amadey | 80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7

Analysis

max time kernel
142s
max time network
106s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2023 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe
Size

936KB
MD5

939a4b91c94501a89951e4c9b2ef9dac
SHA1

7ee886a1b0668617d2d2b7f9cffabcde026dbdf9
SHA256

80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7
SHA512

fa77d1f442db8b2cd51ee6afd4e6a9b7093a035732af210eee444ef33d168fa2b9bb74635177c57d2d7059e3bb622d97513fb8fbe18d80f23fed0e4ef739cc92
SSDEEP

12288:WMrxSy90fbqhvOjNhacH7Vw3lneDbIzCpe+ahEWmKUZepuwE34x3+iCFzd28IczI:DSykqQ1Kj+ahtmKqeBT9+iKzd2ONrY

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr933416.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr933416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr933416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr933416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr933416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr933416.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1424-182-0x0000000002060000-0x00000000020A6000-memory.dmp	family_redline
behavioral1/memory/1424-183-0x0000000004A40000-0x0000000004A84000-memory.dmp	family_redline
behavioral1/memory/1424-184-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-185-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-187-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-189-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-191-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-193-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-195-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-197-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-199-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-202-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-206-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-205-0x0000000004AC0000-0x0000000004AD0000-memory.dmp	family_redline
behavioral1/memory/1424-210-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-208-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-212-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-214-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-216-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-218-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/1424-220-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un913280.exeun295998.exepr933416.exequ603063.exerk464238.exesi734324.exe

pid process

3100 un913280.exe
4048 un295998.exe
5000 pr933416.exe
1424 qu603063.exe
4556 rk464238.exe
3108 si734324.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3100	un913280.exe
4048	un295998.exe
5000	pr933416.exe
1424	qu603063.exe
4556	rk464238.exe
3108	si734324.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr933416.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr933416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr933416.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un913280.exeun295998.exe80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un913280.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un295998.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un295998.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un913280.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2488	3108	WerFault.exe	si734324.exe
3800	3108	WerFault.exe	si734324.exe
3844	3108	WerFault.exe	si734324.exe
3824	3108	WerFault.exe	si734324.exe
3448	3108	WerFault.exe	si734324.exe
4636	3108	WerFault.exe	si734324.exe
4016	3108	WerFault.exe	si734324.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr933416.exequ603063.exerk464238.exe

pid process

5000 pr933416.exe
5000 pr933416.exe
1424 qu603063.exe
1424 qu603063.exe
4556 rk464238.exe
4556 rk464238.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr933416.exequ603063.exerk464238.exe

description pid process

Token: SeDebugPrivilege 5000 pr933416.exe
Token: SeDebugPrivilege 1424 qu603063.exe
Token: SeDebugPrivilege 4556 rk464238.exe

pid	process
5000	pr933416.exe
5000	pr933416.exe
1424	qu603063.exe
1424	qu603063.exe
4556	rk464238.exe
4556	rk464238.exe

description	pid	process
Token: SeDebugPrivilege	5000	pr933416.exe
Token: SeDebugPrivilege	1424	qu603063.exe
Token: SeDebugPrivilege	4556	rk464238.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exeun913280.exeun295998.exe

description	pid	process	target process
PID 3728 wrote to memory of 3100	3728	80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe	un913280.exe
PID 3728 wrote to memory of 3100	3728	80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe	un913280.exe
PID 3728 wrote to memory of 3100	3728	80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe	un913280.exe
PID 3100 wrote to memory of 4048	3100	un913280.exe	un295998.exe
PID 3100 wrote to memory of 4048	3100	un913280.exe	un295998.exe
PID 3100 wrote to memory of 4048	3100	un913280.exe	un295998.exe
PID 4048 wrote to memory of 5000	4048	un295998.exe	pr933416.exe
PID 4048 wrote to memory of 5000	4048	un295998.exe	pr933416.exe
PID 4048 wrote to memory of 5000	4048	un295998.exe	pr933416.exe
PID 4048 wrote to memory of 1424	4048	un295998.exe	qu603063.exe
PID 4048 wrote to memory of 1424	4048	un295998.exe	qu603063.exe
PID 4048 wrote to memory of 1424	4048	un295998.exe	qu603063.exe
PID 3100 wrote to memory of 4556	3100	un913280.exe	rk464238.exe
PID 3100 wrote to memory of 4556	3100	un913280.exe	rk464238.exe
PID 3100 wrote to memory of 4556	3100	un913280.exe	rk464238.exe
PID 3728 wrote to memory of 3108	3728	80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe	si734324.exe
PID 3728 wrote to memory of 3108	3728	80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe	si734324.exe
PID 3728 wrote to memory of 3108	3728	80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe	si734324.exe

