amadey | ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb

Analysis

max time kernel
147s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2023 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe
Size

1.2MB
MD5

24c8abd1d35d74b68004fec5699fee90
SHA1

0ffa9d2d2ab87adf9c89b1e2cbe13afa92f2b7ea
SHA256

ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb
SHA512

f22c5d0f72f560f6a7b82e5bb711509a6a3e6a123359d34698056f46158d77e92372486fe6202c54d71fe23c78485f36d8cc6396afaad3bd950000a64342b2e6
SSDEEP

24576:0yqwyvAZwzb+kFkaSMR5MIFm4mYDltqVSZJskdSjmG6gZh:DqwgzCYf75p1rqVSfp0SG64

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr106304.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr106304.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr106304.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr106304.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr106304.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr106304.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 7 IoCs

Processes:

un615197.exeun884208.exepr106304.exequ903722.exe1.exerk605992.exesi618332.exe

pid process

2264 un615197.exe
2532 un884208.exe
2820 pr106304.exe
4644 qu903722.exe
3520 1.exe
2580 rk605992.exe
4240 si618332.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2264	un615197.exe
2532	un884208.exe
2820	pr106304.exe
4644	qu903722.exe
3520	1.exe
2580	rk605992.exe
4240	si618332.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr106304.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr106304.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr106304.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un884208.exeef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exeun615197.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un884208.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un884208.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un615197.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un615197.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3976	4240	WerFault.exe	si618332.exe
4620	4240	WerFault.exe	si618332.exe
2832	4240	WerFault.exe	si618332.exe
1328	4240	WerFault.exe	si618332.exe
2144	4240	WerFault.exe	si618332.exe
4456	4240	WerFault.exe	si618332.exe
4608	4240	WerFault.exe	si618332.exe
1284	4240	WerFault.exe	si618332.exe
1292	4240	WerFault.exe	si618332.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr106304.exerk605992.exe1.exe

pid process

2820 pr106304.exe
2820 pr106304.exe
2580 rk605992.exe
3520 1.exe
2580 rk605992.exe
3520 1.exe

pid	process
2820	pr106304.exe
2820	pr106304.exe
2580	rk605992.exe
3520	1.exe
2580	rk605992.exe
3520	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pr106304.exequ903722.exe1.exerk605992.exe

description	pid	process
Token: SeDebugPrivilege	2820	pr106304.exe
Token: SeDebugPrivilege	4644	qu903722.exe
Token: SeDebugPrivilege	3520	1.exe
Token: SeDebugPrivilege	2580	rk605992.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

si618332.exe

pid process

4240 si618332.exe

pid	process
4240	si618332.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exeun615197.exeun884208.exequ903722.exe

description	pid	process	target process
PID 1688 wrote to memory of 2264	1688	ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe	un615197.exe
PID 1688 wrote to memory of 2264	1688	ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe	un615197.exe
PID 1688 wrote to memory of 2264	1688	ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe	un615197.exe
PID 2264 wrote to memory of 2532	2264	un615197.exe	un884208.exe
PID 2264 wrote to memory of 2532	2264	un615197.exe	un884208.exe
PID 2264 wrote to memory of 2532	2264	un615197.exe	un884208.exe
PID 2532 wrote to memory of 2820	2532	un884208.exe	pr106304.exe
PID 2532 wrote to memory of 2820	2532	un884208.exe	pr106304.exe
PID 2532 wrote to memory of 2820	2532	un884208.exe	pr106304.exe
PID 2532 wrote to memory of 4644	2532	un884208.exe	qu903722.exe
PID 2532 wrote to memory of 4644	2532	un884208.exe	qu903722.exe
PID 2532 wrote to memory of 4644	2532	un884208.exe	qu903722.exe
PID 4644 wrote to memory of 3520	4644	qu903722.exe	1.exe
PID 4644 wrote to memory of 3520	4644	qu903722.exe	1.exe
PID 4644 wrote to memory of 3520	4644	qu903722.exe	1.exe
PID 2264 wrote to memory of 2580	2264	un615197.exe	rk605992.exe
PID 2264 wrote to memory of 2580	2264	un615197.exe	rk605992.exe
PID 2264 wrote to memory of 2580	2264	un615197.exe	rk605992.exe
PID 1688 wrote to memory of 4240	1688	ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe	si618332.exe
PID 1688 wrote to memory of 4240	1688	ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe	si618332.exe
PID 1688 wrote to memory of 4240	1688	ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe	si618332.exe

