amadey | 4d492d7086707959692bd3428cec77d1bc00b0d497b34a33e58f65deaa574f5b

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2023, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d492d7086707959692bd3428cec77d1bc00b0d497b34a33e58f65deaa574f5b.exe
Size

517KB
MD5

37fa397b2e6c99d5440e0b81c555bd3a
SHA1

0a175fcff70b7eb58319b900ab3cb58aa7e7a4db
SHA256

4d492d7086707959692bd3428cec77d1bc00b0d497b34a33e58f65deaa574f5b
SHA512

3896d1d025620e56dd8bd51ce67acdf57e9a5212d9c85999b2ef3ae437836f8540c68dc16292458cf90aea82763db963c8078ccc62b0d317213f926bcc4d288e
SSDEEP

12288:GMr1y90w/9FqNggdaW1SwKMxJ2DaKfD+:ryB//qmG1lJDKa

Score

10^/10

amadey healer redline maxik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

5.42.92.67/norm/index.php

Extracted

Family

redline

Botnet

maxik

77.91.124.156:19071

Attributes

auth_value
a7714e1bc167c67e3fc8f9e368352269

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231e1-152.dat	healer
behavioral1/files/0x00080000000231e1-153.dat	healer
behavioral1/memory/3312-154-0x0000000000AA0000-0x0000000000AAA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p0049619.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p0049619.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p0049619.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p0049619.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p0049619.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p0049619.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 9 IoCs

pid	Process
3500	z6968764.exe
3160	z4449768.exe
3312	p0049619.exe
2992	r4135135.exe
1328	legola.exe
2792	s0956539.exe
1296	legola.exe
3816	legola.exe
3856	legola.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p0049619.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4d492d7086707959692bd3428cec77d1bc00b0d497b34a33e58f65deaa574f5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6968764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4449768.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3312	p0049619.exe
3312	p0049619.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3312	p0049619.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2992	r4135135.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 3500	1356	4d492d7086707959692bd3428cec77d1bc00b0d497b34a33e58f65deaa574f5b.exe	81
PID 1356 wrote to memory of 3500	1356	4d492d7086707959692bd3428cec77d1bc00b0d497b34a33e58f65deaa574f5b.exe	81
PID 1356 wrote to memory of 3500	1356	4d492d7086707959692bd3428cec77d1bc00b0d497b34a33e58f65deaa574f5b.exe	81
PID 3500 wrote to memory of 3160	3500	z6968764.exe	82
PID 3500 wrote to memory of 3160	3500	z6968764.exe	82
PID 3500 wrote to memory of 3160	3500	z6968764.exe	82
PID 3160 wrote to memory of 3312	3160	z4449768.exe	83
PID 3160 wrote to memory of 3312	3160	z4449768.exe	83
PID 3160 wrote to memory of 2992	3160	z4449768.exe	91
PID 3160 wrote to memory of 2992	3160	z4449768.exe	91
PID 3160 wrote to memory of 2992	3160	z4449768.exe	91
PID 2992 wrote to memory of 1328	2992	r4135135.exe	92
PID 2992 wrote to memory of 1328	2992	r4135135.exe	92
PID 2992 wrote to memory of 1328	2992	r4135135.exe	92
PID 3500 wrote to memory of 2792	3500	z6968764.exe	93
PID 3500 wrote to memory of 2792	3500	z6968764.exe	93
PID 3500 wrote to memory of 2792	3500	z6968764.exe	93
PID 1328 wrote to memory of 2320	1328	legola.exe	95
PID 1328 wrote to memory of 2320	1328	legola.exe	95
PID 1328 wrote to memory of 2320	1328	legola.exe	95
PID 1328 wrote to memory of 4184	1328	legola.exe	97
PID 1328 wrote to memory of 4184	1328	legola.exe	97
PID 1328 wrote to memory of 4184	1328	legola.exe	97
PID 4184 wrote to memory of 2928	4184	cmd.exe	99
PID 4184 wrote to memory of 2928	4184	cmd.exe	99
PID 4184 wrote to memory of 2928	4184	cmd.exe	99
PID 4184 wrote to memory of 1872	4184	cmd.exe	100
PID 4184 wrote to memory of 1872	4184	cmd.exe	100
PID 4184 wrote to memory of 1872	4184	cmd.exe	100
PID 4184 wrote to memory of 1140	4184	cmd.exe	101
PID 4184 wrote to memory of 1140	4184	cmd.exe	101
PID 4184 wrote to memory of 1140	4184	cmd.exe	101
PID 4184 wrote to memory of 3796	4184	cmd.exe	103
PID 4184 wrote to memory of 3796	4184	cmd.exe	103
PID 4184 wrote to memory of 3796	4184	cmd.exe	103
PID 4184 wrote to memory of 2424	4184	cmd.exe	102
PID 4184 wrote to memory of 2424	4184	cmd.exe	102
PID 4184 wrote to memory of 2424	4184	cmd.exe	102
PID 4184 wrote to memory of 2740	4184	cmd.exe	104
PID 4184 wrote to memory of 2740	4184	cmd.exe	104
PID 4184 wrote to memory of 2740	4184	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\4d492d7086707959692bd3428cec77d1bc00b0d497b34a33e58f65deaa574f5b.exe
"C:\Users\Admin\AppData\Local\Temp\4d492d7086707959692bd3428cec77d1bc00b0d497b34a33e58f65deaa574f5b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6968764.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6968764.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4449768.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4449768.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0049619.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0049619.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r4135135.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r4135135.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2320
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:N"
        7⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:R" /E
        7⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:N"
        7⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:R" /E
        7⤵
        