C:\Users\Admin\AppData\Local\Temp\80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe
"C:\Users\Admin\AppData\Local\Temp\80c2bbf17a49dba79ca018c54f6f35ac8c3252e788c6780e940494cf0dacf6b7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un913280.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un913280.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un295998.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un295998.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr933416.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr933416.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu603063.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu603063.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1424
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk464238.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk464238.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si734324.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si734324.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 620
    3⤵
    - Program crash
    PID:2488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 696
    3⤵
    - Program crash
    PID:3800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 836
    3⤵
    - Program crash
    PID:3844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 824
    3⤵
    - Program crash
    PID:3824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 872
    3⤵
    - Program crash
    PID:3448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 884
    3⤵
    - Program crash
    PID:4636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1060
    3⤵
    - Program crash
    PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si734324.exe

Filesize
231KB

MD5
af7fca55ea436503f0fb684c1c158383

SHA1
c6e2a00e5a4854b2c103748d47ae18356e7efa0d

SHA256
cb3b7bdaee641f2225640efc12d83f616526cc985a22e0dfb6bed041d84a8c60

SHA512
f6d2b00dc84a58db17080766b05fe831d08fbf0f85750b611fcea55069622964d71473a40de64cd8fbcee7f39487e9087c632645d550f63d3ec87e2f3a36fe84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si734324.exe

Filesize
231KB

MD5
af7fca55ea436503f0fb684c1c158383

SHA1
c6e2a00e5a4854b2c103748d47ae18356e7efa0d

SHA256
cb3b7bdaee641f2225640efc12d83f616526cc985a22e0dfb6bed041d84a8c60

SHA512
f6d2b00dc84a58db17080766b05fe831d08fbf0f85750b611fcea55069622964d71473a40de64cd8fbcee7f39487e9087c632645d550f63d3ec87e2f3a36fe84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un913280.exe

Filesize
671KB

MD5
eb9a2afcb8f6f262bf8930b04e5076c8

SHA1
51ca72e319b10045c9be5ddb129c491aed624f52

SHA256
e00ad85466dde5532c9e70da3575f600e966af8f90a55fcfa61823c39add45d5

SHA512
116bd325e6eb5ccc3a89dcc08688decc88f411f87e7ba43fc58956a52be3045449fdcd5a4ab436bc21160578fce78b1759d89aa30d44b01aa42f2b3b9a6cbcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un913280.exe

Filesize
671KB

MD5
eb9a2afcb8f6f262bf8930b04e5076c8

SHA1
51ca72e319b10045c9be5ddb129c491aed624f52

SHA256
e00ad85466dde5532c9e70da3575f600e966af8f90a55fcfa61823c39add45d5

SHA512
116bd325e6eb5ccc3a89dcc08688decc88f411f87e7ba43fc58956a52be3045449fdcd5a4ab436bc21160578fce78b1759d89aa30d44b01aa42f2b3b9a6cbcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk464238.exe

Filesize
168KB

MD5
bc1c602b0a69620c79b22ca8b21f6bfb

SHA1
5d7902870895577564470a241f88c152d8b3621c

SHA256
828ffc5d2364949d0884b8f8c5c9211af8db69f54927446702397cc982bb6cf6

SHA512
42d1d89bd5861a3e37221691e72a14163fc76f293211c7a30319995051ec6802fca1f4c96d2d87edcb691cae031906ecc1ffcf61e6e34b12c125d7c5639fc5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk464238.exe

Filesize
168KB

MD5
bc1c602b0a69620c79b22ca8b21f6bfb

SHA1
5d7902870895577564470a241f88c152d8b3621c

SHA256
828ffc5d2364949d0884b8f8c5c9211af8db69f54927446702397cc982bb6cf6

SHA512
42d1d89bd5861a3e37221691e72a14163fc76f293211c7a30319995051ec6802fca1f4c96d2d87edcb691cae031906ecc1ffcf61e6e34b12c125d7c5639fc5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un295998.exe

Filesize
518KB

MD5
b0d521e90905666eb9e0444bfdaed76e

SHA1
e49126becb298911a7a4de1ea4a73cc3c08602d9

SHA256
7d1ffe8bf797cc58beb22c36b4baff8bf919318f66bd7f6b1202e79d1c7a29e6

SHA512
2a656ed62fc054fd75deff03cb8a1cdeebf696a29b779b9cd72ec66cbfa8184b6530ba151951299e47c1dfd1e5d96961a06c4b5f897f76bd1f1e558489929099

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un295998.exe

Filesize
518KB

MD5
b0d521e90905666eb9e0444bfdaed76e

SHA1
e49126becb298911a7a4de1ea4a73cc3c08602d9

SHA256
7d1ffe8bf797cc58beb22c36b4baff8bf919318f66bd7f6b1202e79d1c7a29e6

SHA512
2a656ed62fc054fd75deff03cb8a1cdeebf696a29b779b9cd72ec66cbfa8184b6530ba151951299e47c1dfd1e5d96961a06c4b5f897f76bd1f1e558489929099

