amadey | f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9

Analysis

max time kernel
147s
max time network
115s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13/04/2023, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe
Size

1.1MB
MD5

2b76ea1cfc73f25feac5ec24212c2103
SHA1

794be4b35137a8990bd9382a1e33f6cd7391668f
SHA256

f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9
SHA512

ec8757281d47d988b22c5352b7ba2da6a77c3b84331351be22fd9dc9aa89097a6fcb86f9544680084961115aa33ccb88d733aadd2c807406a065096e24ac31d4
SSDEEP

24576:5ysFlqba4TQK7/WgBG77ahGyFBTm0fjQ1zvNAM:saEGYn//BG77aPS1z

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr038970.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2512	un715537.exe
3028	un513770.exe
3616	pr038970.exe
4624	qu150721.exe
2076	1.exe
4460	rk959703.exe
2072	si354426.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr038970.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un513770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un513770.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un715537.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un715537.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4724	2072	WerFault.exe	73
4588	2072	WerFault.exe	73
1456	2072	WerFault.exe	73
2944	2072	WerFault.exe	73
4164	2072	WerFault.exe	73
1272	2072	WerFault.exe	73
2716	2072	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3616	pr038970.exe
3616	pr038970.exe
4460	rk959703.exe
2076	1.exe
4460	rk959703.exe
2076	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	pr038970.exe
Token: SeDebugPrivilege	4624	qu150721.exe
Token: SeDebugPrivilege	4460	rk959703.exe
Token: SeDebugPrivilege	2076	1.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2512	2460	f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe	66
PID 2460 wrote to memory of 2512	2460	f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe	66
PID 2460 wrote to memory of 2512	2460	f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe	66
PID 2512 wrote to memory of 3028	2512	un715537.exe	67
PID 2512 wrote to memory of 3028	2512	un715537.exe	67
PID 2512 wrote to memory of 3028	2512	un715537.exe	67
PID 3028 wrote to memory of 3616	3028	un513770.exe	68
PID 3028 wrote to memory of 3616	3028	un513770.exe	68
PID 3028 wrote to memory of 3616	3028	un513770.exe	68
PID 3028 wrote to memory of 4624	3028	un513770.exe	69
PID 3028 wrote to memory of 4624	3028	un513770.exe	69
PID 3028 wrote to memory of 4624	3028	un513770.exe	69
PID 4624 wrote to memory of 2076	4624	qu150721.exe	70
PID 4624 wrote to memory of 2076	4624	qu150721.exe	70
PID 4624 wrote to memory of 2076	4624	qu150721.exe	70
PID 2512 wrote to memory of 4460	2512	un715537.exe	71
PID 2512 wrote to memory of 4460	2512	un715537.exe	71
PID 2512 wrote to memory of 4460	2512	un715537.exe	71
PID 2460 wrote to memory of 2072	2460	f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe	73
PID 2460 wrote to memory of 2072	2460	f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe	73
PID 2460 wrote to memory of 2072	2460	f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe	73

C:\Users\Admin\AppData\Local\Temp\f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe
"C:\Users\Admin\AppData\Local\Temp\f3d94074c8c2e06a3910a668f7460fa1c2f305975af706cc158c966d166de7c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un715537.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un715537.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un513770.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un513770.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr038970.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr038970.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu150721.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu150721.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk959703.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk959703.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si354426.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si354426.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 648
    3⤵
    - Program crash
    PID:4724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 716
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 804
    3⤵
    - Program crash
    PID:1456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 884
    3⤵
    - Program crash
    PID:2944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 912
    3⤵
    - Program crash
    PID:4164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 596
    3⤵
    - Program crash
    PID:1272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1080
    3⤵
    - Program crash
    PID:2716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si354426.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si354426.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un715537.exe

Filesize
821KB

MD5
ef2ba00740819d45a2828d07e8dffd56

SHA1
5599f01bf4a9df0aaf8e4092b502ce6ed2079855

SHA256
b2a749e2724a0f770a5be2023033de61bc7e65819580fac6f84ab4e9daa922f5

SHA512
4f4a3bccfe51d6f90c737e6725f6d917d667382fca78260f9e8be462ad4db9cbac55343e01262dd673a6178377346b05d64db725200e65516d96f4d6546a96da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un715537.exe

