amadey | faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7

Analysis

max time kernel
145s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2023 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe
Size

1.0MB
MD5

65a43551cbfcaec88d2106aa2ca0e9bc
SHA1

c285067684e451b5ec4717874bccaaa49ac04e0f
SHA256

faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7
SHA512

7457df9983fc2b608fbdca40212b536d01e7e11dd6e4372acd05ef999f8eefd60f0d495afc9583d12c9991a495c59027ff28ca3e5b9c4280b38c7926b38e1b1c
SSDEEP

24576:Ty0/Ar3TGc19d4ZkvmhUEenDIrvTqecQQp9Uy:m0/Art19d1OhgevTixp9

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it240687.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it240687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it240687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it240687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it240687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it240687.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 7 IoCs

Processes:

ziyk2649.exeziSN3977.exeit240687.exejr892986.exe1.exekp256707.exelr229769.exe

pid process

3668 ziyk2649.exe
4700 ziSN3977.exe
4284 it240687.exe
2872 jr892986.exe
3912 1.exe
1520 kp256707.exe
2040 lr229769.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it240687.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it240687.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3668	ziyk2649.exe
4700	ziSN3977.exe
4284	it240687.exe
2872	jr892986.exe
3912	1.exe
1520	kp256707.exe
2040	lr229769.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it240687.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ziyk2649.exeziSN3977.exefaa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziyk2649.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziSN3977.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziSN3977.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziyk2649.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2340	2040	WerFault.exe	lr229769.exe
3988	2040	WerFault.exe	lr229769.exe
4684	2040	WerFault.exe	lr229769.exe
4692	2040	WerFault.exe	lr229769.exe
4184	2040	WerFault.exe	lr229769.exe
2524	2040	WerFault.exe	lr229769.exe
4284	2040	WerFault.exe	lr229769.exe
4724	2040	WerFault.exe	lr229769.exe
4844	2040	WerFault.exe	lr229769.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it240687.exekp256707.exe1.exe

pid process

4284 it240687.exe
4284 it240687.exe
1520 kp256707.exe
3912 1.exe
3912 1.exe
1520 kp256707.exe

pid	process
4284	it240687.exe
4284	it240687.exe
1520	kp256707.exe
3912	1.exe
3912	1.exe
1520	kp256707.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

it240687.exejr892986.exekp256707.exe1.exe

description	pid	process
Token: SeDebugPrivilege	4284	it240687.exe
Token: SeDebugPrivilege	2872	jr892986.exe
Token: SeDebugPrivilege	1520	kp256707.exe
Token: SeDebugPrivilege	3912	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lr229769.exe

pid process

2040 lr229769.exe

pid	process
2040	lr229769.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exeziyk2649.exeziSN3977.exejr892986.exe

description	pid	process	target process
PID 2968 wrote to memory of 3668	2968	faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe	ziyk2649.exe
PID 2968 wrote to memory of 3668	2968	faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe	ziyk2649.exe
PID 2968 wrote to memory of 3668	2968	faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe	ziyk2649.exe
PID 3668 wrote to memory of 4700	3668	ziyk2649.exe	ziSN3977.exe
PID 3668 wrote to memory of 4700	3668	ziyk2649.exe	ziSN3977.exe
PID 3668 wrote to memory of 4700	3668	ziyk2649.exe	ziSN3977.exe
PID 4700 wrote to memory of 4284	4700	ziSN3977.exe	it240687.exe
PID 4700 wrote to memory of 4284	4700	ziSN3977.exe	it240687.exe
PID 4700 wrote to memory of 2872	4700	ziSN3977.exe	jr892986.exe
PID 4700 wrote to memory of 2872	4700	ziSN3977.exe	jr892986.exe
PID 4700 wrote to memory of 2872	4700	ziSN3977.exe	jr892986.exe
PID 2872 wrote to memory of 3912	2872	jr892986.exe	1.exe
PID 2872 wrote to memory of 3912	2872	jr892986.exe	1.exe
PID 2872 wrote to memory of 3912	2872	jr892986.exe	1.exe
PID 3668 wrote to memory of 1520	3668	ziyk2649.exe	kp256707.exe
PID 3668 wrote to memory of 1520	3668	ziyk2649.exe	kp256707.exe
PID 3668 wrote to memory of 1520	3668	ziyk2649.exe	kp256707.exe
PID 2968 wrote to memory of 2040	2968	faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe	lr229769.exe
PID 2968 wrote to memory of 2040	2968	faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe	lr229769.exe
PID 2968 wrote to memory of 2040	2968	faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe	lr229769.exe

