amadey | 0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c

Analysis

max time kernel
142s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13/04/2023, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe
Size

964KB
MD5

2bc8bae2beb8c44c1966f05ddb642334
SHA1

cf45bf710e668df74b99f540b91ad26daeac60ff
SHA256

0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c
SHA512

0e76fc285d831ff2e773fb02b63e8ba28cc67f00b84baca0e81bd074504137742f66375b8f7949bfd63bb56d00cab159c8c92f28100722e22677ea9fdb7c69f3
SSDEEP

24576:Hy+s2RyfxnQ7VZ7LoeJuQzlV2UDGpkK8NODsTpYS9/:SxnQ7XoeMQzrxDGpcAsTpY

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it437099.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it437099.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it437099.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it437099.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it437099.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4100	ziXf0351.exe
3532	zitV8595.exe
4504	it437099.exe
4936	jr217325.exe
196	1.exe
1416	kp631976.exe
4312	lr705662.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it437099.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziXf0351.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziXf0351.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zitV8595.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zitV8595.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
5012	4312	WerFault.exe	73
2076	4312	WerFault.exe	73
3256	4312	WerFault.exe	73
4572	4312	WerFault.exe	73
4004	4312	WerFault.exe	73
1564	4312	WerFault.exe	73
4760	4312	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4504	it437099.exe
4504	it437099.exe
196	1.exe
1416	kp631976.exe
196	1.exe
1416	kp631976.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	it437099.exe
Token: SeDebugPrivilege	4936	jr217325.exe
Token: SeDebugPrivilege	196	1.exe
Token: SeDebugPrivilege	1416	kp631976.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 4100	996	0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe	66
PID 996 wrote to memory of 4100	996	0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe	66
PID 996 wrote to memory of 4100	996	0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe	66
PID 4100 wrote to memory of 3532	4100	ziXf0351.exe	67
PID 4100 wrote to memory of 3532	4100	ziXf0351.exe	67
PID 4100 wrote to memory of 3532	4100	ziXf0351.exe	67
PID 3532 wrote to memory of 4504	3532	zitV8595.exe	68
PID 3532 wrote to memory of 4504	3532	zitV8595.exe	68
PID 3532 wrote to memory of 4936	3532	zitV8595.exe	69
PID 3532 wrote to memory of 4936	3532	zitV8595.exe	69
PID 3532 wrote to memory of 4936	3532	zitV8595.exe	69
PID 4936 wrote to memory of 196	4936	jr217325.exe	70
PID 4936 wrote to memory of 196	4936	jr217325.exe	70
PID 4936 wrote to memory of 196	4936	jr217325.exe	70
PID 4100 wrote to memory of 1416	4100	ziXf0351.exe	71
PID 4100 wrote to memory of 1416	4100	ziXf0351.exe	71
PID 4100 wrote to memory of 1416	4100	ziXf0351.exe	71
PID 996 wrote to memory of 4312	996	0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe	73
PID 996 wrote to memory of 4312	996	0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe	73
PID 996 wrote to memory of 4312	996	0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe	73

C:\Users\Admin\AppData\Local\Temp\0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe
"C:\Users\Admin\AppData\Local\Temp\0e8a2cfd9c7efe1ecdd2bc7f1aba8a3b958f3e8dd9e544fb0f3211d44715f63c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXf0351.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXf0351.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zitV8595.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zitV8595.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it437099.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it437099.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr217325.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr217325.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp631976.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp631976.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr705662.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr705662.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 644
    3⤵
    - Program crash
    PID:5012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 720
    3⤵
    - Program crash
    PID:2076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 848
    3⤵
    - Program crash
    PID:3256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 856
    3⤵
    - Program crash
    PID:4572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 884
    3⤵
    - Program crash
    PID:4004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 896
    3⤵
    - Program crash
    PID:1564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1084
    3⤵
    - Program crash
    PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr705662.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr705662.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXf0351.exe

