amadey | 666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528

Analysis

max time kernel
147s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2023 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe
Size

1.0MB
MD5

4241ef02aad0d488b5bd30dea0d5bc86
SHA1

f2067606f267d3d1c244212db7b00c8823aa0158
SHA256

666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528
SHA512

d1a446f3cbd5a883518d6367cbca892e30ffc24e5e379e05b266c6e2e40913a2c26ebafb51c81ad8051c170dcf51dd9d2ad8277d4b309ffb7ed63e5633bcae73
SSDEEP

24576:TyufLCnop1UOAtywhgVb7xLuAJ7UXyKstruurWBJlay:muDCojUOAYwgXuEIFssurWP

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it587221.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it587221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it587221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it587221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it587221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it587221.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 7 IoCs

Processes:

ziEY1388.exeziVY4870.exeit587221.exejr560860.exe1.exekp345832.exelr503276.exe

pid process

2612 ziEY1388.exe
4176 ziVY4870.exe
3376 it587221.exe
2636 jr560860.exe
4372 1.exe
2644 kp345832.exe
3608 lr503276.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it587221.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it587221.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2612	ziEY1388.exe
4176	ziVY4870.exe
3376	it587221.exe
2636	jr560860.exe
4372	1.exe
2644	kp345832.exe
3608	lr503276.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it587221.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exeziEY1388.exeziVY4870.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziEY1388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziEY1388.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziVY4870.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziVY4870.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4628	3608	WerFault.exe	lr503276.exe
372	3608	WerFault.exe	lr503276.exe
3744	3608	WerFault.exe	lr503276.exe
2572	3608	WerFault.exe	lr503276.exe
4708	3608	WerFault.exe	lr503276.exe
1548	3608	WerFault.exe	lr503276.exe
1384	3608	WerFault.exe	lr503276.exe
4624	3608	WerFault.exe	lr503276.exe
3776	3608	WerFault.exe	lr503276.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it587221.exekp345832.exe1.exe

pid process

3376 it587221.exe
3376 it587221.exe
2644 kp345832.exe
4372 1.exe
4372 1.exe
2644 kp345832.exe

pid	process
3376	it587221.exe
3376	it587221.exe
2644	kp345832.exe
4372	1.exe
4372	1.exe
2644	kp345832.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

it587221.exejr560860.exekp345832.exe1.exe

description	pid	process
Token: SeDebugPrivilege	3376	it587221.exe
Token: SeDebugPrivilege	2636	jr560860.exe
Token: SeDebugPrivilege	2644	kp345832.exe
Token: SeDebugPrivilege	4372	1.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exeziEY1388.exeziVY4870.exejr560860.exe

description	pid	process	target process
PID 2896 wrote to memory of 2612	2896	666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe	ziEY1388.exe
PID 2896 wrote to memory of 2612	2896	666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe	ziEY1388.exe
PID 2896 wrote to memory of 2612	2896	666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe	ziEY1388.exe
PID 2612 wrote to memory of 4176	2612	ziEY1388.exe	ziVY4870.exe
PID 2612 wrote to memory of 4176	2612	ziEY1388.exe	ziVY4870.exe
PID 2612 wrote to memory of 4176	2612	ziEY1388.exe	ziVY4870.exe
PID 4176 wrote to memory of 3376	4176	ziVY4870.exe	it587221.exe
PID 4176 wrote to memory of 3376	4176	ziVY4870.exe	it587221.exe
PID 4176 wrote to memory of 2636	4176	ziVY4870.exe	jr560860.exe
PID 4176 wrote to memory of 2636	4176	ziVY4870.exe	jr560860.exe
PID 4176 wrote to memory of 2636	4176	ziVY4870.exe	jr560860.exe
PID 2636 wrote to memory of 4372	2636	jr560860.exe	1.exe
PID 2636 wrote to memory of 4372	2636	jr560860.exe	1.exe
PID 2636 wrote to memory of 4372	2636	jr560860.exe	1.exe
PID 2612 wrote to memory of 2644	2612	ziEY1388.exe	kp345832.exe
PID 2612 wrote to memory of 2644	2612	ziEY1388.exe	kp345832.exe
PID 2612 wrote to memory of 2644	2612	ziEY1388.exe	kp345832.exe
PID 2896 wrote to memory of 3608	2896	666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe	lr503276.exe
PID 2896 wrote to memory of 3608	2896	666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe	lr503276.exe
PID 2896 wrote to memory of 3608	2896	666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe	lr503276.exe

