amadey | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a

Analysis

max time kernel
50s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.9MB
MD5

1d272c9aa998704c62b578a03ea79db0
SHA1

0bfb5ffd37a278143649f15efbf3b8725b25f89b
SHA256

a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a
SHA512

8de05686653f6779327abd212946ea3bcad946fd6e014accd47d411d58c7eb95b62365e015daa0ea94d6bb5835227e7c657fca72a88a1de41674e99a078be6c8
SSDEEP

49152:0wH8eUbUu/g2CpfY3m9/Py/vxbhOQ1kK1dkUsVXos3xfHfMm3ScftLQJiME+N:0wT5u/g2CpfY3m9/PexbQAkK1dkh3xvL

Score

10^/10

amadey cryptbot lumma stealc 9c9aa5 stok discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

cryptbot

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://shineugler.biz/api

https://tacitglibbr.biz/api

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://drive-connect.cyou/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 5 IoCs

pid	Process
4944	skotes.exe
4760	IQ7ux2z.exe
896	31cbb836d0.exe
5272	31cbb836d0.exe
5812	skotes.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023c86-23074.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2256	file.exe
4944	skotes.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 896 set thread context of 5272	896	31cbb836d0.exe	101

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1548	1652	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IQ7ux2z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31cbb836d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31cbb836d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3296	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
6116	taskkill.exe
4308	taskkill.exe
3712	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2256	file.exe
2256	file.exe
4944	skotes.exe
4944	skotes.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	IQ7ux2z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2256	file.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 4944	2256	file.exe	83
PID 2256 wrote to memory of 4944	2256	file.exe	83
PID 2256 wrote to memory of 4944	2256	file.exe	83
PID 4944 wrote to memory of 4760	4944	skotes.exe	97
PID 4944 wrote to memory of 4760	4944	skotes.exe	97
PID 4944 wrote to memory of 4760	4944	skotes.exe	97
PID 4944 wrote to memory of 896	4944	skotes.exe	98
PID 4944 wrote to memory of 896	4944	skotes.exe	98
PID 4944 wrote to memory of 896	4944	skotes.exe	98
PID 896 wrote to memory of 5272	896	31cbb836d0.exe	101
PID 896 wrote to memory of 5272	896	31cbb836d0.exe	101
PID 896 wrote to memory of 5272	896	31cbb836d0.exe	101
PID 896 wrote to memory of 5272	896	31cbb836d0.exe	101
PID 896 wrote to memory of 5272	896	31cbb836d0.exe	101
PID 896 wrote to memory of 5272	896	31cbb836d0.exe	101
PID 896 wrote to memory of 5272	896	31cbb836d0.exe	101
PID 896 wrote to memory of 5272	896	31cbb836d0.exe	101
PID 896 wrote to memory of 5272	896	31cbb836d0.exe	101
PID 896 wrote to memory of 5272	896	31cbb836d0.exe	101

