amadey | 85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c

Analysis

max time kernel
146s
max time network
103s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13-04-2023 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe
Size

1.2MB
MD5

e67a3f1742c895c9bd37e3db844c68a2
SHA1

b8420be8cfaee673ba95009e3d60fcacad161266
SHA256

85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c
SHA512

381e782c3c44151b545385e83f0aba9337c8b899dd729ff7d9d63d1be2df245d6101f5aac9789d58b0b0663bc368563dd5b4b12f3c4e62d61d66c7239cb5d8db
SSDEEP

24576:Py25ysqrrT1eUHbO/KuW30qVhIuvzZNm8k5QSND9+jpZr:awi1zHy3kb7y89qYjj

Score

10^/10

amadey redline diro lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diro

185.161.248.90:4125

Attributes

auth_value
ae95bda0dd2e95169886a3a68138568b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr776495.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr776495.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr776495.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr776495.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr776495.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2484	un208591.exe
2592	un026843.exe
3084	pr776495.exe
1356	qu099326.exe
3428	1.exe
1632	rk746418.exe
4088	si153582.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr776495.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr776495.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un208591.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un026843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un026843.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un208591.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4696	4088	WerFault.exe	73
2808	4088	WerFault.exe	73
5012	4088	WerFault.exe	73
3084	4088	WerFault.exe	73
2732	4088	WerFault.exe	73
3052	4088	WerFault.exe	73
2240	4088	WerFault.exe	73
1344	4088	WerFault.exe	73
4592	4088	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3084	pr776495.exe
3084	pr776495.exe
1632	rk746418.exe
1632	rk746418.exe
3428	1.exe
3428	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	pr776495.exe
Token: SeDebugPrivilege	1356	qu099326.exe
Token: SeDebugPrivilege	1632	rk746418.exe
Token: SeDebugPrivilege	3428	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4088	si153582.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2484	2236	85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe	66
PID 2236 wrote to memory of 2484	2236	85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe	66
PID 2236 wrote to memory of 2484	2236	85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe	66
PID 2484 wrote to memory of 2592	2484	un208591.exe	67
PID 2484 wrote to memory of 2592	2484	un208591.exe	67
PID 2484 wrote to memory of 2592	2484	un208591.exe	67
PID 2592 wrote to memory of 3084	2592	un026843.exe	68
PID 2592 wrote to memory of 3084	2592	un026843.exe	68
PID 2592 wrote to memory of 3084	2592	un026843.exe	68
PID 2592 wrote to memory of 1356	2592	un026843.exe	69
PID 2592 wrote to memory of 1356	2592	un026843.exe	69
PID 2592 wrote to memory of 1356	2592	un026843.exe	69
PID 1356 wrote to memory of 3428	1356	qu099326.exe	70
PID 1356 wrote to memory of 3428	1356	qu099326.exe	70
PID 1356 wrote to memory of 3428	1356	qu099326.exe	70
PID 2484 wrote to memory of 1632	2484	un208591.exe	71
PID 2484 wrote to memory of 1632	2484	un208591.exe	71
PID 2484 wrote to memory of 1632	2484	un208591.exe	71
PID 2236 wrote to memory of 4088	2236	85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe	73
PID 2236 wrote to memory of 4088	2236	85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe	73
PID 2236 wrote to memory of 4088	2236	85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe	73

C:\Users\Admin\AppData\Local\Temp\85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe
"C:\Users\Admin\AppData\Local\Temp\85ebf911d03983e6e8b7fadfff4a91722ee9d2ec30203cd8389379ba7070993c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un208591.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un208591.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un026843.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un026843.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu099326.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu099326.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk746418.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk746418.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si153582.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si153582.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 632
    3⤵
    - Program crash
    PID:4696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 708
    3⤵
    - Program crash
    PID:2808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 812
    3⤵
    - Program crash
    PID:5012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 856
    3⤵
    - Program crash
    PID:3084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 892
    3⤵
    - Program crash
    PID:2732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 932
    3⤵
    - Program crash
    PID:3052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1124
    3⤵
    - Program crash
    PID:2240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1156
    3⤵
    - Program crash
    PID:1344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1212
    3⤵
    - Program crash
    PID:4592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si153582.exe

Filesize
397KB

MD5
4d611f4112ed8379871f8bcb211ca4a3

SHA1
5da68386eaf519b34f8de099d3443379ab027ef7

SHA256
a76929112fba2a0c2a7eaf33e6fef368ba8f828ec791192b7a44b13fb86ed80e

SHA512
4801282feec1c85982f1eceaba0293f99b64a001b7ff3c7e46e147d10f88ede3dd421c67117ccc19ac2b3e4245009bbecb5de497c5c0cd4c4ae120717ab310a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si153582.exe

