amadey | 21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29.exe
Size

1.0MB
MD5

6f6fa83bd35311c3f78ff4d29d1e8117
SHA1

1c261d1ed4efb7c407ed76784b008e04f49b3598
SHA256

8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29
SHA512

e4326312e9c0e5b6c36a8715cd55ce6ee87fbc2f28455c4d0f11dd620a999a935fb4ad03872aed880f142fe00757d851f56295bd2c96f0b725d6b42ba4fd6e66
SSDEEP

24576:EyyE63fdNtHwmIFlkWqno9rno4MBdTyaUPR12jpUF:TypFNtQmWqsh2dGdZ13

Score

10^/10

amadey mystic redline 59b440 mrak evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral14/files/0x0007000000023296-80.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	q5079007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q5079007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q5079007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q5079007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q5079007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q5079007.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral14/files/0x0007000000023293-83.dat	family_redline
behavioral14/memory/4528-85-0x0000000000080000-0x00000000000B0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	r1778403.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 11 IoCs

pid	Process
5036	z5360701.exe
1368	z1708469.exe
2800	z5283722.exe
3448	z2036953.exe
3440	q5079007.exe
4416	r1778403.exe
4712	saves.exe
4152	s0222944.exe
4528	t2809250.exe
212	saves.exe
4608	saves.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	q5079007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	q5079007.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5360701.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1708469.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5283722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2036953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3440	q5079007.exe
3440	q5079007.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3440	q5079007.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 5036	4664	8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29.exe	91
PID 4664 wrote to memory of 5036	4664	8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29.exe	91
PID 4664 wrote to memory of 5036	4664	8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29.exe	91
PID 5036 wrote to memory of 1368	5036	z5360701.exe	92
PID 5036 wrote to memory of 1368	5036	z5360701.exe	92
PID 5036 wrote to memory of 1368	5036	z5360701.exe	92
PID 1368 wrote to memory of 2800	1368	z1708469.exe	93
PID 1368 wrote to memory of 2800	1368	z1708469.exe	93
PID 1368 wrote to memory of 2800	1368	z1708469.exe	93
PID 2800 wrote to memory of 3448	2800	z5283722.exe	94
PID 2800 wrote to memory of 3448	2800	z5283722.exe	94
PID 2800 wrote to memory of 3448	2800	z5283722.exe	94
PID 3448 wrote to memory of 3440	3448	z2036953.exe	95
PID 3448 wrote to memory of 3440	3448	z2036953.exe	95
PID 3448 wrote to memory of 3440	3448	z2036953.exe	95
PID 3448 wrote to memory of 4416	3448	z2036953.exe	101
PID 3448 wrote to memory of 4416	3448	z2036953.exe	101
PID 3448 wrote to memory of 4416	3448	z2036953.exe	101
PID 4416 wrote to memory of 4712	4416	r1778403.exe	104
PID 4416 wrote to memory of 4712	4416	r1778403.exe	104
PID 4416 wrote to memory of 4712	4416	r1778403.exe	104
PID 2800 wrote to memory of 4152	2800	z5283722.exe	105
PID 2800 wrote to memory of 4152	2800	z5283722.exe	105
PID 2800 wrote to memory of 4152	2800	z5283722.exe	105
PID 1368 wrote to memory of 4528	1368	z1708469.exe	106
PID 1368 wrote to memory of 4528	1368	z1708469.exe	106
PID 1368 wrote to memory of 4528	1368	z1708469.exe	106
PID 4712 wrote to memory of 3176	4712	saves.exe	107
PID 4712 wrote to memory of 3176	4712	saves.exe	107
PID 4712 wrote to memory of 3176	4712	saves.exe	107
PID 4712 wrote to memory of 2856	4712	saves.exe	109
PID 4712 wrote to memory of 2856	4712	saves.exe	109
PID 4712 wrote to memory of 2856	4712	saves.exe	109
PID 2856 wrote to memory of 400	2856	cmd.exe	111
PID 2856 wrote to memory of 400	2856	cmd.exe	111
PID 2856 wrote to memory of 400	2856	cmd.exe	111
PID 2856 wrote to memory of 4032	2856	cmd.exe	112
PID 2856 wrote to memory of 4032	2856	cmd.exe	112
PID 2856 wrote to memory of 4032	2856	cmd.exe	112
PID 2856 wrote to memory of 4696	2856	cmd.exe	113
PID 2856 wrote to memory of 4696	2856	cmd.exe	113
PID 2856 wrote to memory of 4696	2856	cmd.exe	113
PID 2856 wrote to memory of 4388	2856	cmd.exe	114
PID 2856 wrote to memory of 4388	2856	cmd.exe	114
PID 2856 wrote to memory of 4388	2856	cmd.exe	114
PID 2856 wrote to memory of 4392	2856	cmd.exe	115
PID 2856 wrote to memory of 4392	2856	cmd.exe	115
PID 2856 wrote to memory of 4392	2856	cmd.exe	115
PID 2856 wrote to memory of 556	2856	cmd.exe	116
PID 2856 wrote to memory of 556	2856	cmd.exe	116
PID 2856 wrote to memory of 556	2856	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29.exe
"C:\Users\Admin\AppData\Local\Temp\8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5360701.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5360701.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1708469.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1708469.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5283722.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5283722.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036953.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036953.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5079007.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5079007.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1778403.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1778403.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        8⤵
        Creates scheduled task(s)
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        9⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        9⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        9⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        9⤵
        
        PID:556
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0222944.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0222944.exe
        5⤵
        Executes dropped EXE
        
        PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2809250.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2809250.exe
      4⤵
      Executes dropped EXE
      PID:4528

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5360701.exe

Filesize
931KB

MD5
3775f829d1cc599b41b24ab92b8a48f1

SHA1
7891e6c04160af42b9aec5042089e8226e7dd819

SHA256
31b6bb35984382e8174886cd6194ec7711e9a665b453e30efaf41e4280ef3f82

SHA512
412ff7b4e7bbbadf00a78c9d710da7dc78dd400ebc45aebb6a8a890cf85d0f51865f890bd114ede37bb15ebe22c2604992cbc2c2fc9ad3678dcaa1dbdfdd95b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1708469.exe

Filesize
706KB

MD5
d77462ca803076ffe8c5c3a05f282797

SHA1
7ea4dc46f18421d058575b6f7c7ea2062b33625d

SHA256
d91a7a4aff3cf9cd085253704b46cf3a90ec13a38d74f68d34ca5aec7bf8bb91

SHA512
3d772bce807474c3d70d8c22d135923af870746f1e08577ea00e0f9cb8c6a05deabad9b86c33de2642e61a9abac046175139e75cf1d359c7c859545ed2395816

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2809250.exe

Filesize
173KB

MD5
1941740d8804f18df66cccc6ba9df8ca

SHA1
d057a7277640b8de39b1a142050ae735425c18a0

SHA256
f7c6509cb5e52be2c60c6894d7eac6d20231273834b06a03f317eb935ea91767

SHA512
48a1a44f02888078a4440de4f0ed9ced55b2b36b39e6ab487c04926aa1c40d498f69e0fbcb2aa58f6c39e7ebe15b1b7de702824d4361cc7e4fb8a2ebf71e6be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5283722.exe

Filesize
550KB

MD5
e9c7ca9876e3171377c2a1eef98fd93d

SHA1
4ae7a5ebd1e1f5ac5d7fca0ed0088537bfd1c9a3

SHA256
b48e9739bb813e8dfb34785463e6b82e3dbdabcbe3b7717f175931cf7840a468

SHA512
86028ceaa16191fbf26c4fee60c2b57bcddab428fb4042c9101bd9523e4d55dea55a0d2d99d507ffb1c107d8e9ea45fc937ef76d9780b00c72571176f65a6710

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0222944.exe

Filesize
141KB

MD5
302789c3e287939e16689820bc63c54a

SHA1
911ceca379e0d501e30e1801e0619bde06316ac7

SHA256
de4f554b7edd3c86a5496b91ab9a2e9b82f48117cbc5a0cdb877d5c2fb98ae20

SHA512
8e11e440c0acd367f58efa77aa2a97da40dc7be81c2506b2b5724de6c4d1dbcedb3bf0720076ded540407d70e68eb26ab08f5c25b48a04181cbd944f5be287d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036953.exe

Filesize
384KB

MD5
ed418e6d351c2a9575309e7ef8f602aa

SHA1
de1bbe74fd1debc8204233a830654c0211afb4e5

SHA256
c407a0dc77da6a3091d7be5498158e8eeb0f7eac17cfa26b2a6b7bf0ea61a85e

SHA512
7bfa1dbbe13a75671550ad30e081636d69c1592fd55439eed54f231335038a11b3583cd68618372d9daf79a57d6c8cc29d8743e97819538c44a3735faf3945fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5079007.exe

Filesize
185KB

MD5
79f358a075289df05c79f515f8169bda

SHA1
8d22bf836d7ac869ec0bd2f6f164b430c3a1e81e

SHA256
88a6bfb2159550d3737073fa3fe6aa52a9c3a0d287faa1c04b2135be5d903ec5

SHA512
5fe865bfbfbc04c1df735f777a3bb94896a924eb461f942271183cbdde877c8f5eb4b6f7f36e68c8fd33532e99c9f923347c8c7988cb2bbde7d3b132a73e1518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1778403.exe

Filesize
335KB

MD5
72ad8f0bb261d256abff8afc7617304c

SHA1
54d616c1051cceb8b5c11cc2cce1ce98d7363cb8

SHA256
102d484f486fcaedef53ef16b93c84f049512855e46489498c6abc2893163535

SHA512
fa00f6417e2ea3c197777afc016a72cc56b0557e40a9eca2ee05575d43fb7ba17832a004a9d72e0f4741a1bdd1b29bbb4d218ebba6bd9887ab23f145f567e182

Download Submit
memory/3440-46-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-39-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-63-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-61-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-59-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-57-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-53-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-51-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-49-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-48-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-43-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-41-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-55-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-65-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-38-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3440-37-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/3440-36-0x0000000004A90000-0x0000000005034000-memory.dmp

Filesize
5.6MB

Download
memory/3440-35-0x0000000002040000-0x000000000205E000-memory.dmp

Filesize
120KB

Download
memory/4528-85-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/4528-86-0x0000000002220000-0x0000000002226000-memory.dmp

Filesize
24KB

Download
memory/4528-87-0x0000000004FD0000-0x00000000055E8000-memory.dmp

Filesize
6.1MB

Download
memory/4528-88-0x0000000004AD0000-0x0000000004BDA000-memory.dmp

Filesize
1.0MB

Download
memory/4528-89-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/4528-90-0x0000000004A60000-0x0000000004A9C000-memory.dmp

Filesize
240KB

Download
memory/4528-91-0x0000000004BE0000-0x0000000004C2C000-memory.dmp

Filesize
304KB

Download