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
    "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Users\Admin\AppData\Local\Temp\1015672001\31cbb836d0.exe
    "C:\Users\Admin\AppData\Local\Temp\1015672001\31cbb836d0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Users\Admin\AppData\Local\Temp\1015672001\31cbb836d0.exe
      "C:\Users\Admin\AppData\Local\Temp\1015672001\31cbb836d0.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5272
- - C:\Users\Admin\AppData\Local\Temp\1015673001\f3412d7efc.exe
    "C:\Users\Admin\AppData\Local\Temp\1015673001\f3412d7efc.exe"
    3⤵
    PID:6120
- - C:\Users\Admin\AppData\Local\Temp\1015674001\da7138c1ef.exe
    "C:\Users\Admin\AppData\Local\Temp\1015674001\da7138c1ef.exe"
    3⤵
    PID:5868
- - C:\Users\Admin\AppData\Local\Temp\1015675001\91a360ef96.exe
    "C:\Users\Admin\AppData\Local\Temp\1015675001\91a360ef96.exe"
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1015675001\91a360ef96.exe" & rd /s /q "C:\ProgramData\JWBIECJ5XBIE" & exit
      4⤵
      PID:5508
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:3296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1928
      4⤵
      Program crash
      PID:1548
- - C:\Users\Admin\AppData\Local\Temp\1015676001\07e8e33ef5.exe
    "C:\Users\Admin\AppData\Local\Temp\1015676001\07e8e33ef5.exe"
    3⤵
    PID:3608
- - C:\Users\Admin\AppData\Local\Temp\1015677001\da583c77ee.exe
    "C:\Users\Admin\AppData\Local\Temp\1015677001\da583c77ee.exe"
    3⤵
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\9G7T5VE00I1JV8KJQU.exe
      "C:\Users\Admin\AppData\Local\Temp\9G7T5VE00I1JV8KJQU.exe"
      4⤵
      PID:3208
- - C:\Users\Admin\AppData\Local\Temp\1015678001\d7afa2e12d.exe
    "C:\Users\Admin\AppData\Local\Temp\1015678001\d7afa2e12d.exe"
    3⤵
    PID:5940
- - C:\Users\Admin\AppData\Local\Temp\1015679001\70caf75065.exe
    "C:\Users\Admin\AppData\Local\Temp\1015679001\70caf75065.exe"
    3⤵
    PID:5996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:4308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:3712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:6116
- - C:\Users\Admin\AppData\Local\Temp\1015680001\7e1233f367.exe
    "C:\Users\Admin\AppData\Local\Temp\1015680001\7e1233f367.exe"
    3⤵
    PID:5052
- - C:\Users\Admin\AppData\Local\Temp\1015681001\318029e4fe.exe
    "C:\Users\Admin\AppData\Local\Temp\1015681001\318029e4fe.exe"
    3⤵
    PID:1468

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
PID:5812

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1652 -ip 1652
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe

Filesize
2.8MB

MD5
985a071afd1a3065488a92540c3bee93

SHA1
f5282fdbd3fbe681dd8485f37d6ba3d5ce59079f

SHA256
464e8781560aecb3764b8afad710aed0b8087b362e180bc3b18c84be5ef38089

SHA512
ff76a68533f86b2872c19722f8adb3fcba5f6bc802caa4dc6543447141b78d60db686d481a0e168afd58516d009fe551ee3113de6b3eb174eeee736cf304dd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015672001\31cbb836d0.exe

Filesize
710KB

MD5
28e568616a7b792cac1726deb77d9039

SHA1
39890a418fb391b823ed5084533e2e24dff021e1

SHA256
9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2

SHA512
85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015673001\f3412d7efc.exe

Filesize
4.2MB

MD5
3cdd95ff7c8fb061a1a077b9eed6af4f

SHA1
f8c42713f9c7c750406dde52859ca2b0f6d8a342

SHA256
9423f239cb53933a8e5585af76a49d471dbc4fab82c10b67e3c519def8eed56c

SHA512
9c57282f715b8f19463c071e99318ce9b00864cfcf30bbf376e827fad26240f7dbde2ccd2bcacc6813ab2fe0cb5f2534bcc298b4727253e46cab6b783466e868

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015674001\da7138c1ef.exe

Filesize
4.2MB

MD5
9d7ae4f4e2bc87a3ae1a13ddb7fb0724

SHA1
19ff6551bfbc6d2d984815622cfc1e82130a5833

SHA256
589e6c32c755c633910c40c121abfe8c0bc77059fafb0f93bde52ba79ba50583

SHA512
53d89e685407046c45a594538816b9469acd1f96d24e5dba962ed1351848d403b81f2164358680b4a2035b21022a131f4d5fa9c9b12858bdb8f79e1364c75f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015675001\91a360ef96.exe

Filesize
384KB

MD5
dfd5f78a711fa92337010ecc028470b4

SHA1
1a389091178f2be8ce486cd860de16263f8e902e

SHA256
da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d

SHA512
a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015676001\07e8e33ef5.exe

Filesize
1.7MB

MD5
6c1d0dabe1ec5e928f27b3223f25c26b

SHA1
e25ab704a6e9b3e4c30a6c1f7043598a13856ad9

SHA256
92228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d

SHA512
3a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015677001\da583c77ee.exe

