amadey | c82ae04b929c0ce3df439d0b8e258703fccadfeeabd355706f8601104b52eec4

Analysis

max time kernel
133s
max time network
144s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-09-2023 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1f0253a23125b5bf1a4bac890ac4ddf.exe
Size

6.6MB
MD5

e1f0253a23125b5bf1a4bac890ac4ddf
SHA1

80efca30c866d7c6d55141ea714d73533c92878c
SHA256

c82ae04b929c0ce3df439d0b8e258703fccadfeeabd355706f8601104b52eec4
SHA512

f4c0b0f3f8868d2ef5c3d4e22ab971c654913a5b44bb784d6a4b05a9562905b9dc9d51811a93c9d1b9a25cc64d508a0b55c8dc26398a1b9dab7ed1a1dd87c911
SSDEEP

98304:mC0+v0HZRqvQatWSCG1EodfTRWAD7XPTl9H17aa2/96qtm6E2X2p8jzXPL42:mvIgDlSPC0rXDpaa2/hm6X2pCPP

Score

10^/10

amadey laplas redline 010923 clipper discovery evasion infostealer persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.88

5.42.64.33/vu3skClDn/index.php

Attributes

install_dir
0ac15cf625
install_file
yiueea.exe
strings_key
23e63d80d583519d75db46f354137051

rc4.plain

Extracted

Family

redline

Botnet

010923

happy1sept.tuktuk.ug:11290

Attributes

auth_value
8338bf26f599326ee45afe9d54f7ef8e

Extracted

Family

laplas

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	winlog.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winlog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	winlog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 5 IoCs

pid	Process
2740	taskhost.exe
2560	winlog.exe
1688	ntlhost.exe
1896	taskhost.exe
1452	taskhost.exe

Loads dropped DLL 5 IoCs

pid	Process
2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe
2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe
2560	winlog.exe
2740	taskhost.exe
2740	taskhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2208-2-0x0000000000DF0000-0x000000000184E000-memory.dmp	vmprotect
behavioral1/memory/2208-5-0x0000000000DF0000-0x000000000184E000-memory.dmp	vmprotect
behavioral1/memory/2208-38-0x0000000000DF0000-0x000000000184E000-memory.dmp	vmprotect
behavioral1/memory/580-173-0x0000000000DF0000-0x000000000184E000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	winlog.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2560	winlog.exe
1688	ntlhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 1452	2740	taskhost.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2448	schtasks.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	13	Go-http-client/1.1
HTTP User-Agent header	16	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe
2740	taskhost.exe
2740	taskhost.exe
580	e1f0253a23125b5bf1a4bac890ac4ddf.exe
1452	taskhost.exe
1452	taskhost.exe
1452	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	taskhost.exe
Token: SeDebugPrivilege	1452	taskhost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2448	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	28
PID 2208 wrote to memory of 2448	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	28
PID 2208 wrote to memory of 2448	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	28
PID 2208 wrote to memory of 2448	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	28
PID 2208 wrote to memory of 2740	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	30
PID 2208 wrote to memory of 2740	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	30
PID 2208 wrote to memory of 2740	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	30
PID 2208 wrote to memory of 2740	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	30
PID 2208 wrote to memory of 2560	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	32
PID 2208 wrote to memory of 2560	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	32
PID 2208 wrote to memory of 2560	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	32
PID 2208 wrote to memory of 2560	2208	e1f0253a23125b5bf1a4bac890ac4ddf.exe	32
PID 2560 wrote to memory of 1688	2560	winlog.exe	33
PID 2560 wrote to memory of 1688	2560	winlog.exe	33
PID 2560 wrote to memory of 1688	2560	winlog.exe	33
PID 2740 wrote to memory of 1896	2740	taskhost.exe	34
PID 2740 wrote to memory of 1896	2740	taskhost.exe	34
PID 2740 wrote to memory of 1896	2740	taskhost.exe	34
PID 2740 wrote to memory of 1896	2740	taskhost.exe	34
PID 2740 wrote to memory of 1452	2740	taskhost.exe	35
PID 2740 wrote to memory of 1452	2740	taskhost.exe	35
PID 2740 wrote to memory of 1452	2740	taskhost.exe	35
PID 2740 wrote to memory of 1452	2740	taskhost.exe	35
PID 2740 wrote to memory of 1452	2740	taskhost.exe	35
PID 2740 wrote to memory of 1452	2740	taskhost.exe	35
PID 2740 wrote to memory of 1452	2740	taskhost.exe	35
PID 2740 wrote to memory of 1452	2740	taskhost.exe	35
PID 2740 wrote to memory of 1452	2740	taskhost.exe	35
PID 2104 wrote to memory of 580	2104	taskeng.exe	38
PID 2104 wrote to memory of 580	2104	taskeng.exe	38
PID 2104 wrote to memory of 580	2104	taskeng.exe	38
PID 2104 wrote to memory of 580	2104	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\e1f0253a23125b5bf1a4bac890ac4ddf.exe
"C:\Users\Admin\AppData\Local\Temp\e1f0253a23125b5bf1a4bac890ac4ddf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN e1f0253a23125b5bf1a4bac890ac4ddf.exe /TR "C:\Users\Admin\AppData\Local\Temp\e1f0253a23125b5bf1a4bac890ac4ddf.exe" /F
  2⤵
  - Creates scheduled task(s)
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe"
    3⤵
    - Executes dropped EXE
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe
  "C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1688

