amadey | 4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
Size

1.8MB
MD5

b744a970020e1fdbae5c7763f30ed604
SHA1

5235946db0eafb6079f016a15e8e2c5f7cae432d
SHA256

4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3
SHA512

9df5a75b117cb8bfc62a32af0fba5ded8b259df2f4bc3309cf5a160a3cbae56a0113fe42bc4c1a1bfc197d8b3ee1a5fd4ecc77dbafc124d47191160c02a407c6
SSDEEP

24576:YlHbqU3MRKGTZgqCrSikD/HO0yJHYUHRbNxmindZM/Tg24PPH9F7F7OH0R0o8ocX:Yl7rAhCrSD/HOjJ4yROinAgPTEHW0o8

Score

10^/10

amadey redline sectoprat traffic discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

Traffic

b-stamps.gl.at.ply.gg:30946

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000233f1-35.dat	family_redline
behavioral1/memory/3936-49-0x0000000000710000-0x000000000072E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000233f1-35.dat	family_sectoprat
behavioral1/memory/3936-49-0x0000000000710000-0x000000000072E000-memory.dmp	family_sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
52	3928	rundll32.exe
53	4696	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	chrosha.exe

Executes dropped EXE 2 IoCs

pid	Process
3224	chrosha.exe
3936	build12.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Software\Wine	4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Software\Wine	chrosha.exe

Loads dropped DLL 3 IoCs

pid	Process
2292	rundll32.exe
3928	rundll32.exe
4696	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3008	4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
3224	chrosha.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\chrosha.job	4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3008	4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
3008	4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
3224	chrosha.exe
3224	chrosha.exe
3936	build12.exe
3936	build12.exe
3928	rundll32.exe
3928	rundll32.exe
3928	rundll32.exe
3928	rundll32.exe
3928	rundll32.exe
3928	rundll32.exe
3928	rundll32.exe
3928	rundll32.exe
3928	rundll32.exe
3928	rundll32.exe
684	powershell.exe
684	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	build12.exe
Token: SeDebugPrivilege	684	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 3936	3224	chrosha.exe	94
PID 3224 wrote to memory of 3936	3224	chrosha.exe	94
PID 3224 wrote to memory of 3936	3224	chrosha.exe	94
PID 3224 wrote to memory of 2292	3224	chrosha.exe	99
PID 3224 wrote to memory of 2292	3224	chrosha.exe	99
PID 3224 wrote to memory of 2292	3224	chrosha.exe	99
PID 2292 wrote to memory of 3928	2292	rundll32.exe	100
PID 2292 wrote to memory of 3928	2292	rundll32.exe	100
PID 3928 wrote to memory of 1316	3928	rundll32.exe	101
PID 3928 wrote to memory of 1316	3928	rundll32.exe	101
PID 3928 wrote to memory of 684	3928	rundll32.exe	103
PID 3928 wrote to memory of 684	3928	rundll32.exe	103
PID 3224 wrote to memory of 4696	3224	chrosha.exe	105
PID 3224 wrote to memory of 4696	3224	chrosha.exe	105
PID 3224 wrote to memory of 4696	3224	chrosha.exe	105

C:\Users\Admin\AppData\Local\Temp\4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
"C:\Users\Admin\AppData\Local\Temp\4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\1000188001\build12.exe
  "C:\Users\Admin\AppData\Local\Temp\1000188001\build12.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\177723727746_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:684
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000188001\build12.exe

Filesize
95KB

MD5
4cfd179519524269052023e10de6b866

SHA1
1e92ba2322e341b979d53422cf0e044c4f3b1846

SHA256
a24a85156ce1a077403b4fffe4c4e1c592df412d6495fba921771c59456b43af

SHA512
6477c8dc2ba0f754716ee074be131bc14a7d616c877210e0a3fbed7ea3fd132f2833518c52211757a8a875018061ae56fcdd7c30b8149ebe91c33763057ed8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

Filesize
1.8MB

MD5
b744a970020e1fdbae5c7763f30ed604

SHA1
5235946db0eafb6079f016a15e8e2c5f7cae432d

SHA256
4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3

SHA512
9df5a75b117cb8bfc62a32af0fba5ded8b259df2f4bc3309cf5a160a3cbae56a0113fe42bc4c1a1bfc197d8b3ee1a5fd4ecc77dbafc124d47191160c02a407c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ii0030qz.oib.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA20D.tmp