C:\Users\Admin\AppData\Local\Temp\ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe
"C:\Users\Admin\AppData\Local\Temp\ef4b347cf7bcedfd164572507e21d4733de10cf14bd1cba44130527da60384bb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un615197.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un615197.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un884208.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un884208.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr106304.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr106304.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu903722.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu903722.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk605992.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk605992.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si618332.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si618332.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 628
    3⤵
    - Program crash
    PID:3976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 704
    3⤵
    - Program crash
    PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 840
    3⤵
    - Program crash
    PID:2832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 852
    3⤵
    - Program crash
    PID:1328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 880
    3⤵
    - Program crash
    PID:2144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 940
    3⤵
    - Program crash
    PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1120
    3⤵
    - Program crash
    PID:4608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1192
    3⤵
    - Program crash
    PID:1284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1168
    3⤵
    - Program crash
    PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si618332.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si618332.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un615197.exe

Filesize
863KB

MD5
be14241eac7c404622d6a21a9a322a44

SHA1
b0f87e5c369fbdd43ac932df4289d59f13f2f06b

SHA256
5b3e89e012e8483c03693e5884269e5982b77a33598934f99de09645d78e9b1f

SHA512
8d2e3e1ad82151d2fd11ee4b29564185b34bee7950d57aa8b0d9ea9cb894acf9d688d54f2b8d955ae3663693df668e810cc98c35c488580fca2981ff2257fe1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un615197.exe

Filesize
863KB

MD5
be14241eac7c404622d6a21a9a322a44

SHA1
b0f87e5c369fbdd43ac932df4289d59f13f2f06b

SHA256
5b3e89e012e8483c03693e5884269e5982b77a33598934f99de09645d78e9b1f

SHA512
8d2e3e1ad82151d2fd11ee4b29564185b34bee7950d57aa8b0d9ea9cb894acf9d688d54f2b8d955ae3663693df668e810cc98c35c488580fca2981ff2257fe1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk605992.exe

Filesize
169KB

MD5
8e0ffcb0d089bec5d291d5e0fbbf0f92

SHA1
1dd37e621e08633886154e5b23e658ea5c655252

SHA256
13948682f5afd9b84ad7f96f3b70e427a5f2a4ae3b31a2324204cf493a7b9905

SHA512
5ad28d0e29e7c85737f82b937a2123f7b6c37f82b4f2f25b16e88bfc765b79dd2465e7005d4b566cf7feb9c5894f7f9dc989f53d7a798092a685e0a1649e8ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk605992.exe

Filesize
169KB

MD5
8e0ffcb0d089bec5d291d5e0fbbf0f92

SHA1
1dd37e621e08633886154e5b23e658ea5c655252

SHA256
13948682f5afd9b84ad7f96f3b70e427a5f2a4ae3b31a2324204cf493a7b9905

SHA512
5ad28d0e29e7c85737f82b937a2123f7b6c37f82b4f2f25b16e88bfc765b79dd2465e7005d4b566cf7feb9c5894f7f9dc989f53d7a798092a685e0a1649e8ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un884208.exe

Filesize
709KB

MD5
dbbbdbbf088014b7c09a3cf3bb1df674

SHA1
df474655c2bccf317202e8dad06b1d74f16bf606

SHA256
ed10f8e5b67e573165aa9aa9905a51382f9e931f8b9703d2d49069655dcc7ce1

SHA512
0750efe0f2715f40c667b87cc49efe2327cfdef27ec5d57719d5f40e6892da11e87a056781f3708ec2e2c4661b17eece80a6d9a1df5ccfa9d7c1d108a6aa5225

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un884208.exe

Filesize
709KB

MD5
dbbbdbbf088014b7c09a3cf3bb1df674

SHA1
df474655c2bccf317202e8dad06b1d74f16bf606

SHA256
ed10f8e5b67e573165aa9aa9905a51382f9e931f8b9703d2d49069655dcc7ce1

SHA512
0750efe0f2715f40c667b87cc49efe2327cfdef27ec5d57719d5f40e6892da11e87a056781f3708ec2e2c4661b17eece80a6d9a1df5ccfa9d7c1d108a6aa5225

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr106304.exe

Filesize
405KB

MD5
b6b4c9a0057c6444005fdad5f49884b8

SHA1
d44c3b1adec3492cc82a0280ff0fcd7593aa41ea

SHA256
8e2a510d5047a4b741af6a02d14093b3f9dc2328a5fe3909f4cfe6ec8104a8e0

SHA512
c3abe4336a9667e65db8795e364476d6a55e23d49b641cb28bde8cdf2492d19ce55945e8d4472df95b8be9137b5e1513cbdaef53ed5749c79e11d6debd7766d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr106304.exe

