amadey | b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56

Analysis

max time kernel
300s
max time network
278s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
10-09-2023 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Size

2.7MB
MD5

cf0a9195cb5140896bf44aa5264bcf9f
SHA1

dcd732395ed47e12574dcd2dd1da957fd56cd58a
SHA256

b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56
SHA512

338697f3db380c0f9b505524d5e1ac47b21cf6707e7d74342056c2c5bfebc7f583fa396026c753307a33efec58f69f314429514276a0b4d251437b7b6e8bc233
SSDEEP

49152:AbbbY6RZFHuL21BTS02JDwvcwB7DQbMdVoDUeTcMIAmsPCcKD:qjFHuLGyycwB7gaV8oMIAmLD

Score

10^/10

amadey laplas redline amadey_api clipper evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

3.89

http://5.42.64.33/vu3skClDn/index.php

Attributes

install_dir
a304d35d74
install_file
yiueea.exe
strings_key
3ae6c4e6339065c6f5a368011bb5cb8c

rc4.plain

Extracted

Family

redline

Botnet

amadey_api

amadapi.tuktuk.ug:11290

Attributes

auth_value
a004bea47cf55a1c8841d46c3fe3e6f5

Extracted

Family

laplas

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	winlog.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winlog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	winlog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe

Executes dropped EXE 3 IoCs

pid	Process
1208	taskhost.exe
3744	winlog.exe
1276	ntlhost.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2608-0-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/2608-2-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/2608-3-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/2608-4-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/2608-5-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/4360-6-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/4360-7-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/4360-8-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/4360-9-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/4360-10-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/2608-11-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/2608-70-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/3060-519-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/3060-520-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/3060-521-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/3060-522-0x0000000001030000-0x000000000165E000-memory.dmp	themida
behavioral2/memory/3060-523-0x0000000001030000-0x000000000165E000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	winlog.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlog.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
4360	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
3744	winlog.exe
1276	ntlhost.exe
3060	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 1180	1208	taskhost.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
228	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	12	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
4360	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
4360	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
1180	vbc.exe
1180	vbc.exe
1180	vbc.exe
3060	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
3060	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 228	2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe	70
PID 2608 wrote to memory of 228	2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe	70
PID 2608 wrote to memory of 228	2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe	70
PID 2608 wrote to memory of 1208	2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe	73
PID 2608 wrote to memory of 1208	2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe	73
PID 2608 wrote to memory of 1208	2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe	73
PID 1208 wrote to memory of 1180	1208	taskhost.exe	74
PID 1208 wrote to memory of 1180	1208	taskhost.exe	74
PID 1208 wrote to memory of 1180	1208	taskhost.exe	74
PID 1208 wrote to memory of 1180	1208	taskhost.exe	74
PID 1208 wrote to memory of 1180	1208	taskhost.exe	74
PID 2608 wrote to memory of 3744	2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe	75
PID 2608 wrote to memory of 3744	2608	b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe	75
PID 3744 wrote to memory of 1276	3744	winlog.exe	77
PID 3744 wrote to memory of 1276	3744	winlog.exe	77

C:\Users\Admin\AppData\Local\Temp\b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
"C:\Users\Admin\AppData\Local\Temp\b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe /TR "C:\Users\Admin\AppData\Local\Temp\b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe" /F
  2⤵
  - Creates scheduled task(s)
  PID:228
- C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe
  "C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1276

C:\Users\Admin\AppData\Local\Temp\b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
C:\Users\Admin\AppData\Local\Temp\b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Users\Admin\AppData\Local\Temp\b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
C:\Users\Admin\AppData\Local\Temp\b41025e8d55470d9615a0d4a22249f96b46eac7c36fab65d3c20a6bec3d72c56.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.0MB

MD5
807d82efb54d554476db81199d897d77

SHA1
06931509b9f0b62631a1f245cd01f24b10eec76f

SHA256
3214992b4169da41cbbdc88d2a52e06730be033173b6b941d5d7de31ef6650c2

SHA512
82322da72f53d788b574e9f541850fcef00066f5ffbcce0ea7936e3d3b825bc6f3c873f4ec12cb8a599c93386152477e3593434a611587ae51faa6c55ed435d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.0MB

