amadey | 770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077

Analysis

max time kernel
294s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2023 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe
Size

937KB
MD5

00a95e080fb463ebfe35d1370096f15c
SHA1

a78aefa47d9b9e2b6040407a0f6e7e448f7ddc9e
SHA256

770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077
SHA512

6a546fafc3add0291149fe31f2fb816995ead7940f0c95ee040f4d2ed60a2b51766b6c48e4eb37d4c0dd1f55ed8526291f0b557bc745d2671d4f78971b9adffe
SSDEEP

24576:QyXKetYq23Jp3Fhxqiv/yeInOVYYaQNPZh:XXKGYq23ll/i3YBNx

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr745368.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr745368.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr745368.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr745368.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr745368.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr745368.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1804-187-0x0000000002300000-0x0000000002346000-memory.dmp	family_redline
behavioral2/memory/1804-191-0x0000000004A40000-0x0000000004A84000-memory.dmp	family_redline
behavioral2/memory/1804-192-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-195-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-193-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-197-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-199-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-201-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-203-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-205-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-207-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-209-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-211-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-213-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-215-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-217-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-219-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-221-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-223-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral2/memory/1804-225-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un339510.exeun276962.exepr745368.exequ870271.exerk430005.exesi461578.exe

pid process

3432 un339510.exe
1268 un276962.exe
1028 pr745368.exe
1804 qu870271.exe
1280 rk430005.exe
3212 si461578.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3432	un339510.exe
1268	un276962.exe
1028	pr745368.exe
1804	qu870271.exe
1280	rk430005.exe
3212	si461578.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr745368.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr745368.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr745368.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exeun339510.exeun276962.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un339510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un339510.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un276962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un276962.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3248	3212	WerFault.exe	si461578.exe
3508	3212	WerFault.exe	si461578.exe
4080	3212	WerFault.exe	si461578.exe
692	3212	WerFault.exe	si461578.exe
3556	3212	WerFault.exe	si461578.exe
3016	3212	WerFault.exe	si461578.exe
3028	3212	WerFault.exe	si461578.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr745368.exequ870271.exerk430005.exe

pid process

1028 pr745368.exe
1028 pr745368.exe
1804 qu870271.exe
1804 qu870271.exe
1280 rk430005.exe
1280 rk430005.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr745368.exequ870271.exerk430005.exe

description pid process

Token: SeDebugPrivilege 1028 pr745368.exe
Token: SeDebugPrivilege 1804 qu870271.exe
Token: SeDebugPrivilege 1280 rk430005.exe

pid	process
1028	pr745368.exe
1028	pr745368.exe
1804	qu870271.exe
1804	qu870271.exe
1280	rk430005.exe
1280	rk430005.exe

description	pid	process
Token: SeDebugPrivilege	1028	pr745368.exe
Token: SeDebugPrivilege	1804	qu870271.exe
Token: SeDebugPrivilege	1280	rk430005.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exeun339510.exeun276962.exe

description	pid	process	target process
PID 2652 wrote to memory of 3432	2652	770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe	un339510.exe
PID 2652 wrote to memory of 3432	2652	770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe	un339510.exe
PID 2652 wrote to memory of 3432	2652	770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe	un339510.exe
PID 3432 wrote to memory of 1268	3432	un339510.exe	un276962.exe
PID 3432 wrote to memory of 1268	3432	un339510.exe	un276962.exe
PID 3432 wrote to memory of 1268	3432	un339510.exe	un276962.exe
PID 1268 wrote to memory of 1028	1268	un276962.exe	pr745368.exe
PID 1268 wrote to memory of 1028	1268	un276962.exe	pr745368.exe
PID 1268 wrote to memory of 1028	1268	un276962.exe	pr745368.exe
PID 1268 wrote to memory of 1804	1268	un276962.exe	qu870271.exe
PID 1268 wrote to memory of 1804	1268	un276962.exe	qu870271.exe
PID 1268 wrote to memory of 1804	1268	un276962.exe	qu870271.exe
PID 3432 wrote to memory of 1280	3432	un339510.exe	rk430005.exe
PID 3432 wrote to memory of 1280	3432	un339510.exe	rk430005.exe
PID 3432 wrote to memory of 1280	3432	un339510.exe	rk430005.exe
PID 2652 wrote to memory of 3212	2652	770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe	si461578.exe
PID 2652 wrote to memory of 3212	2652	770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe	si461578.exe
PID 2652 wrote to memory of 3212	2652	770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe	si461578.exe