Filesize
680KB

MD5
40aa92db514c3e6a93dc2682995dd7e4

SHA1
6d0c65d5af2bce9e86583ee56781a104fba02a3b

SHA256
23babbb200bed18181d76ba267f06f19a2ec989c46e3279b333fbc5f49b1ee29

SHA512
ecaa3c90c8547a7c02f356f8a4f527ab7928a38848e58dcab24c2cba43bd78b555b55727c9ecc258aecac2b9fd76cf04443002b6fe12712f123357d479b364b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXf0351.exe

Filesize
680KB

MD5
40aa92db514c3e6a93dc2682995dd7e4

SHA1
6d0c65d5af2bce9e86583ee56781a104fba02a3b

SHA256
23babbb200bed18181d76ba267f06f19a2ec989c46e3279b333fbc5f49b1ee29

SHA512
ecaa3c90c8547a7c02f356f8a4f527ab7928a38848e58dcab24c2cba43bd78b555b55727c9ecc258aecac2b9fd76cf04443002b6fe12712f123357d479b364b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp631976.exe

Filesize
168KB

MD5
e618f23d2bee5b660a6fcc7b714a5e29

SHA1
1ca9202538f2b0b428edc5f2b3276050c7c580d0

SHA256
292e1ca94be63d00220952855ba19bacb441bd0481264c75fc2e204297b8a656

SHA512
18ce787aac9bec8e3332aff12bc2a8418e4a0b428339ee5fb384ceeb5ed86a639287bd7d306f86302e95fe74d824a3a81ee655f338bd77478eb05e71a29e99e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp631976.exe

Filesize
168KB

MD5
e618f23d2bee5b660a6fcc7b714a5e29

SHA1
1ca9202538f2b0b428edc5f2b3276050c7c580d0

SHA256
292e1ca94be63d00220952855ba19bacb441bd0481264c75fc2e204297b8a656

SHA512
18ce787aac9bec8e3332aff12bc2a8418e4a0b428339ee5fb384ceeb5ed86a639287bd7d306f86302e95fe74d824a3a81ee655f338bd77478eb05e71a29e99e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zitV8595.exe

Filesize
526KB

MD5
1c26f29435c2b19b00f64dd23e4b716d

SHA1
6e08512952c632a07d6429aed00901cecdc3307f

SHA256
6bd9592df5002ea190ae88ca2aa2bbe417b94c36eabcf91395eae297ce69cdbc

SHA512
77e0bd0b9523101e17586f6a307fe8af30d72dc6b393603c48a471043c03f1f3490fef0769302edf820cb6bc840159bfc6019574ebb96054ba9bf73055d37343

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zitV8595.exe

Filesize
526KB

MD5
1c26f29435c2b19b00f64dd23e4b716d

SHA1
6e08512952c632a07d6429aed00901cecdc3307f

SHA256
6bd9592df5002ea190ae88ca2aa2bbe417b94c36eabcf91395eae297ce69cdbc

SHA512
77e0bd0b9523101e17586f6a307fe8af30d72dc6b393603c48a471043c03f1f3490fef0769302edf820cb6bc840159bfc6019574ebb96054ba9bf73055d37343

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it437099.exe

Filesize
11KB

MD5
c1c020c59cdf379c115377423ebcd969

SHA1
156ff2c61339f776ce26be8f4489fbb5966ec1f7

SHA256
2990ab23d14cb70a564db14a77dd09a8afff17f1f344d4163042860879ed430d

SHA512
994e5cd7be3d64988c5d795afef7f8b92fb3c335291fefc9b2b4f8a99e037f3c42fe2728bc31453ddd2bee3a6d41325f1b1743cf813780eb9fa91212b9c71ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it437099.exe

Filesize
11KB

MD5
c1c020c59cdf379c115377423ebcd969

SHA1
156ff2c61339f776ce26be8f4489fbb5966ec1f7

SHA256
2990ab23d14cb70a564db14a77dd09a8afff17f1f344d4163042860879ed430d

SHA512
994e5cd7be3d64988c5d795afef7f8b92fb3c335291fefc9b2b4f8a99e037f3c42fe2728bc31453ddd2bee3a6d41325f1b1743cf813780eb9fa91212b9c71ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr217325.exe

