amadey | 21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

Analysis

max time kernel
132s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe
Size

1.0MB
MD5

db869d62f5f8401076718a70f48e586e
SHA1

424352327fdb3f8795505b26e11c856479aa493f
SHA256

006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb
SHA512

ce1e660929575deacaad46b9e52945d26a4a748e25d8bca28932493e43d67a683d5d917b53f171465d31488816b6ab9f7eebac67b723e085fb340644bd8b69c9
SSDEEP

24576:py5vrzFyTGc619B8SQEQasoju6DojiYiZnkClrK:cBPwTGc8nxPhZRZnkq

Score

10^/10

amadey healer redline fb0fb8 mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1472-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8216773.exe	family_redline
behavioral1/memory/4328-51-0x00000000002F0000-0x0000000000320000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explonde.exer4295390.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	r4295390.exe

Executes dropped EXE 10 IoCs

Processes:

z2659523.exez2727565.exez0654747.exez6790140.exeq1360990.exer4295390.exeexplonde.exes8216773.exeexplonde.exeexplonde.exe

pid	process
4708	z2659523.exe
2156	z2727565.exe
1260	z0654747.exe
4464	z6790140.exe
4020	q1360990.exe
1704	r4295390.exe
2088	explonde.exe
4328	s8216773.exe
4464	explonde.exe
3968	explonde.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exez2659523.exez2727565.exez0654747.exez6790140.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2659523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2727565.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0654747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z6790140.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

q1360990.exe

description pid process target process

PID 4020 set thread context of 1472 4020 q1360990.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2936 4020 WerFault.exe q1360990.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3644 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1472 AppLaunch.exe
1472 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1472 AppLaunch.exe

description	pid	process	target process
PID 4020 set thread context of 1472	4020	q1360990.exe	AppLaunch.exe

pid	pid_target	process	target process
2936	4020	WerFault.exe	q1360990.exe

pid	process
3644	schtasks.exe

pid	process
1472	AppLaunch.exe
1472	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1472	AppLaunch.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exez2659523.exez2727565.exez0654747.exez6790140.exeq1360990.exer4295390.exeexplonde.execmd.exe

description	pid	process	target process
PID 5044 wrote to memory of 4708	5044	006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe	z2659523.exe
PID 5044 wrote to memory of 4708	5044	006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe	z2659523.exe
PID 5044 wrote to memory of 4708	5044	006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe	z2659523.exe
PID 4708 wrote to memory of 2156	4708	z2659523.exe	z2727565.exe
PID 4708 wrote to memory of 2156	4708	z2659523.exe	z2727565.exe
PID 4708 wrote to memory of 2156	4708	z2659523.exe	z2727565.exe
PID 2156 wrote to memory of 1260	2156	z2727565.exe	z0654747.exe
PID 2156 wrote to memory of 1260	2156	z2727565.exe	z0654747.exe
PID 2156 wrote to memory of 1260	2156	z2727565.exe	z0654747.exe
PID 1260 wrote to memory of 4464	1260	z0654747.exe	z6790140.exe
PID 1260 wrote to memory of 4464	1260	z0654747.exe	z6790140.exe
PID 1260 wrote to memory of 4464	1260	z0654747.exe	z6790140.exe
PID 4464 wrote to memory of 4020	4464	z6790140.exe	q1360990.exe
PID 4464 wrote to memory of 4020	4464	z6790140.exe	q1360990.exe
PID 4464 wrote to memory of 4020	4464	z6790140.exe	q1360990.exe
PID 4020 wrote to memory of 1472	4020	q1360990.exe	AppLaunch.exe
PID 4020 wrote to memory of 1472	4020	q1360990.exe	AppLaunch.exe
PID 4020 wrote to memory of 1472	4020	q1360990.exe	AppLaunch.exe
PID 4020 wrote to memory of 1472	4020	q1360990.exe	AppLaunch.exe
PID 4020 wrote to memory of 1472	4020	q1360990.exe	AppLaunch.exe
PID 4020 wrote to memory of 1472	4020	q1360990.exe	AppLaunch.exe
PID 4020 wrote to memory of 1472	4020	q1360990.exe	AppLaunch.exe
PID 4020 wrote to memory of 1472	4020	q1360990.exe	AppLaunch.exe
PID 4464 wrote to memory of 1704	4464	z6790140.exe	r4295390.exe
PID 4464 wrote to memory of 1704	4464	z6790140.exe	r4295390.exe
PID 4464 wrote to memory of 1704	4464	z6790140.exe	r4295390.exe
PID 1704 wrote to memory of 2088	1704	r4295390.exe	explonde.exe
PID 1704 wrote to memory of 2088	1704	r4295390.exe	explonde.exe
PID 1704 wrote to memory of 2088	1704	r4295390.exe	explonde.exe
PID 1260 wrote to memory of 4328	1260	z0654747.exe	s8216773.exe
PID 1260 wrote to memory of 4328	1260	z0654747.exe	s8216773.exe
PID 1260 wrote to memory of 4328	1260	z0654747.exe	s8216773.exe
PID 2088 wrote to memory of 3644	2088	explonde.exe	schtasks.exe
PID 2088 wrote to memory of 3644	2088	explonde.exe	schtasks.exe
PID 2088 wrote to memory of 3644	2088	explonde.exe	schtasks.exe
PID 2088 wrote to memory of 2780	2088	explonde.exe	cmd.exe
PID 2088 wrote to memory of 2780	2088	explonde.exe	cmd.exe
PID 2088 wrote to memory of 2780	2088	explonde.exe	cmd.exe
PID 2780 wrote to memory of 1452	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 1452	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 1452	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 5040	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 5040	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 5040	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 1396	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 1396	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 1396	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 5116	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 5116	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 5116	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 4628	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 4628	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 4628	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 4080	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 4080	2780	cmd.exe	cacls.exe
PID 2780 wrote to memory of 4080	2780	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe
"C:\Users\Admin\AppData\Local\Temp\006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2659523.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2659523.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2727565.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2727565.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0654747.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0654747.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6790140.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6790140.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1360990.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1360990.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 552
7⤵
- Program crash
PID:2936