        PID:2740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s0956539.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s0956539.exe
    3⤵
    - Executes dropped EXE
    PID:2792

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:1296

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6968764.exe

Filesize
390KB

MD5
c99e9c4484855605b4a52dd52abb4c3c

SHA1
d5269ef0591cb2e6f8a587faa01b58c2b6e86f16

SHA256
c640adcb9c6fc857c5fb7f6a5d7be987db620133bddb0e0af01287d20a3592d3

SHA512
e0621061113522e7e601bbd4c43a4cce16a0fdde0b97e4aa804079d78ce08d9db45e9938e369392c850f083f388abac973b394a054d8e7867239b2fb5007abe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6968764.exe

Filesize
390KB

MD5
c99e9c4484855605b4a52dd52abb4c3c

SHA1
d5269ef0591cb2e6f8a587faa01b58c2b6e86f16

SHA256
c640adcb9c6fc857c5fb7f6a5d7be987db620133bddb0e0af01287d20a3592d3

SHA512
e0621061113522e7e601bbd4c43a4cce16a0fdde0b97e4aa804079d78ce08d9db45e9938e369392c850f083f388abac973b394a054d8e7867239b2fb5007abe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s0956539.exe

Filesize
175KB

MD5
46bfbb758e4b2bac2774c7f583839388

SHA1
bcad598205c4dc9fdea57c27202b7043442bd7bb

SHA256
7cdee49e35b7bb70b36cf1d451a2c3e52d0bb20bdaea7412a6d6d4d0d262b9c4

SHA512
10cefa2cc867fff34eaeb242c7fb8d34e69babf88d5b9ffe00b54e3dcd894227b5d341f80b5ce62ba4f02ae5fddf11f9eddde9de0e78fc68dd095c5e6f69a829

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s0956539.exe

Filesize
175KB

MD5
46bfbb758e4b2bac2774c7f583839388

SHA1
bcad598205c4dc9fdea57c27202b7043442bd7bb

SHA256
7cdee49e35b7bb70b36cf1d451a2c3e52d0bb20bdaea7412a6d6d4d0d262b9c4

SHA512
10cefa2cc867fff34eaeb242c7fb8d34e69babf88d5b9ffe00b54e3dcd894227b5d341f80b5ce62ba4f02ae5fddf11f9eddde9de0e78fc68dd095c5e6f69a829

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4449768.exe

Filesize
234KB

MD5
c3994d1c502653dede5ba600ed4c7796

SHA1
c9bbc5ae61be8e21091a89a62a44cb9ddbb23c4b

SHA256
acd3241ce259ecfd6c2db0cca69eb2f29f9740816d1a6cd7404444c751f0e394

SHA512
3f535388cd5af3587b456d01700d7ab3782a867cfb8c98632691c7d8104f248078c98570971bb0f3a358edecd33e2a97d34a31c1ec615bb6789bb1c118154cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4449768.exe

Filesize
234KB

MD5
c3994d1c502653dede5ba600ed4c7796

SHA1
c9bbc5ae61be8e21091a89a62a44cb9ddbb23c4b

SHA256
acd3241ce259ecfd6c2db0cca69eb2f29f9740816d1a6cd7404444c751f0e394

SHA512
3f535388cd5af3587b456d01700d7ab3782a867cfb8c98632691c7d8104f248078c98570971bb0f3a358edecd33e2a97d34a31c1ec615bb6789bb1c118154cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0049619.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0049619.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r4135135.exe

