amadey | 155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088

Analysis

max time kernel
143s
max time network
110s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2023 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe
Size

940KB
MD5

383e2f203e560447cb3ab3446955e82b
SHA1

e704b45d65a64da5927381ea35b149b205a58281
SHA256

155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088
SHA512

451f0a9a37553ae5ae47fed3c401a6709f50313c54ed206e12f87875ff245fd3827d9e4e2b7312854a8e411bcf8273bf313c5d7c601a3164037b5e9a04705b7d
SSDEEP

24576:wyfkyYSrM7g2zPwRm24b7BhEdIFBzP5/ooKziU:3sXSgFPI63BUMx/HKz

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr809730.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr809730.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr809730.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr809730.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr809730.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr809730.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-188-0x00000000007F0000-0x0000000000836000-memory.dmp	family_redline
behavioral1/memory/2668-192-0x0000000002220000-0x0000000002264000-memory.dmp	family_redline
behavioral1/memory/2668-193-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-194-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-196-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-198-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-200-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-202-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-204-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-206-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-208-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-210-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-218-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-216-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-214-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-212-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-220-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-222-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-224-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-226-0x0000000002220000-0x000000000225F000-memory.dmp	family_redline
behavioral1/memory/2668-1110-0x0000000004BB0000-0x0000000004BC0000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un768443.exeun951267.exepr809730.exequ198214.exerk446460.exesi900715.exe

pid process

2808 un768443.exe
5092 un951267.exe
4596 pr809730.exe
2668 qu198214.exe
488 rk446460.exe
4688 si900715.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2808	un768443.exe
5092	un951267.exe
4596	pr809730.exe
2668	qu198214.exe
488	rk446460.exe
4688	si900715.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr809730.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr809730.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr809730.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exeun768443.exeun951267.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un768443.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un768443.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un951267.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un951267.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4376	4688	WerFault.exe	si900715.exe
4068	4688	WerFault.exe	si900715.exe
4340	4688	WerFault.exe	si900715.exe
4344	4688	WerFault.exe	si900715.exe
5036	4688	WerFault.exe	si900715.exe
1388	4688	WerFault.exe	si900715.exe
4308	4688	WerFault.exe	si900715.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr809730.exequ198214.exerk446460.exe

pid process

4596 pr809730.exe
4596 pr809730.exe
2668 qu198214.exe
2668 qu198214.exe
488 rk446460.exe
488 rk446460.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr809730.exequ198214.exerk446460.exe

description pid process

Token: SeDebugPrivilege 4596 pr809730.exe
Token: SeDebugPrivilege 2668 qu198214.exe
Token: SeDebugPrivilege 488 rk446460.exe

pid	process
4596	pr809730.exe
4596	pr809730.exe
2668	qu198214.exe
2668	qu198214.exe
488	rk446460.exe
488	rk446460.exe

description	pid	process
Token: SeDebugPrivilege	4596	pr809730.exe
Token: SeDebugPrivilege	2668	qu198214.exe
Token: SeDebugPrivilege	488	rk446460.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exeun768443.exeun951267.exe

description	pid	process	target process
PID 2544 wrote to memory of 2808	2544	155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe	un768443.exe
PID 2544 wrote to memory of 2808	2544	155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe	un768443.exe
PID 2544 wrote to memory of 2808	2544	155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe	un768443.exe
PID 2808 wrote to memory of 5092	2808	un768443.exe	un951267.exe
PID 2808 wrote to memory of 5092	2808	un768443.exe	un951267.exe
PID 2808 wrote to memory of 5092	2808	un768443.exe	un951267.exe
PID 5092 wrote to memory of 4596	5092	un951267.exe	pr809730.exe
PID 5092 wrote to memory of 4596	5092	un951267.exe	pr809730.exe
PID 5092 wrote to memory of 4596	5092	un951267.exe	pr809730.exe
PID 5092 wrote to memory of 2668	5092	un951267.exe	qu198214.exe
PID 5092 wrote to memory of 2668	5092	un951267.exe	qu198214.exe
PID 5092 wrote to memory of 2668	5092	un951267.exe	qu198214.exe
PID 2808 wrote to memory of 488	2808	un768443.exe	rk446460.exe
PID 2808 wrote to memory of 488	2808	un768443.exe	rk446460.exe
PID 2808 wrote to memory of 488	2808	un768443.exe	rk446460.exe
PID 2544 wrote to memory of 4688	2544	155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe	si900715.exe
PID 2544 wrote to memory of 4688	2544	155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe	si900715.exe
PID 2544 wrote to memory of 4688	2544	155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe	si900715.exe