Filesize
405KB

MD5
b6b4c9a0057c6444005fdad5f49884b8

SHA1
d44c3b1adec3492cc82a0280ff0fcd7593aa41ea

SHA256
8e2a510d5047a4b741af6a02d14093b3f9dc2328a5fe3909f4cfe6ec8104a8e0

SHA512
c3abe4336a9667e65db8795e364476d6a55e23d49b641cb28bde8cdf2492d19ce55945e8d4472df95b8be9137b5e1513cbdaef53ed5749c79e11d6debd7766d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu903722.exe

Filesize
588KB

MD5
0937602153c52bca51b1175d5a828c48

SHA1
202e8407a4984c847697f758b9d18047de42ff6c

SHA256
6034a8977dcbcc6278be461ce4d34c0a5438578e507f9fa8e2756cbad251ab91

SHA512
3359b8f7ecdddbe362534f81ea10271ecaa8d6079761a9d502cfe56b0448434f80a1039311dc17cf83ddbe0617062073cb13dfee608838b2ce015e4cd824fbb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu903722.exe

Filesize
588KB

MD5
0937602153c52bca51b1175d5a828c48

SHA1
202e8407a4984c847697f758b9d18047de42ff6c

SHA256
6034a8977dcbcc6278be461ce4d34c0a5438578e507f9fa8e2756cbad251ab91

SHA512
3359b8f7ecdddbe362534f81ea10271ecaa8d6079761a9d502cfe56b0448434f80a1039311dc17cf83ddbe0617062073cb13dfee608838b2ce015e4cd824fbb5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/2580-2359-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/2580-2349-0x00000000011F0000-0x00000000011F6000-memory.dmp

Filesize
24KB

Download
memory/2580-2347-0x0000000000A00000-0x0000000000A30000-memory.dmp

Filesize
192KB

Download
memory/2580-2352-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/2580-2354-0x00000000053D0000-0x000000000541B000-memory.dmp

Filesize
300KB

Download
memory/2580-2355-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/2580-2357-0x0000000005690000-0x0000000005706000-memory.dmp

Filesize
472KB

Download
memory/2580-2362-0x0000000007C40000-0x000000000816C000-memory.dmp

Filesize
5.2MB

Download
memory/2580-2363-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/2820-166-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-160-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-174-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-176-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-177-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2820-178-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2820-179-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2820-181-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2820-170-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-168-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-162-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-143-0x0000000000B20000-0x0000000000B3A000-memory.dmp

Filesize
104KB

Download
memory/2820-145-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2820-152-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-144-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2820-146-0x0000000004E70000-0x000000000536E000-memory.dmp

Filesize
5.0MB

Download
memory/2820-172-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-164-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-158-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-147-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2820-156-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-148-0x00000000026D0000-0x00000000026E8000-memory.dmp

Filesize
96KB

Download
memory/2820-154-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-149-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2820-150-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3520-2361-0x0000000005F10000-0x00000000060D2000-memory.dmp

Filesize
1.8MB

Download
memory/3520-2353-0x0000000004A10000-0x0000000004A4E000-memory.dmp

Filesize
248KB

Download
memory/3520-2351-0x0000000004BD0000-0x0000000004CDA000-memory.dmp

Filesize
1.0MB

Download
memory/3520-2350-0x00000000050D0000-0x00000000056D6000-memory.dmp

Filesize
6.0MB

Download
memory/3520-2348-0x0000000000840000-0x0000000000846000-memory.dmp

Filesize
24KB

Download
memory/3520-2356-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/3520-2358-0x0000000004E80000-0x0000000004F12000-memory.dmp

Filesize
584KB

Download
memory/3520-2360-0x0000000005BF0000-0x0000000005C40000-memory.dmp

Filesize
320KB

Download
memory/3520-2364-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/3520-2343-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/4240-2371-0x0000000002470000-0x00000000024AB000-memory.dmp

Filesize
236KB

Download
memory/4644-195-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/4644-2336-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/4644-2334-0x00000000027B0000-0x00000000027E2000-memory.dmp

Filesize
200KB

Download
memory/4644-225-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-223-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-221-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-219-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-217-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-215-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-213-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-211-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-209-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-207-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-205-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-194-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-203-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-197-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/4644-201-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-199-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/4644-198-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-193-0x00000000009C0000-0x0000000000A1B000-memory.dmp

Filesize
364KB

Download
memory/4644-191-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-189-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-188-0x00000000054C0000-0x0000000005520000-memory.dmp

Filesize
384KB

Download
memory/4644-187-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/4644-186-0x0000000004F10000-0x0000000004F78000-memory.dmp

Filesize
416KB

Download