Filesize
1.8MB

MD5
a26561072a2f9f8d37cd3033c70ba3cc

SHA1
4c9cb01e8e0e68a2a6a840c6d50d1c094037fc85

SHA256
8d5a0cf5acb3c50c2f2616b76d187853ef9408fa4c227fd5ad68aded4c9915ba

SHA512
08669dac4835c60370c8ab5c082772247200270b5acc604413c8f55966e0f06b1bc4c20dd9a75451dd5043e04ca7d2e32b0c26007a18e83ee085722d9ade482a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015678001\d7afa2e12d.exe

Filesize
1.7MB

MD5
26dfd4e4ae9e14a8e1fc8040aff03605

SHA1
5dbe49b962b6e7183cc8d9170072e8cfd4409b07

SHA256
aacee4744f2f51a58eafac85825e8058ecd2944cffa57b384387b83be39453cf

SHA512
0eaa02a0655cb22287a454d802a6dcfc6529c3b11027006b606002265247665c5d35211dc1685097131e15cba24723c5fe9d0eab3b769bfcc64973c067cb993c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015679001\70caf75065.exe

Filesize
947KB

MD5
f30e464f0a632c379dcb7ac28fda1177

SHA1
d6aeac7924402f8be8a438b5fdd0c60a6519bdbd

SHA256
f1423f4cd5d5a2a74ca67e4c095c5a9fc0093c2aee4d18711850428468ca51de

SHA512
85ddaa24d5be46f512e2286c7ac9bc6fb264ad0a641ef851fdb083aa6cd5be83b581e9e99ba69954193192f7838b99be72bf44b4a4e1cc9fad1fe9162ee83ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015680001\7e1233f367.exe

Filesize
2.7MB

MD5
c64dbd250a13e12310835e529aa4d6b7

SHA1
fd117208778d7a9410b613ead8b786c711b6ec6a

SHA256
e5236fec424be118d05079de19f90a26358f69044a5be884158a1fc90e3c890e

SHA512
b1294b9663c682569cd8fc401839bb9a50eee7fefb18bf2b9a607f989262a63fdaa5ec941c829a945f4d93bfcbc70d5a33ba95310d9b1f57280beebf7e8e8bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015681001\318029e4fe.exe

Filesize
2.8MB

MD5
24e63d17a0a5c427a27fe6b04c9721a5

SHA1
92fc0a561812cda4306ca990f376f02669e318aa

SHA256
fa8d7b1ba57650187e73565cdd08cef8a64c18dbcddecb3841d4eb914fcef1ae

SHA512
a37f743459c91d56eb9727d8c81c35fadd72f5cf19eb802baeed7d427c5c131a5d48ec4e4a38ea701533a517b711fe65783ccf65ed55c534c3b24c6a10a7aa20

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015681001\318029e4fe.exe

Filesize
3.1MB

MD5
da20e575ced8167250e95e5bb4a186f6

SHA1
761f7763a66260d6cd2b5d4672430795026fbdaa

SHA256
08a8b32844cfc87025b97eafc2f3b2e794b8139abb4e60326608b5909cc8350b

SHA512
558b82a1f2cc931655992e258776203b8dca88fff741085c88eaffdb1c5ff313d073a313bac5502429995da71d35814da372485d5387c32731ce3e4706baf46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015681001\318029e4fe.exe

Filesize
3.4MB

MD5
6cc971339e2c468e8bb2f6e4055e5ee5

SHA1
e9c70aef7a41ffea6a6070312f0563d4016a788e

SHA256
ce4ef41f481d978cd884ae9450df66fdabd01db4ddf676d7a96c59a2740cb4aa

SHA512
daed2264ac8dd66336291603275bcb0dbdf80ac87a64646e9543e13a4fd9f6e66f320b410e4c5099c0558f0aefcb51df33a363451493cf9166ead04e2116aff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.9MB

MD5
1d272c9aa998704c62b578a03ea79db0

SHA1
0bfb5ffd37a278143649f15efbf3b8725b25f89b

SHA256
a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a

SHA512
8de05686653f6779327abd212946ea3bcad946fd6e014accd47d411d58c7eb95b62365e015daa0ea94d6bb5835227e7c657fca72a88a1de41674e99a078be6c8

