amadey | b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3

Analysis

max time kernel
149s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2023 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe
Size

1.0MB
MD5

3951b6877c31c6de9d31da5aac42058e
SHA1

e41fa06c0aefb1bf4b629fcbf1eb517bb3a204b7
SHA256

b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3
SHA512

8ce5e6ea372d376245d7ad9de53cbbd8a4f926173ecaf9d81ed45bf21c2c9f6d05cfdd2f1f27729d86d57d6db83dc9c29976fa5db0fb2869d3f39a11e09d510a
SSDEEP

24576:xyd6v2au+MGwons9M/EWola7ozKSvJjRE1PAGjTyRyign:k8O+Qo6MNMzKShdE1nIh

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it911365.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it911365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it911365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it911365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it911365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it911365.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 7 IoCs

Processes:

zido4038.exezihx2108.exeit911365.exejr078113.exe1.exekp694763.exelr294971.exe

pid process

4280 zido4038.exe
4612 zihx2108.exe
4960 it911365.exe
1460 jr078113.exe
2528 1.exe
2284 kp694763.exe
2692 lr294971.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it911365.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it911365.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4280	zido4038.exe
4612	zihx2108.exe
4960	it911365.exe
1460	jr078113.exe
2528	1.exe
2284	kp694763.exe
2692	lr294971.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it911365.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exezido4038.exezihx2108.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zido4038.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zido4038.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zihx2108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zihx2108.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2680	2692	WerFault.exe	lr294971.exe
4180	2692	WerFault.exe	lr294971.exe
3620	2692	WerFault.exe	lr294971.exe
4628	2692	WerFault.exe	lr294971.exe
3636	2692	WerFault.exe	lr294971.exe
1736	2692	WerFault.exe	lr294971.exe
2172	2692	WerFault.exe	lr294971.exe
3828	2692	WerFault.exe	lr294971.exe
3804	2692	WerFault.exe	lr294971.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it911365.exe1.exekp694763.exe

pid process

4960 it911365.exe
4960 it911365.exe
2528 1.exe
2284 kp694763.exe
2284 kp694763.exe
2528 1.exe

pid	process
4960	it911365.exe
4960	it911365.exe
2528	1.exe
2284	kp694763.exe
2284	kp694763.exe
2528	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

it911365.exejr078113.exe1.exekp694763.exe

description	pid	process
Token: SeDebugPrivilege	4960	it911365.exe
Token: SeDebugPrivilege	1460	jr078113.exe
Token: SeDebugPrivilege	2528	1.exe
Token: SeDebugPrivilege	2284	kp694763.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lr294971.exe

pid process

2692 lr294971.exe

pid	process
2692	lr294971.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exezido4038.exezihx2108.exejr078113.exe

description	pid	process	target process
PID 4264 wrote to memory of 4280	4264	b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe	zido4038.exe
PID 4264 wrote to memory of 4280	4264	b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe	zido4038.exe
PID 4264 wrote to memory of 4280	4264	b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe	zido4038.exe
PID 4280 wrote to memory of 4612	4280	zido4038.exe	zihx2108.exe
PID 4280 wrote to memory of 4612	4280	zido4038.exe	zihx2108.exe
PID 4280 wrote to memory of 4612	4280	zido4038.exe	zihx2108.exe
PID 4612 wrote to memory of 4960	4612	zihx2108.exe	it911365.exe
PID 4612 wrote to memory of 4960	4612	zihx2108.exe	it911365.exe
PID 4612 wrote to memory of 1460	4612	zihx2108.exe	jr078113.exe
PID 4612 wrote to memory of 1460	4612	zihx2108.exe	jr078113.exe
PID 4612 wrote to memory of 1460	4612	zihx2108.exe	jr078113.exe
PID 1460 wrote to memory of 2528	1460	jr078113.exe	1.exe
PID 1460 wrote to memory of 2528	1460	jr078113.exe	1.exe
PID 1460 wrote to memory of 2528	1460	jr078113.exe	1.exe
PID 4280 wrote to memory of 2284	4280	zido4038.exe	kp694763.exe
PID 4280 wrote to memory of 2284	4280	zido4038.exe	kp694763.exe
PID 4280 wrote to memory of 2284	4280	zido4038.exe	kp694763.exe
PID 4264 wrote to memory of 2692	4264	b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe	lr294971.exe
PID 4264 wrote to memory of 2692	4264	b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe	lr294971.exe
PID 4264 wrote to memory of 2692	4264	b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe	lr294971.exe