MD5
807d82efb54d554476db81199d897d77

SHA1
06931509b9f0b62631a1f245cd01f24b10eec76f

SHA256
3214992b4169da41cbbdc88d2a52e06730be033173b6b941d5d7de31ef6650c2

SHA512
82322da72f53d788b574e9f541850fcef00066f5ffbcce0ea7936e3d3b825bc6f3c873f4ec12cb8a599c93386152477e3593434a611587ae51faa6c55ed435d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe

Filesize
1.0MB

MD5
807d82efb54d554476db81199d897d77

SHA1
06931509b9f0b62631a1f245cd01f24b10eec76f

SHA256
3214992b4169da41cbbdc88d2a52e06730be033173b6b941d5d7de31ef6650c2

SHA512
82322da72f53d788b574e9f541850fcef00066f5ffbcce0ea7936e3d3b825bc6f3c873f4ec12cb8a599c93386152477e3593434a611587ae51faa6c55ed435d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe

Filesize
2.6MB

MD5
3f821e69fe1b38097b29ac284016858a

SHA1
3995cad76f1313243e5c8abce901876638575341

SHA256
203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08

SHA512
704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe

Filesize
2.6MB

MD5
3f821e69fe1b38097b29ac284016858a

SHA1
3995cad76f1313243e5c8abce901876638575341

SHA256
203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08

SHA512
704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe

Filesize
2.6MB

MD5
3f821e69fe1b38097b29ac284016858a

SHA1
3995cad76f1313243e5c8abce901876638575341

SHA256
203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08

SHA512
704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
837.6MB

MD5
4744ff68e18701cbe0e88223163fba40

SHA1
0980040bc5f45ea87b2952933706d6b339c582ae

SHA256
fb953525b4c6cd23a387c9711f550273cf636729bb500264506c26e80afbe80b

SHA512
0bfb317300ee2a4099db6b97bfe9e9a7e3fc6d78b942164ea507dc79ca0a9db95b2524ca792dd60319e42613630abbd9b8cc0385c68afcc4897a8432cd17b5a1

Download Submit
memory/1180-40-0x0000000072240000-0x000000007292E000-memory.dmp

Filesize
6.9MB

Download
memory/1180-45-0x0000000006860000-0x0000000006866000-memory.dmp

Filesize
24KB

Download
memory/1180-78-0x000000000E6E0000-0x000000000E756000-memory.dmp

Filesize
472KB

Download
memory/1180-74-0x0000000072240000-0x000000007292E000-memory.dmp

Filesize
6.9MB

Download
memory/1180-80-0x000000000E760000-0x000000000E7C6000-memory.dmp

Filesize
408KB

Download
memory/1180-83-0x000000000F8A0000-0x000000000FD9E000-memory.dmp

Filesize
5.0MB

Download
memory/1180-389-0x0000000010230000-0x00000000103F2000-memory.dmp

Filesize
1.8MB

Download
memory/1180-390-0x0000000011D80000-0x00000000122AC000-memory.dmp

Filesize
5.2MB

Download
memory/1180-57-0x000000000E490000-0x000000000E59A000-memory.dmp

Filesize
1.0MB

Download
memory/1180-58-0x0000000008EC0000-0x0000000008ED2000-memory.dmp

Filesize
72KB

Download
memory/1180-25-0x0000000000730000-0x0000000000760000-memory.dmp

Filesize
192KB

Download
memory/1180-59-0x0000000008EF0000-0x0000000008F00000-memory.dmp

Filesize
64KB

Download
memory/1180-512-0x0000000072240000-0x000000007292E000-memory.dmp

Filesize
6.9MB

Download
memory/1180-93-0x0000000008EF0000-0x0000000008F00000-memory.dmp

Filesize
64KB

Download
memory/1180-55-0x000000000E990000-0x000000000EF96000-memory.dmp

Filesize
6.0MB

Download
memory/1180-62-0x000000000E400000-0x000000000E44B000-memory.dmp

Filesize
300KB

Download
memory/1180-79-0x000000000E800000-0x000000000E892000-memory.dmp

Filesize
584KB

Download
memory/1180-61-0x000000000E3C0000-0x000000000E3FE000-memory.dmp

Filesize
248KB

Download
memory/1208-31-0x0000000001090000-0x00000000011EC000-memory.dmp

Filesize
1.4MB

Download
memory/1208-24-0x0000000001090000-0x00000000011EC000-memory.dmp

Filesize
1.4MB

Download
memory/1208-23-0x0000000001090000-0x00000000011EC000-memory.dmp

Filesize
1.4MB

Download
memory/1276-165-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-147-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-539-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-537-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-535-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-534-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-532-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-528-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-526-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-524-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-139-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-137-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

