amadey | a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce

Analysis

max time kernel
144s
max time network
100s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12-04-2023 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe
Size

1.1MB
MD5

c9727dd57031c749c61993ed6dcaa8c2
SHA1

e1c39d9fc6f03b79121b60523a8982206c688171
SHA256

a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce
SHA512

93acd6eb15a772179be9109f331cf10b8dfe1b6846c62434cdabf38d2fa555220d9f9fe47aea78832f28f02413b30edd2d603b8c656cb35953b4b554868070eb
SSDEEP

24576:WyML36s9kBe4PWijOURQZwlgP6AGlNrVZQSfZcKo2n:ljs9LGLeiJAQNrESfM

Score

10^/10

amadey redline diza lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diza

185.161.248.90:4125

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr637316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr637316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr637316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr637316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr637316.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3372	un265142.exe
4348	un979082.exe
4200	pr637316.exe
2372	qu430812.exe
2604	1.exe
2428	rk058196.exe
1764	si418780.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr637316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr637316.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un265142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un265142.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un979082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un979082.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4232	1764	WerFault.exe	73
2348	1764	WerFault.exe	73
4600	1764	WerFault.exe	73
1104	1764	WerFault.exe	73
2224	1764	WerFault.exe	73
3788	1764	WerFault.exe	73
4084	1764	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4200	pr637316.exe
4200	pr637316.exe
2428	rk058196.exe
2604	1.exe
2428	rk058196.exe
2604	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	pr637316.exe
Token: SeDebugPrivilege	2372	qu430812.exe
Token: SeDebugPrivilege	2428	rk058196.exe
Token: SeDebugPrivilege	2604	1.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3372	3240	a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe	66
PID 3240 wrote to memory of 3372	3240	a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe	66
PID 3240 wrote to memory of 3372	3240	a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe	66
PID 3372 wrote to memory of 4348	3372	un265142.exe	67
PID 3372 wrote to memory of 4348	3372	un265142.exe	67
PID 3372 wrote to memory of 4348	3372	un265142.exe	67
PID 4348 wrote to memory of 4200	4348	un979082.exe	68
PID 4348 wrote to memory of 4200	4348	un979082.exe	68
PID 4348 wrote to memory of 4200	4348	un979082.exe	68
PID 4348 wrote to memory of 2372	4348	un979082.exe	69
PID 4348 wrote to memory of 2372	4348	un979082.exe	69
PID 4348 wrote to memory of 2372	4348	un979082.exe	69
PID 2372 wrote to memory of 2604	2372	qu430812.exe	70
PID 2372 wrote to memory of 2604	2372	qu430812.exe	70
PID 2372 wrote to memory of 2604	2372	qu430812.exe	70
PID 3372 wrote to memory of 2428	3372	un265142.exe	71
PID 3372 wrote to memory of 2428	3372	un265142.exe	71
PID 3372 wrote to memory of 2428	3372	un265142.exe	71
PID 3240 wrote to memory of 1764	3240	a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe	73
PID 3240 wrote to memory of 1764	3240	a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe	73
PID 3240 wrote to memory of 1764	3240	a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe	73

C:\Users\Admin\AppData\Local\Temp\a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe
"C:\Users\Admin\AppData\Local\Temp\a837a3d515c3f535a03cd966888bc6f156d2b002b15c9fba3ef95b96e90837ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un265142.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un265142.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un979082.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un979082.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr637316.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr637316.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu430812.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu430812.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk058196.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk058196.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si418780.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si418780.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 636
    3⤵
    - Program crash
    PID:4232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 712
    3⤵
    - Program crash
    PID:2348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 852
    3⤵
    - Program crash
    PID:4600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 860
    3⤵
    - Program crash
    PID:1104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 888
    3⤵
    - Program crash
    PID:2224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 900
    3⤵
    - Program crash
    PID:3788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1084
    3⤵
    - Program crash
    PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si418780.exe

Filesize
395KB

MD5
7ca9d2bcb6c660b4668312b1953e7e88

SHA1
8c6fc9f1d4db491b514348a0a69ad47f59713a55

SHA256
ab4eb6092f2cfe38465b6961ce44401b29ae7223acc9a17b0fc91c2e7f661415

SHA512
1beeec34e594550a1756a420955afcb498157e20170dee13f6adec5301d246e640c5f8024a5d68d7acc95e1c0c975a793e27669ae8bc9839de01567d9f127dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si418780.exe

