amadey | c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67

Analysis

max time kernel
146s
max time network
104s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2023 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe
Size

1.2MB
MD5

86644f8bd03e3c88a075555bd0a4f7e2
SHA1

e793ad38bb5aeaff867cc44fb7ecfd00b10d39b6
SHA256

c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67
SHA512

91a1df6af342996d48fe3937771634b42a50ffca02f72194969198f69b4adbd886cc2d750ee72a8134c7d92b25813c8324d7ebae2877ad117721e3b0f3332ec6
SSDEEP

24576:Oy1hRJytmWfT6yaifJflFW+VTgL6owY9YmFnSZJFZA8SVwPzBfvVE:d1hRJImYTUcRmqTg1dFnSfTtDfvV

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr224677.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr224677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr224677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr224677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr224677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr224677.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 7 IoCs

Processes:

un268728.exeun285675.exepr224677.exequ070048.exe1.exerk694932.exesi577765.exe

pid process

2572 un268728.exe
3088 un285675.exe
4876 pr224677.exe
2116 qu070048.exe
4832 1.exe
3468 rk694932.exe
428 si577765.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2572	un268728.exe
3088	un285675.exe
4876	pr224677.exe
2116	qu070048.exe
4832	1.exe
3468	rk694932.exe
428	si577765.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr224677.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr224677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr224677.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exeun268728.exeun285675.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un268728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un268728.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un285675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un285675.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4356	428	WerFault.exe	si577765.exe
4452	428	WerFault.exe	si577765.exe
4608	428	WerFault.exe	si577765.exe
2936	428	WerFault.exe	si577765.exe
4300	428	WerFault.exe	si577765.exe
2800	428	WerFault.exe	si577765.exe
3924	428	WerFault.exe	si577765.exe
1536	428	WerFault.exe	si577765.exe
1240	428	WerFault.exe	si577765.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr224677.exe1.exerk694932.exe

pid process

4876 pr224677.exe
4876 pr224677.exe
4832 1.exe
3468 rk694932.exe
4832 1.exe
3468 rk694932.exe

pid	process
4876	pr224677.exe
4876	pr224677.exe
4832	1.exe
3468	rk694932.exe
4832	1.exe
3468	rk694932.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pr224677.exequ070048.exe1.exerk694932.exe

description	pid	process
Token: SeDebugPrivilege	4876	pr224677.exe
Token: SeDebugPrivilege	2116	qu070048.exe
Token: SeDebugPrivilege	4832	1.exe
Token: SeDebugPrivilege	3468	rk694932.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

si577765.exe

pid process

428 si577765.exe

pid	process
428	si577765.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exeun268728.exeun285675.exequ070048.exe

description	pid	process	target process
PID 2496 wrote to memory of 2572	2496	c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe	un268728.exe
PID 2496 wrote to memory of 2572	2496	c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe	un268728.exe
PID 2496 wrote to memory of 2572	2496	c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe	un268728.exe
PID 2572 wrote to memory of 3088	2572	un268728.exe	un285675.exe
PID 2572 wrote to memory of 3088	2572	un268728.exe	un285675.exe
PID 2572 wrote to memory of 3088	2572	un268728.exe	un285675.exe
PID 3088 wrote to memory of 4876	3088	un285675.exe	pr224677.exe
PID 3088 wrote to memory of 4876	3088	un285675.exe	pr224677.exe
PID 3088 wrote to memory of 4876	3088	un285675.exe	pr224677.exe
PID 3088 wrote to memory of 2116	3088	un285675.exe	qu070048.exe
PID 3088 wrote to memory of 2116	3088	un285675.exe	qu070048.exe
PID 3088 wrote to memory of 2116	3088	un285675.exe	qu070048.exe
PID 2116 wrote to memory of 4832	2116	qu070048.exe	1.exe
PID 2116 wrote to memory of 4832	2116	qu070048.exe	1.exe
PID 2116 wrote to memory of 4832	2116	qu070048.exe	1.exe
PID 2572 wrote to memory of 3468	2572	un268728.exe	rk694932.exe
PID 2572 wrote to memory of 3468	2572	un268728.exe	rk694932.exe
PID 2572 wrote to memory of 3468	2572	un268728.exe	rk694932.exe
PID 2496 wrote to memory of 428	2496	c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe	si577765.exe
PID 2496 wrote to memory of 428	2496	c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe	si577765.exe
PID 2496 wrote to memory of 428	2496	c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe	si577765.exe

C:\Users\Admin\AppData\Local\Temp\c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe
"C:\Users\Admin\AppData\Local\Temp\c064130aa8f1fac83e2eccec22f9d5b383a4ec0a7ca8464864dfbdf5ee34aa67.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un268728.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un268728.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un285675.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un285675.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr224677.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr224677.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu070048.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu070048.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk694932.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk694932.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si577765.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si577765.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 632
    3⤵
    - Program crash
    PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 708
    3⤵
    - Program crash
    PID:4452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 848
    3⤵
    - Program crash
    PID:4608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 856
    3⤵
    - Program crash
    PID:2936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 892
    3⤵
    - Program crash
    PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 684
    3⤵
    - Program crash
    PID:2800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1124
    3⤵
    - Program crash
    PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1156
    3⤵
    - Program crash
    PID:1536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1228
    3⤵
    - Program crash
    PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si577765.exe

