amadey | bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38

Analysis

max time kernel
145s
max time network
102s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13/04/2023, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe
Size

1.1MB
MD5

aab703db6f8fbb055e3439cd1c99c231
SHA1

3c70ee2a9d0b6fd0eb4613783007bc68f3796efa
SHA256

bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38
SHA512

1abd7f73c23d9ba28790b3214051a1b3628015036f7ebe91bd7c5164109a55541aae9852f8e5a401a1b4094102c951ea4f704880f6a0464633cf0326d330f042
SSDEEP

24576:DysR66BTry5q3dZGesvCjFgRHaEYl/I7h1a3:WsR6qryjx6CaEYow

Score

10^/10

amadey redline diro lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diro

185.161.248.90:4125

Attributes

auth_value
ae95bda0dd2e95169886a3a68138568b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr076521.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr076521.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr076521.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr076521.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr076521.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2420	un602464.exe
2672	un494633.exe
3236	pr076521.exe
4672	qu706391.exe
4048	1.exe
4136	rk750632.exe
3060	si524076.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr076521.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr076521.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un602464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un602464.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un494633.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un494633.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1432	3060	WerFault.exe	73
2956	3060	WerFault.exe	73
2816	3060	WerFault.exe	73
5072	3060	WerFault.exe	73
3796	3060	WerFault.exe	73
2588	3060	WerFault.exe	73
2856	3060	WerFault.exe	73
3872	3060	WerFault.exe	73
1556	3060	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3236	pr076521.exe
3236	pr076521.exe
4136	rk750632.exe
4048	1.exe
4048	1.exe
4136	rk750632.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3236	pr076521.exe
Token: SeDebugPrivilege	4672	qu706391.exe
Token: SeDebugPrivilege	4136	rk750632.exe
Token: SeDebugPrivilege	4048	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	si524076.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2420	2320	bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe	66
PID 2320 wrote to memory of 2420	2320	bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe	66
PID 2320 wrote to memory of 2420	2320	bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe	66
PID 2420 wrote to memory of 2672	2420	un602464.exe	67
PID 2420 wrote to memory of 2672	2420	un602464.exe	67
PID 2420 wrote to memory of 2672	2420	un602464.exe	67
PID 2672 wrote to memory of 3236	2672	un494633.exe	68
PID 2672 wrote to memory of 3236	2672	un494633.exe	68
PID 2672 wrote to memory of 3236	2672	un494633.exe	68
PID 2672 wrote to memory of 4672	2672	un494633.exe	69
PID 2672 wrote to memory of 4672	2672	un494633.exe	69
PID 2672 wrote to memory of 4672	2672	un494633.exe	69
PID 4672 wrote to memory of 4048	4672	qu706391.exe	70
PID 4672 wrote to memory of 4048	4672	qu706391.exe	70
PID 4672 wrote to memory of 4048	4672	qu706391.exe	70
PID 2420 wrote to memory of 4136	2420	un602464.exe	71
PID 2420 wrote to memory of 4136	2420	un602464.exe	71
PID 2420 wrote to memory of 4136	2420	un602464.exe	71
PID 2320 wrote to memory of 3060	2320	bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe	73
PID 2320 wrote to memory of 3060	2320	bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe	73
PID 2320 wrote to memory of 3060	2320	bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe	73

C:\Users\Admin\AppData\Local\Temp\bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe
"C:\Users\Admin\AppData\Local\Temp\bfaedf7e0129ae9339d6b6db2c9f3f0c10672ddca84ddd4e13abc593c8e39c38.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un602464.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un602464.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un494633.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un494633.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr076521.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr076521.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu706391.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu706391.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk750632.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk750632.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si524076.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si524076.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 616
    3⤵
    - Program crash
    PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 696
    3⤵
    - Program crash
    PID:2956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 836
    3⤵
    - Program crash
    PID:2816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 824
    3⤵
    - Program crash
    PID:5072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 892
    3⤵
    - Program crash
    PID:3796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 868
    3⤵
    - Program crash
    PID:2588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1116
    3⤵
    - Program crash
    PID:2856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1156
    3⤵
    - Program crash
    PID:3872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1128
    3⤵
    - Program crash
    PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si524076.exe

Filesize
270KB

MD5
a02f36c88a8d9d6c52ce96f0958eeb67

SHA1
65c718ef46f50d78e331f7abd703fb935ac431c2

SHA256
f9bb5ba8aa13c45e7e68df2cd855a08fa062e0d3b91a8bd3c58d020ac6bdcbf6

SHA512
dd7ab4e26b28a4a5304b6d68345765d54bf6b215e3a8377e12dc161a4f36808b031b762d271f15fd4f2f18f10aaa28511afd931cd938f39e72e38651c3b65bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si524076.exe