Filesize
502KB

MD5
c9beb29b87cf9d2d255ad25faca97d40

SHA1
fb19adb519f944742019bc376b1c5501e089624a

SHA256
f0c16d5fab8d669eef12b0ba3ad1ee60d8acb6636e9a1ec6c572d1041c2ab5ac

SHA512
d5acdee2a2439de6a8258bcefdab064d1d444f0ffb26a404f09f2804531ca728c82487c75d63528bf2ac0d7d92d2ee472a6a8a31bb9b3105cdae49b5e4e649a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr217325.exe

Filesize
502KB

MD5
c9beb29b87cf9d2d255ad25faca97d40

SHA1
fb19adb519f944742019bc376b1c5501e089624a

SHA256
f0c16d5fab8d669eef12b0ba3ad1ee60d8acb6636e9a1ec6c572d1041c2ab5ac

SHA512
d5acdee2a2439de6a8258bcefdab064d1d444f0ffb26a404f09f2804531ca728c82487c75d63528bf2ac0d7d92d2ee472a6a8a31bb9b3105cdae49b5e4e649a4

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/196-2321-0x0000000006A80000-0x0000000006C42000-memory.dmp

Filesize
1.8MB

Download
memory/196-2325-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/196-2304-0x0000000000D00000-0x0000000000D2E000-memory.dmp

Filesize
184KB

Download
memory/196-2320-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/196-2305-0x0000000002D90000-0x0000000002D96000-memory.dmp

Filesize
24KB

Download
memory/196-2312-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/196-2318-0x0000000005990000-0x0000000005A06000-memory.dmp

Filesize
472KB

Download
memory/196-2317-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/196-2315-0x00000000056C0000-0x000000000570B000-memory.dmp

Filesize
300KB

Download
memory/1416-2316-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/1416-2314-0x0000000009FC0000-0x0000000009FFE000-memory.dmp

Filesize
248KB

Download
memory/1416-2313-0x0000000009F60000-0x0000000009F72000-memory.dmp

Filesize
72KB

Download
memory/1416-2324-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/1416-2311-0x000000000A4A0000-0x000000000AAA6000-memory.dmp

Filesize
6.0MB

Download
memory/1416-2310-0x00000000049A0000-0x00000000049A6000-memory.dmp

Filesize
24KB

Download
memory/1416-2309-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1416-2322-0x000000000BD80000-0x000000000C2AC000-memory.dmp

Filesize
5.2MB

Download
memory/1416-2319-0x000000000A400000-0x000000000A492000-memory.dmp

Filesize
584KB

Download
memory/1416-2323-0x000000000B5D0000-0x000000000B620000-memory.dmp

Filesize
320KB

Download
memory/4312-2332-0x0000000000610000-0x000000000064B000-memory.dmp

Filesize
236KB

Download
memory/4504-141-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/4936-162-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-181-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4936-195-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-197-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-199-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-201-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-203-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-205-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-207-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-211-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-209-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-213-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-215-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-217-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-2296-0x00000000052F0000-0x0000000005322000-memory.dmp

Filesize
200KB

Download
memory/4936-193-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-191-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-189-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-182-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-185-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-183-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4936-187-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-178-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-179-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4936-176-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-174-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-172-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-170-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-168-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-166-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-164-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-160-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-158-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-156-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-154-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-152-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-151-0x0000000002740000-0x00000000027A0000-memory.dmp

Filesize
384KB

Download
memory/4936-150-0x0000000002740000-0x00000000027A6000-memory.dmp

Filesize
408KB

Download
memory/4936-149-0x0000000004CF0000-0x00000000051EE000-memory.dmp

Filesize
5.0MB

Download
memory/4936-148-0x00000000025C0000-0x0000000002628000-memory.dmp

Filesize
416KB

Download
memory/4936-147-0x0000000000640000-0x000000000069B000-memory.dmp

Filesize
364KB

Download