C:\Users\Admin\AppData\Local\Temp\b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe
"C:\Users\Admin\AppData\Local\Temp\b1600c947e9f6b98eda0e41c89bf807ad449a0176407dab8edc6e98b47d0fdd3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zido4038.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zido4038.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihx2108.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihx2108.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911365.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911365.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr078113.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr078113.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694763.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694763.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr294971.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr294971.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 628
    3⤵
    - Program crash
    PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 704
    3⤵
    - Program crash
    PID:4180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 844
    3⤵
    - Program crash
    PID:3620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 852
    3⤵
    - Program crash
    PID:4628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 892
    3⤵
    - Program crash
    PID:3636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 908
    3⤵
    - Program crash
    PID:1736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1120
    3⤵
    - Program crash
    PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1148
    3⤵
    - Program crash
    PID:3828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1096
    3⤵
    - Program crash
    PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr294971.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr294971.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zido4038.exe

Filesize
723KB

MD5
d5d874512e2bc4bb277af698017ef706

SHA1
b1a1240a31ae12f98918147f775700e6c10be510

SHA256
4ac465140e5a42ffe7b53f7beabd8bdd75567ec3af8557650902f03297408bd3

SHA512
e71feb7446819be63bfcc53e621971a9e0d2d5f88f133cbdc86acc4cbb2a29eeb2537bee47c9c4f04784bb2d6efb130042379393874b0eab1bad2daad97eb5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zido4038.exe

Filesize
723KB

MD5
d5d874512e2bc4bb277af698017ef706

SHA1
b1a1240a31ae12f98918147f775700e6c10be510

SHA256
4ac465140e5a42ffe7b53f7beabd8bdd75567ec3af8557650902f03297408bd3

SHA512
e71feb7446819be63bfcc53e621971a9e0d2d5f88f133cbdc86acc4cbb2a29eeb2537bee47c9c4f04784bb2d6efb130042379393874b0eab1bad2daad97eb5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694763.exe

Filesize
169KB

MD5
94dbc677f498c11c05f997d3525e8c02

SHA1
de651918ef7923a425f1e493ce5bfd261a872884

SHA256
793ed19f51ac59ff0092b145e4e9170e93199787a20686c55321d36c4fd188b7

SHA512
2c797cd32bcae69e7a13515077389965ad2d230f12f03ec4a2bf5f21afa153481bd2d02c7ecb09c6ca618abb5f4f944abb58298eed72195caae110b4a982d43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694763.exe

Filesize
169KB

MD5
94dbc677f498c11c05f997d3525e8c02

SHA1
de651918ef7923a425f1e493ce5bfd261a872884

SHA256
793ed19f51ac59ff0092b145e4e9170e93199787a20686c55321d36c4fd188b7

SHA512
2c797cd32bcae69e7a13515077389965ad2d230f12f03ec4a2bf5f21afa153481bd2d02c7ecb09c6ca618abb5f4f944abb58298eed72195caae110b4a982d43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihx2108.exe

Filesize
569KB

MD5
898d6afd145cc94e29be0ff68288ade2

SHA1
39bce7811960d1077bd93d6d82b3bfbbda3f9d0d

SHA256
6725b688371e5a114e61fb03c55f94a041d42ba49dfc5a813e8a744ad943666d

SHA512
66cf6aa23486cd563327ac92bdc7baa9ed9bf20599c7fc6c89e53454ab4a2ef45f6d5b824703a57b96fecd84df10ff8bf7e3915e812ae1cdcae556df26c37c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihx2108.exe

Filesize
569KB

MD5
898d6afd145cc94e29be0ff68288ade2

SHA1
39bce7811960d1077bd93d6d82b3bfbbda3f9d0d

SHA256
6725b688371e5a114e61fb03c55f94a041d42ba49dfc5a813e8a744ad943666d

SHA512
66cf6aa23486cd563327ac92bdc7baa9ed9bf20599c7fc6c89e53454ab4a2ef45f6d5b824703a57b96fecd84df10ff8bf7e3915e812ae1cdcae556df26c37c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911365.exe