Filesize
397KB

MD5
4d611f4112ed8379871f8bcb211ca4a3

SHA1
5da68386eaf519b34f8de099d3443379ab027ef7

SHA256
a76929112fba2a0c2a7eaf33e6fef368ba8f828ec791192b7a44b13fb86ed80e

SHA512
4801282feec1c85982f1eceaba0293f99b64a001b7ff3c7e46e147d10f88ede3dd421c67117ccc19ac2b3e4245009bbecb5de497c5c0cd4c4ae120717ab310a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un208591.exe

Filesize
862KB

MD5
ac5ca689e6070201b5f0a9cf423d277b

SHA1
3c211418c686a3e2b4ecc027d88bf84dcccc988a

SHA256
73fd85954398a6586b3ff629920ebd0fdc9d7f7ededfb438575bdc960dfd5590

SHA512
130bddd3ee7d0138d95aa700b45b72cae8164ba39a5e2336f5424e7b19bef3a85dba4a3cc4a976be2141903f4745907b58e3b36a20008ea5d323968b23942e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un208591.exe

Filesize
862KB

MD5
ac5ca689e6070201b5f0a9cf423d277b

SHA1
3c211418c686a3e2b4ecc027d88bf84dcccc988a

SHA256
73fd85954398a6586b3ff629920ebd0fdc9d7f7ededfb438575bdc960dfd5590

SHA512
130bddd3ee7d0138d95aa700b45b72cae8164ba39a5e2336f5424e7b19bef3a85dba4a3cc4a976be2141903f4745907b58e3b36a20008ea5d323968b23942e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk746418.exe

Filesize
168KB

MD5
aa8bb998c46f60bacf91f98f8d4d7b5c

SHA1
61c7e314d916035128849f85a29b34ac1fb482e0

SHA256
7e0252d52b7ff9e4466411941eb98cc220824be0f2eefdfe38e6b494f1176131

SHA512
3e1e8400351fbeedbb0f07370260dea23782c24924482d33c54f9db9659c858c2ee89f69b9a8256b091efec0ea33b09e408e0d218769ca3e2cbd013dd935dde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk746418.exe

Filesize
168KB

MD5
aa8bb998c46f60bacf91f98f8d4d7b5c

SHA1
61c7e314d916035128849f85a29b34ac1fb482e0

SHA256
7e0252d52b7ff9e4466411941eb98cc220824be0f2eefdfe38e6b494f1176131

SHA512
3e1e8400351fbeedbb0f07370260dea23782c24924482d33c54f9db9659c858c2ee89f69b9a8256b091efec0ea33b09e408e0d218769ca3e2cbd013dd935dde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un026843.exe

Filesize
708KB

MD5
4b825f6a084d5e3bd711f2f634813ba0

SHA1
c67911903c7dd538319646f63f61cca94cd0d4c7

SHA256
2762ac94d8b4d682f2668e9b7e9622f7780e6ffb71d1b892f9e30521cd043c64

SHA512
14657dda014f7871fb1288ea78ff0026b589a6cdac3208bb7fad129db546b60461d4f7e1a0d29301baa3cc3bc5f0de0bcfaea2f36bd369307cf17b96bb9210bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un026843.exe

Filesize
708KB

MD5
4b825f6a084d5e3bd711f2f634813ba0

SHA1
c67911903c7dd538319646f63f61cca94cd0d4c7

SHA256
2762ac94d8b4d682f2668e9b7e9622f7780e6ffb71d1b892f9e30521cd043c64

SHA512
14657dda014f7871fb1288ea78ff0026b589a6cdac3208bb7fad129db546b60461d4f7e1a0d29301baa3cc3bc5f0de0bcfaea2f36bd369307cf17b96bb9210bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe

Filesize
404KB

MD5
2a0416295de9cc413f5ebb18fb4cb31c

SHA1
7d4db9d8c9a095adcfe6e04c1405ac7e3ac6576a

SHA256
57232c2d0e46628b65d787836e304ed09822f033e73345794393740b0d59f100

SHA512
359c1c07622aaf7c37a86b6216b1198a6ad9fe49f97981698d81c0a3283af816ed5e5c65e88307ac610dd4f80c8b3af5025451e847dcfb635edbda751d220c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe

