amadey | 1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff

Analysis

max time kernel
142s
max time network
109s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2023 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe
Size

940KB
MD5

59ecda06d2977dc1e11d37bd6cb482f9
SHA1

53e8247ecea3e9730e9836ddf614ba915ed2f3d9
SHA256

1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff
SHA512

478e4388ddfb2982bc9ffeab3bb2b51b626aa0f6c374b18275a684643b8283a2f345da02fb4491386092bd4ac3b8e3f4ca4fab5b7014ba4f0a9375923a7c63b0
SSDEEP

24576:Nyn+aIhvCpzRAPyC7cx88/58IuR94yV3jStxHxy:on+hQpqPNs88Kd9l4xR

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr393820.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr393820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr393820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr393820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr393820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr393820.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2368-182-0x00000000021A0000-0x00000000021E6000-memory.dmp	family_redline
behavioral1/memory/2368-183-0x0000000002230000-0x0000000002274000-memory.dmp	family_redline
behavioral1/memory/2368-185-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-184-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-187-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-189-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-191-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-193-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-195-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-197-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-199-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-201-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-203-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-205-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-207-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-209-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-211-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-213-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-215-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline
behavioral1/memory/2368-217-0x0000000002230000-0x000000000226F000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un297118.exeun809254.exepr393820.exequ160070.exerk769524.exesi842681.exe

pid process

3956 un297118.exe
4840 un809254.exe
2104 pr393820.exe
2368 qu160070.exe
4884 rk769524.exe
3736 si842681.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3956	un297118.exe
4840	un809254.exe
2104	pr393820.exe
2368	qu160070.exe
4884	rk769524.exe
3736	si842681.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr393820.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr393820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr393820.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un809254.exe1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exeun297118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un809254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un809254.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un297118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un297118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3720	3736	WerFault.exe	si842681.exe
4372	3736	WerFault.exe	si842681.exe
2756	3736	WerFault.exe	si842681.exe
4120	3736	WerFault.exe	si842681.exe
4368	3736	WerFault.exe	si842681.exe
4680	3736	WerFault.exe	si842681.exe
3352	3736	WerFault.exe	si842681.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr393820.exequ160070.exerk769524.exe

pid process

2104 pr393820.exe
2104 pr393820.exe
2368 qu160070.exe
2368 qu160070.exe
4884 rk769524.exe
4884 rk769524.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr393820.exequ160070.exerk769524.exe

description pid process

Token: SeDebugPrivilege 2104 pr393820.exe
Token: SeDebugPrivilege 2368 qu160070.exe
Token: SeDebugPrivilege 4884 rk769524.exe

pid	process
2104	pr393820.exe
2104	pr393820.exe
2368	qu160070.exe
2368	qu160070.exe
4884	rk769524.exe
4884	rk769524.exe

description	pid	process
Token: SeDebugPrivilege	2104	pr393820.exe
Token: SeDebugPrivilege	2368	qu160070.exe
Token: SeDebugPrivilege	4884	rk769524.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exeun297118.exeun809254.exe

description	pid	process	target process
PID 2588 wrote to memory of 3956	2588	1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe	un297118.exe
PID 2588 wrote to memory of 3956	2588	1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe	un297118.exe
PID 2588 wrote to memory of 3956	2588	1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe	un297118.exe
PID 3956 wrote to memory of 4840	3956	un297118.exe	un809254.exe
PID 3956 wrote to memory of 4840	3956	un297118.exe	un809254.exe
PID 3956 wrote to memory of 4840	3956	un297118.exe	un809254.exe
PID 4840 wrote to memory of 2104	4840	un809254.exe	pr393820.exe
PID 4840 wrote to memory of 2104	4840	un809254.exe	pr393820.exe
PID 4840 wrote to memory of 2104	4840	un809254.exe	pr393820.exe
PID 4840 wrote to memory of 2368	4840	un809254.exe	qu160070.exe
PID 4840 wrote to memory of 2368	4840	un809254.exe	qu160070.exe
PID 4840 wrote to memory of 2368	4840	un809254.exe	qu160070.exe
PID 3956 wrote to memory of 4884	3956	un297118.exe	rk769524.exe
PID 3956 wrote to memory of 4884	3956	un297118.exe	rk769524.exe
PID 3956 wrote to memory of 4884	3956	un297118.exe	rk769524.exe
PID 2588 wrote to memory of 3736	2588	1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe	si842681.exe
PID 2588 wrote to memory of 3736	2588	1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe	si842681.exe
PID 2588 wrote to memory of 3736	2588	1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe	si842681.exe

