amadey | d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe

Analysis

max time kernel
147s
max time network
105s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2023 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe
Size

1.0MB
MD5

a848ad62fa6f2c2687b359aa4dcc8580
SHA1

fa20236bfb90db6fc9b96814d25d7a184655d62d
SHA256

d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe
SHA512

780f9b373f02614327c1c1733be71edeb1e966e2eb7c84e7eff275cf09bdecebe3f18c2ef5b8dd6a55a1621800b0aa51313bd07334032b8f853a65515396632c
SSDEEP

24576:4yYS9EBlGOPabWVCQnLcTZorsc8dirOw5odVSy7e37ORYTsDK:/j9EBlYWVclors8y7e37ORw

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it981875.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it981875.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it981875.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it981875.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it981875.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it981875.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 7 IoCs

Processes:

zivu9098.exezizU1144.exeit981875.exejr725889.exe1.exekp367657.exelr790955.exe

pid process

2508 zivu9098.exe
2980 zizU1144.exe
3244 it981875.exe
2088 jr725889.exe
5112 1.exe
4252 kp367657.exe
3944 lr790955.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it981875.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it981875.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2508	zivu9098.exe
2980	zizU1144.exe
3244	it981875.exe
2088	jr725889.exe
5112	1.exe
4252	kp367657.exe
3944	lr790955.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it981875.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zivu9098.exezizU1144.exed967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zivu9098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zivu9098.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zizU1144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zizU1144.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4864	3944	WerFault.exe	lr790955.exe
3728	3944	WerFault.exe	lr790955.exe
3748	3944	WerFault.exe	lr790955.exe
2776	3944	WerFault.exe	lr790955.exe
3796	3944	WerFault.exe	lr790955.exe
4952	3944	WerFault.exe	lr790955.exe
2880	3944	WerFault.exe	lr790955.exe
4948	3944	WerFault.exe	lr790955.exe
2056	3944	WerFault.exe	lr790955.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

it981875.exe1.exekp367657.exe

pid process

3244 it981875.exe
3244 it981875.exe
5112 1.exe
4252 kp367657.exe
4252 kp367657.exe
5112 1.exe

pid	process
3244	it981875.exe
3244	it981875.exe
5112	1.exe
4252	kp367657.exe
4252	kp367657.exe
5112	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

it981875.exejr725889.exe1.exekp367657.exe

description	pid	process
Token: SeDebugPrivilege	3244	it981875.exe
Token: SeDebugPrivilege	2088	jr725889.exe
Token: SeDebugPrivilege	5112	1.exe
Token: SeDebugPrivilege	4252	kp367657.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lr790955.exe

pid process

3944 lr790955.exe

pid	process
3944	lr790955.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exezivu9098.exezizU1144.exejr725889.exe

description	pid	process	target process
PID 2488 wrote to memory of 2508	2488	d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe	zivu9098.exe
PID 2488 wrote to memory of 2508	2488	d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe	zivu9098.exe
PID 2488 wrote to memory of 2508	2488	d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe	zivu9098.exe
PID 2508 wrote to memory of 2980	2508	zivu9098.exe	zizU1144.exe
PID 2508 wrote to memory of 2980	2508	zivu9098.exe	zizU1144.exe
PID 2508 wrote to memory of 2980	2508	zivu9098.exe	zizU1144.exe
PID 2980 wrote to memory of 3244	2980	zizU1144.exe	it981875.exe
PID 2980 wrote to memory of 3244	2980	zizU1144.exe	it981875.exe
PID 2980 wrote to memory of 2088	2980	zizU1144.exe	jr725889.exe
PID 2980 wrote to memory of 2088	2980	zizU1144.exe	jr725889.exe
PID 2980 wrote to memory of 2088	2980	zizU1144.exe	jr725889.exe
PID 2088 wrote to memory of 5112	2088	jr725889.exe	1.exe
PID 2088 wrote to memory of 5112	2088	jr725889.exe	1.exe
PID 2088 wrote to memory of 5112	2088	jr725889.exe	1.exe
PID 2508 wrote to memory of 4252	2508	zivu9098.exe	kp367657.exe
PID 2508 wrote to memory of 4252	2508	zivu9098.exe	kp367657.exe
PID 2508 wrote to memory of 4252	2508	zivu9098.exe	kp367657.exe
PID 2488 wrote to memory of 3944	2488	d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe	lr790955.exe
PID 2488 wrote to memory of 3944	2488	d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe	lr790955.exe
PID 2488 wrote to memory of 3944	2488	d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe	lr790955.exe