Filesize
821KB

MD5
ef2ba00740819d45a2828d07e8dffd56

SHA1
5599f01bf4a9df0aaf8e4092b502ce6ed2079855

SHA256
b2a749e2724a0f770a5be2023033de61bc7e65819580fac6f84ab4e9daa922f5

SHA512
4f4a3bccfe51d6f90c737e6725f6d917d667382fca78260f9e8be462ad4db9cbac55343e01262dd673a6178377346b05d64db725200e65516d96f4d6546a96da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk959703.exe

Filesize
168KB

MD5
e7b7af524bd3d5c1db28debc8f3a10b9

SHA1
1513483ddd21ebdf832cb062ba7d77706710f70e

SHA256
22854afd5802ee9ef223b016f31495c8846f232980ed9185bab1fd718cab9224

SHA512
ad2793f35f54ed89e409c3a70632d719cf788a4f78ad041b29bcce9f00cdb37ce1b1ef71f76f9f943e4344573cb3c0ef5b88b6b2aab200ee89847bd6614ffbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk959703.exe

Filesize
168KB

MD5
e7b7af524bd3d5c1db28debc8f3a10b9

SHA1
1513483ddd21ebdf832cb062ba7d77706710f70e

SHA256
22854afd5802ee9ef223b016f31495c8846f232980ed9185bab1fd718cab9224

SHA512
ad2793f35f54ed89e409c3a70632d719cf788a4f78ad041b29bcce9f00cdb37ce1b1ef71f76f9f943e4344573cb3c0ef5b88b6b2aab200ee89847bd6614ffbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un513770.exe

Filesize
667KB

MD5
9978a02db7d38d3cdc68bda877d0e6f7

SHA1
222aab3cf5d9ebe480df2f3638c963af5a68b992

SHA256
c268a20e39a40759b3ca09344927d8ad2403baa9f2c203604cccdc4a99f12f79

SHA512
9523ea0523cf989389e7ea82f4eec0821ae3754a7306bef46c698f9624b5ddb32ceeaabe3245ea751a9b2a4c29d9250aa9e39fe081332b0e31181d5f0034680b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un513770.exe

Filesize
667KB

MD5
9978a02db7d38d3cdc68bda877d0e6f7

SHA1
222aab3cf5d9ebe480df2f3638c963af5a68b992

SHA256
c268a20e39a40759b3ca09344927d8ad2403baa9f2c203604cccdc4a99f12f79

SHA512
9523ea0523cf989389e7ea82f4eec0821ae3754a7306bef46c698f9624b5ddb32ceeaabe3245ea751a9b2a4c29d9250aa9e39fe081332b0e31181d5f0034680b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr038970.exe

Filesize
318KB

MD5
42a723d1cd7a71a7eaf2a5447a857285

SHA1
9a1bf6f385221422f24ffea85f2f079705ea84c4

SHA256
7b41106a6c43c1a124bfe94ce666175a4c9ef0bdd3c5316357ad2a4d4dc3e6d6

SHA512
b929c88a07036420b4f8915585d64cebd1176f0c05974b99dda8e62cb92e927aad90165102106fc9b3dbf2a61dc30621bdb55222a5f26e78eb5ceb05211ccab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr038970.exe

Filesize
318KB

MD5
42a723d1cd7a71a7eaf2a5447a857285

SHA1
9a1bf6f385221422f24ffea85f2f079705ea84c4

SHA256
7b41106a6c43c1a124bfe94ce666175a4c9ef0bdd3c5316357ad2a4d4dc3e6d6

SHA512
b929c88a07036420b4f8915585d64cebd1176f0c05974b99dda8e62cb92e927aad90165102106fc9b3dbf2a61dc30621bdb55222a5f26e78eb5ceb05211ccab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu150721.exe

