amadey | bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853

Analysis

max time kernel
145s
max time network
102s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2023 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe
Size

1.0MB
MD5

12da1cb7a1fd4089e20de1b2ad5f985c
SHA1

de41a44dd354cee8579658f8aba60993894f8df2
SHA256

bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853
SHA512

dec328056b4cc3fa70d0175510ad5e9fc51801ec84bd12ebef01de3ac4cf642930c31c23012618636b576629d909d827eefd86f80be5f011b4061e4872644e5e
SSDEEP

24576:rykC4rb2ZU8CDhZ6WUk6ykgEVv049+1xZ8aN:ekC4/8Cvv6ykgEVv0ZV8

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it901687.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it901687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it901687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it901687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it901687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it901687.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 7 IoCs

Processes:

ziVU8586.exeziVS1940.exeit901687.exejr945726.exe1.exekp627831.exelr031250.exe

pid process

3488 ziVU8586.exe
2692 ziVS1940.exe
3976 it901687.exe
3948 jr945726.exe
2312 1.exe
1504 kp627831.exe
2816 lr031250.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it901687.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it901687.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3488	ziVU8586.exe
2692	ziVS1940.exe
3976	it901687.exe
3948	jr945726.exe
2312	1.exe
1504	kp627831.exe
2816	lr031250.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it901687.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ziVS1940.exebd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exeziVU8586.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziVS1940.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziVS1940.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziVU8586.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziVU8586.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3752	2816	WerFault.exe	lr031250.exe
3448	2816	WerFault.exe	lr031250.exe
2680	2816	WerFault.exe	lr031250.exe
2600	2816	WerFault.exe	lr031250.exe
5108	2816	WerFault.exe	lr031250.exe
5028	2816	WerFault.exe	lr031250.exe
1524	2816	WerFault.exe	lr031250.exe
4536	2816	WerFault.exe	lr031250.exe
4736	2816	WerFault.exe	lr031250.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it901687.exe1.exekp627831.exe

pid process

3976 it901687.exe
3976 it901687.exe
2312 1.exe
1504 kp627831.exe
1504 kp627831.exe
2312 1.exe

pid	process
3976	it901687.exe
3976	it901687.exe
2312	1.exe
1504	kp627831.exe
1504	kp627831.exe
2312	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

it901687.exejr945726.exe1.exekp627831.exe

description	pid	process
Token: SeDebugPrivilege	3976	it901687.exe
Token: SeDebugPrivilege	3948	jr945726.exe
Token: SeDebugPrivilege	2312	1.exe
Token: SeDebugPrivilege	1504	kp627831.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lr031250.exe

pid process

2816 lr031250.exe

pid	process
2816	lr031250.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exeziVU8586.exeziVS1940.exejr945726.exe

description	pid	process	target process
PID 4024 wrote to memory of 3488	4024	bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe	ziVU8586.exe
PID 4024 wrote to memory of 3488	4024	bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe	ziVU8586.exe
PID 4024 wrote to memory of 3488	4024	bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe	ziVU8586.exe
PID 3488 wrote to memory of 2692	3488	ziVU8586.exe	ziVS1940.exe
PID 3488 wrote to memory of 2692	3488	ziVU8586.exe	ziVS1940.exe
PID 3488 wrote to memory of 2692	3488	ziVU8586.exe	ziVS1940.exe
PID 2692 wrote to memory of 3976	2692	ziVS1940.exe	it901687.exe
PID 2692 wrote to memory of 3976	2692	ziVS1940.exe	it901687.exe
PID 2692 wrote to memory of 3948	2692	ziVS1940.exe	jr945726.exe
PID 2692 wrote to memory of 3948	2692	ziVS1940.exe	jr945726.exe
PID 2692 wrote to memory of 3948	2692	ziVS1940.exe	jr945726.exe
PID 3948 wrote to memory of 2312	3948	jr945726.exe	1.exe
PID 3948 wrote to memory of 2312	3948	jr945726.exe	1.exe
PID 3948 wrote to memory of 2312	3948	jr945726.exe	1.exe
PID 3488 wrote to memory of 1504	3488	ziVU8586.exe	kp627831.exe
PID 3488 wrote to memory of 1504	3488	ziVU8586.exe	kp627831.exe
PID 3488 wrote to memory of 1504	3488	ziVU8586.exe	kp627831.exe
PID 4024 wrote to memory of 2816	4024	bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe	lr031250.exe
PID 4024 wrote to memory of 2816	4024	bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe	lr031250.exe
PID 4024 wrote to memory of 2816	4024	bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe	lr031250.exe