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA242.tmp

Filesize
100KB

MD5
455ab9618e6698ef673aa0f106114fdd

SHA1
88dc5a73fdb92d1b49dfda20b2c67aafbbaebcf9

SHA256
7d756e0f89492214381da99d9a1f22110078a22da64b131a711022faec2937f3

SHA512
f7ffdc519927eaed3a8552fd85092934f8bb3f5bee09ec4ce551f2ed8c7e7a4dc449c06e87d4c5aa1a69dd72ac7a2a0d10c879ff2c65dfaa0f214ac007db08fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA26C.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA283.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA289.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2C4.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
memory/684-262-0x000002B49FAC0000-0x000002B49FAE2000-memory.dmp

Filesize
136KB

Download
memory/684-263-0x00007FFE21DF0000-0x00007FFE228B1000-memory.dmp

Filesize
10.8MB

Download
memory/684-264-0x000002B49D7D0000-0x000002B49D7E0000-memory.dmp

Filesize
64KB

Download
memory/684-265-0x000002B49D7D0000-0x000002B49D7E0000-memory.dmp

Filesize
64KB

Download
memory/684-274-0x00007FFE21DF0000-0x00007FFE228B1000-memory.dmp

Filesize
10.8MB

Download
memory/684-268-0x000002B49FB30000-0x000002B49FB3A000-memory.dmp

Filesize
40KB

Download
memory/684-267-0x000002B49FB50000-0x000002B49FB62000-memory.dmp

Filesize
72KB

Download
memory/684-266-0x000002B49D7D0000-0x000002B49D7E0000-memory.dmp

Filesize
64KB

Download
memory/3008-8-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3008-10-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3008-11-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3008-16-0x0000000000FF0000-0x000000000149E000-memory.dmp

Filesize
4.7MB

Download
memory/3008-9-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/3008-7-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/3008-0-0x0000000000FF0000-0x000000000149E000-memory.dmp

Filesize
4.7MB

Download
memory/3008-6-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3008-5-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3008-4-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/3008-3-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/3008-2-0x0000000000FF0000-0x000000000149E000-memory.dmp

Filesize
4.7MB

Download
memory/3008-1-0x0000000077534000-0x0000000077536000-memory.dmp

Filesize
8KB

Download
memory/3224-26-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3224-290-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-299-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-298-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-297-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-296-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-295-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-62-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-294-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-293-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-292-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-291-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-289-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-19-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-277-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-20-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-21-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/3224-252-0x0000000000920000-0x0000000000DCE000-memory.dmp

Filesize
4.7MB

Download
memory/3224-29-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/3224-28-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/3224-22-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3224-23-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3224-24-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3224-25-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3224-27-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3936-53-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/3936-54-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/3936-276-0x0000000073140000-0x00000000738F0000-memory.dmp

Filesize
7.7MB

Download
memory/3936-217-0x0000000008950000-0x00000000089C6000-memory.dmp

Filesize
472KB

Download
memory/3936-50-0x0000000073140000-0x00000000738F0000-memory.dmp

Filesize
7.7MB

Download
memory/3936-51-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/3936-218-0x0000000008930000-0x000000000894E000-memory.dmp

Filesize
120KB

Download
memory/3936-56-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3936-49-0x0000000000710000-0x000000000072E000-memory.dmp

Filesize
120KB

Download
memory/3936-52-0x00000000061F0000-0x0000000006808000-memory.dmp

Filesize
6.1MB

Download
memory/3936-55-0x0000000005CD0000-0x0000000005D0C000-memory.dmp

Filesize
240KB

Download
memory/3936-61-0x0000000008420000-0x0000000008486000-memory.dmp

Filesize
408KB

Download
memory/3936-60-0x0000000008C00000-0x000000000912C000-memory.dmp

Filesize
5.2MB

Download
memory/3936-59-0x0000000008500000-0x00000000086C2000-memory.dmp

Filesize
1.8MB

Download
memory/3936-58-0x00000000060A0000-0x00000000061AA000-memory.dmp

Filesize
1.0MB

Download
memory/3936-57-0x0000000005F00000-0x0000000005F4C000-memory.dmp

Filesize
304KB

Download