C:\Users\Admin\AppData\Local\Temp\d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe
"C:\Users\Admin\AppData\Local\Temp\d967b0ea08307693a92fc9dcd0a36ae84237358ab46a953ad3343b46d988ddfe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivu9098.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivu9098.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zizU1144.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zizU1144.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it981875.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it981875.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr725889.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr725889.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp367657.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp367657.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr790955.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr790955.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 632
    3⤵
    - Program crash
    PID:4864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 708
    3⤵
    - Program crash
    PID:3728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 808
    3⤵
    - Program crash
    PID:3748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 856
    3⤵
    - Program crash
    PID:2776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 884
    3⤵
    - Program crash
    PID:3796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 904
    3⤵
    - Program crash
    PID:4952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1128
    3⤵
    - Program crash
    PID:2880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1172
    3⤵
    - Program crash
    PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1128
    3⤵
    - Program crash
    PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr790955.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr790955.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivu9098.exe

Filesize
722KB

MD5
122648dfb08d92c8984953308b56c095

SHA1
0ef0bf799accd3ef940ea45fc5404d73d947b5d9

SHA256
91088428a3984a188e20344254e0b23f85d3c0ae1242954162df743202c3fd69

SHA512
f5b9788c04c5ee9b2c6f88aa3fa70de176951767f31417db391c75d1a082ada6dbbde714f7f2ecd85fd582d1fc5e57ac71603d88aaf15b51c0864345f28aa1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivu9098.exe

Filesize
722KB

MD5
122648dfb08d92c8984953308b56c095

SHA1
0ef0bf799accd3ef940ea45fc5404d73d947b5d9

SHA256
91088428a3984a188e20344254e0b23f85d3c0ae1242954162df743202c3fd69

SHA512
f5b9788c04c5ee9b2c6f88aa3fa70de176951767f31417db391c75d1a082ada6dbbde714f7f2ecd85fd582d1fc5e57ac71603d88aaf15b51c0864345f28aa1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp367657.exe

Filesize
169KB

MD5
a8b85a5f8889ce168b4f919fb9ce2f45

SHA1
771ecb726eca61aa193c269a459a2e47403be0a9

SHA256
9d577a4a81667d9a0cf1aabc7d2ecdebee3c4057885501a4c2369099c43291d4

SHA512
6c61de6ca5aa21f8b7d0772ed224f2203754e14808a69ff624c4e6fd55ba1d73d6b815ea2f8b72ebfbb92d29215f180f8d26e178acbda638d071e73be92e6db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp367657.exe

Filesize
169KB

MD5
a8b85a5f8889ce168b4f919fb9ce2f45

SHA1
771ecb726eca61aa193c269a459a2e47403be0a9

SHA256
9d577a4a81667d9a0cf1aabc7d2ecdebee3c4057885501a4c2369099c43291d4

SHA512
6c61de6ca5aa21f8b7d0772ed224f2203754e14808a69ff624c4e6fd55ba1d73d6b815ea2f8b72ebfbb92d29215f180f8d26e178acbda638d071e73be92e6db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zizU1144.exe

Filesize
569KB

MD5
b122a62e4a001fe72ee0c2599eba083c

SHA1
255db61bac349fe0e887ca4b0991e59e63c16da6

SHA256
6670b54fe0bb0752dc3dd7d45dfe002142b8b5713f4828c8260fce404e816eac

SHA512
d2765836b0c8ee3862b09470e061d48e52ab62e28b3fb8211ac3c1d855ae8c05a9bf736154b6ec0a0b48012fe321620c42bb98fe6f8f91bb63986717a8ff7426

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zizU1144.exe

Filesize
569KB

MD5
b122a62e4a001fe72ee0c2599eba083c

SHA1
255db61bac349fe0e887ca4b0991e59e63c16da6

SHA256
6670b54fe0bb0752dc3dd7d45dfe002142b8b5713f4828c8260fce404e816eac

SHA512
d2765836b0c8ee3862b09470e061d48e52ab62e28b3fb8211ac3c1d855ae8c05a9bf736154b6ec0a0b48012fe321620c42bb98fe6f8f91bb63986717a8ff7426

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it981875.exe

Filesize
11KB

MD5
537f4effeddafb4635414ed13aae8ee5

SHA1
43314e01e51a12f558eca3d28ce902a15d280f17

SHA256
95b64baafed7f9a424807342d685b88178c2ed3e36e89484c79d9ccf0956fcdb

SHA512
58259d9dfe26bda77e1fc1dd3b278b75e219274151ebc2720ba2be8b45e7b407a670058980f6fb8c971b3deda628f7b84c7a2978ee79afa32dc36dcb1211f341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it981875.exe