C:\Users\Admin\AppData\Local\Temp\155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe
"C:\Users\Admin\AppData\Local\Temp\155290fe9b1f6e206bf093be68a5bd5b848b87d724d705239d2419750531f088.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un768443.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un768443.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un951267.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un951267.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr809730.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr809730.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu198214.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu198214.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446460.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446460.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si900715.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si900715.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 608
    3⤵
    - Program crash
    PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 696
    3⤵
    - Program crash
    PID:4068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 832
    3⤵
    - Program crash
    PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 844
    3⤵
    - Program crash
    PID:4344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 872
    3⤵
    - Program crash
    PID:5036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 888
    3⤵
    - Program crash
    PID:1388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1068
    3⤵
    - Program crash
    PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si900715.exe

Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si900715.exe

Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un768443.exe

Filesize
675KB

MD5
a399e5fa307d1a04fecfbc569357e6ec

SHA1
ef02d30bacb9aa28782e8e9fff64d229de371959

SHA256
4e64f714952413c162cf4406314b1beabf71e9538d12d4412c9845e28f0a1f25

SHA512
749edd7916e6704e5e9a96ff00fcd3019844c4a96ac03fd347b862efbb5c1cee4b0ec19a67feb11c587f6f856cc18db6023625f92a20639b0bebeafbfb1afe3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un768443.exe

Filesize
675KB

MD5
a399e5fa307d1a04fecfbc569357e6ec

SHA1
ef02d30bacb9aa28782e8e9fff64d229de371959

SHA256
4e64f714952413c162cf4406314b1beabf71e9538d12d4412c9845e28f0a1f25

SHA512
749edd7916e6704e5e9a96ff00fcd3019844c4a96ac03fd347b862efbb5c1cee4b0ec19a67feb11c587f6f856cc18db6023625f92a20639b0bebeafbfb1afe3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446460.exe

Filesize
168KB

MD5
d4718e53a98b274117dd713b94b49485

SHA1
9e30a0decdf6087ee01ac6e9e10dbb5b15a44b15

SHA256
64fa5e9034d985ec381eb7fe62ac329ebc0c2c0b275697e0d3896841240bad75

SHA512
16eba5d5547543b6d7c9ce3cda68da352b3bb72ba265f70fedc66408f7cccc526a5a42aa3fd48b66a9407d1b2d3ecdf7b840cd63c607b16811ced6489e7bdb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446460.exe

Filesize
168KB

MD5
d4718e53a98b274117dd713b94b49485

SHA1
9e30a0decdf6087ee01ac6e9e10dbb5b15a44b15

SHA256
64fa5e9034d985ec381eb7fe62ac329ebc0c2c0b275697e0d3896841240bad75

SHA512
16eba5d5547543b6d7c9ce3cda68da352b3bb72ba265f70fedc66408f7cccc526a5a42aa3fd48b66a9407d1b2d3ecdf7b840cd63c607b16811ced6489e7bdb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un951267.exe

Filesize
521KB

MD5
d896fe1243313b89bd9a45d67e403c47

SHA1
9be4ffe17e8f078ca29b9df10c0b5e93efde3437

SHA256
f614f0631965966417cc8ebf7ecc262b9a5415891ef40545db61f2aa4410a86f

SHA512
2f31870d8f7bbd197f454317c612c68ad52081a7150d159ad42fd57d707922b7346e611b6188f7dc815179f318c1e7a5d0c21a1248544329d6374fca2daa2f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un951267.exe

Filesize
521KB

MD5
d896fe1243313b89bd9a45d67e403c47

SHA1
9be4ffe17e8f078ca29b9df10c0b5e93efde3437

SHA256
f614f0631965966417cc8ebf7ecc262b9a5415891ef40545db61f2aa4410a86f

SHA512
2f31870d8f7bbd197f454317c612c68ad52081a7150d159ad42fd57d707922b7346e611b6188f7dc815179f318c1e7a5d0c21a1248544329d6374fca2daa2f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr809730.exe