Filesize
404KB

MD5
2a0416295de9cc413f5ebb18fb4cb31c

SHA1
7d4db9d8c9a095adcfe6e04c1405ac7e3ac6576a

SHA256
57232c2d0e46628b65d787836e304ed09822f033e73345794393740b0d59f100

SHA512
359c1c07622aaf7c37a86b6216b1198a6ad9fe49f97981698d81c0a3283af816ed5e5c65e88307ac610dd4f80c8b3af5025451e847dcfb635edbda751d220c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu099326.exe

Filesize
588KB

MD5
0ed9ace25377cf95eca960af07c17bc0

SHA1
3659f09bc07edee2373226bbecbc2696510c69f6

SHA256
e545e3700e26aae0861f17fe90d61267255853605a4aa9eee3596baedcd51f87

SHA512
d968982c98db3a6639aa54f8b28c97d625bc2c9fa0d1f1c8148d8d0b9c5d0e5340069837128f34c6f629e123fcf12afeff99dbf4986d194e8b57aa775ad41c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu099326.exe

Filesize
588KB

MD5
0ed9ace25377cf95eca960af07c17bc0

SHA1
3659f09bc07edee2373226bbecbc2696510c69f6

SHA256
e545e3700e26aae0861f17fe90d61267255853605a4aa9eee3596baedcd51f87

SHA512
d968982c98db3a6639aa54f8b28c97d625bc2c9fa0d1f1c8148d8d0b9c5d0e5340069837128f34c6f629e123fcf12afeff99dbf4986d194e8b57aa775ad41c01

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1356-199-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-195-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-2336-0x0000000002960000-0x0000000002992000-memory.dmp

Filesize
200KB

Download
memory/1356-227-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-225-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-223-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-221-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-219-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-217-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-211-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-215-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-214-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/1356-212-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/1356-210-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/1356-205-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-208-0x0000000000990000-0x00000000009EB000-memory.dmp

Filesize
364KB

Download
memory/1356-207-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-203-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-201-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-197-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-193-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-188-0x00000000026D0000-0x0000000002738000-memory.dmp

Filesize
416KB

Download
memory/1356-189-0x0000000004FA0000-0x0000000005006000-memory.dmp

Filesize
408KB

Download
memory/1356-190-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1356-191-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1632-2349-0x0000000002700000-0x0000000002706000-memory.dmp

Filesize
24KB

Download
memory/1632-2348-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/1632-2365-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/1632-2363-0x0000000006250000-0x00000000062A0000-memory.dmp

Filesize
320KB

Download
memory/1632-2358-0x0000000005170000-0x00000000051E6000-memory.dmp

Filesize
472KB

Download
memory/1632-2357-0x0000000004FF0000-0x000000000503B000-memory.dmp

Filesize
300KB

Download
memory/1632-2356-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/1632-2352-0x0000000004EE0000-0x0000000004FEA000-memory.dmp

Filesize
1.0MB

Download
memory/1632-2351-0x00000000053E0000-0x00000000059E6000-memory.dmp

Filesize
6.0MB

Download
memory/3084-171-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-147-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3084-173-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-150-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-169-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-167-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-165-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-163-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-161-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-159-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-157-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-155-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-148-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3084-183-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/3084-146-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3084-145-0x0000000004E90000-0x0000000004EA8000-memory.dmp

Filesize
96KB

Download
memory/3084-143-0x0000000002410000-0x000000000242A000-memory.dmp

Filesize
104KB

Download
memory/3084-177-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-153-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-175-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-178-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/3084-179-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3084-144-0x0000000004FE0000-0x00000000054DE000-memory.dmp

Filesize
5.0MB

Download
memory/3084-151-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3084-149-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3084-180-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3084-181-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3428-2350-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/3428-2359-0x000000000AA30000-0x000000000AAC2000-memory.dmp

Filesize
584KB

Download
memory/3428-2360-0x000000000AAD0000-0x000000000AB36000-memory.dmp

Filesize
408KB

Download
memory/3428-2361-0x000000000B6A0000-0x000000000B862000-memory.dmp

Filesize
1.8MB

Download
memory/3428-2362-0x000000000BDA0000-0x000000000C2CC000-memory.dmp

Filesize
5.2MB

Download
memory/3428-2355-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/3428-2364-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/3428-2354-0x0000000009EA0000-0x0000000009EDE000-memory.dmp

Filesize
248KB

Download
memory/3428-2353-0x0000000009E40000-0x0000000009E52000-memory.dmp

Filesize
72KB

Download
memory/3428-2346-0x0000000000110000-0x000000000013E000-memory.dmp

Filesize
184KB

Download
memory/4088-2372-0x0000000002430000-0x000000000246B000-memory.dmp

Filesize
236KB

Download