amadey | 141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012

Analysis

max time kernel
144s
max time network
139s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12/04/2023, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe
Size

1.2MB
MD5

0857d0224d5da928bb7bf3b0956882eb
SHA1

3fafd97cfd9e667220f81a500737495974d77f39
SHA256

141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012
SHA512

1db10630027db974014c06c7ff956c52a7e24a743b77e7e510fef28fe8577449234370946a5dd00a0d1a2d5ee82167f4245dca8a269b5a7b597273fddf2c689b
SSDEEP

24576:myX03EjT5mbXgmLO0gEQSMTq6G3ax5wGut/zM+Suc9oU1i:1X0ETo/L7rXcPx5tYY5uc9oe

Score

10^/10

amadey redline diza lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diza

185.161.248.90:4125

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr953489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr953489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr953489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr953489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr953489.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3548	un016226.exe
2348	un395575.exe
5108	pr953489.exe
4616	qu107857.exe
196	1.exe
2104	rk730310.exe
2260	si083144.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr953489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr953489.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un016226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un016226.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un395575.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un395575.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4920	2260	WerFault.exe	73
4240	2260	WerFault.exe	73
3112	2260	WerFault.exe	73
2148	2260	WerFault.exe	73
4080	2260	WerFault.exe	73
4820	2260	WerFault.exe	73
5108	2260	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5108	pr953489.exe
5108	pr953489.exe
196	1.exe
2104	rk730310.exe
2104	rk730310.exe
196	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	pr953489.exe
Token: SeDebugPrivilege	4616	qu107857.exe
Token: SeDebugPrivilege	196	1.exe
Token: SeDebugPrivilege	2104	rk730310.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 3548	4124	141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe	66
PID 4124 wrote to memory of 3548	4124	141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe	66
PID 4124 wrote to memory of 3548	4124	141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe	66
PID 3548 wrote to memory of 2348	3548	un016226.exe	67
PID 3548 wrote to memory of 2348	3548	un016226.exe	67
PID 3548 wrote to memory of 2348	3548	un016226.exe	67
PID 2348 wrote to memory of 5108	2348	un395575.exe	68
PID 2348 wrote to memory of 5108	2348	un395575.exe	68
PID 2348 wrote to memory of 5108	2348	un395575.exe	68
PID 2348 wrote to memory of 4616	2348	un395575.exe	69
PID 2348 wrote to memory of 4616	2348	un395575.exe	69
PID 2348 wrote to memory of 4616	2348	un395575.exe	69
PID 4616 wrote to memory of 196	4616	qu107857.exe	70
PID 4616 wrote to memory of 196	4616	qu107857.exe	70
PID 4616 wrote to memory of 196	4616	qu107857.exe	70
PID 3548 wrote to memory of 2104	3548	un016226.exe	71
PID 3548 wrote to memory of 2104	3548	un016226.exe	71
PID 3548 wrote to memory of 2104	3548	un016226.exe	71
PID 4124 wrote to memory of 2260	4124	141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe	73
PID 4124 wrote to memory of 2260	4124	141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe	73
PID 4124 wrote to memory of 2260	4124	141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe	73

C:\Users\Admin\AppData\Local\Temp\141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe
"C:\Users\Admin\AppData\Local\Temp\141567ba6c7793ac8e6fc7acbae7b6a1f23fbd1f1fa65d2caecf7e3e48423012.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un016226.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un016226.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un395575.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un395575.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr953489.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr953489.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu107857.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu107857.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk730310.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk730310.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si083144.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si083144.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 632
    3⤵
    - Program crash
    PID:4920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 708
    3⤵
    - Program crash
    PID:4240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 844
    3⤵
    - Program crash
    PID:3112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 856
    3⤵
    - Program crash
    PID:2148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 884
    3⤵
    - Program crash
    PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 872
    3⤵
    - Program crash
    PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1080
    3⤵
    - Program crash
    PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si083144.exe

Filesize
396KB

MD5
0ab19756efd0997332573b304b2f8438

SHA1
95e29705d69644160deec6a8d0f998049dc5e49e

SHA256
b252d1fff720056585c7bddff4bf8df3f81d99ec6c07613eae1adfde0c51c835

SHA512
f0f59fcd172f8ad521816f6cab7da001b835ba16130e2dcb754c532cc0adf8cefff62527cf6aba9945b3ef5bd4877e43191cd6a361cc39e55e77242952f8a13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si083144.exe

