amadey | f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8

Analysis

max time kernel
148s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13-04-2023 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe
Size

1.2MB
MD5

922b31538ca68987cf55a54d2d015333
SHA1

ab053cf478a6d7ad373814ec3bb43845942a6482
SHA256

f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8
SHA512

ac25634d74ce2ee6bf7232bd14335ce0288c785f3981937755b69ccd81b2dd12cd89a303859b651a90a313ac61d1e589b1bc60e69d0a2302170b3859abbb2cc5
SSDEEP

24576:IyJ/Ncu6zxuC2sohcplXWPO8q1iIqgh7NvoGEm82h4BPyVV1BxTaR1d2:PZNW9qcrXWPnvWQS8JBcBxM

Score

10^/10

amadey redline diro lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diro

185.161.248.90:4125

Attributes

auth_value
ae95bda0dd2e95169886a3a68138568b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr677675.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr677675.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr677675.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr677675.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr677675.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3652	un826684.exe
4608	un111934.exe
5008	pr677675.exe
4268	qu540558.exe
168	1.exe
212	rk578097.exe
4040	si154179.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr677675.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr677675.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un826684.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un826684.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un111934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un111934.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4340	4040	WerFault.exe	73
1636	4040	WerFault.exe	73
4412	4040	WerFault.exe	73
1708	4040	WerFault.exe	73
2088	4040	WerFault.exe	73
4136	4040	WerFault.exe	73
3984	4040	WerFault.exe	73
4772	4040	WerFault.exe	73
2516	4040	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5008	pr677675.exe
5008	pr677675.exe
168	1.exe
168	1.exe
212	rk578097.exe
212	rk578097.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	pr677675.exe
Token: SeDebugPrivilege	4268	qu540558.exe
Token: SeDebugPrivilege	168	1.exe
Token: SeDebugPrivilege	212	rk578097.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4040	si154179.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 3652	420	f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe	66
PID 420 wrote to memory of 3652	420	f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe	66
PID 420 wrote to memory of 3652	420	f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe	66
PID 3652 wrote to memory of 4608	3652	un826684.exe	67
PID 3652 wrote to memory of 4608	3652	un826684.exe	67
PID 3652 wrote to memory of 4608	3652	un826684.exe	67
PID 4608 wrote to memory of 5008	4608	un111934.exe	68
PID 4608 wrote to memory of 5008	4608	un111934.exe	68
PID 4608 wrote to memory of 5008	4608	un111934.exe	68
PID 4608 wrote to memory of 4268	4608	un111934.exe	69
PID 4608 wrote to memory of 4268	4608	un111934.exe	69
PID 4608 wrote to memory of 4268	4608	un111934.exe	69
PID 4268 wrote to memory of 168	4268	qu540558.exe	70
PID 4268 wrote to memory of 168	4268	qu540558.exe	70
PID 4268 wrote to memory of 168	4268	qu540558.exe	70
PID 3652 wrote to memory of 212	3652	un826684.exe	71
PID 3652 wrote to memory of 212	3652	un826684.exe	71
PID 3652 wrote to memory of 212	3652	un826684.exe	71
PID 420 wrote to memory of 4040	420	f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe	73
PID 420 wrote to memory of 4040	420	f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe	73
PID 420 wrote to memory of 4040	420	f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe	73

C:\Users\Admin\AppData\Local\Temp\f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe
"C:\Users\Admin\AppData\Local\Temp\f17ede0f57c607e5cce6bfa5a89b30ae547ff2dd9732b338e23f49c5935487a8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un826684.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un826684.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un111934.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un111934.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr677675.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr677675.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu540558.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu540558.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578097.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578097.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si154179.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si154179.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 636
    3⤵
    - Program crash
    PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 712
    3⤵
    - Program crash
    PID:1636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 852
    3⤵
    - Program crash
    PID:4412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 860
    3⤵
    - Program crash
    PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 888
    3⤵
    - Program crash
    PID:2088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 896
    3⤵
    - Program crash
    PID:4136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1136
    3⤵
    - Program crash
    PID:3984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1192
    3⤵
    - Program crash
    PID:4772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1172
    3⤵
    - Program crash
    PID:2516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si154179.exe

Filesize
397KB

MD5
bbbec5ce3b1279c6472793690cb1a268

SHA1
74ced06a77e3f7f0599292de1619afd378595a97

SHA256
4e396c3bcad1b9a096007f3126dddd3865ff9ff9413a4ae3c3cacc41cd4e21af

SHA512
f50d6644855b84ffee35a8470bc349bfffc8a6c6e9053cdec33d2374b00a473abda7fbb6d2dfe694d96b439d97832d65112c73d4e5c45077d86fe8e6b9053a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si154179.exe

