amadey | 2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072

Analysis

max time kernel
149s
max time network
106s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14/04/2023, 00:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe
Size

1.1MB
MD5

52610e542122921d6f279d7a19eeebc9
SHA1

3db477264ffc5c10e3589c8d0ea3c4cf63a0d7fa
SHA256

2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072
SHA512

46f6c2f98a9a6554842641dd0a6cea3420676eaff4e9f140d9f12f3ae8eb5864b2719b0500f25906f691ac823e6238d9ef74dbf00362f795e42317e4a8f0dfac
SSDEEP

24576:DyYY2wRVPngbV47eZRNDd2WUVfg1BVZC8GkeaLbH3BkVIvONviT:WYUVPgeKZV9UFg1/oEHDvi

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr083510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr083510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr083510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr083510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr083510.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2676	un975422.exe
3252	un112544.exe
4960	pr083510.exe
3604	qu316379.exe
4216	1.exe
1780	rk701489.exe
3104	si991086.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr083510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr083510.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un112544.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un975422.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un975422.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un112544.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4960	3104	WerFault.exe	73
2916	3104	WerFault.exe	73
4720	3104	WerFault.exe	73
3804	3104	WerFault.exe	73
1392	3104	WerFault.exe	73
3840	3104	WerFault.exe	73
2080	3104	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4960	pr083510.exe
4960	pr083510.exe
1780	rk701489.exe
1780	rk701489.exe
4216	1.exe
4216	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	pr083510.exe
Token: SeDebugPrivilege	3604	qu316379.exe
Token: SeDebugPrivilege	1780	rk701489.exe
Token: SeDebugPrivilege	4216	1.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2676	2420	2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe	66
PID 2420 wrote to memory of 2676	2420	2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe	66
PID 2420 wrote to memory of 2676	2420	2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe	66
PID 2676 wrote to memory of 3252	2676	un975422.exe	67
PID 2676 wrote to memory of 3252	2676	un975422.exe	67
PID 2676 wrote to memory of 3252	2676	un975422.exe	67
PID 3252 wrote to memory of 4960	3252	un112544.exe	68
PID 3252 wrote to memory of 4960	3252	un112544.exe	68
PID 3252 wrote to memory of 4960	3252	un112544.exe	68
PID 3252 wrote to memory of 3604	3252	un112544.exe	69
PID 3252 wrote to memory of 3604	3252	un112544.exe	69
PID 3252 wrote to memory of 3604	3252	un112544.exe	69
PID 3604 wrote to memory of 4216	3604	qu316379.exe	70
PID 3604 wrote to memory of 4216	3604	qu316379.exe	70
PID 3604 wrote to memory of 4216	3604	qu316379.exe	70
PID 2676 wrote to memory of 1780	2676	un975422.exe	71
PID 2676 wrote to memory of 1780	2676	un975422.exe	71
PID 2676 wrote to memory of 1780	2676	un975422.exe	71
PID 2420 wrote to memory of 3104	2420	2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe	73
PID 2420 wrote to memory of 3104	2420	2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe	73
PID 2420 wrote to memory of 3104	2420	2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe	73

C:\Users\Admin\AppData\Local\Temp\2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe
"C:\Users\Admin\AppData\Local\Temp\2a05cef1a7c0820a5e00ac96cec7991692a68328590e234e0fe44b0078c84072.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un975422.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un975422.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un112544.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un112544.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr083510.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr083510.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu316379.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu316379.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3604
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk701489.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk701489.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si991086.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si991086.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 640
    3⤵
    - Program crash
    PID:4960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 716
    3⤵
    - Program crash
    PID:2916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 776
    3⤵
    - Program crash
    PID:4720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 852
    3⤵
    - Program crash
    PID:3804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 884
    3⤵
    - Program crash
    PID:1392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 860
    3⤵
    - Program crash
    PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1080
    3⤵
    - Program crash
    PID:2080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si991086.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si991086.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un975422.exe

Filesize
820KB

MD5
377a219420c292d1eed2685914d648e4

SHA1
d021583234b2774072325bed6cab83486db08664

SHA256
5df6d9785604c6bd84f9de4151a3a5bf7ee9cbd299b14279b414280fbedb10c6

SHA512
244ad0e92adbfcdb9958589e24b5f1016875edbba5585a4599dd20fc9b4dca4ea95c778f6b36376872e75970bf5f359cdc158328db554ac47818d528005c773b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un975422.exe