Filesize
11KB

MD5
537f4effeddafb4635414ed13aae8ee5

SHA1
43314e01e51a12f558eca3d28ce902a15d280f17

SHA256
95b64baafed7f9a424807342d685b88178c2ed3e36e89484c79d9ccf0956fcdb

SHA512
58259d9dfe26bda77e1fc1dd3b278b75e219274151ebc2720ba2be8b45e7b407a670058980f6fb8c971b3deda628f7b84c7a2978ee79afa32dc36dcb1211f341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr725889.exe

Filesize
587KB

MD5
374c268373ab24a7a4301640fe81770c

SHA1
6a0045dd84941b9c21b1eb9b89d3d0dcecd02ae9

SHA256
274b937e5bef9020027147cb6841f2b73246e6fc0d0e8e132bbd5da8b1f870d9

SHA512
d03058ae3ac0d10dc2b5feeb975bff9b2b3d48dac112456e23ffba0998f88d41e86fb19ba092ef1a0d6441c8be4b54abcb96d801b6c6ca2de383a00e8f59a220

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr725889.exe

Filesize
587KB

MD5
374c268373ab24a7a4301640fe81770c

SHA1
6a0045dd84941b9c21b1eb9b89d3d0dcecd02ae9

SHA256
274b937e5bef9020027147cb6841f2b73246e6fc0d0e8e132bbd5da8b1f870d9

SHA512
d03058ae3ac0d10dc2b5feeb975bff9b2b3d48dac112456e23ffba0998f88d41e86fb19ba092ef1a0d6441c8be4b54abcb96d801b6c6ca2de383a00e8f59a220

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/2088-194-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-208-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-153-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-155-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-157-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-159-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-161-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-163-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-165-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-167-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-169-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2088-171-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2088-170-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-174-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2088-173-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-176-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-178-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-180-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-182-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-184-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-186-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-188-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-190-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-192-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-151-0x0000000002880000-0x00000000028E6000-memory.dmp

Filesize
408KB

Download
memory/2088-196-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-198-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-200-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-202-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-204-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-206-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-152-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-210-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-212-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-214-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-216-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-218-0x0000000002880000-0x00000000028E0000-memory.dmp

Filesize
384KB

Download
memory/2088-2298-0x0000000002960000-0x0000000002992000-memory.dmp

Filesize
200KB

Download
memory/2088-148-0x00000000009A0000-0x00000000009FB000-memory.dmp

Filesize
364KB

Download
memory/2088-149-0x00000000025B0000-0x0000000002618000-memory.dmp

Filesize
416KB

Download
memory/2088-150-0x00000000050A0000-0x000000000559E000-memory.dmp

Filesize
5.0MB

Download
memory/3244-142-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/3944-2335-0x0000000000990000-0x00000000009CB000-memory.dmp

Filesize
236KB

Download
memory/4252-2321-0x000000000A100000-0x000000000A176000-memory.dmp

Filesize
472KB

Download
memory/4252-2312-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/4252-2313-0x000000000A2D0000-0x000000000A8D6000-memory.dmp

Filesize
6.0MB

Download
memory/4252-2314-0x0000000009E50000-0x0000000009F5A000-memory.dmp

Filesize
1.0MB

Download
memory/4252-2311-0x0000000000050000-0x0000000000080000-memory.dmp

Filesize
192KB

Download
memory/4252-2328-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4252-2325-0x000000000BCB0000-0x000000000C1DC000-memory.dmp

Filesize
5.2MB

Download
memory/4252-2319-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4252-2324-0x000000000B5B0000-0x000000000B772000-memory.dmp

Filesize
1.8MB

Download
memory/5112-2315-0x0000000005510000-0x0000000005522000-memory.dmp

Filesize
72KB

Download
memory/5112-2322-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/5112-2323-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/5112-2320-0x0000000005880000-0x00000000058F6000-memory.dmp

Filesize
472KB

Download
memory/5112-2318-0x00000000055B0000-0x00000000055FB000-memory.dmp

Filesize
300KB

Download
memory/5112-2326-0x0000000006900000-0x0000000006950000-memory.dmp

Filesize
320KB

Download
memory/5112-2327-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/5112-2317-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/5112-2316-0x0000000005570000-0x00000000055AE000-memory.dmp

Filesize
248KB

Download
memory/5112-2306-0x0000000000BF0000-0x0000000000C1E000-memory.dmp

Filesize
184KB

Download
memory/5112-2310-0x0000000001580000-0x0000000001586000-memory.dmp

Filesize
24KB

Download