Filesize
397KB

MD5
bbbec5ce3b1279c6472793690cb1a268

SHA1
74ced06a77e3f7f0599292de1619afd378595a97

SHA256
4e396c3bcad1b9a096007f3126dddd3865ff9ff9413a4ae3c3cacc41cd4e21af

SHA512
f50d6644855b84ffee35a8470bc349bfffc8a6c6e9053cdec33d2374b00a473abda7fbb6d2dfe694d96b439d97832d65112c73d4e5c45077d86fe8e6b9053a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un826684.exe

Filesize
862KB

MD5
a77b71ee61c8e3f99eed8b3991dcf197

SHA1
71e73efded1e152e5284595ddf83d088ffa7ae42

SHA256
368fd347a6d7bfec6f0b9933f897d5d15f01599d3c4fcc163d79f8a8fe92654f

SHA512
3950f3e020ad9f9056919f7281f814ce81bee68a8ae1acbb18934d4d545f2f06c8955fd821b8e61ca91944bd61467f5ee40053cacd72cea13918fcb70c0820e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un826684.exe

Filesize
862KB

MD5
a77b71ee61c8e3f99eed8b3991dcf197

SHA1
71e73efded1e152e5284595ddf83d088ffa7ae42

SHA256
368fd347a6d7bfec6f0b9933f897d5d15f01599d3c4fcc163d79f8a8fe92654f

SHA512
3950f3e020ad9f9056919f7281f814ce81bee68a8ae1acbb18934d4d545f2f06c8955fd821b8e61ca91944bd61467f5ee40053cacd72cea13918fcb70c0820e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578097.exe

Filesize
168KB

MD5
aa8bb998c46f60bacf91f98f8d4d7b5c

SHA1
61c7e314d916035128849f85a29b34ac1fb482e0

SHA256
7e0252d52b7ff9e4466411941eb98cc220824be0f2eefdfe38e6b494f1176131

SHA512
3e1e8400351fbeedbb0f07370260dea23782c24924482d33c54f9db9659c858c2ee89f69b9a8256b091efec0ea33b09e408e0d218769ca3e2cbd013dd935dde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578097.exe

Filesize
168KB

MD5
aa8bb998c46f60bacf91f98f8d4d7b5c

SHA1
61c7e314d916035128849f85a29b34ac1fb482e0

SHA256
7e0252d52b7ff9e4466411941eb98cc220824be0f2eefdfe38e6b494f1176131

SHA512
3e1e8400351fbeedbb0f07370260dea23782c24924482d33c54f9db9659c858c2ee89f69b9a8256b091efec0ea33b09e408e0d218769ca3e2cbd013dd935dde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un111934.exe

Filesize
708KB

MD5
3fb0b0a93171d2b9337de0ace90a3099

SHA1
87233f2c761ae3d8dea72b0e6351dbab25fe956f

SHA256
fc552488db20e2cfcf45e78f92e7fba3f8858d9ba8d329994044211965f25ec1

SHA512
99a8e19651987a3b9162bdcd94d8139c10d7a8e6a53b3f982925594aeb12ed1f4a6d928f19ba44d971370951ac4d2928f35c9a5b262bb3823de81b14c091fe93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un111934.exe

Filesize
708KB

MD5
3fb0b0a93171d2b9337de0ace90a3099

SHA1
87233f2c761ae3d8dea72b0e6351dbab25fe956f

SHA256
fc552488db20e2cfcf45e78f92e7fba3f8858d9ba8d329994044211965f25ec1

SHA512
99a8e19651987a3b9162bdcd94d8139c10d7a8e6a53b3f982925594aeb12ed1f4a6d928f19ba44d971370951ac4d2928f35c9a5b262bb3823de81b14c091fe93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr677675.exe

Filesize
404KB

MD5
305f64d696ae67a0e1d8a2bd49654db1

SHA1
dcbf07ee45a8d0c2a21790bff1c00e5f755e5c67

SHA256
d5ab572b2b721e0bacf685992db63394a858cee3e50c75d87062213d9b1dd4cb

SHA512
89eaf9b53c6b9ea5dae827c59c91558fbb1963597c1caa95014d37fcf2c4e9fc24ece23a559f87ce90d69ae05fd4662a295abe4a51649b0ed169cf68f82d2999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr677675.exe