C:\Users\Admin\AppData\Local\Temp\666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe
"C:\Users\Admin\AppData\Local\Temp\666bd70dbb9f80016483ce571e316086eeceb490313b0a52fe150acee2494528.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEY1388.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEY1388.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVY4870.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVY4870.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it587221.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it587221.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr560860.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr560860.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp345832.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp345832.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr503276.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr503276.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 632
    3⤵
    - Program crash
    PID:4628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 708
    3⤵
    - Program crash
    PID:372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 804
    3⤵
    - Program crash
    PID:3744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 856
    3⤵
    - Program crash
    PID:2572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 884
    3⤵
    - Program crash
    PID:4708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 904
    3⤵
    - Program crash
    PID:1548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1128
    3⤵
    - Program crash
    PID:1384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1184
    3⤵
    - Program crash
    PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1164
    3⤵
    - Program crash
    PID:3776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr503276.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr503276.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEY1388.exe

Filesize
722KB

MD5
d1969c38c13a82b73c59574ab2732fd7

SHA1
4896b33b9ca42c2ccfc58aa83755153e5b9b6131

SHA256
b16b3cdf33fd3afc6740494bb8d7479462c6ef25614d08d693c7e397b6fc0238

SHA512
73fc6b68e817c92f49f5e6206b1db615e728a4f1ed2823041ba064b402a6c6fb9cf34e39e235d4fa291205041b16ab06bed8f4292d54d612e20dac89d45166ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEY1388.exe

Filesize
722KB

MD5
d1969c38c13a82b73c59574ab2732fd7

SHA1
4896b33b9ca42c2ccfc58aa83755153e5b9b6131

SHA256
b16b3cdf33fd3afc6740494bb8d7479462c6ef25614d08d693c7e397b6fc0238

SHA512
73fc6b68e817c92f49f5e6206b1db615e728a4f1ed2823041ba064b402a6c6fb9cf34e39e235d4fa291205041b16ab06bed8f4292d54d612e20dac89d45166ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp345832.exe

Filesize
169KB

MD5
6714078ff372ab127874f0620a039ed5

SHA1
d58be6c60523178af06baed5871440c88dfce478

SHA256
fd5bf202b39ae7513d76cf27902f8c47d0163e5f1505e43ecd3342298e93d755

SHA512
b70827167eafd191d7fa5879be020607d9c35fb670dd7c65e586d844c261f72b55e0798bbe2d73f2daa3c8dd8570f2a2a8d97dfb29d19b0b33eb9c1d26f9f347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp345832.exe

Filesize
169KB

MD5
6714078ff372ab127874f0620a039ed5

SHA1
d58be6c60523178af06baed5871440c88dfce478

SHA256
fd5bf202b39ae7513d76cf27902f8c47d0163e5f1505e43ecd3342298e93d755

SHA512
b70827167eafd191d7fa5879be020607d9c35fb670dd7c65e586d844c261f72b55e0798bbe2d73f2daa3c8dd8570f2a2a8d97dfb29d19b0b33eb9c1d26f9f347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVY4870.exe

Filesize
569KB

MD5
97744d0bf84a969e3791a5004b111669

SHA1
866e2dfc5ce825c1cf56e1fffd0d94200db6fcdd

SHA256
9060b6ee4dcb6daafe23fc0aeca92463ef70787e75990816db3eae1e26af843b

SHA512
32e1f1e16d89ff203ed86779999772763e9247f89a9a0650aa10622863d3dd98608fbffd3498dc0d11f356ab8ddead0ea4d8508264eea9081265fab57030fa5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVY4870.exe

Filesize
569KB

MD5
97744d0bf84a969e3791a5004b111669

SHA1
866e2dfc5ce825c1cf56e1fffd0d94200db6fcdd

SHA256
9060b6ee4dcb6daafe23fc0aeca92463ef70787e75990816db3eae1e26af843b

SHA512
32e1f1e16d89ff203ed86779999772763e9247f89a9a0650aa10622863d3dd98608fbffd3498dc0d11f356ab8ddead0ea4d8508264eea9081265fab57030fa5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it587221.exe

Filesize
11KB

MD5
20454f7830ca57a933dbbf80408bc954

SHA1
df86e9a8df4f6e0482ef9660b6e121b9ebdaadab

SHA256
4e19cd4c9ddea63202b1f3acdd1d0dc05561a32515a63eaf5e50971fba057cc9

SHA512
5d68f22ecddf91515ecd9212795efb920da68bcdea87f410e3005b5d54f0c26543920667ee980bfc2977258c87b1cb64825086db62c473c4a76fd06e66747d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it587221.exe