Filesize
397KB

MD5
73322119dde2931ef4675da872b6e388

SHA1
666909e836d4896520d7b01669820f0e8eb103a1

SHA256
a79c5393e57aa37ec1e86e848e11468788a7b9e9f580b8ce551913a3add57cd3

SHA512
360a30c047d52828252bb6aa484a900e00f6671bd5efdc27845476701b1c9ffcdbcfc7e5b3dceac05d89b83a66273b9e5b9dbd8e982810ba94fd226af216faef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si577765.exe

Filesize
397KB

MD5
73322119dde2931ef4675da872b6e388

SHA1
666909e836d4896520d7b01669820f0e8eb103a1

SHA256
a79c5393e57aa37ec1e86e848e11468788a7b9e9f580b8ce551913a3add57cd3

SHA512
360a30c047d52828252bb6aa484a900e00f6671bd5efdc27845476701b1c9ffcdbcfc7e5b3dceac05d89b83a66273b9e5b9dbd8e982810ba94fd226af216faef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un268728.exe

Filesize
863KB

MD5
9cefdab66587bcd6c561182375c2c61a

SHA1
e7c69327ae9f1dc9d8331a8c9b0ccb116b5c1f5d

SHA256
f3cab2447940c1d47c81857f92c77be63c9ebd40df9972c88f657f4e267a54dc

SHA512
aba42707b24a040522a2267902151809b1586e3bdd9b1336620924e82447d06db48eb6373e9b64c0cc7724c14638819d7073dc4025bd8ab48cf9f38c7ad8a8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un268728.exe

Filesize
863KB

MD5
9cefdab66587bcd6c561182375c2c61a

SHA1
e7c69327ae9f1dc9d8331a8c9b0ccb116b5c1f5d

SHA256
f3cab2447940c1d47c81857f92c77be63c9ebd40df9972c88f657f4e267a54dc

SHA512
aba42707b24a040522a2267902151809b1586e3bdd9b1336620924e82447d06db48eb6373e9b64c0cc7724c14638819d7073dc4025bd8ab48cf9f38c7ad8a8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk694932.exe

Filesize
169KB

MD5
ec81d266b1abb15b70b77004d78f7e1e

SHA1
dfeaa6d9e34350a535cf09486d77c05309fd6036

SHA256
18a6bd9177414481f6d8c1648a41e35bc8c8eea4e62bbd7abc463944b47d2d84

SHA512
1d6054bcde5d5a7104ed493230d7b003e00d8352256cca77b1aed5d62ba4eddd9d6d56ecebf48c2c1d4db93d7e7e59473266163d312b31dd1bda54a0894903f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk694932.exe

Filesize
169KB

MD5
ec81d266b1abb15b70b77004d78f7e1e

SHA1
dfeaa6d9e34350a535cf09486d77c05309fd6036

SHA256
18a6bd9177414481f6d8c1648a41e35bc8c8eea4e62bbd7abc463944b47d2d84

SHA512
1d6054bcde5d5a7104ed493230d7b003e00d8352256cca77b1aed5d62ba4eddd9d6d56ecebf48c2c1d4db93d7e7e59473266163d312b31dd1bda54a0894903f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un285675.exe

Filesize
709KB

MD5
fe6f210c22f94abbb2f46875daf6fb68

SHA1
dbd6feeb22074a36b0ba0ac41eb5c6ff8ef9b02c

SHA256
19f50eda9885ad9275a16aea9c3284f3d151305c356fd4c28fa579fa68145dc2

SHA512
d5e6a581809143ddcb4bbee47558700c56e7275e7e1283caf4660d28c31125c62e75ba4e53c4db440a1fbf5c6a4c2c77b99ecd648aa5682d3db722b113627224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un285675.exe

Filesize
709KB

MD5
fe6f210c22f94abbb2f46875daf6fb68

SHA1
dbd6feeb22074a36b0ba0ac41eb5c6ff8ef9b02c

SHA256
19f50eda9885ad9275a16aea9c3284f3d151305c356fd4c28fa579fa68145dc2

SHA512
d5e6a581809143ddcb4bbee47558700c56e7275e7e1283caf4660d28c31125c62e75ba4e53c4db440a1fbf5c6a4c2c77b99ecd648aa5682d3db722b113627224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr224677.exe

Filesize
405KB

MD5
49866406f5ebefcb6158548734b153e2

SHA1
0fad2d0e5b3926a97a448b043c478f64be462909

SHA256
046b8741dd8bf436b843264356a63b1a242ac215f670dd4ff421a1aa969ac3ec

SHA512
5b1de917c8ca427409516d37d6d00526745fdce3cf4365cee0660e8f5542e55edf041247eea087cf3e369f6b5f713cacb6ebb95a5d379542a6a26cfba4cb6e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr224677.exe