Filesize
820KB

MD5
377a219420c292d1eed2685914d648e4

SHA1
d021583234b2774072325bed6cab83486db08664

SHA256
5df6d9785604c6bd84f9de4151a3a5bf7ee9cbd299b14279b414280fbedb10c6

SHA512
244ad0e92adbfcdb9958589e24b5f1016875edbba5585a4599dd20fc9b4dca4ea95c778f6b36376872e75970bf5f359cdc158328db554ac47818d528005c773b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk701489.exe

Filesize
168KB

MD5
52b032b6d26390a05b326ea041aa0b56

SHA1
ad9e3b649d027d07d7f0de1bb990ff18796599c8

SHA256
88b3d1384d1e15a17f488b57158e808387901c7eefca6a68c2838c39e84c696d

SHA512
394b9cad16b6acb87a27391704dceb2e4df1c6675a00f9f0bd0d6093486f28b4e9002effb92a78bfd9944cf9abaaf88e6255c3e203961f581cf5abee4cbda1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk701489.exe

Filesize
168KB

MD5
52b032b6d26390a05b326ea041aa0b56

SHA1
ad9e3b649d027d07d7f0de1bb990ff18796599c8

SHA256
88b3d1384d1e15a17f488b57158e808387901c7eefca6a68c2838c39e84c696d

SHA512
394b9cad16b6acb87a27391704dceb2e4df1c6675a00f9f0bd0d6093486f28b4e9002effb92a78bfd9944cf9abaaf88e6255c3e203961f581cf5abee4cbda1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un112544.exe

Filesize
666KB

MD5
7a7d3daa29f3bdc2849484c094dcac9b

SHA1
404547dd70a0cd9c6a91bae2b2c9c38fc2f094de

SHA256
7482f98bb3e1a27f9c8a2e586cbb04e67898d4a187e86ee74325d15bc380167e

SHA512
0fe4aca5716e3d8ea510b885587aefd2305df0ac095e8d5755b009df43490a20c6927765611eea3a64c7cdc761349ae7bc00b35dc5f18a2405d70ed2daae5b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un112544.exe

Filesize
666KB

MD5
7a7d3daa29f3bdc2849484c094dcac9b

SHA1
404547dd70a0cd9c6a91bae2b2c9c38fc2f094de

SHA256
7482f98bb3e1a27f9c8a2e586cbb04e67898d4a187e86ee74325d15bc380167e

SHA512
0fe4aca5716e3d8ea510b885587aefd2305df0ac095e8d5755b009df43490a20c6927765611eea3a64c7cdc761349ae7bc00b35dc5f18a2405d70ed2daae5b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr083510.exe

Filesize
318KB

MD5
7237f1fa8ce155aebe22ba31deecdbd7

SHA1
e48fd4954aba3155ba9adbec8bfc8c68a3469c6d

SHA256
237d884d22064cba565447e417f841345c6d9b3e900fd6f5fea12817e35fc36d

SHA512
cf5e86c91e82b6b1437b300784b79862b1a8969a0d122a68049665fedcd2e5f69ed56eb292710b2d05270d2705f8bff83e9b95d2b6ff2523bd125b8ed90bc3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr083510.exe

Filesize
318KB

MD5
7237f1fa8ce155aebe22ba31deecdbd7

SHA1
e48fd4954aba3155ba9adbec8bfc8c68a3469c6d

SHA256
237d884d22064cba565447e417f841345c6d9b3e900fd6f5fea12817e35fc36d

SHA512
cf5e86c91e82b6b1437b300784b79862b1a8969a0d122a68049665fedcd2e5f69ed56eb292710b2d05270d2705f8bff83e9b95d2b6ff2523bd125b8ed90bc3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu316379.exe