Filesize
395KB

MD5
7ca9d2bcb6c660b4668312b1953e7e88

SHA1
8c6fc9f1d4db491b514348a0a69ad47f59713a55

SHA256
ab4eb6092f2cfe38465b6961ce44401b29ae7223acc9a17b0fc91c2e7f661415

SHA512
1beeec34e594550a1756a420955afcb498157e20170dee13f6adec5301d246e640c5f8024a5d68d7acc95e1c0c975a793e27669ae8bc9839de01567d9f127dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un265142.exe

Filesize
851KB

MD5
cc41121b99e4dc3c9a606f82225ab963

SHA1
d6837a92ffbe87581a76e6f20c618100cef0868c

SHA256
9c629087cbfd07d365be3b94bf4baee8c852844860234d25f282e558fafedd54

SHA512
77c136c841577a496b7c888010414cc297c40281904f68fce9366568d6a3f90eb38dd5a0b13a6eb9b63d6dbfb4f5cc3ccc72b30accc69d9153c1403899e90be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un265142.exe

Filesize
851KB

MD5
cc41121b99e4dc3c9a606f82225ab963

SHA1
d6837a92ffbe87581a76e6f20c618100cef0868c

SHA256
9c629087cbfd07d365be3b94bf4baee8c852844860234d25f282e558fafedd54

SHA512
77c136c841577a496b7c888010414cc297c40281904f68fce9366568d6a3f90eb38dd5a0b13a6eb9b63d6dbfb4f5cc3ccc72b30accc69d9153c1403899e90be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk058196.exe

Filesize
168KB

MD5
c52ebada00a59ec1f651a0e9fbcef2eb

SHA1
e1941278df76616f1ca3202ef2a9f99d2592d52f

SHA256
35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e

SHA512
6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk058196.exe

Filesize
168KB

MD5
c52ebada00a59ec1f651a0e9fbcef2eb

SHA1
e1941278df76616f1ca3202ef2a9f99d2592d52f

SHA256
35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e

SHA512
6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un979082.exe

Filesize
697KB

MD5
29de1cf75e70fabd3e84fa55cba9514d

SHA1
8ce15d6ba8eb393a670ea3054ac81491ac4719f0

SHA256
cfd513fc472a778f8c71a8c7409f7b8826e7200bdc9b53298123421355167abe

SHA512
a7a539670f4b663dd56f89547dd2bd1739ee2195f55fca8b3503e3df1145ef75d6f56895d05322a14f3caddb76958a4cd93c13e9535158bee1cf92a494569fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un979082.exe

Filesize
697KB

MD5
29de1cf75e70fabd3e84fa55cba9514d

SHA1
8ce15d6ba8eb393a670ea3054ac81491ac4719f0

SHA256
cfd513fc472a778f8c71a8c7409f7b8826e7200bdc9b53298123421355167abe

SHA512
a7a539670f4b663dd56f89547dd2bd1739ee2195f55fca8b3503e3df1145ef75d6f56895d05322a14f3caddb76958a4cd93c13e9535158bee1cf92a494569fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr637316.exe

Filesize
403KB

MD5
eb7addffc12f02f727de9d627b8c1f8b

SHA1
d2d04260b73770e51a60baf68ee393c61431f624

SHA256
0d5a7705d2c8c73da6cecf16da415be4d2f1daf1c96e255dfb03da90e5d35ed2

SHA512
abc682ed269aa243780d0edead4b87289841c0cebf7d4877bd9744a9eb914cd535fc0de7f440f6d1c71177ecf6920f73b9a296ec9c3d72d9713b1a92ec6e0a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr637316.exe

Filesize
403KB

MD5
eb7addffc12f02f727de9d627b8c1f8b

SHA1
d2d04260b73770e51a60baf68ee393c61431f624

SHA256
0d5a7705d2c8c73da6cecf16da415be4d2f1daf1c96e255dfb03da90e5d35ed2

SHA512
abc682ed269aa243780d0edead4b87289841c0cebf7d4877bd9744a9eb914cd535fc0de7f440f6d1c71177ecf6920f73b9a296ec9c3d72d9713b1a92ec6e0a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu430812.exe