Download Submit
memory/1368-19316-0x0000000000BF0000-0x0000000001081000-memory.dmp

Filesize
4.6MB

Download
memory/1368-22881-0x0000000000BF0000-0x0000000001081000-memory.dmp

Filesize
4.6MB

Download
memory/2256-18-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/2256-0-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/2256-4-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/2256-3-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/2256-2-0x0000000000D21000-0x0000000000D4F000-memory.dmp

Filesize
184KB

Download
memory/2256-1-0x0000000077554000-0x0000000077556000-memory.dmp

Filesize
8KB

Download
memory/3608-19722-0x0000000000F90000-0x000000000141B000-memory.dmp

Filesize
4.5MB

Download
memory/3608-16628-0x0000000000F90000-0x000000000141B000-memory.dmp

Filesize
4.5MB

Download
memory/3608-29843-0x0000000000F90000-0x000000000141B000-memory.dmp

Filesize
4.5MB

Download
memory/4760-81-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-43-0x000000007316E000-0x000000007316F000-memory.dmp

Filesize
4KB

Download
memory/4760-54-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-49-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-48-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-87-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-105-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-109-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-107-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-103-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-101-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-99-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-97-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-95-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-93-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-91-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-89-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-85-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-83-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-57-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-79-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-77-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-75-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-71-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-69-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-65-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-63-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-59-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-2596-0x0000000073160000-0x0000000073910000-memory.dmp

Filesize
7.7MB

Download
memory/4760-2595-0x000000007316E000-0x000000007316F000-memory.dmp

Filesize
4KB

Download
memory/4760-55-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-61-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-44-0x0000000000FC0000-0x0000000001298000-memory.dmp

Filesize
2.8MB

Download
memory/4760-45-0x0000000005DD0000-0x0000000005FEC000-memory.dmp

Filesize
2.1MB

Download
memory/4760-46-0x0000000073160000-0x0000000073910000-memory.dmp

Filesize
7.7MB

Download
memory/4760-47-0x0000000073160000-0x0000000073910000-memory.dmp

Filesize
7.7MB

Download
memory/4760-67-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-51-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4760-73-0x0000000005DD0000-0x0000000005FE6000-memory.dmp

Filesize
2.1MB

Download
memory/4944-24-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/4944-20-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/4944-16-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/4944-22-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/4944-19-0x0000000000D91000-0x0000000000DBF000-memory.dmp

Filesize
184KB

Download
memory/4944-23-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/4944-21-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/5052-27807-0x0000000000F00000-0x00000000011B4000-memory.dmp

Filesize
2.7MB

Download
memory/5052-27808-0x0000000000F00000-0x00000000011B4000-memory.dmp

Filesize
2.7MB

Download
memory/5052-31426-0x0000000000F00000-0x00000000011B4000-memory.dmp

Filesize
2.7MB

Download
memory/5052-30102-0x0000000000F00000-0x00000000011B4000-memory.dmp

Filesize
2.7MB

Download
memory/5052-26507-0x0000000000F00000-0x00000000011B4000-memory.dmp

Filesize
2.7MB

Download
memory/5812-7204-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/5812-8479-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/5868-13372-0x0000000000350000-0x0000000000F7F000-memory.dmp

Filesize
12.2MB

Download
memory/5868-18257-0x0000000000350000-0x0000000000F7F000-memory.dmp

Filesize
12.2MB

Download
memory/5868-16749-0x0000000000350000-0x0000000000F7F000-memory.dmp

Filesize
12.2MB

Download
memory/5940-24066-0x0000000000E00000-0x0000000001484000-memory.dmp

Filesize
6.5MB

Download
memory/5940-21747-0x0000000000E00000-0x0000000001484000-memory.dmp

Filesize
6.5MB

Download
memory/5944-24220-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/5944-23229-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/6120-8480-0x00000000006B0000-0x00000000012A0000-memory.dmp

Filesize
11.9MB

Download
memory/6120-11437-0x00000000006B0000-0x00000000012A0000-memory.dmp

Filesize
11.9MB

Download
memory/6120-12673-0x00000000006B0000-0x00000000012A0000-memory.dmp

Filesize
11.9MB

Download