C:\Users\Admin\AppData\Local\Temp\770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe
"C:\Users\Admin\AppData\Local\Temp\770e6e134ccc60cc859558fd49538b9d2e18408f8cf34296faa923c23f8ee077.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un339510.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un339510.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un276962.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un276962.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr745368.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr745368.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu870271.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu870271.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk430005.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk430005.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si461578.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si461578.exe
2⤵
- Executes dropped EXE
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 616
3⤵
- Program crash
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 700
3⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 840
3⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 884
3⤵
- Program crash
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 856
3⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 844
3⤵
- Program crash
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1080
3⤵
- Program crash
PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si461578.exe
Filesize
230KB

MD5
7d4cd4a44c1a62d13f282a450b4340aa

SHA1
02e032f246424d04d853fac9064b6958f94730f5

SHA256
96ef83cedeb8ba8eea7d700ac91410298f28cb3aa022a48d189f677981c59448

SHA512
f70e40e9a90912013f6ef36afe343c536d4918f718fa33decd12e03ed1abfcaf149c26b0b0b84964bd01939505ab1cb87d8121c340b2afd583a0d56855eba288

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si461578.exe
Filesize
230KB

MD5
7d4cd4a44c1a62d13f282a450b4340aa

SHA1
02e032f246424d04d853fac9064b6958f94730f5

SHA256
96ef83cedeb8ba8eea7d700ac91410298f28cb3aa022a48d189f677981c59448

SHA512
f70e40e9a90912013f6ef36afe343c536d4918f718fa33decd12e03ed1abfcaf149c26b0b0b84964bd01939505ab1cb87d8121c340b2afd583a0d56855eba288

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un339510.exe
Filesize
673KB

MD5
2954d95481cf73c3df8f31d5fb6d836e

SHA1
f22d306c1f69150b4cab703a4c22cb04fb958dff

SHA256
50bcd71fd8e677bed590797df1a71c0acbe2d473ee3e7539600a83b2a0310342

SHA512
35575054765b89dc1dee54b958582e875b16665ad54e0bbc5c09d3a64be67fac7237139f67e5db9c5ee2d7142ec9951a5ccc14e95c1ed7b1885e4183bf636d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un339510.exe
Filesize
673KB

MD5
2954d95481cf73c3df8f31d5fb6d836e

SHA1
f22d306c1f69150b4cab703a4c22cb04fb958dff

SHA256
50bcd71fd8e677bed590797df1a71c0acbe2d473ee3e7539600a83b2a0310342

SHA512
35575054765b89dc1dee54b958582e875b16665ad54e0bbc5c09d3a64be67fac7237139f67e5db9c5ee2d7142ec9951a5ccc14e95c1ed7b1885e4183bf636d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk430005.exe
Filesize
168KB

MD5
6464a92aa53df0900575af514a991687

SHA1
b21bc68ddebcdf54182723a01c241b180a01d7be

SHA256
53ea526c71d23c786ad00d3297f314b968096e31895837e16f9aa278fa9463bc

SHA512
a21ef245c30bd0d36ff9cbdda448190e2f4d656205cff2899b85bd294f76f7a60510307e5345d31f9cab5def914556cdb87f10b0fa4a98c300e076f71946d029

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk430005.exe
Filesize
168KB

MD5
6464a92aa53df0900575af514a991687

SHA1
b21bc68ddebcdf54182723a01c241b180a01d7be

SHA256
53ea526c71d23c786ad00d3297f314b968096e31895837e16f9aa278fa9463bc

SHA512
a21ef245c30bd0d36ff9cbdda448190e2f4d656205cff2899b85bd294f76f7a60510307e5345d31f9cab5def914556cdb87f10b0fa4a98c300e076f71946d029

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un276962.exe
Filesize
519KB

MD5
03baf3bbdbdafc22b654e290afac1409

SHA1
d6e74fc91dbcaae0a5c7dc8593a7d327b2fe3331

SHA256
db612bc08fafa2f65d09a5e98c20990e16052d2fe967b18ec91c0b09f369007e

SHA512
55b510ceb9c1f0536c346a30e1b558c0750b8242ab7e89df0eeed27b33307322e3079d0204685fdb5d655ec3083157516a5e02236f17943d06b1c853b943ead5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un276962.exe
Filesize
519KB

MD5
03baf3bbdbdafc22b654e290afac1409

SHA1
d6e74fc91dbcaae0a5c7dc8593a7d327b2fe3331

SHA256
db612bc08fafa2f65d09a5e98c20990e16052d2fe967b18ec91c0b09f369007e

SHA512
55b510ceb9c1f0536c346a30e1b558c0750b8242ab7e89df0eeed27b33307322e3079d0204685fdb5d655ec3083157516a5e02236f17943d06b1c853b943ead5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr745368.exe
Filesize
239KB