C:\Users\Admin\AppData\Local\Temp\e1f0253a23125b5bf1a4bac890ac4ddf.exe
C:\Users\Admin\AppData\Local\Temp\e1f0253a23125b5bf1a4bac890ac4ddf.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:580

C:\Windows\system32\taskeng.exe
taskeng.exe {452D452B-F99F-4AF4-A725-7959B774E3BD} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.7MB

MD5
d3ec7e37c4d7c6d7adab1ccaa50ce27c

SHA1
8c13c02fcbb52cf0476aa8ed046f75d0371883dc

SHA256
71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db

SHA512
62ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.7MB

MD5
d3ec7e37c4d7c6d7adab1ccaa50ce27c

SHA1
8c13c02fcbb52cf0476aa8ed046f75d0371883dc

SHA256
71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db

SHA512
62ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.7MB

MD5
d3ec7e37c4d7c6d7adab1ccaa50ce27c

SHA1
8c13c02fcbb52cf0476aa8ed046f75d0371883dc

SHA256
71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db

SHA512
62ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.7MB

MD5
d3ec7e37c4d7c6d7adab1ccaa50ce27c

SHA1
8c13c02fcbb52cf0476aa8ed046f75d0371883dc

SHA256
71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db

SHA512
62ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.7MB

MD5
d3ec7e37c4d7c6d7adab1ccaa50ce27c

SHA1
8c13c02fcbb52cf0476aa8ed046f75d0371883dc

SHA256
71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db

SHA512
62ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe

Filesize
3.5MB

MD5
062fe47e8efc9041880ed273eda7c8f3

SHA1
b77fffa5fce64689758a7180477ffa25bd62f509

SHA256
589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344

SHA512
67a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe

Filesize
3.5MB

MD5
062fe47e8efc9041880ed273eda7c8f3

SHA1
b77fffa5fce64689758a7180477ffa25bd62f509

SHA256
589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344

SHA512
67a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe

Filesize
3.5MB

MD5
062fe47e8efc9041880ed273eda7c8f3

SHA1
b77fffa5fce64689758a7180477ffa25bd62f509

SHA256
589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344

SHA512
67a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
728.5MB

MD5
4f5f35d0dfdedc26e778a6ea079c29f5

SHA1
0582e100eedf0071f19b3dbccea94fa52f23d49b

SHA256
08deeec5cdd73027920d3e12bd0e3e01bab2d279745e5f871f2975bd2e443fb4

SHA512
b0bacf367c445074ae60e5d4b836091d2da69ebbf01e4648e03ef349c16ca1673ad3c2f0b9fb9d7b2d937aed49769812d28ba057fc6e3b3648ac26fedd459755

Download Submit
\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.7MB

MD5
d3ec7e37c4d7c6d7adab1ccaa50ce27c

SHA1
8c13c02fcbb52cf0476aa8ed046f75d0371883dc

SHA256
71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db

SHA512
62ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d

Download Submit
\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.7MB

MD5
d3ec7e37c4d7c6d7adab1ccaa50ce27c

SHA1
8c13c02fcbb52cf0476aa8ed046f75d0371883dc

SHA256
71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db

SHA512
62ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d

Download Submit
\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.7MB

MD5
d3ec7e37c4d7c6d7adab1ccaa50ce27c

SHA1
8c13c02fcbb52cf0476aa8ed046f75d0371883dc

SHA256
71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db

SHA512
62ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d

Download Submit
\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe

Filesize
3.5MB

MD5
062fe47e8efc9041880ed273eda7c8f3

SHA1
b77fffa5fce64689758a7180477ffa25bd62f509

SHA256
589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344

SHA512
67a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
728.5MB

MD5
4f5f35d0dfdedc26e778a6ea079c29f5

SHA1
0582e100eedf0071f19b3dbccea94fa52f23d49b

SHA256
08deeec5cdd73027920d3e12bd0e3e01bab2d279745e5f871f2975bd2e443fb4

SHA512
b0bacf367c445074ae60e5d4b836091d2da69ebbf01e4648e03ef349c16ca1673ad3c2f0b9fb9d7b2d937aed49769812d28ba057fc6e3b3648ac26fedd459755