Filesize
11KB

MD5
20454f7830ca57a933dbbf80408bc954

SHA1
df86e9a8df4f6e0482ef9660b6e121b9ebdaadab

SHA256
4e19cd4c9ddea63202b1f3acdd1d0dc05561a32515a63eaf5e50971fba057cc9

SHA512
5d68f22ecddf91515ecd9212795efb920da68bcdea87f410e3005b5d54f0c26543920667ee980bfc2977258c87b1cb64825086db62c473c4a76fd06e66747d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr560860.exe

Filesize
587KB

MD5
1411c9158ed43abce7c20885a043e243

SHA1
5d1b9e1edad71ffa7803ddaa79939a8395b78b22

SHA256
900b5ccd348c29ad83627395d9b071a9db8efddddf72e77ce9f9171ce2cd923b

SHA512
79a35b9068bc6ec1874cdb82a9df4125a9ce3205871d7844a77b1f0dbc16758a28f79a24d9d68b364802aecffaee21f26b73750ff535a102dceb58c07da9de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr560860.exe

Filesize
587KB

MD5
1411c9158ed43abce7c20885a043e243

SHA1
5d1b9e1edad71ffa7803ddaa79939a8395b78b22

SHA256
900b5ccd348c29ad83627395d9b071a9db8efddddf72e77ce9f9171ce2cd923b

SHA512
79a35b9068bc6ec1874cdb82a9df4125a9ce3205871d7844a77b1f0dbc16758a28f79a24d9d68b364802aecffaee21f26b73750ff535a102dceb58c07da9de1e

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/2636-196-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-210-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-152-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2636-153-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2636-154-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2636-155-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-156-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-158-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-160-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-162-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-164-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-166-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-168-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-170-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-172-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-174-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-176-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-178-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-180-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-182-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-184-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-186-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-188-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-190-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-192-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-194-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-150-0x0000000004FF0000-0x00000000054EE000-memory.dmp

Filesize
5.0MB

Download
memory/2636-198-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-200-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-202-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-204-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-206-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-208-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-151-0x0000000002890000-0x00000000028F6000-memory.dmp

Filesize
408KB

Download
memory/2636-212-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-214-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-216-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-218-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/2636-2298-0x0000000005660000-0x0000000005692000-memory.dmp

Filesize
200KB

Download
memory/2636-2300-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2636-2302-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2636-2301-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2636-2303-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2636-148-0x0000000000B80000-0x0000000000BDB000-memory.dmp

Filesize
364KB

Download
memory/2636-149-0x0000000002690000-0x00000000026F8000-memory.dmp

Filesize
416KB

Download
memory/2644-2315-0x0000000000480000-0x00000000004B0000-memory.dmp

Filesize
192KB

Download
memory/2644-2317-0x000000000A770000-0x000000000AD76000-memory.dmp

Filesize
6.0MB

Download
memory/2644-2318-0x000000000A2B0000-0x000000000A3BA000-memory.dmp

Filesize
1.0MB

Download
memory/2644-2319-0x000000000A1C0000-0x000000000A1D2000-memory.dmp

Filesize
72KB

Download
memory/2644-2327-0x000000000B260000-0x000000000B2B0000-memory.dmp

Filesize
320KB

Download
memory/2644-2321-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2644-2331-0x000000000C280000-0x000000000C7AC000-memory.dmp

Filesize
5.2MB

Download
memory/2644-2323-0x000000000A260000-0x000000000A2AB000-memory.dmp

Filesize
300KB

Download
memory/2644-2316-0x0000000000B10000-0x0000000000B16000-memory.dmp

Filesize
24KB

Download
memory/2644-2325-0x000000000A650000-0x000000000A6E2000-memory.dmp

Filesize
584KB

Download
memory/2644-2328-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3376-142-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/3608-2338-0x0000000000A60000-0x0000000000A9B000-memory.dmp

Filesize
236KB

Download
memory/4372-2324-0x0000000005C50000-0x0000000005CC6000-memory.dmp

Filesize
472KB

Download
memory/4372-2326-0x0000000005CD0000-0x0000000005D36000-memory.dmp

Filesize
408KB

Download
memory/4372-2329-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4372-2330-0x00000000074F0000-0x00000000076B2000-memory.dmp

Filesize
1.8MB

Download
memory/4372-2322-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4372-2320-0x0000000005940000-0x000000000597E000-memory.dmp

Filesize
248KB

Download
memory/4372-2311-0x0000000003160000-0x0000000003166000-memory.dmp

Filesize
24KB

Download
memory/4372-2310-0x0000000000FC0000-0x0000000000FEE000-memory.dmp

Filesize
184KB

Download