Filesize
404KB

MD5
305f64d696ae67a0e1d8a2bd49654db1

SHA1
dcbf07ee45a8d0c2a21790bff1c00e5f755e5c67

SHA256
d5ab572b2b721e0bacf685992db63394a858cee3e50c75d87062213d9b1dd4cb

SHA512
89eaf9b53c6b9ea5dae827c59c91558fbb1963597c1caa95014d37fcf2c4e9fc24ece23a559f87ce90d69ae05fd4662a295abe4a51649b0ed169cf68f82d2999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu540558.exe

Filesize
588KB

MD5
bc1e71d7c41063b3db2530089966432d

SHA1
8a73131b9d878a462f11d613b3c601a6723687d2

SHA256
263555c6c11f01e88e9e2c6fbc824b118db95b2c0b7704d89e24631d083aa522

SHA512
9a6cf1d3142d5c61708d5a36cddc1f2c80d1e44c0bc40969d8352becf4fa23767fb49526448312b8ccebb0b82acd7457099f943c6b0396673a5120bbee181b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu540558.exe

Filesize
588KB

MD5
bc1e71d7c41063b3db2530089966432d

SHA1
8a73131b9d878a462f11d613b3c601a6723687d2

SHA256
263555c6c11f01e88e9e2c6fbc824b118db95b2c0b7704d89e24631d083aa522

SHA512
9a6cf1d3142d5c61708d5a36cddc1f2c80d1e44c0bc40969d8352becf4fa23767fb49526448312b8ccebb0b82acd7457099f943c6b0396673a5120bbee181b99

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/168-2352-0x00000000067B0000-0x0000000006800000-memory.dmp

Filesize
320KB

Download
memory/168-2335-0x0000000000E40000-0x0000000000E6E000-memory.dmp

Filesize
184KB

Download
memory/168-2353-0x0000000007350000-0x0000000007512000-memory.dmp

Filesize
1.8MB

Download
memory/168-2354-0x00000000080D0000-0x00000000085FC000-memory.dmp

Filesize
5.2MB

Download
memory/168-2348-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/168-2346-0x0000000005820000-0x000000000586B000-memory.dmp

Filesize
300KB

Download
memory/168-2356-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/168-2344-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/168-2343-0x0000000005930000-0x0000000005A3A000-memory.dmp

Filesize
1.0MB

Download
memory/168-2339-0x00000000015C0000-0x00000000015C6000-memory.dmp

Filesize
24KB

Download
memory/212-2349-0x000000000AA60000-0x000000000AAD6000-memory.dmp

Filesize
472KB

Download
memory/212-2341-0x00000000011E0000-0x00000000011E6000-memory.dmp

Filesize
24KB

Download
memory/212-2342-0x000000000ACD0000-0x000000000B2D6000-memory.dmp

Filesize
6.0MB

Download
memory/212-2340-0x00000000009B0000-0x00000000009E0000-memory.dmp

Filesize
192KB

Download
memory/212-2345-0x000000000A740000-0x000000000A77E000-memory.dmp

Filesize
248KB

Download
memory/212-2347-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/212-2350-0x000000000AB80000-0x000000000AC12000-memory.dmp

Filesize
584KB

Download
memory/212-2351-0x000000000AC20000-0x000000000AC86000-memory.dmp

Filesize
408KB

Download
memory/212-2355-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4040-2363-0x00000000008A0000-0x00000000008DB000-memory.dmp

Filesize
236KB

Download
memory/4268-196-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-180-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/4268-188-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-190-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-192-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-194-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-184-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-198-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-200-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-202-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-204-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-206-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-208-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-209-0x00000000024C0000-0x000000000251B000-memory.dmp

Filesize
364KB

Download
memory/4268-211-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/4268-213-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/4268-215-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/4268-212-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-216-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-218-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-2327-0x0000000005650000-0x0000000005682000-memory.dmp

Filesize
200KB

Download
memory/4268-182-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-181-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-186-0x0000000005480000-0x00000000054E0000-memory.dmp

Filesize
384KB

Download
memory/4268-179-0x0000000002910000-0x0000000002978000-memory.dmp

Filesize
416KB

Download
memory/5008-155-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-171-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-153-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-169-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-167-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-165-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-163-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-161-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-151-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-157-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-139-0x00000000024C0000-0x00000000024DA000-memory.dmp

Filesize
104KB

Download
memory/5008-172-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/5008-159-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-149-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-147-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-145-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-144-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/5008-143-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/5008-142-0x0000000000950000-0x000000000097D000-memory.dmp

Filesize
180KB

Download
memory/5008-141-0x0000000002660000-0x0000000002678000-memory.dmp

Filesize
96KB

Download
memory/5008-140-0x0000000004FC0000-0x00000000054BE000-memory.dmp

Filesize
5.0MB

Download
memory/5008-174-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download