Filesize
270KB

MD5
a02f36c88a8d9d6c52ce96f0958eeb67

SHA1
65c718ef46f50d78e331f7abd703fb935ac431c2

SHA256
f9bb5ba8aa13c45e7e68df2cd855a08fa062e0d3b91a8bd3c58d020ac6bdcbf6

SHA512
dd7ab4e26b28a4a5304b6d68345765d54bf6b215e3a8377e12dc161a4f36808b031b762d271f15fd4f2f18f10aaa28511afd931cd938f39e72e38651c3b65bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un602464.exe

Filesize
817KB

MD5
54024cacfee47b2f69dbe0665a90da67

SHA1
6781c490182b655df247b4ac5e1de5dde4abdd11

SHA256
0dc19e7e9dee67a612d90ebf86d9dbb9c86858978cc9e46d8af9b540941d84da

SHA512
bd3470703b24c2c27052eb1356e3ab2bfa8a64ceb1de29ce104beeb99ac7f266e65c45ce18b033772550810edf312c632054d217e5de22f1aeef185808ed759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un602464.exe

Filesize
817KB

MD5
54024cacfee47b2f69dbe0665a90da67

SHA1
6781c490182b655df247b4ac5e1de5dde4abdd11

SHA256
0dc19e7e9dee67a612d90ebf86d9dbb9c86858978cc9e46d8af9b540941d84da

SHA512
bd3470703b24c2c27052eb1356e3ab2bfa8a64ceb1de29ce104beeb99ac7f266e65c45ce18b033772550810edf312c632054d217e5de22f1aeef185808ed759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk750632.exe

Filesize
168KB

MD5
596283bd8f5605f6e84e01fdc7e7dd7b

SHA1
3858e10bdb908839591d0778461f800bbde4a4db

SHA256
dc7930ff49f44a9175a231d87f3bb6043cdb3a96cd958f56f9d229f51a4ed31c

SHA512
18ff9c22399045272718f75aefb42b542d5d06d87654b394e3e89ffe40c7b6e4d67fde037963717e86e90bf36024bf22259593416efbf469dd9a919f41db5de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk750632.exe

Filesize
168KB

MD5
596283bd8f5605f6e84e01fdc7e7dd7b

SHA1
3858e10bdb908839591d0778461f800bbde4a4db

SHA256
dc7930ff49f44a9175a231d87f3bb6043cdb3a96cd958f56f9d229f51a4ed31c

SHA512
18ff9c22399045272718f75aefb42b542d5d06d87654b394e3e89ffe40c7b6e4d67fde037963717e86e90bf36024bf22259593416efbf469dd9a919f41db5de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un494633.exe

Filesize
664KB

MD5
4d50d850b3cac6d755657fd8ed91a6c2

SHA1
2a20bd63d6df9c7d9a0cf7b0f2ffe4dcc60cd92c

SHA256
167515d4bcb528d2b3d24285fc348741f12a2852b2f556a51a14da16cc226305

SHA512
d12c6938a19ca8b9aa13370e8e66a587214c7241f61d52555104429c5bd63fa1dec5dc34ce34b207887352b6b4dd0bde014f321cddecd7d28cb0b0d25fb075e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un494633.exe

Filesize
664KB

MD5
4d50d850b3cac6d755657fd8ed91a6c2

SHA1
2a20bd63d6df9c7d9a0cf7b0f2ffe4dcc60cd92c

SHA256
167515d4bcb528d2b3d24285fc348741f12a2852b2f556a51a14da16cc226305

SHA512
d12c6938a19ca8b9aa13370e8e66a587214c7241f61d52555104429c5bd63fa1dec5dc34ce34b207887352b6b4dd0bde014f321cddecd7d28cb0b0d25fb075e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr076521.exe

Filesize
279KB

MD5
2967c5dfda06a8e8acf0160a4885c6c3

SHA1
4898512740b46845be257b9021bd6b35f593eb9b

SHA256
09e7e83eea9e0f387823c18f13e3291c99fd743846fbfda9b6c7be5c18866f62

SHA512
dee341e0a4b53d642d542da66673086c8248402657adc17e4d7222770cd2deca2718f6ded3adfcf049e521c4a2d4fcf9ee498641289e634698d0377af84f1384