Filesize
502KB

MD5
db2be11ffa96c4b2e82199aaf4a97aab

SHA1
06846d0f05f22cac0255c6b8da1490053482de8f

SHA256
8d1a74f2620be95c1a7605ffec1350019396c4f16cda7810d540cc9ccedcb02d

SHA512
d4563d88cab89d6ee98f82f1805098693448d05320dde151594ee5bab5928b32076edd7321a0e03afd4eb25064c92f5533e1fe5865160f1eb7430fa2ffaf728a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu150721.exe

Filesize
502KB

MD5
db2be11ffa96c4b2e82199aaf4a97aab

SHA1
06846d0f05f22cac0255c6b8da1490053482de8f

SHA256
8d1a74f2620be95c1a7605ffec1350019396c4f16cda7810d540cc9ccedcb02d

SHA512
d4563d88cab89d6ee98f82f1805098693448d05320dde151594ee5bab5928b32076edd7321a0e03afd4eb25064c92f5533e1fe5865160f1eb7430fa2ffaf728a

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/2072-2368-0x0000000000740000-0x000000000077B000-memory.dmp

Filesize
236KB

Download
memory/2076-2346-0x0000000005630000-0x0000000005C36000-memory.dmp

Filesize
6.0MB

Download
memory/2076-2351-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2076-2343-0x0000000000D70000-0x0000000000D76000-memory.dmp

Filesize
24KB

Download
memory/2076-2353-0x00000000052F0000-0x0000000005366000-memory.dmp

Filesize
472KB

Download
memory/2076-2339-0x0000000000660000-0x000000000068E000-memory.dmp

Filesize
184KB

Download
memory/2076-2356-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/2076-2358-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2076-2359-0x0000000006B50000-0x0000000006D12000-memory.dmp

Filesize
1.8MB

Download
memory/2076-2361-0x0000000006380000-0x00000000063D0000-memory.dmp

Filesize
320KB

Download
memory/3616-164-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-166-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-173-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3616-174-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/3616-176-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3616-170-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-168-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-140-0x0000000000610000-0x000000000063D000-memory.dmp

Filesize
180KB

Download
memory/3616-141-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/3616-142-0x0000000002200000-0x000000000221A000-memory.dmp

Filesize
104KB

Download
memory/3616-143-0x0000000004C00000-0x00000000050FE000-memory.dmp

Filesize
5.0MB

Download
memory/3616-152-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-144-0x00000000022C0000-0x00000000022D8000-memory.dmp

Filesize
96KB

Download
memory/3616-145-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-160-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-172-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-146-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-162-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-148-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-158-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-156-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-150-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3616-154-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4460-2355-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/4460-2348-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/4460-2347-0x0000000004C10000-0x0000000004D1A000-memory.dmp

Filesize
1.0MB

Download
memory/4460-2349-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4460-2345-0x0000000006E80000-0x0000000006E86000-memory.dmp

Filesize
24KB

Download
memory/4460-2350-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/4460-2352-0x0000000004D20000-0x0000000004D6B000-memory.dmp

Filesize
300KB

Download
memory/4460-2344-0x0000000000240000-0x0000000000270000-memory.dmp

Filesize
192KB

Download
memory/4460-2354-0x0000000004EC0000-0x0000000004F36000-memory.dmp

Filesize
472KB

Download
memory/4460-2357-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/4460-2360-0x00000000083C0000-0x00000000088EC000-memory.dmp

Filesize
5.2MB

Download
memory/4624-194-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-2331-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/4624-2329-0x0000000005300000-0x0000000005332000-memory.dmp

Filesize
200KB

Download
memory/4624-225-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/4624-223-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/4624-221-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/4624-219-0x0000000000690000-0x00000000006EB000-memory.dmp

Filesize
364KB

Download
memory/4624-216-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-214-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-212-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-210-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-208-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-206-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-204-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-202-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-200-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-198-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-196-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-192-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-190-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-188-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-186-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-184-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-183-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4624-182-0x00000000028D0000-0x0000000002936000-memory.dmp

Filesize
408KB

Download
memory/4624-181-0x00000000007E0000-0x0000000000848000-memory.dmp

Filesize
416KB

Download