Filesize
227KB

MD5
17bd11b5fb5febd3fbda4c3e3641a424

SHA1
753bf2d41a89a405a88784a52416e7194994b79b

SHA256
69dd2c44f9ca835c40c3b5327f9722e5fb48aeb108dcb0e67309242477112a83

SHA512
a27738348aa45ed97b9757209354d19c16d04f29a2fd0ff371cc3632cbddb32a1df752cf28cb781199582cb57c46a350344a7090aa7a1d0274b22f58e901817e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r4135135.exe

Filesize
227KB

MD5
17bd11b5fb5febd3fbda4c3e3641a424

SHA1
753bf2d41a89a405a88784a52416e7194994b79b

SHA256
69dd2c44f9ca835c40c3b5327f9722e5fb48aeb108dcb0e67309242477112a83

SHA512
a27738348aa45ed97b9757209354d19c16d04f29a2fd0ff371cc3632cbddb32a1df752cf28cb781199582cb57c46a350344a7090aa7a1d0274b22f58e901817e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
227KB

MD5
17bd11b5fb5febd3fbda4c3e3641a424

SHA1
753bf2d41a89a405a88784a52416e7194994b79b

SHA256
69dd2c44f9ca835c40c3b5327f9722e5fb48aeb108dcb0e67309242477112a83

SHA512
a27738348aa45ed97b9757209354d19c16d04f29a2fd0ff371cc3632cbddb32a1df752cf28cb781199582cb57c46a350344a7090aa7a1d0274b22f58e901817e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
227KB

MD5
17bd11b5fb5febd3fbda4c3e3641a424

SHA1
753bf2d41a89a405a88784a52416e7194994b79b

SHA256
69dd2c44f9ca835c40c3b5327f9722e5fb48aeb108dcb0e67309242477112a83

SHA512
a27738348aa45ed97b9757209354d19c16d04f29a2fd0ff371cc3632cbddb32a1df752cf28cb781199582cb57c46a350344a7090aa7a1d0274b22f58e901817e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
227KB

MD5
17bd11b5fb5febd3fbda4c3e3641a424

SHA1
753bf2d41a89a405a88784a52416e7194994b79b

SHA256
69dd2c44f9ca835c40c3b5327f9722e5fb48aeb108dcb0e67309242477112a83

SHA512
a27738348aa45ed97b9757209354d19c16d04f29a2fd0ff371cc3632cbddb32a1df752cf28cb781199582cb57c46a350344a7090aa7a1d0274b22f58e901817e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
227KB

MD5
17bd11b5fb5febd3fbda4c3e3641a424

SHA1
753bf2d41a89a405a88784a52416e7194994b79b

SHA256
69dd2c44f9ca835c40c3b5327f9722e5fb48aeb108dcb0e67309242477112a83

SHA512
a27738348aa45ed97b9757209354d19c16d04f29a2fd0ff371cc3632cbddb32a1df752cf28cb781199582cb57c46a350344a7090aa7a1d0274b22f58e901817e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
227KB

MD5
17bd11b5fb5febd3fbda4c3e3641a424

SHA1
753bf2d41a89a405a88784a52416e7194994b79b

SHA256
69dd2c44f9ca835c40c3b5327f9722e5fb48aeb108dcb0e67309242477112a83

SHA512
a27738348aa45ed97b9757209354d19c16d04f29a2fd0ff371cc3632cbddb32a1df752cf28cb781199582cb57c46a350344a7090aa7a1d0274b22f58e901817e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
227KB

MD5
17bd11b5fb5febd3fbda4c3e3641a424

SHA1
753bf2d41a89a405a88784a52416e7194994b79b

SHA256
69dd2c44f9ca835c40c3b5327f9722e5fb48aeb108dcb0e67309242477112a83

SHA512
a27738348aa45ed97b9757209354d19c16d04f29a2fd0ff371cc3632cbddb32a1df752cf28cb781199582cb57c46a350344a7090aa7a1d0274b22f58e901817e

Download Submit
memory/2792-179-0x0000000005280000-0x0000000005292000-memory.dmp

Filesize
72KB

Download
memory/2792-175-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/2792-176-0x0000000005830000-0x0000000005E48000-memory.dmp

Filesize
6.1MB

Download
memory/2792-177-0x0000000005340000-0x000000000544A000-memory.dmp

Filesize
1.0MB

Download
memory/2792-178-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2792-174-0x00000000007B0000-0x00000000007E0000-memory.dmp

Filesize
192KB

Download
memory/2792-180-0x00000000052E0000-0x000000000531C000-memory.dmp

Filesize
240KB

Download
memory/2792-181-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/2792-183-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3312-157-0x00007FFC75F70000-0x00007FFC76A31000-memory.dmp

Filesize
10.8MB

Download
memory/3312-155-0x00007FFC75F70000-0x00007FFC76A31000-memory.dmp

Filesize
10.8MB

Download
memory/3312-154-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download