Filesize
239KB

MD5
757975b4e248fb8f6fcbc597c5d41404

SHA1
5db5832c888e40c157875fcc6822e75334794424

SHA256
def2fef7c257370600c3219d016d4169a41b6ff5722788738be8a5b6c6e12923

SHA512
178709d89f429d7c888984a5df6f5fb6158e61108bbb93bebca6c7a94020213345ef2a5e2800ddc3c0d0b773f9d04fb026fd0d76d649ed801d04b49c724418a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr809730.exe

Filesize
239KB

MD5
757975b4e248fb8f6fcbc597c5d41404

SHA1
5db5832c888e40c157875fcc6822e75334794424

SHA256
def2fef7c257370600c3219d016d4169a41b6ff5722788738be8a5b6c6e12923

SHA512
178709d89f429d7c888984a5df6f5fb6158e61108bbb93bebca6c7a94020213345ef2a5e2800ddc3c0d0b773f9d04fb026fd0d76d649ed801d04b49c724418a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu198214.exe

Filesize
297KB

MD5
53e48e0376295b8f0cad56e566fcb822

SHA1
7f9351539fe5bebe2c33f68773d09451c68b752e

SHA256
a659fd1c94ff9e5b37f58f98c0e3acb6cdc918974e275f252b16aef336314af9

SHA512
f10c6c2d772e50ead860d67d131c4e7bec6d60f5ad356c49e91c13b8a30534e43072286f4253e5b2a192298fe796fff68def9eae66c511d3dc03713afe4e87ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu198214.exe

Filesize
297KB

MD5
53e48e0376295b8f0cad56e566fcb822

SHA1
7f9351539fe5bebe2c33f68773d09451c68b752e

SHA256
a659fd1c94ff9e5b37f58f98c0e3acb6cdc918974e275f252b16aef336314af9

SHA512
f10c6c2d772e50ead860d67d131c4e7bec6d60f5ad356c49e91c13b8a30534e43072286f4253e5b2a192298fe796fff68def9eae66c511d3dc03713afe4e87ba

Download Submit
memory/488-1125-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/488-1121-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/488-1122-0x0000000000D50000-0x0000000000D56000-memory.dmp

Filesize
24KB

Download
memory/488-1123-0x000000000A4B0000-0x000000000A4FB000-memory.dmp

Filesize
300KB

Download
memory/488-1124-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2668-1104-0x0000000005310000-0x000000000535B000-memory.dmp

Filesize
300KB

Download
memory/2668-1108-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/2668-1115-0x00000000078C0000-0x0000000007DEC000-memory.dmp

Filesize
5.2MB

Download
memory/2668-1114-0x00000000076F0000-0x00000000078B2000-memory.dmp

Filesize
1.8MB

Download
memory/2668-1113-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2668-1112-0x00000000063C0000-0x0000000006410000-memory.dmp

Filesize
320KB

Download
memory/2668-1111-0x0000000006340000-0x00000000063B6000-memory.dmp

Filesize
472KB

Download
memory/2668-1110-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2668-1109-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2668-1107-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/2668-1105-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2668-1103-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/2668-1102-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/2668-1101-0x00000000050C0000-0x00000000051CA000-memory.dmp

Filesize
1.0MB

Download
memory/2668-1100-0x00000000056D0000-0x0000000005CD6000-memory.dmp

Filesize
6.0MB

Download
memory/2668-421-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2668-226-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-224-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-188-0x00000000007F0000-0x0000000000836000-memory.dmp

Filesize
280KB

Download
memory/2668-189-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/2668-190-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2668-192-0x0000000002220000-0x0000000002264000-memory.dmp

Filesize
272KB

Download
memory/2668-191-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2668-193-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-194-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-196-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-198-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-200-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-202-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-204-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-206-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-208-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-210-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-218-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-216-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-214-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-212-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-220-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/2668-222-0x0000000002220000-0x000000000225F000-memory.dmp

Filesize
252KB

Download
memory/4596-167-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-144-0x0000000004C00000-0x00000000050FE000-memory.dmp

Filesize
5.0MB

Download
memory/4596-183-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4596-181-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4596-180-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4596-179-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4596-178-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4596-153-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-177-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-175-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-159-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-173-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-171-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-157-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-148-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4596-165-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-163-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-161-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-155-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-149-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-151-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-150-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4596-147-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4596-146-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4596-145-0x00000000021C0000-0x00000000021D8000-memory.dmp

Filesize
96KB

Download
memory/4596-169-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/4596-143-0x0000000002000000-0x000000000201A000-memory.dmp

Filesize
104KB

Download
memory/4688-1131-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download