Filesize
405KB

MD5
49866406f5ebefcb6158548734b153e2

SHA1
0fad2d0e5b3926a97a448b043c478f64be462909

SHA256
046b8741dd8bf436b843264356a63b1a242ac215f670dd4ff421a1aa969ac3ec

SHA512
5b1de917c8ca427409516d37d6d00526745fdce3cf4365cee0660e8f5542e55edf041247eea087cf3e369f6b5f713cacb6ebb95a5d379542a6a26cfba4cb6e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu070048.exe

Filesize
588KB

MD5
9ee41f97e84ec698aa6fd545e1e69d2c

SHA1
bc5c2be2f143b0e0adc25153264855a3b2675704

SHA256
9ac4f94e53b2af60f263257cfbb4a988685da2b588f0a2026473af371ffe8ad4

SHA512
309bf33751eb9a95bbf8242034d8413397f645664ad6b5f40b69a827b73515955b9dffea68bb5b365992977e5e08cb870cd0a7500e79b77ccd6ba7f18353c9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu070048.exe

Filesize
588KB

MD5
9ee41f97e84ec698aa6fd545e1e69d2c

SHA1
bc5c2be2f143b0e0adc25153264855a3b2675704

SHA256
9ac4f94e53b2af60f263257cfbb4a988685da2b588f0a2026473af371ffe8ad4

SHA512
309bf33751eb9a95bbf8242034d8413397f645664ad6b5f40b69a827b73515955b9dffea68bb5b365992977e5e08cb870cd0a7500e79b77ccd6ba7f18353c9a4

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/428-2368-0x0000000002450000-0x000000000248B000-memory.dmp

Filesize
236KB

Download
memory/2116-198-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-214-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-2333-0x0000000005630000-0x0000000005662000-memory.dmp

Filesize
200KB

Download
memory/2116-231-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2116-229-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2116-226-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2116-224-0x0000000002490000-0x00000000024EB000-memory.dmp

Filesize
364KB

Download
memory/2116-220-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-218-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-216-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-212-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-210-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-208-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-206-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-204-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-202-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-200-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-185-0x0000000004EF0000-0x0000000004F58000-memory.dmp

Filesize
416KB

Download
memory/2116-186-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/2116-187-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-188-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-190-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-192-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-194-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/2116-196-0x0000000005460000-0x00000000054C0000-memory.dmp

Filesize
384KB

Download
memory/3468-2353-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/3468-2362-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/3468-2346-0x00000000007E0000-0x0000000000810000-memory.dmp

Filesize
192KB

Download
memory/3468-2347-0x00000000028E0000-0x00000000028E6000-memory.dmp

Filesize
24KB

Download
memory/3468-2350-0x000000000A510000-0x000000000A522000-memory.dmp

Filesize
72KB

Download
memory/3468-2351-0x000000000A570000-0x000000000A5AE000-memory.dmp

Filesize
248KB

Download
memory/3468-2352-0x000000000A6F0000-0x000000000A73B000-memory.dmp

Filesize
300KB

Download
memory/4832-2358-0x000000000AEF0000-0x000000000AF40000-memory.dmp

Filesize
320KB

Download
memory/4832-2354-0x0000000004890000-0x00000000048A0000-memory.dmp

Filesize
64KB

Download
memory/4832-2355-0x000000000A0C0000-0x000000000A136000-memory.dmp

Filesize
472KB

Download
memory/4832-2356-0x000000000A1E0000-0x000000000A272000-memory.dmp

Filesize
584KB

Download
memory/4832-2357-0x000000000A140000-0x000000000A1A6000-memory.dmp

Filesize
408KB

Download
memory/4832-2341-0x0000000000010000-0x000000000003E000-memory.dmp

Filesize
184KB

Download
memory/4832-2349-0x0000000009E30000-0x0000000009F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4832-2348-0x000000000A330000-0x000000000A936000-memory.dmp

Filesize
6.0MB

Download
memory/4832-2359-0x000000000B740000-0x000000000B902000-memory.dmp

Filesize
1.8MB

Download
memory/4832-2360-0x000000000BE40000-0x000000000C36C000-memory.dmp

Filesize
5.2MB

Download
memory/4832-2345-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/4876-171-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-151-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-147-0x00000000024D0000-0x00000000024E8000-memory.dmp

Filesize
96KB

Download
memory/4876-146-0x0000000004FB0000-0x00000000054AE000-memory.dmp

Filesize
5.0MB

Download
memory/4876-149-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-159-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-161-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-163-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-165-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-167-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-169-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-148-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-173-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-157-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-175-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-176-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4876-177-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4876-178-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4876-180-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4876-155-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-153-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/4876-145-0x0000000002480000-0x000000000249A000-memory.dmp

Filesize
104KB

Download
memory/4876-144-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4876-143-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download