Filesize
11KB

MD5
4759c87cb8aae3b368ce489ed3888406

SHA1
428b9a715af61d129a9a86145884f344a557f1aa

SHA256
48ebc806315e6f54059fd03b98c5c853e0e3a457b1f1d8dc6fa61f57470b7f62

SHA512
e8b16bbc37b67efcbee78d2085487f57d909e4e84160e6fbef838a403f5642d86b330db35ea0887b89629176ed684a8d2c4ef76a32724dbb4b35aead6ef16d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911365.exe

Filesize
11KB

MD5
4759c87cb8aae3b368ce489ed3888406

SHA1
428b9a715af61d129a9a86145884f344a557f1aa

SHA256
48ebc806315e6f54059fd03b98c5c853e0e3a457b1f1d8dc6fa61f57470b7f62

SHA512
e8b16bbc37b67efcbee78d2085487f57d909e4e84160e6fbef838a403f5642d86b330db35ea0887b89629176ed684a8d2c4ef76a32724dbb4b35aead6ef16d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr078113.exe

Filesize
588KB

MD5
a6f26848afe6de730a49442241bc4c85

SHA1
07ccf6545d17a3fc5c623a907d1ecf6926e9c44b

SHA256
fabc427c85659e9de01ddd2357b34517fe43b6efc93c5cdeead1d8e7a83b09ed

SHA512
22c0a25d867923c714a8a3d1241aa5d96a4fc879fdb1678d3deda0fa33566c3edecc8a7c8e414d5d030640487c01ac1b0457b44943d4ad97e3b5557c2eb7f31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr078113.exe

Filesize
588KB

MD5
a6f26848afe6de730a49442241bc4c85

SHA1
07ccf6545d17a3fc5c623a907d1ecf6926e9c44b

SHA256
fabc427c85659e9de01ddd2357b34517fe43b6efc93c5cdeead1d8e7a83b09ed

SHA512
22c0a25d867923c714a8a3d1241aa5d96a4fc879fdb1678d3deda0fa33566c3edecc8a7c8e414d5d030640487c01ac1b0457b44943d4ad97e3b5557c2eb7f31f

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1460-196-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-210-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-153-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-154-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-156-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-158-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-160-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-162-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-164-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-166-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-168-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-170-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-172-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-174-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-176-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-178-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-180-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-182-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-184-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-186-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-188-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-190-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-192-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-194-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-151-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/1460-198-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-200-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-202-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-204-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-206-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-208-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-152-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/1460-212-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-214-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-216-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/1460-2295-0x0000000005770000-0x00000000057A2000-memory.dmp

Filesize
200KB

Download
memory/1460-150-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/1460-149-0x0000000002370000-0x00000000023CB000-memory.dmp

Filesize
364KB

Download
memory/1460-148-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/1460-147-0x0000000005060000-0x000000000555E000-memory.dmp

Filesize
5.0MB

Download
memory/1460-146-0x0000000002900000-0x0000000002968000-memory.dmp

Filesize
416KB

Download
memory/2284-2321-0x000000000C0B0000-0x000000000C5DC000-memory.dmp

Filesize
5.2MB

Download
memory/2284-2324-0x000000000B860000-0x000000000B8B0000-memory.dmp

Filesize
320KB

Download
memory/2284-2309-0x0000000002400000-0x0000000002406000-memory.dmp

Filesize
24KB

Download
memory/2284-2310-0x000000000A6D0000-0x000000000ACD6000-memory.dmp

Filesize
6.0MB

Download
memory/2284-2311-0x000000000A1D0000-0x000000000A2DA000-memory.dmp

Filesize
1.0MB

Download
memory/2284-2308-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/2284-2313-0x000000000A160000-0x000000000A19E000-memory.dmp

Filesize
248KB

Download
memory/2284-2314-0x000000000A2E0000-0x000000000A32B000-memory.dmp

Filesize
300KB

Download
memory/2284-2323-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/2284-2316-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/2284-2317-0x000000000A480000-0x000000000A4F6000-memory.dmp

Filesize
472KB

Download
memory/2528-2312-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2528-2319-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/2528-2320-0x0000000006200000-0x00000000063C2000-memory.dmp

Filesize
1.8MB

Download
memory/2528-2318-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/2528-2322-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2528-2315-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2528-2307-0x0000000004C60000-0x0000000004C66000-memory.dmp

Filesize
24KB

Download
memory/2528-2304-0x00000000004B0000-0x00000000004DE000-memory.dmp

Filesize
184KB

Download
memory/2692-2331-0x0000000000960000-0x000000000099B000-memory.dmp

Filesize
236KB

Download
memory/4960-140-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download