Filesize
396KB

MD5
0ab19756efd0997332573b304b2f8438

SHA1
95e29705d69644160deec6a8d0f998049dc5e49e

SHA256
b252d1fff720056585c7bddff4bf8df3f81d99ec6c07613eae1adfde0c51c835

SHA512
f0f59fcd172f8ad521816f6cab7da001b835ba16130e2dcb754c532cc0adf8cefff62527cf6aba9945b3ef5bd4877e43191cd6a361cc39e55e77242952f8a13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un016226.exe

Filesize
862KB

MD5
af2264a7fd1cdbaf7e4951e5fcc8fcd5

SHA1
6fbdf95634682dcafd74599fcb4d76c5db57a810

SHA256
66218c5453df24a8dd0e7856331d950789ba540b5b973b69d6d40e50fdb16288

SHA512
af65dd6291fa3bf0245b581b228e24503b20b1c7b9a546cde27b9de2d22ba8a9b946b0de383457e29214be7ac3844bd51210f5df788f3662488f8e054417b395

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un016226.exe

Filesize
862KB

MD5
af2264a7fd1cdbaf7e4951e5fcc8fcd5

SHA1
6fbdf95634682dcafd74599fcb4d76c5db57a810

SHA256
66218c5453df24a8dd0e7856331d950789ba540b5b973b69d6d40e50fdb16288

SHA512
af65dd6291fa3bf0245b581b228e24503b20b1c7b9a546cde27b9de2d22ba8a9b946b0de383457e29214be7ac3844bd51210f5df788f3662488f8e054417b395

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk730310.exe

Filesize
168KB

MD5
c52ebada00a59ec1f651a0e9fbcef2eb

SHA1
e1941278df76616f1ca3202ef2a9f99d2592d52f

SHA256
35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e

SHA512
6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk730310.exe

Filesize
168KB

MD5
c52ebada00a59ec1f651a0e9fbcef2eb

SHA1
e1941278df76616f1ca3202ef2a9f99d2592d52f

SHA256
35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e

SHA512
6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un395575.exe

Filesize
708KB

MD5
fb53e16b74698183097410ac50af3c7d

SHA1
65994ea1e47815af88a237ccd2ed0de2c21bfb98

SHA256
dfcf853d84f8a60bffb63a32b3eea369bbe12b6e439cde9f99f14bf3e5db8184

SHA512
64099e28f20c4fe4d1c386c0ffec59f4e2c6f25004eef2208ca226766e930dec8cf3201d526325cebeb9fb422d05b77c64c0adcc6d49192c1294767ad703eec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un395575.exe

Filesize
708KB

MD5
fb53e16b74698183097410ac50af3c7d

SHA1
65994ea1e47815af88a237ccd2ed0de2c21bfb98

SHA256
dfcf853d84f8a60bffb63a32b3eea369bbe12b6e439cde9f99f14bf3e5db8184

SHA512
64099e28f20c4fe4d1c386c0ffec59f4e2c6f25004eef2208ca226766e930dec8cf3201d526325cebeb9fb422d05b77c64c0adcc6d49192c1294767ad703eec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr953489.exe

Filesize
405KB

MD5
e9c862be7d0f1974ebb8329134589bbb

SHA1
6da32f103ddf9db44ca6369cd5701e20818a44bc

SHA256
03a28e71d8f4e542e95a28e78cb98dadc6868cf78a9c436d383556087c9667b1

SHA512
3f4ee9591b2679b962d9bdd04f31a8aeafca4a68f4691477897bd96ddf3d098e09ecac7dc272b197289980a72a0a87688ae8cb0be3d4b126364e4fb56e977d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr953489.exe

Filesize
405KB

MD5
e9c862be7d0f1974ebb8329134589bbb

SHA1
6da32f103ddf9db44ca6369cd5701e20818a44bc

SHA256
03a28e71d8f4e542e95a28e78cb98dadc6868cf78a9c436d383556087c9667b1

SHA512
3f4ee9591b2679b962d9bdd04f31a8aeafca4a68f4691477897bd96ddf3d098e09ecac7dc272b197289980a72a0a87688ae8cb0be3d4b126364e4fb56e977d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu107857.exe