C:\Users\Admin\AppData\Local\Temp\bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe
"C:\Users\Admin\AppData\Local\Temp\bd28199ea4825945634f93fcd39aedb3041d4c7f10f9d1dce1d30f0d566f8853.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVU8586.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVU8586.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVS1940.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVS1940.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it901687.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it901687.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945726.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945726.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp627831.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp627831.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr031250.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr031250.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 632
    3⤵
    - Program crash
    PID:3752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 708
    3⤵
    - Program crash
    PID:3448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 848
    3⤵
    - Program crash
    PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 712
    3⤵
    - Program crash
    PID:2600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 884
    3⤵
    - Program crash
    PID:5108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 936
    3⤵
    - Program crash
    PID:5028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1132
    3⤵
    - Program crash
    PID:1524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1168
    3⤵
    - Program crash
    PID:4536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1176
    3⤵
    - Program crash
    PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr031250.exe

Filesize
397KB

MD5
73322119dde2931ef4675da872b6e388

SHA1
666909e836d4896520d7b01669820f0e8eb103a1

SHA256
a79c5393e57aa37ec1e86e848e11468788a7b9e9f580b8ce551913a3add57cd3

SHA512
360a30c047d52828252bb6aa484a900e00f6671bd5efdc27845476701b1c9ffcdbcfc7e5b3dceac05d89b83a66273b9e5b9dbd8e982810ba94fd226af216faef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr031250.exe

Filesize
397KB

MD5
73322119dde2931ef4675da872b6e388

SHA1
666909e836d4896520d7b01669820f0e8eb103a1

SHA256
a79c5393e57aa37ec1e86e848e11468788a7b9e9f580b8ce551913a3add57cd3

SHA512
360a30c047d52828252bb6aa484a900e00f6671bd5efdc27845476701b1c9ffcdbcfc7e5b3dceac05d89b83a66273b9e5b9dbd8e982810ba94fd226af216faef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVU8586.exe

Filesize
724KB

MD5
e52f6b10189f2dd9d77c545f917aa343

SHA1
66ac6ae30b9ee92da5fc07ce6c73d7916c52aff1

SHA256
691e694c47151b0d8529cf288654979234bc4aa0d38a0a5b1c8b51002700528a

SHA512
688e3167abadceb7b594a60356fb53e21318614b9b97c74cc435af680fdebc7aadb1721d1bfea59147f4e71df92deef5cce97af5d35a8fee274aaa3f080564b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVU8586.exe

Filesize
724KB

MD5
e52f6b10189f2dd9d77c545f917aa343

SHA1
66ac6ae30b9ee92da5fc07ce6c73d7916c52aff1

SHA256
691e694c47151b0d8529cf288654979234bc4aa0d38a0a5b1c8b51002700528a

SHA512
688e3167abadceb7b594a60356fb53e21318614b9b97c74cc435af680fdebc7aadb1721d1bfea59147f4e71df92deef5cce97af5d35a8fee274aaa3f080564b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp627831.exe

Filesize
169KB

MD5
611a4d1e0d6e2a48bb7f8a50c3b62110

SHA1
9d4711b0d861cc0d723b9cabda31033b8a7d7b74

SHA256
e6d6d6477be8f9b4085b35d4216ff09f023b6281256dcf0d9b11d02a86500130

SHA512
408df6839d630a57198e4145e556e8a91f40b8b7b90d1a9963ec07967d686f7b9245f76347fa502a899e810d5cd810cc9daa1a37e6d6e2fc2e2f41d9ed23b09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp627831.exe

Filesize
169KB

MD5
611a4d1e0d6e2a48bb7f8a50c3b62110

SHA1
9d4711b0d861cc0d723b9cabda31033b8a7d7b74

SHA256
e6d6d6477be8f9b4085b35d4216ff09f023b6281256dcf0d9b11d02a86500130

SHA512
408df6839d630a57198e4145e556e8a91f40b8b7b90d1a9963ec07967d686f7b9245f76347fa502a899e810d5cd810cc9daa1a37e6d6e2fc2e2f41d9ed23b09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVS1940.exe

Filesize
570KB

MD5
48dfb5880c1ade79b599e3591545d62f

SHA1
0ced866332783bd1890054aed16963c8a4f121bf

SHA256
d4e836726ed138f7afc35ceff14bdb8d4efb1c0eb79a4f7d1706d3d60778cd52

SHA512
7912f154f7267f54450e8407eb1fe293ce6320a2268e59adbbf60dc74b7901ad1ceaf4591683b8c1dcc154b718b1f33f6ec4c78bdd33b532db98150188148d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVS1940.exe

Filesize
570KB

MD5
48dfb5880c1ade79b599e3591545d62f

SHA1
0ced866332783bd1890054aed16963c8a4f121bf

SHA256
d4e836726ed138f7afc35ceff14bdb8d4efb1c0eb79a4f7d1706d3d60778cd52

SHA512
7912f154f7267f54450e8407eb1fe293ce6320a2268e59adbbf60dc74b7901ad1ceaf4591683b8c1dcc154b718b1f33f6ec4c78bdd33b532db98150188148d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it901687.exe