C:\Users\Admin\AppData\Local\Temp\faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe
"C:\Users\Admin\AppData\Local\Temp\faa7c0017112b51acfc2e2983298622adb49598cbc95dea7743185845cf619d7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyk2649.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyk2649.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziSN3977.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziSN3977.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it240687.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it240687.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr892986.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr892986.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp256707.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp256707.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr229769.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr229769.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 628
    3⤵
    - Program crash
    PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 704
    3⤵
    - Program crash
    PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 844
    3⤵
    - Program crash
    PID:4684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 856
    3⤵
    - Program crash
    PID:4692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 880
    3⤵
    - Program crash
    PID:4184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 892
    3⤵
    - Program crash
    PID:2524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1120
    3⤵
    - Program crash
    PID:4284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1152
    3⤵
    - Program crash
    PID:4724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1080
    3⤵
    - Program crash
    PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr229769.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr229769.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyk2649.exe

Filesize
723KB

MD5
23bfa8249a4f2f5933d05dd316a0ce14

SHA1
33ddf7ad2106a1690cb32b0c1a4541c915ea2349

SHA256
8a4cc675fb641859267ae8db515c462eb4f13a9b323c268c127eb47f04174e90

SHA512
e0c89d07756c2164eb48a55ab4010593bd76a3a666e4d4fef79b232b49b98cb1df764964c4bec39ada5b4b6eb50788bddd0aa926d3d0af01ee1576ab7da863fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyk2649.exe

Filesize
723KB

MD5
23bfa8249a4f2f5933d05dd316a0ce14

SHA1
33ddf7ad2106a1690cb32b0c1a4541c915ea2349

SHA256
8a4cc675fb641859267ae8db515c462eb4f13a9b323c268c127eb47f04174e90

SHA512
e0c89d07756c2164eb48a55ab4010593bd76a3a666e4d4fef79b232b49b98cb1df764964c4bec39ada5b4b6eb50788bddd0aa926d3d0af01ee1576ab7da863fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp256707.exe

Filesize
169KB

MD5
0d2108ebdbdd7532cdceee438e9775a0

SHA1
3bd38f5a007dbc6b3a9b89351b2d010eb3ed1a8a

SHA256
2485ab543d6ea9c687cec3a8f8c02cba5078e7ec13007d56b6dbfcb4cb76c653

SHA512
316fd1297517884fca86945d557a9ef9885793c6ec2e2313dfa2de30c831866aa7d9f9479c22a72c3ea97f3d703542b5bdc8f42e7a5825256376e5dc06bf1c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp256707.exe

Filesize
169KB

MD5
0d2108ebdbdd7532cdceee438e9775a0

SHA1
3bd38f5a007dbc6b3a9b89351b2d010eb3ed1a8a

SHA256
2485ab543d6ea9c687cec3a8f8c02cba5078e7ec13007d56b6dbfcb4cb76c653

SHA512
316fd1297517884fca86945d557a9ef9885793c6ec2e2313dfa2de30c831866aa7d9f9479c22a72c3ea97f3d703542b5bdc8f42e7a5825256376e5dc06bf1c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziSN3977.exe

Filesize
569KB

MD5
f57a7adf01f3f1d4247304d5e6d21c15

SHA1
a88c1e273c70905ece37d2738298ee60fb1c47d1

SHA256
b4d62565f31d5c72d303f8bded3c65dc660509920d9090a4cf9ad8edd5a5f04f

SHA512
ca4a0a2246b74d2cdaa55f36d0f4f809eafb322201d674eba7f1add770f07b2824a96c398657c2c21ff70264543ffd9b99fe7f8a57827b0a65fcc36e2f105c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziSN3977.exe

Filesize
569KB

MD5
f57a7adf01f3f1d4247304d5e6d21c15

SHA1
a88c1e273c70905ece37d2738298ee60fb1c47d1

SHA256
b4d62565f31d5c72d303f8bded3c65dc660509920d9090a4cf9ad8edd5a5f04f

SHA512
ca4a0a2246b74d2cdaa55f36d0f4f809eafb322201d674eba7f1add770f07b2824a96c398657c2c21ff70264543ffd9b99fe7f8a57827b0a65fcc36e2f105c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it240687.exe

Filesize
11KB

MD5
0275292746345cf1d25eb98e85a1e303

SHA1
44ae85bf3d04c671b24ecf1f2443d2616250597a

SHA256
7093677c45f9bca8be3607ec1fcbe23f81a9c64ace7d8d4b2dfcd829aa2ef95b

SHA512
8fa68da3d52c93ee6406641f700c369edab62179c1a22eba49e7dfe33d7a7a93a7c38c1b9064b30d732fb22e570a409a0e22222f3c6468b13f9570f6075fd1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it240687.exe