MD5
0631f0801d90e081969e054e75bcf169

SHA1
76898df589c6fcb730da926511f32fc6cb982dfc

SHA256
218d8ebc6ab8fcca3a15dabc76c5359da14ff31680c261aa0ffb3286b22e11c7

SHA512
40a970f41f3d972ba1eb8cc9a04b2384d4c035b44d723ca25d28fa3746f71c5b3ef82da09b2d630bb142bfa8981e76021bea32defd84bd7c5b0d4af9a44c3439

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr745368.exe
Filesize
239KB

MD5
0631f0801d90e081969e054e75bcf169

SHA1
76898df589c6fcb730da926511f32fc6cb982dfc

SHA256
218d8ebc6ab8fcca3a15dabc76c5359da14ff31680c261aa0ffb3286b22e11c7

SHA512
40a970f41f3d972ba1eb8cc9a04b2384d4c035b44d723ca25d28fa3746f71c5b3ef82da09b2d630bb142bfa8981e76021bea32defd84bd7c5b0d4af9a44c3439

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu870271.exe
Filesize
298KB

MD5
08cd45fe8c25de1352cb98a5bff7f5a0

SHA1
ded38ad9b71d9b18af2dda06990be93080440b57

SHA256
219524745a2325543d09013b7434fcf17bd14b89bc53aa5184465954b45642c4

SHA512
384ffabc2cfafa01b3ac707e884d79051834188b1faafbad307641f481f7e46ee1eff5228ef2cec80dc3ca5fd46c96a5cc7abd4c49668628b90b264ff0b12038

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu870271.exe
Filesize
298KB

MD5
08cd45fe8c25de1352cb98a5bff7f5a0

SHA1
ded38ad9b71d9b18af2dda06990be93080440b57

SHA256
219524745a2325543d09013b7434fcf17bd14b89bc53aa5184465954b45642c4

SHA512
384ffabc2cfafa01b3ac707e884d79051834188b1faafbad307641f481f7e46ee1eff5228ef2cec80dc3ca5fd46c96a5cc7abd4c49668628b90b264ff0b12038

Download Submit
memory/1028-155-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-180-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1028-147-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-150-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1028-148-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1028-149-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-152-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1028-153-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-143-0x0000000002210000-0x000000000222A000-memory.dmp

Filesize
104KB

Download
memory/1028-157-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-159-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-161-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-163-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-165-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-167-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-169-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-171-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-173-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-175-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-177-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1028-178-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1028-181-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1028-146-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/1028-182-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1028-144-0x0000000004C00000-0x00000000050FE000-memory.dmp

Filesize
5.0MB

Download
memory/1028-145-0x0000000002470000-0x0000000002488000-memory.dmp

Filesize
96KB

Download
memory/1280-1119-0x00000000000F0000-0x0000000000120000-memory.dmp

Filesize
192KB

Download
memory/1280-1123-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/1280-1120-0x00000000009C0000-0x00000000009C6000-memory.dmp

Filesize
24KB

Download
memory/1280-1122-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/1280-1121-0x000000000A000000-0x000000000A04B000-memory.dmp

Filesize
300KB

Download
memory/1804-190-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1804-193-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-197-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-199-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-201-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-203-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-205-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-207-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-209-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-211-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-213-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-215-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-217-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-219-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-221-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-223-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-225-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-1098-0x0000000005710000-0x0000000005D16000-memory.dmp

Filesize
6.0MB

Download
memory/1804-1099-0x0000000005100000-0x000000000520A000-memory.dmp

Filesize
1.0MB

Download
memory/1804-1100-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1804-1101-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/1804-1102-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1804-1103-0x0000000005310000-0x000000000535B000-memory.dmp

Filesize
300KB

Download
memory/1804-1105-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1804-1106-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1804-1107-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1804-1108-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/1804-1109-0x0000000006250000-0x0000000006412000-memory.dmp

Filesize
1.8MB

Download
memory/1804-1110-0x0000000006420000-0x000000000694C000-memory.dmp

Filesize
5.2MB

Download
memory/1804-195-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-192-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1804-191-0x0000000004A40000-0x0000000004A84000-memory.dmp

Filesize
272KB

Download
memory/1804-189-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1804-188-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/1804-187-0x0000000002300000-0x0000000002346000-memory.dmp

Filesize
280KB

Download
memory/1804-1111-0x0000000006B90000-0x0000000006C06000-memory.dmp

Filesize
472KB

Download
memory/1804-1112-0x0000000006C10000-0x0000000006C60000-memory.dmp

Filesize
320KB

Download
memory/1804-1113-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/3212-1129-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download