Filesize
8KB

Download
memory/1276-135-0x00007FFD114A0000-0x00007FFD116E9000-memory.dmp

Filesize
2.3MB

Download
memory/1276-133-0x00007FFD00030000-0x00007FFD00031000-memory.dmp

Filesize
4KB

Download
memory/1276-129-0x00007FFD13E00000-0x00007FFD13EAE000-memory.dmp

Filesize
696KB

Download
memory/1276-517-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-131-0x00007FFD13E00000-0x00007FFD13EAE000-memory.dmp

Filesize
696KB

Download
memory/1276-160-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-516-0x00007FFD141F0000-0x00007FFD143CB000-memory.dmp

Filesize
1.9MB

Download
memory/1276-515-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-514-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-511-0x00007FFD114A0000-0x00007FFD116E9000-memory.dmp

Filesize
2.3MB

Download
memory/1276-151-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-399-0x00007FFD13E00000-0x00007FFD13EAE000-memory.dmp

Filesize
696KB

Download
memory/1276-397-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-155-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-158-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-178-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-173-0x00007FFD141F0000-0x00007FFD143CB000-memory.dmp

Filesize
1.9MB

Download
memory/1276-171-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-120-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-143-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/1276-163-0x0000000000C30000-0x0000000001498000-memory.dmp

Filesize
8.4MB

Download
memory/2608-4-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/2608-5-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/2608-0-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/2608-3-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/2608-2-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/2608-1-0x00000000772B4000-0x00000000772B5000-memory.dmp

Filesize
4KB

Download
memory/2608-11-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/2608-70-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/3060-519-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/3060-520-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/3060-521-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/3060-522-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/3060-523-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/3744-75-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-60-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-123-0x00007FFD13E00000-0x00007FFD13EAE000-memory.dmp

Filesize
696KB

Download
memory/3744-125-0x00007FFD114A0000-0x00007FFD116E9000-memory.dmp

Filesize
2.3MB

Download
memory/3744-119-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-99-0x00007FFD141F0000-0x00007FFD143CB000-memory.dmp

Filesize
1.9MB

Download
memory/3744-98-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-86-0x00007FFD13E00000-0x00007FFD13EAE000-memory.dmp

Filesize
696KB

Download
memory/3744-52-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-82-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

Filesize
8KB

Download
memory/3744-81-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-53-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-50-0x00007FFD00030000-0x00007FFD00031000-memory.dmp

Filesize
4KB

Download
memory/3744-54-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-77-0x00007FFD114A0000-0x00007FFD116E9000-memory.dmp

Filesize
2.3MB

Download
memory/3744-76-0x00007FFD13E00000-0x00007FFD13EAE000-memory.dmp

Filesize
696KB

Download
memory/3744-51-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-56-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-73-0x00007FFD141F0000-0x00007FFD143CB000-memory.dmp

Filesize
1.9MB

Download
memory/3744-72-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-69-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-68-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-65-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-44-0x0000000000D50000-0x00000000015B8000-memory.dmp

Filesize
8.4MB

Download
memory/3744-46-0x00007FFD13E00000-0x00007FFD13EAE000-memory.dmp

Filesize
696KB

Download
memory/3744-128-0x00007FFD141F0000-0x00007FFD143CB000-memory.dmp

Filesize
1.9MB

Download
memory/3744-47-0x00007FFD114A0000-0x00007FFD116E9000-memory.dmp

Filesize
2.3MB

Download
memory/3744-48-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

Filesize
8KB

Download
memory/3744-49-0x00007FFD13E00000-0x00007FFD13EAE000-memory.dmp

Filesize
696KB

Download
memory/4360-10-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/4360-9-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/4360-8-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/4360-7-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download
memory/4360-6-0x0000000001030000-0x000000000165E000-memory.dmp

Filesize
6.2MB

Download