amadey | 57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3

Analysis

max time kernel
150s
max time network
106s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2023 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe
Size

1.2MB
MD5

a8242b478f97b1d0c322c2d6c4130030
SHA1

c6a4c1e7d5625a8d7bc7eaf8c1933af958b02be6
SHA256

57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3
SHA512

7dfe2a31cd23f13e791bbbce9bc29116a26a6233446cfb1372d6498462101e21008716839b9e80cc0e50ae142705c01cf74addc196b71bffb8376fa5d58cede4
SSDEEP

24576:eyjJvp3YdIf0vWUdZhwOREVfNYLKCDuTro0Fp/4/pEiVpbXeXE:tjYyfMWUdZhTEIKwuE0Fp/4/pdN

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr163893.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr163893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr163893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr163893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr163893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr163893.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 7 IoCs

Processes:

un713450.exeun289459.exepr163893.exequ817428.exe1.exerk445241.exesi734617.exe

pid process

5052 un713450.exe
824 un289459.exe
2592 pr163893.exe
2200 qu817428.exe
2196 1.exe
3236 rk445241.exe
3268 si734617.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5052	un713450.exe
824	un289459.exe
2592	pr163893.exe
2200	qu817428.exe
2196	1.exe
3236	rk445241.exe
3268	si734617.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr163893.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr163893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr163893.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exeun713450.exeun289459.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un713450.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un713450.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un289459.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un289459.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1548	3268	WerFault.exe	si734617.exe
988	3268	WerFault.exe	si734617.exe
4816	3268	WerFault.exe	si734617.exe
3032	3268	WerFault.exe	si734617.exe
4836	3268	WerFault.exe	si734617.exe
4188	3268	WerFault.exe	si734617.exe
4156	3268	WerFault.exe	si734617.exe
2592	3268	WerFault.exe	si734617.exe
2092	3268	WerFault.exe	si734617.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr163893.exe1.exerk445241.exe

pid process

2592 pr163893.exe
2592 pr163893.exe
2196 1.exe
3236 rk445241.exe
3236 rk445241.exe
2196 1.exe

pid	process
2592	pr163893.exe
2592	pr163893.exe
2196	1.exe
3236	rk445241.exe
3236	rk445241.exe
2196	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pr163893.exequ817428.exe1.exerk445241.exe

description	pid	process
Token: SeDebugPrivilege	2592	pr163893.exe
Token: SeDebugPrivilege	2200	qu817428.exe
Token: SeDebugPrivilege	2196	1.exe
Token: SeDebugPrivilege	3236	rk445241.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exeun713450.exeun289459.exequ817428.exe

description	pid	process	target process
PID 1704 wrote to memory of 5052	1704	57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe	un713450.exe
PID 1704 wrote to memory of 5052	1704	57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe	un713450.exe
PID 1704 wrote to memory of 5052	1704	57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe	un713450.exe
PID 5052 wrote to memory of 824	5052	un713450.exe	un289459.exe
PID 5052 wrote to memory of 824	5052	un713450.exe	un289459.exe
PID 5052 wrote to memory of 824	5052	un713450.exe	un289459.exe
PID 824 wrote to memory of 2592	824	un289459.exe	pr163893.exe
PID 824 wrote to memory of 2592	824	un289459.exe	pr163893.exe
PID 824 wrote to memory of 2592	824	un289459.exe	pr163893.exe
PID 824 wrote to memory of 2200	824	un289459.exe	qu817428.exe
PID 824 wrote to memory of 2200	824	un289459.exe	qu817428.exe
PID 824 wrote to memory of 2200	824	un289459.exe	qu817428.exe
PID 2200 wrote to memory of 2196	2200	qu817428.exe	1.exe
PID 2200 wrote to memory of 2196	2200	qu817428.exe	1.exe
PID 2200 wrote to memory of 2196	2200	qu817428.exe	1.exe
PID 5052 wrote to memory of 3236	5052	un713450.exe	rk445241.exe
PID 5052 wrote to memory of 3236	5052	un713450.exe	rk445241.exe
PID 5052 wrote to memory of 3236	5052	un713450.exe	rk445241.exe
PID 1704 wrote to memory of 3268	1704	57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe	si734617.exe
PID 1704 wrote to memory of 3268	1704	57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe	si734617.exe
PID 1704 wrote to memory of 3268	1704	57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe	si734617.exe