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4295390.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4295390.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
8⤵
- Creates scheduled task(s)
PID:3644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
8⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
9⤵
PID:1452

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
9⤵
PID:5040

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
9⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
9⤵
PID:5116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
9⤵
PID:4628

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
9⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8216773.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8216773.exe
5⤵
- Executes dropped EXE
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4020 -ip 4020
1⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2659523.exe
Filesize
836KB

MD5
a540d41f4170487ff29efb26404a666d

SHA1
28b5ba1040eda234c4334a976d00ae356512485d

SHA256
6c1eb8e10013afe3d1332b19a07549f15099a0b4c8216248a5d3f109173c728b

SHA512
f57dd8b899ac5b05a879ed02c71d94453b617252bed29c820ac753697c351a96ac31221e798f86015cd3b6639b38185339686693a55dc8b1298bf0230d81c1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2727565.exe
Filesize
606KB

MD5
1c514a4baabea74ed855fcbd5c81fd0f

SHA1
e2d447c0a5b108ee783b3628134d2ebb54211a1c

SHA256
4303f079f488faaab40e67a5da959503e0f34480be9f9d5497dd6a84640fa45a

SHA512
95113ceb793eac5214ff5e5539bd32e1a335d721bc052e3a0c0d1d05f37f16fbb7b5fd6511a86d568f7e76ebf980507e8c6531564d827e84e0d743ba2d28bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0654747.exe
Filesize
424KB

MD5
5e939336744cc1ca7c326acd817b9cbd

SHA1
d11cf08a9630cdbb2c98b6f4a645f3cc56b6008f

SHA256
77c30326c817a747d38caf56e6d01c13be2056debe10be70617af1a12a15831b

SHA512
b0a84737a660f80fb7e08afcff50753f5b84a7f575d681a1be599a23780de026f1574d5ae2f999a29507ba05cf9725320073e922437c4df1c4133c4d34b6ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8216773.exe
Filesize
176KB

MD5
d88e3b43da0d1c09a99ab842c2d2bfe6

SHA1
272696386bcd61a9e08b7a06a90845f12bb4958b

SHA256
b52c869d6ef71ad7990ff2d9a57dc407fd5fa2803a8773d0370055614ec1345f

SHA512
9cc4d0b52cf44935e8ea6d6dc8be5b8644c010d146d08cb98b915d58d286b6689170df8084291039a0bf409474c3a96850242e514b2c1183a1af63f70d5cb362

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6790140.exe
Filesize
268KB

MD5
7136162ef2592358fe37200250184cca

SHA1
4c02c65f24fd145f8c7d0b2ae02f1399153eb8f7

SHA256
53894a0210489cf341910d7fd82413bfccf557796c2f823d4fca6711b4812b1f

SHA512
a3b5744127325752baaef907bf1d8377fcaa1f9dde50ff0ea75c1fb94d79734cdc55423257e076004a69ddb20fcc7ec29a642b0a5bf694fef7d9ce9de84832a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1360990.exe
Filesize
126KB

MD5
5c674cc90bd4867f466fec5b977263a7

SHA1
0f98429978ca843ac6bfed21ee05936015f5d628

SHA256
ee4de150ce2bc17e0e47dc0825469ff00138c057562657b54ca45dbbba4c1961

SHA512
862378fba4aa7bc5ccbb7ec2a425ef853031e7255fdc6c723a0be8c569fe9120954b8ca52c9a7108d9c34146dfc6cf682bf4d29d0ba9ff63e284605cd6cbc610

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4295390.exe
Filesize
222KB

MD5
4dfb81d60b9ad24be9d08894f6a3effd

SHA1
a28474cf67d54735630afa7d523860c1846a61bc

SHA256
4469d03e30861b2c39c4d162c1c884eec5e2185aab92bb65c5dcad12ebbd817e

SHA512
764470cecfe284c5e0eb5abeb03b6626e122c75837439b2e73a365d7f6b14d5a14c10104e1d9fce129c264b60c9c8451a89e43ee034f4fcf6c9da68c2b0585eb

Download Submit
memory/1472-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4328-51-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/4328-52-0x0000000002430000-0x0000000002436000-memory.dmp

Filesize
24KB

Download
memory/4328-53-0x00000000052A0000-0x00000000058B8000-memory.dmp

Filesize
6.1MB

Download
memory/4328-54-0x0000000004D90000-0x0000000004E9A000-memory.dmp

Filesize
1.0MB

Download
memory/4328-55-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/4328-56-0x0000000004CA0000-0x0000000004CDC000-memory.dmp

Filesize
240KB

Download
memory/4328-57-0x0000000004D20000-0x0000000004D6C000-memory.dmp

Filesize
304KB

Download