Download Submit
memory/580-173-0x0000000000DF0000-0x000000000184E000-memory.dmp

Filesize
10.4MB

Download
memory/580-176-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/580-179-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/1452-181-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/1452-178-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/1452-164-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/1452-166-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/1452-162-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1452-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1452-191-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/1688-160-0x000007FEFCEB0000-0x000007FEFCF1C000-memory.dmp

Filesize
432KB

Download
memory/1688-116-0x0000000000AA0000-0x0000000001338000-memory.dmp

Filesize
8.6MB

Download
memory/1688-126-0x000007FEFCEB0000-0x000007FEFCF1C000-memory.dmp

Filesize
432KB

Download
memory/1688-134-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1688-136-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/1688-141-0x0000000000AA0000-0x0000000001338000-memory.dmp

Filesize
8.6MB

Download
memory/1688-163-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/1688-124-0x000007FEFCEB0000-0x000007FEFCF1C000-memory.dmp

Filesize
432KB

Download
memory/1688-132-0x000007FEFCEB0000-0x000007FEFCF1C000-memory.dmp

Filesize
432KB

Download
memory/1688-167-0x0000000000AA0000-0x0000000001338000-memory.dmp

Filesize
8.6MB

Download
memory/1688-128-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/1688-127-0x000007FEFCEB0000-0x000007FEFCF1C000-memory.dmp

Filesize
432KB

Download
memory/1688-159-0x0000000000AA0000-0x0000000001338000-memory.dmp

Filesize
8.6MB

Download
memory/2208-59-0x0000000004620000-0x0000000004EB8000-memory.dmp

Filesize
8.6MB

Download
memory/2208-3-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2208-5-0x0000000000DF0000-0x000000000184E000-memory.dmp

Filesize
10.4MB

Download
memory/2208-38-0x0000000000DF0000-0x000000000184E000-memory.dmp

Filesize
10.4MB

Download
memory/2208-7-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2208-2-0x0000000000DF0000-0x000000000184E000-memory.dmp

Filesize
10.4MB

Download
memory/2208-8-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/2208-0-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2208-37-0x0000000004620000-0x0000000004EB8000-memory.dmp

Filesize
8.6MB

Download
memory/2560-39-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-63-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2560-62-0x000007FEFCEB0000-0x000007FEFCF1C000-memory.dmp

Filesize
432KB

Download
memory/2560-61-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-60-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-56-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-55-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-53-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-52-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-51-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-50-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-49-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-47-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-44-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-45-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/2560-115-0x000007FEFCEB0000-0x000007FEFCF1C000-memory.dmp

Filesize
432KB

Download
memory/2560-113-0x0000000028500000-0x0000000028D98000-memory.dmp

Filesize
8.6MB

Download
memory/2560-112-0x0000000001070000-0x0000000001908000-memory.dmp

Filesize
8.6MB

Download
memory/2560-43-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2560-42-0x000007FEFCEB0000-0x000007FEFCF1C000-memory.dmp

Filesize
432KB

Download
memory/2560-41-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2560-40-0x000007FEFCEB0000-0x000007FEFCF1C000-memory.dmp

Filesize
432KB

Download
memory/2560-118-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2740-46-0x0000000000AD0000-0x0000000000B10000-memory.dmp

Filesize
256KB

Download
memory/2740-84-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-80-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-78-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-90-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-120-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-94-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-100-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-104-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-110-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-130-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2740-117-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-106-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-102-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-98-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-96-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-92-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-88-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-86-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-157-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-82-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-76-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-74-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-72-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-70-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-67-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-66-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2740-65-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2740-64-0x0000000000AD0000-0x0000000000B10000-memory.dmp

Filesize
256KB

Download
memory/2740-58-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-54-0x0000000000A20000-0x0000000000A98000-memory.dmp

Filesize
480KB

Download
memory/2740-48-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2740-26-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-25-0x0000000000B20000-0x0000000000CDC000-memory.dmp

Filesize
1.7MB

Download