Filesize
502KB

MD5
563862471bc2a838ac3afa71e53a62af

SHA1
89b6d9f86ea91b4a243984dd00a8519b5a5ec9b3

SHA256
32f1d74ada49a79fcaaa3e122c934457799e94a5ec82404dd06153e990a97dad

SHA512
edc093c049b7072aef676681313808e3414aeeb127c4e1f6f86a60d2b63b4c62527ddfda73ae02c0a0108ed49b3fbeab4480e2fb86c0f88544c7ac25a96a2ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu316379.exe

Filesize
502KB

MD5
563862471bc2a838ac3afa71e53a62af

SHA1
89b6d9f86ea91b4a243984dd00a8519b5a5ec9b3

SHA256
32f1d74ada49a79fcaaa3e122c934457799e94a5ec82404dd06153e990a97dad

SHA512
edc093c049b7072aef676681313808e3414aeeb127c4e1f6f86a60d2b63b4c62527ddfda73ae02c0a0108ed49b3fbeab4480e2fb86c0f88544c7ac25a96a2ee7

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1780-2350-0x0000000002950000-0x0000000002956000-memory.dmp

Filesize
24KB

Download
memory/1780-2354-0x000000000A4D0000-0x000000000A50E000-memory.dmp

Filesize
248KB

Download
memory/1780-2352-0x000000000A550000-0x000000000A65A000-memory.dmp

Filesize
1.0MB

Download
memory/1780-2351-0x000000000AA10000-0x000000000B016000-memory.dmp

Filesize
6.0MB

Download
memory/1780-2357-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1780-2349-0x0000000000740000-0x0000000000770000-memory.dmp

Filesize
192KB

Download
memory/1780-2360-0x000000000A870000-0x000000000A8D6000-memory.dmp

Filesize
408KB

Download
memory/1780-2361-0x000000000BE20000-0x000000000BFE2000-memory.dmp

Filesize
1.8MB

Download
memory/1780-2362-0x000000000C520000-0x000000000CA4C000-memory.dmp

Filesize
5.2MB

Download
memory/1780-2364-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1780-2365-0x000000000B720000-0x000000000B770000-memory.dmp

Filesize
320KB

Download
memory/3104-2372-0x0000000002120000-0x000000000215B000-memory.dmp

Filesize
236KB

Download
memory/3604-2335-0x00000000052E0000-0x0000000005312000-memory.dmp

Filesize
200KB

Download
memory/3604-267-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/3604-263-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/3604-266-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/3604-262-0x00000000005B0000-0x000000000060B000-memory.dmp

Filesize
364KB

Download
memory/3604-222-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-220-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-2337-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/3604-187-0x00000000023C0000-0x0000000002428000-memory.dmp

Filesize
416KB

Download
memory/3604-188-0x0000000004BD0000-0x0000000004C36000-memory.dmp

Filesize
408KB

Download
memory/3604-189-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-190-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-192-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-194-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-196-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-198-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-200-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-202-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-204-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-206-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-208-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-210-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-212-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-214-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-216-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/3604-218-0x0000000004BD0000-0x0000000004C30000-memory.dmp

Filesize
384KB

Download
memory/4216-2344-0x00000000006E0000-0x000000000070E000-memory.dmp

Filesize
184KB

Download
memory/4216-2345-0x0000000002760000-0x0000000002766000-memory.dmp

Filesize
24KB

Download
memory/4216-2363-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/4216-2359-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/4216-2358-0x0000000005370000-0x00000000053E6000-memory.dmp

Filesize
472KB

Download
memory/4216-2356-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/4216-2355-0x00000000050A0000-0x00000000050EB000-memory.dmp

Filesize
300KB

Download
memory/4216-2353-0x0000000005000000-0x0000000005012000-memory.dmp

Filesize
72KB

Download
memory/4960-155-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-177-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-167-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-171-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-165-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-163-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-161-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-159-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-157-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-182-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4960-173-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-153-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-175-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-169-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-151-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-178-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4960-179-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4960-150-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4960-149-0x0000000002460000-0x0000000002478000-memory.dmp

Filesize
96KB

Download
memory/4960-148-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4960-180-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4960-147-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4960-146-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4960-145-0x0000000004A40000-0x0000000004F3E000-memory.dmp

Filesize
5.0MB

Download
memory/4960-144-0x0000000002230000-0x000000000224A000-memory.dmp

Filesize
104KB

Download
memory/4960-143-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download