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr076521.exe

Filesize
279KB

MD5
2967c5dfda06a8e8acf0160a4885c6c3

SHA1
4898512740b46845be257b9021bd6b35f593eb9b

SHA256
09e7e83eea9e0f387823c18f13e3291c99fd743846fbfda9b6c7be5c18866f62

SHA512
dee341e0a4b53d642d542da66673086c8248402657adc17e4d7222770cd2deca2718f6ded3adfcf049e521c4a2d4fcf9ee498641289e634698d0377af84f1384

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu706391.exe

Filesize
463KB

MD5
aafb7abd10aa64483a09fda63d00a069

SHA1
a57bca7395d42e3062cf6455e92b3d17e9bdf20c

SHA256
53c34a4a1d8f1280702ab9dc8d5c6d456eea5da9072fc4604441fe7082ee4741

SHA512
066ee4d6426fb31673a52c69b6635d9d023ebca0453b30b5e3d63aa8b86e404f8732f8e7c04bc40300dc859b04ae55813dab7e1694a28eb49bb106e0d23481a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu706391.exe

Filesize
463KB

MD5
aafb7abd10aa64483a09fda63d00a069

SHA1
a57bca7395d42e3062cf6455e92b3d17e9bdf20c

SHA256
53c34a4a1d8f1280702ab9dc8d5c6d456eea5da9072fc4604441fe7082ee4741

SHA512
066ee4d6426fb31673a52c69b6635d9d023ebca0453b30b5e3d63aa8b86e404f8732f8e7c04bc40300dc859b04ae55813dab7e1694a28eb49bb106e0d23481a0

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/3060-2370-0x00000000004C0000-0x00000000004FB000-memory.dmp

Filesize
236KB

Download
memory/3236-174-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-176-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3236-160-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-164-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-172-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-170-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-168-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-166-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-158-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-150-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-175-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3236-162-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-177-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3236-178-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3236-180-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3236-152-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-154-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-156-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-148-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-147-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3236-146-0x00000000049E0000-0x00000000049F8000-memory.dmp

Filesize
96KB

Download
memory/3236-145-0x0000000004A30000-0x0000000004F2E000-memory.dmp

Filesize
5.0MB

Download
memory/3236-144-0x0000000002500000-0x000000000251A000-memory.dmp

Filesize
104KB

Download
memory/3236-143-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/4048-2346-0x00000000053E0000-0x00000000053E6000-memory.dmp

Filesize
24KB

Download
memory/4048-2342-0x0000000000C70000-0x0000000000C9E000-memory.dmp

Filesize
184KB

Download
memory/4048-2363-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/4048-2360-0x0000000006AA0000-0x0000000006C62000-memory.dmp

Filesize
1.8MB

Download
memory/4048-2359-0x0000000006880000-0x00000000068D0000-memory.dmp

Filesize
320KB

Download
memory/4048-2358-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/4048-2354-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/4048-2350-0x0000000005660000-0x000000000576A000-memory.dmp

Filesize
1.0MB

Download
memory/4048-2349-0x0000000005B60000-0x0000000006166000-memory.dmp

Filesize
6.0MB

Download
memory/4136-2356-0x0000000004D80000-0x0000000004DF6000-memory.dmp

Filesize
472KB

Download
memory/4136-2347-0x00000000000F0000-0x0000000000120000-memory.dmp

Filesize
192KB

Download
memory/4136-2362-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4136-2361-0x0000000007E30000-0x000000000835C000-memory.dmp

Filesize
5.2MB

Download
memory/4136-2357-0x0000000004EA0000-0x0000000004F32000-memory.dmp

Filesize
584KB

Download
memory/4136-2355-0x0000000004AB0000-0x0000000004AFB000-memory.dmp

Filesize
300KB

Download
memory/4136-2353-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4136-2352-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/4136-2351-0x00000000049F0000-0x0000000004A02000-memory.dmp

Filesize
72KB

Download
memory/4136-2348-0x0000000002120000-0x0000000002126000-memory.dmp

Filesize
24KB

Download
memory/4672-196-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-208-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-215-0x0000000001E80000-0x0000000001EDB000-memory.dmp

Filesize
364KB

Download
memory/4672-192-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-194-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-190-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-188-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-214-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-212-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-210-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-2333-0x00000000052E0000-0x0000000005312000-memory.dmp

Filesize
200KB

Download
memory/4672-224-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-222-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-2340-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4672-221-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4672-198-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-218-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-206-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-204-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-202-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-219-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4672-217-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4672-200-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-187-0x00000000050B0000-0x0000000005110000-memory.dmp

Filesize
384KB

Download
memory/4672-186-0x00000000050B0000-0x0000000005116000-memory.dmp

Filesize
408KB

Download
memory/4672-185-0x0000000004AF0000-0x0000000004B58000-memory.dmp

Filesize
416KB

Download