Filesize
588KB

MD5
a75afa539486cba433979023ded5004b

SHA1
32ba44fd9c80076121b26f4e46353b01b0427481

SHA256
54da1e0e16d1627f94d21dd1463e87fd52f4e0608ced083c681397fc79a17359

SHA512
6ea322586df0d559b5309b1fb8016a68eeb9f2638c9d1e78edbb9844a277549302e5d0cf32e10ab8358ba69f1d25fb5abc19b1f2f3b05fefc69c88d16e0f1a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu107857.exe

Filesize
588KB

MD5
a75afa539486cba433979023ded5004b

SHA1
32ba44fd9c80076121b26f4e46353b01b0427481

SHA256
54da1e0e16d1627f94d21dd1463e87fd52f4e0608ced083c681397fc79a17359

SHA512
6ea322586df0d559b5309b1fb8016a68eeb9f2638c9d1e78edbb9844a277549302e5d0cf32e10ab8358ba69f1d25fb5abc19b1f2f3b05fefc69c88d16e0f1a3c

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/196-2355-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/196-2358-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/196-2359-0x0000000006950000-0x0000000006B12000-memory.dmp

Filesize
1.8MB

Download
memory/196-2352-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/196-2339-0x0000000000520000-0x000000000054E000-memory.dmp

Filesize
184KB

Download
memory/196-2350-0x0000000004EE0000-0x0000000004F2B000-memory.dmp

Filesize
300KB

Download
memory/196-2341-0x0000000000EC0000-0x0000000000EC6000-memory.dmp

Filesize
24KB

Download
memory/196-2360-0x00000000076D0000-0x0000000007BFC000-memory.dmp

Filesize
5.2MB

Download
memory/2104-2353-0x0000000005690000-0x0000000005706000-memory.dmp

Filesize
472KB

Download
memory/2104-2346-0x0000000005900000-0x0000000005F06000-memory.dmp

Filesize
6.0MB

Download
memory/2104-2345-0x00000000051B0000-0x00000000051B6000-memory.dmp

Filesize
24KB

Download
memory/2104-2344-0x0000000000A00000-0x0000000000A30000-memory.dmp

Filesize
192KB

Download
memory/2104-2347-0x0000000005400000-0x000000000550A000-memory.dmp

Filesize
1.0MB

Download
memory/2104-2348-0x0000000005310000-0x0000000005322000-memory.dmp

Filesize
72KB

Download
memory/2104-2349-0x0000000005370000-0x00000000053AE000-memory.dmp

Filesize
248KB

Download
memory/2104-2351-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2104-2354-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/2104-2356-0x0000000006620000-0x0000000006670000-memory.dmp

Filesize
320KB

Download
memory/2104-2357-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2260-2367-0x0000000002370000-0x00000000023AB000-memory.dmp

Filesize
236KB

Download
memory/4616-192-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-2331-0x0000000005650000-0x0000000005682000-memory.dmp

Filesize
200KB

Download
memory/4616-184-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/4616-185-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-186-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-188-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-190-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-194-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-183-0x0000000002870000-0x00000000028D8000-memory.dmp

Filesize
416KB

Download
memory/4616-196-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-198-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-200-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-202-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-204-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-208-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-206-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-210-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-212-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-214-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-216-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-218-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4616-229-0x0000000000AA0000-0x0000000000AFB000-memory.dmp

Filesize
364KB

Download
memory/4616-232-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/4616-230-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/4616-233-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/5108-158-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-140-0x00000000027A0000-0x00000000027B8000-memory.dmp

Filesize
96KB

Download
memory/5108-175-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5108-174-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5108-173-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/5108-172-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-170-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-168-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-166-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-164-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-162-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-154-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-176-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5108-178-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/5108-160-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-152-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-150-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-148-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-146-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-145-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-144-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5108-143-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5108-141-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/5108-142-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5108-156-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/5108-139-0x0000000004E00000-0x00000000052FE000-memory.dmp

Filesize
5.0MB

Download
memory/5108-138-0x00000000023D0000-0x00000000023EA000-memory.dmp

Filesize
104KB

Download