C:\Users\Admin\AppData\Local\Temp\57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe
"C:\Users\Admin\AppData\Local\Temp\57e9724d3774e2a2df293d71d5586f6e66556c2164c043a523bf9174a848f1b3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un713450.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un713450.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un289459.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un289459.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr163893.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr163893.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu817428.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu817428.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk445241.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk445241.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si734617.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si734617.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 632
    3⤵
    - Program crash
    PID:1548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 708
    3⤵
    - Program crash
    PID:988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 784
    3⤵
    - Program crash
    PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 856
    3⤵
    - Program crash
    PID:3032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 892
    3⤵
    - Program crash
    PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 872
    3⤵
    - Program crash
    PID:4188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1128
    3⤵
    - Program crash
    PID:4156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1152
    3⤵
    - Program crash
    PID:2592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1160
    3⤵
    - Program crash
    PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si734617.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si734617.exe

Filesize
396KB

MD5
2d5adc88b61f67dd4a3d0af63556a9b2

SHA1
be2a227a96abc93b9ae975d80e298b30f7397ff9

SHA256
1e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318

SHA512
e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un713450.exe

Filesize
860KB

MD5
a26a95699d5c6def45919c8a53283ad6

SHA1
d0f91fa48674737a7cfc6c9449f4aeba8f41d26a

SHA256
0928eccbd8dd3cfcd33ae0d4b79dad8f4d923c2b1085e41d452c8e3e301296da

SHA512
fcef88b690765ee81d5bd3bb9dea7f46934ca8bdfb91b68e76d0413752ff3e662837c9bb1a47023e7a3500ceb83c2cbb6d30b4c55ada5cfdc1727c3fdd77577f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un713450.exe

Filesize
860KB

MD5
a26a95699d5c6def45919c8a53283ad6

SHA1
d0f91fa48674737a7cfc6c9449f4aeba8f41d26a

SHA256
0928eccbd8dd3cfcd33ae0d4b79dad8f4d923c2b1085e41d452c8e3e301296da

SHA512
fcef88b690765ee81d5bd3bb9dea7f46934ca8bdfb91b68e76d0413752ff3e662837c9bb1a47023e7a3500ceb83c2cbb6d30b4c55ada5cfdc1727c3fdd77577f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk445241.exe

Filesize
169KB

MD5
b87d3ee86618df2ecbdcdc6643b7ed56

SHA1
8bd84522607c1a597589a873a1aec0e8945272bb

SHA256
a2c42def4c5b4f6672b75774cd24b5cb540f763e5da829bcb05d029cd9a5a722

SHA512
0dc045b56f944d6d9a4feaa24a81adf61d273799d91c5f2395b5a715df5e66d18668e3a30ce8e02a170bc21e262b6ce87a7e6fc9b0e5502d6a071480a02f1702

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk445241.exe

Filesize
169KB

MD5
b87d3ee86618df2ecbdcdc6643b7ed56

SHA1
8bd84522607c1a597589a873a1aec0e8945272bb

SHA256
a2c42def4c5b4f6672b75774cd24b5cb540f763e5da829bcb05d029cd9a5a722

SHA512
0dc045b56f944d6d9a4feaa24a81adf61d273799d91c5f2395b5a715df5e66d18668e3a30ce8e02a170bc21e262b6ce87a7e6fc9b0e5502d6a071480a02f1702

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un289459.exe

Filesize
707KB

MD5
e91157869869e7e3dbbbaf8eef499956

SHA1
0ebe1823e233419b744415f777ec7ca216173828

SHA256
8ac9bfb4f958bea595a40830fec884e058e5a1f2d77d6c80a33c4d7d014ff946

SHA512
3b207b519fba44e0c1e310aa6d3c25fbde55a4ffeab609fc37141a097f1f1332c183452e168272327e19a60245288703b522d710baafd5ead8cac6d0b1380401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un289459.exe

Filesize
707KB

MD5
e91157869869e7e3dbbbaf8eef499956

SHA1
0ebe1823e233419b744415f777ec7ca216173828

SHA256
8ac9bfb4f958bea595a40830fec884e058e5a1f2d77d6c80a33c4d7d014ff946

SHA512
3b207b519fba44e0c1e310aa6d3c25fbde55a4ffeab609fc37141a097f1f1332c183452e168272327e19a60245288703b522d710baafd5ead8cac6d0b1380401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr163893.exe

Filesize
404KB

MD5
8696da168892dda25c535c80dde4ffa4

SHA1
8355d227f4bb0b2517c6a89c7a63a6c6cf11f453

SHA256
3f4345b105486959dee9e6fc82f27f5437e4dbddcff4fdb3ed6b88a563d64cf7

SHA512
341758c01dbd281d892ecc723534e408b90c1cb1dc82b20b0786d613fb0fc1cb2519501d24c9a1d30c47e0b58abf98d3a62f4543b364cab61e576049fdb9b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr163893.exe