Filesize
11KB

MD5
0275292746345cf1d25eb98e85a1e303

SHA1
44ae85bf3d04c671b24ecf1f2443d2616250597a

SHA256
7093677c45f9bca8be3607ec1fcbe23f81a9c64ace7d8d4b2dfcd829aa2ef95b

SHA512
8fa68da3d52c93ee6406641f700c369edab62179c1a22eba49e7dfe33d7a7a93a7c38c1b9064b30d732fb22e570a409a0e22222f3c6468b13f9570f6075fd1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr892986.exe

Filesize
588KB

MD5
7f1333f9725565236494650f846d6ce3

SHA1
6d99ab18350127fbc66ef35836ecac9a4b7a43aa

SHA256
289f5d571fc47735b0386c5828013a02b8b13de26ce51d324927c4a0914ee4a3

SHA512
4094cc8ae14651366e4529e370214ef6084f5826ceebfe491215cba5dd2f06c8345e09c8ade87d9f997d75e6825731bba31fc9354e4763f9e72ab53632a67ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr892986.exe

Filesize
588KB

MD5
7f1333f9725565236494650f846d6ce3

SHA1
6d99ab18350127fbc66ef35836ecac9a4b7a43aa

SHA256
289f5d571fc47735b0386c5828013a02b8b13de26ce51d324927c4a0914ee4a3

SHA512
4094cc8ae14651366e4529e370214ef6084f5826ceebfe491215cba5dd2f06c8345e09c8ade87d9f997d75e6825731bba31fc9354e4763f9e72ab53632a67ef4

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1520-2314-0x000000000A880000-0x000000000A892000-memory.dmp

Filesize
72KB

Download
memory/1520-2321-0x000000000ADC0000-0x000000000AE26000-memory.dmp

Filesize
408KB

Download
memory/1520-2317-0x000000000A8E0000-0x000000000A91E000-memory.dmp

Filesize
248KB

Download
memory/1520-2315-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/1520-2322-0x000000000B900000-0x000000000B950000-memory.dmp

Filesize
320KB

Download
memory/1520-2313-0x000000000A950000-0x000000000AA5A000-memory.dmp

Filesize
1.0MB

Download
memory/1520-2311-0x0000000001330000-0x0000000001336000-memory.dmp

Filesize
24KB

Download
memory/1520-2310-0x0000000000B50000-0x0000000000B80000-memory.dmp

Filesize
192KB

Download
memory/1520-2323-0x000000000C160000-0x000000000C322000-memory.dmp

Filesize
1.8MB

Download
memory/1520-2324-0x000000000C860000-0x000000000CD8C000-memory.dmp

Filesize
5.2MB

Download
memory/1520-2325-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/2040-2333-0x0000000000960000-0x000000000099B000-memory.dmp

Filesize
236KB

Download
memory/2872-198-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-170-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-178-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-180-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-184-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-182-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-186-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-188-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-190-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-192-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-194-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-196-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-174-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-200-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-202-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-204-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-206-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-208-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-210-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-212-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-214-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-216-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-218-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-2297-0x0000000002940000-0x0000000002972000-memory.dmp

Filesize
200KB

Download
memory/2872-172-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-176-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-148-0x00000000028A0000-0x0000000002908000-memory.dmp

Filesize
416KB

Download
memory/2872-168-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-166-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-164-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-149-0x0000000000880000-0x00000000008DB000-memory.dmp

Filesize
364KB

Download
memory/2872-162-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-150-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/2872-160-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-158-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-156-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-154-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/2872-155-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2872-153-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/2872-151-0x0000000004FE0000-0x00000000054DE000-memory.dmp

Filesize
5.0MB

Download
memory/2872-152-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/3912-2320-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/3912-2319-0x0000000005490000-0x0000000005506000-memory.dmp

Filesize
472KB

Download
memory/3912-2318-0x00000000051C0000-0x000000000520B000-memory.dmp

Filesize
300KB

Download
memory/3912-2316-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/3912-2312-0x00000000057D0000-0x0000000005DD6000-memory.dmp

Filesize
6.0MB

Download
memory/3912-2326-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/3912-2309-0x0000000001210000-0x0000000001216000-memory.dmp

Filesize
24KB

Download
memory/3912-2305-0x0000000000800000-0x000000000082E000-memory.dmp

Filesize
184KB

Download
memory/4284-142-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download