Filesize
587KB

MD5
d2be08a2f7a75361b7bce5eeb4ff02bc

SHA1
a29c975f8618013bbc18437ffaa679ebc4733da2

SHA256
1d6b31d3f733955cfcb633c2909e64702d9aea0e376894775679d0d3854afb06

SHA512
b4f41d36e6c2b5b36210f4537c88707c7dfee1be6aa47820b4e9250a28c1432824541add97450e74e85e2e95f2cff0ced7083efeaff48227331a21db6ea8249a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu430812.exe

Filesize
587KB

MD5
d2be08a2f7a75361b7bce5eeb4ff02bc

SHA1
a29c975f8618013bbc18437ffaa679ebc4733da2

SHA256
1d6b31d3f733955cfcb633c2909e64702d9aea0e376894775679d0d3854afb06

SHA512
b4f41d36e6c2b5b36210f4537c88707c7dfee1be6aa47820b4e9250a28c1432824541add97450e74e85e2e95f2cff0ced7083efeaff48227331a21db6ea8249a

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1764-2369-0x0000000002360000-0x000000000239B000-memory.dmp

Filesize
236KB

Download
memory/2372-220-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-204-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-314-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2372-316-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2372-312-0x00000000009A0000-0x00000000009FB000-memory.dmp

Filesize
364KB

Download
memory/2372-200-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-218-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-216-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-214-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-212-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-210-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-208-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-206-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-318-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2372-202-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-198-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-2333-0x00000000029E0000-0x0000000002A12000-memory.dmp

Filesize
200KB

Download
memory/2372-2337-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2372-185-0x00000000026C0000-0x0000000002728000-memory.dmp

Filesize
416KB

Download
memory/2372-186-0x0000000002890000-0x00000000028F6000-memory.dmp

Filesize
408KB

Download
memory/2372-187-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-188-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-190-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-192-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-194-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2372-196-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2428-2347-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/2428-2355-0x000000000A380000-0x000000000A3CB000-memory.dmp

Filesize
300KB

Download
memory/2428-2348-0x0000000004D20000-0x0000000004D26000-memory.dmp

Filesize
24KB

Download
memory/2428-2361-0x000000000B410000-0x000000000B460000-memory.dmp

Filesize
320KB

Download
memory/2428-2360-0x000000000C070000-0x000000000C59C000-memory.dmp

Filesize
5.2MB

Download
memory/2428-2359-0x000000000B470000-0x000000000B632000-memory.dmp

Filesize
1.8MB

Download
memory/2428-2349-0x000000000A730000-0x000000000AD36000-memory.dmp

Filesize
6.0MB

Download
memory/2428-2357-0x000000000A640000-0x000000000A6D2000-memory.dmp

Filesize
584KB

Download
memory/2428-2350-0x000000000A270000-0x000000000A37A000-memory.dmp

Filesize
1.0MB

Download
memory/2428-2354-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2604-2342-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download
memory/2604-2353-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/2604-2352-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2604-2351-0x0000000004C10000-0x0000000004C22000-memory.dmp

Filesize
72KB

Download
memory/2604-2356-0x0000000004FA0000-0x0000000005016000-memory.dmp

Filesize
472KB

Download
memory/2604-2358-0x0000000005020000-0x0000000005086000-memory.dmp

Filesize
408KB

Download
memory/2604-2362-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/2604-2346-0x0000000002480000-0x0000000002486000-memory.dmp

Filesize
24KB

Download
memory/4200-163-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-165-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-149-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-146-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4200-147-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4200-151-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-145-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4200-153-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-155-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-157-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-159-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-161-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-180-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4200-148-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-167-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-169-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-171-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-173-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-175-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/4200-176-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4200-177-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4200-178-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4200-144-0x0000000004E70000-0x0000000004E88000-memory.dmp

Filesize
96KB

Download
memory/4200-143-0x0000000005000000-0x00000000054FE000-memory.dmp

Filesize
5.0MB

Download
memory/4200-142-0x0000000004E00000-0x0000000004E1A000-memory.dmp

Filesize
104KB

Download