Filesize
11KB

MD5
5351d5b837b1c194f04c00cdd4af2e8d

SHA1
d82acdc0184300435e358c1733b01701f72fd732

SHA256
4de455193d3dbaf0b0262b2cd3d553da7cd1c314d27e8abb1619447d5cfd0301

SHA512
859b193f058d77f4922fcd8a539fb72146e70e48e0582ce927b5cac95dfd190236ffa92ea35db23bd35a3a6100308fb1a86963a906b420a4c8a303017a5caa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it901687.exe

Filesize
11KB

MD5
5351d5b837b1c194f04c00cdd4af2e8d

SHA1
d82acdc0184300435e358c1733b01701f72fd732

SHA256
4de455193d3dbaf0b0262b2cd3d553da7cd1c314d27e8abb1619447d5cfd0301

SHA512
859b193f058d77f4922fcd8a539fb72146e70e48e0582ce927b5cac95dfd190236ffa92ea35db23bd35a3a6100308fb1a86963a906b420a4c8a303017a5caa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945726.exe

Filesize
588KB

MD5
765f8b90744d5feeca73268929311626

SHA1
a6b2ec27d5165d36d1456743e0a9e8603cc71783

SHA256
b916a2923f0dc77d6594b31b07b8db00d92d1b8861322d0b7e54006c5dbf78a8

SHA512
2095eea792ebe4c9527051f4b57d7a487b76570b03075f13ebed4105188adb6ec4a94322c80e10a6b687264875c0729b576cb03a82ea22e5854cfb494046c3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945726.exe

Filesize
588KB

MD5
765f8b90744d5feeca73268929311626

SHA1
a6b2ec27d5165d36d1456743e0a9e8603cc71783

SHA256
b916a2923f0dc77d6594b31b07b8db00d92d1b8861322d0b7e54006c5dbf78a8

SHA512
2095eea792ebe4c9527051f4b57d7a487b76570b03075f13ebed4105188adb6ec4a94322c80e10a6b687264875c0729b576cb03a82ea22e5854cfb494046c3f3

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1504-2322-0x000000000AC40000-0x000000000ACA6000-memory.dmp

Filesize
408KB

Download
memory/1504-2312-0x0000000001130000-0x0000000001136000-memory.dmp

Filesize
24KB

Download
memory/1504-2311-0x00000000009D0000-0x0000000000A00000-memory.dmp

Filesize
192KB

Download
memory/1504-2321-0x000000000ABA0000-0x000000000AC32000-memory.dmp

Filesize
584KB

Download
memory/1504-2320-0x000000000AA80000-0x000000000AAF6000-memory.dmp

Filesize
472KB

Download
memory/1504-2325-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/1504-2319-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/1504-2314-0x000000000A7D0000-0x000000000A8DA000-memory.dmp

Filesize
1.0MB

Download
memory/1504-2317-0x000000000A8E0000-0x000000000A92B000-memory.dmp

Filesize
300KB

Download
memory/2312-2316-0x0000000004F80000-0x0000000004FBE000-memory.dmp

Filesize
248KB

Download
memory/2312-2315-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/2312-2318-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2312-2313-0x0000000005550000-0x0000000005B56000-memory.dmp

Filesize
6.0MB

Download
memory/2312-2323-0x0000000005EC0000-0x0000000005F10000-memory.dmp

Filesize
320KB

Download
memory/2312-2326-0x0000000006A70000-0x0000000006C32000-memory.dmp

Filesize
1.8MB

Download
memory/2312-2310-0x0000000004EC0000-0x0000000004EC6000-memory.dmp

Filesize
24KB

Download
memory/2312-2324-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2312-2327-0x00000000097F0000-0x0000000009D1C000-memory.dmp

Filesize
5.2MB

Download
memory/2312-2306-0x0000000000610000-0x000000000063E000-memory.dmp

Filesize
184KB

Download
memory/2816-2334-0x0000000002340000-0x000000000237B000-memory.dmp

Filesize
236KB

Download
memory/3948-162-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-182-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-194-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-198-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-196-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-202-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-200-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-206-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-204-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-212-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-216-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-218-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-214-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-210-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-208-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-2297-0x0000000005020000-0x0000000005052000-memory.dmp

Filesize
200KB

Download
memory/3948-2299-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3948-190-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-186-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-188-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-184-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-192-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-180-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-178-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-176-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-174-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-172-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-170-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-166-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-168-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-164-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-160-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-158-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-156-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-155-0x00000000028E0000-0x0000000002940000-memory.dmp

Filesize
384KB

Download
memory/3948-154-0x00000000028E0000-0x0000000002946000-memory.dmp

Filesize
408KB

Download
memory/3948-153-0x0000000005080000-0x000000000557E000-memory.dmp

Filesize
5.0MB

Download
memory/3948-152-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3948-151-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3948-150-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3948-149-0x0000000000A90000-0x0000000000AEB000-memory.dmp

Filesize
364KB

Download
memory/3948-148-0x0000000002870000-0x00000000028D8000-memory.dmp

Filesize
416KB

Download
memory/3976-142-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download