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr933416.exe

Filesize
239KB

MD5
d76892f112401df8c89f627c56d285ad

SHA1
5a42387cd3ae21571caf6a5883a9dd1efaf3eb67

SHA256
edc2ee4f8fac9dc73b71dcc10e656ade564c2a5f1583f757d781c105b00ee901

SHA512
b7449864bc275cad71f512ba2276f239eb6ab6750bb8bedc7410afb76f683898f8233b3dc4a070361425298b951b565ba4092d3b34ffa81d720dede3511332db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr933416.exe

Filesize
239KB

MD5
d76892f112401df8c89f627c56d285ad

SHA1
5a42387cd3ae21571caf6a5883a9dd1efaf3eb67

SHA256
edc2ee4f8fac9dc73b71dcc10e656ade564c2a5f1583f757d781c105b00ee901

SHA512
b7449864bc275cad71f512ba2276f239eb6ab6750bb8bedc7410afb76f683898f8233b3dc4a070361425298b951b565ba4092d3b34ffa81d720dede3511332db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu603063.exe

Filesize
297KB

MD5
37fdfdf6c5559aee86804a3d5d5e964f

SHA1
c7794e8f98af31efcf5b617380f57a8c5abb7544

SHA256
3594d0f0dd3ca6594b9f787d0eb2ef633f38ff14277aca2ab5959b0545f00128

SHA512
cc1d8dd29e826f44614355cd1a4a33fc54bf236ec098f6319142f79ed5f1d425ed318e75ccd55034bb5969ec61dc595a81371606bf464e0895a6805d843033e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu603063.exe

Filesize
297KB

MD5
37fdfdf6c5559aee86804a3d5d5e964f

SHA1
c7794e8f98af31efcf5b617380f57a8c5abb7544

SHA256
3594d0f0dd3ca6594b9f787d0eb2ef633f38ff14277aca2ab5959b0545f00128

SHA512
cc1d8dd29e826f44614355cd1a4a33fc54bf236ec098f6319142f79ed5f1d425ed318e75ccd55034bb5969ec61dc595a81371606bf464e0895a6805d843033e0

Download Submit
memory/1424-1096-0x00000000051B0000-0x00000000051EE000-memory.dmp

Filesize
248KB

Download
memory/1424-1101-0x0000000006160000-0x00000000061F2000-memory.dmp

Filesize
584KB

Download
memory/1424-1108-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1424-1107-0x0000000006C00000-0x0000000006C50000-memory.dmp

Filesize
320KB

Download
memory/1424-1106-0x0000000006B80000-0x0000000006BF6000-memory.dmp

Filesize
472KB

Download
memory/1424-1104-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1424-1105-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1424-1103-0x0000000006410000-0x000000000693C000-memory.dmp

Filesize
5.2MB

Download
memory/1424-1102-0x0000000006240000-0x0000000006402000-memory.dmp

Filesize
1.8MB

Download
memory/1424-1099-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/1424-1098-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1424-1097-0x0000000005300000-0x000000000534B000-memory.dmp

Filesize
300KB

Download
memory/1424-1095-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/1424-1094-0x0000000005050000-0x000000000515A000-memory.dmp

Filesize
1.0MB

Download
memory/1424-1093-0x00000000055E0000-0x0000000005BE6000-memory.dmp

Filesize
6.0MB

Download
memory/1424-220-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-218-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-216-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-214-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-212-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-208-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-210-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-182-0x0000000002060000-0x00000000020A6000-memory.dmp

Filesize
280KB

Download
memory/1424-183-0x0000000004A40000-0x0000000004A84000-memory.dmp

Filesize
272KB

Download
memory/1424-184-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-185-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-187-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-189-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-191-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-193-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-195-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-197-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-199-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-201-0x0000000001E60000-0x0000000001EAB000-memory.dmp

Filesize
300KB

Download
memory/1424-202-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-203-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1424-206-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1424-205-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3108-1124-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/4556-1114-0x0000000000EB0000-0x0000000000EE0000-memory.dmp

Filesize
192KB

Download
memory/4556-1118-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/4556-1117-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/4556-1116-0x000000000ADC0000-0x000000000AE0B000-memory.dmp

Filesize
300KB

Download
memory/4556-1115-0x0000000001600000-0x0000000001606000-memory.dmp

Filesize
24KB

Download
memory/5000-170-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-152-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-143-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-168-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-142-0x0000000002280000-0x0000000002298000-memory.dmp

Filesize
96KB

Download
memory/5000-166-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-164-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-162-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-146-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-160-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-158-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-156-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-154-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-171-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/5000-150-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-148-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/5000-141-0x0000000004C20000-0x000000000511E000-memory.dmp

Filesize
5.0MB

Download
memory/5000-140-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/5000-172-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/5000-173-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5000-175-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/5000-176-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/5000-177-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5000-139-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/5000-138-0x00000000006C0000-0x00000000006DA000-memory.dmp

Filesize
104KB

Download
memory/5000-144-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download