Filesize
404KB

MD5
8696da168892dda25c535c80dde4ffa4

SHA1
8355d227f4bb0b2517c6a89c7a63a6c6cf11f453

SHA256
3f4345b105486959dee9e6fc82f27f5437e4dbddcff4fdb3ed6b88a563d64cf7

SHA512
341758c01dbd281d892ecc723534e408b90c1cb1dc82b20b0786d613fb0fc1cb2519501d24c9a1d30c47e0b58abf98d3a62f4543b364cab61e576049fdb9b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu817428.exe

Filesize
587KB

MD5
bc102071a7d096a8a13a03d84a9be964

SHA1
5d5972ccc851ed82dd0892cecafe5a03a905e2b0

SHA256
7dca62fd2a71959998c8069845ea128973bfbd06a9cd3b07021ffb453abd307b

SHA512
dae71415f0910721d3ddcc2ee03451c2c83c62563379285653dc4e2be0634b20ec67ff3b2050ba1d6f8cdc31ccc5bee49318baa08805214c03672c7d9a92435a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu817428.exe

Filesize
587KB

MD5
bc102071a7d096a8a13a03d84a9be964

SHA1
5d5972ccc851ed82dd0892cecafe5a03a905e2b0

SHA256
7dca62fd2a71959998c8069845ea128973bfbd06a9cd3b07021ffb453abd307b

SHA512
dae71415f0910721d3ddcc2ee03451c2c83c62563379285653dc4e2be0634b20ec67ff3b2050ba1d6f8cdc31ccc5bee49318baa08805214c03672c7d9a92435a

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/2196-2357-0x0000000005F60000-0x0000000005FB0000-memory.dmp

Filesize
320KB

Download
memory/2196-2356-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/2196-2352-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2196-2349-0x0000000004DD0000-0x0000000004E0E000-memory.dmp

Filesize
248KB

Download
memory/2196-2358-0x0000000006180000-0x0000000006342000-memory.dmp

Filesize
1.8MB

Download
memory/2196-2361-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2196-2341-0x0000000000B70000-0x0000000000B76000-memory.dmp

Filesize
24KB

Download
memory/2196-2339-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/2200-199-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-324-0x0000000000990000-0x00000000009EB000-memory.dmp

Filesize
364KB

Download
memory/2200-2330-0x0000000005670000-0x00000000056A2000-memory.dmp

Filesize
200KB

Download
memory/2200-2331-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2200-330-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2200-328-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2200-325-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2200-217-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-215-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-213-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-182-0x0000000002730000-0x0000000002798000-memory.dmp

Filesize
416KB

Download
memory/2200-183-0x0000000002930000-0x0000000002996000-memory.dmp

Filesize
408KB

Download
memory/2200-184-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-185-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-187-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-189-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-191-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-193-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-195-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-197-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-211-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-201-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-203-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-205-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-207-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2200-209-0x0000000002930000-0x0000000002990000-memory.dmp

Filesize
384KB

Download
memory/2592-154-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-147-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-164-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-177-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2592-175-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/2592-166-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-174-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-172-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-170-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-168-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-145-0x0000000004E20000-0x000000000531E000-memory.dmp

Filesize
5.0MB

Download
memory/2592-162-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-150-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-152-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-146-0x0000000004D30000-0x0000000004D48000-memory.dmp

Filesize
96KB

Download
memory/2592-148-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-140-0x0000000002850000-0x000000000286A000-memory.dmp

Filesize
104KB

Download
memory/2592-141-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2592-160-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-142-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2592-143-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2592-156-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2592-144-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2592-158-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/3236-2346-0x000000000B020000-0x000000000B626000-memory.dmp

Filesize
6.0MB

Download
memory/3236-2353-0x000000000ADA0000-0x000000000AE16000-memory.dmp

Filesize
472KB

Download
memory/3236-2354-0x000000000AEC0000-0x000000000AF52000-memory.dmp

Filesize
584KB

Download
memory/3236-2355-0x000000000AF60000-0x000000000AFC6000-memory.dmp

Filesize
408KB

Download
memory/3236-2351-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/3236-2350-0x000000000AAD0000-0x000000000AB1B000-memory.dmp

Filesize
300KB

Download
memory/3236-2348-0x000000000AA30000-0x000000000AA42000-memory.dmp

Filesize
72KB

Download
memory/3236-2359-0x000000000C900000-0x000000000CE2C000-memory.dmp

Filesize
5.2MB

Download
memory/3236-2360-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/3236-2347-0x000000000AB20000-0x000000000AC2A000-memory.dmp

Filesize
1.0MB

Download
memory/3236-2345-0x00000000054A0000-0x00000000054A6000-memory.dmp

Filesize
24KB

Download
memory/3236-2344-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/3268-2368-0x0000000000970000-0x00000000009AB000-memory.dmp

Filesize
236KB

Download