C:\Users\Admin\AppData\Local\Temp\1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe
"C:\Users\Admin\AppData\Local\Temp\1bfb25ea106b90d029f4822e733e881ad50bf0e2754a27052f19c4bfbcc178ff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un297118.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un297118.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un809254.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un809254.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr393820.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr393820.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu160070.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu160070.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk769524.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk769524.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si842681.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si842681.exe
2⤵
- Executes dropped EXE
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 616
3⤵
- Program crash
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 696
3⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 840
3⤵
- Program crash
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 852
3⤵
- Program crash
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 876
3⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 736
3⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1068
3⤵
- Program crash
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si842681.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si842681.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un297118.exe
Filesize
675KB

MD5
785954666d90c0578f1fb22e13435c2e

SHA1
b85d645a9657264ec7f72eb049c9fcf7e77ed0e8

SHA256
5df1557437f5f2d31c7f6c7c8e8f11c270ffbb98028baf4614579c4056e72727

SHA512
ef457869b819558211a66fa5eeb7bdd48ac65560d6db2b5b09ad70f47ed26e95a0158c910c81c2719fd443083d193e95ccfb7bef456f3dafbfecc8567f1a7e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un297118.exe
Filesize
675KB

MD5
785954666d90c0578f1fb22e13435c2e

SHA1
b85d645a9657264ec7f72eb049c9fcf7e77ed0e8

SHA256
5df1557437f5f2d31c7f6c7c8e8f11c270ffbb98028baf4614579c4056e72727

SHA512
ef457869b819558211a66fa5eeb7bdd48ac65560d6db2b5b09ad70f47ed26e95a0158c910c81c2719fd443083d193e95ccfb7bef456f3dafbfecc8567f1a7e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk769524.exe
Filesize
169KB

MD5
2278874f2ad6a124d6caefc7519269bd

SHA1
8d7f27b464e85377a173602ca8fbe52ec53d3702

SHA256
2beaae9cf999938d31171c74e1c8c96661427e9c70d681be29aadfacda97d873

SHA512
ed7473a31075290383d91a5a6748b0fd81c8b77b504e8ae98324e8ee7433631e0229a3a99ae035b63700426a873d1094fb0bfaf5e925206e2749114c9b0f28c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk769524.exe
Filesize
169KB

MD5
2278874f2ad6a124d6caefc7519269bd

SHA1
8d7f27b464e85377a173602ca8fbe52ec53d3702

SHA256
2beaae9cf999938d31171c74e1c8c96661427e9c70d681be29aadfacda97d873

SHA512
ed7473a31075290383d91a5a6748b0fd81c8b77b504e8ae98324e8ee7433631e0229a3a99ae035b63700426a873d1094fb0bfaf5e925206e2749114c9b0f28c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un809254.exe
Filesize
521KB

MD5
a6adbd8dd70d2ddcf4d1edc22e54b388

SHA1
94fc6b9cea02a3ea8ff70b73c3cb8abf71ed6dac

SHA256
befa652963d6f303d2a0b5cc132f156197f55e077ac9abd579359f59a270a3e5

SHA512
5d65f1ee86911680a467f69ce3e057800fb542af20e52c61f7c3d94b18a6283224a3a8b7b730921971080e4a77594897fbeebdd15eb702435b1204b8c73948bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un809254.exe
Filesize
521KB

MD5
a6adbd8dd70d2ddcf4d1edc22e54b388

SHA1
94fc6b9cea02a3ea8ff70b73c3cb8abf71ed6dac

SHA256
befa652963d6f303d2a0b5cc132f156197f55e077ac9abd579359f59a270a3e5

SHA512
5d65f1ee86911680a467f69ce3e057800fb542af20e52c61f7c3d94b18a6283224a3a8b7b730921971080e4a77594897fbeebdd15eb702435b1204b8c73948bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr393820.exe
Filesize
239KB

MD5
a488fae947e374b346ab8fe625c84c29

SHA1
4104a4b41a7a46f86f30b1ea0338ea7d1de50685

SHA256
03393aef509a2c2d491d3ef71b1402f17dbcee5ba133d411110fdc291df3205c

SHA512
abd1da8ea2642bfefa928721f846fa8fedba7d4ab3d383248fc6500f62fcfabcabf2fe19f5b92a113e280f246833ca2bd0de95bb03b1eb5fb19a103099ec584c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr393820.exe
Filesize
239KB

MD5
a488fae947e374b346ab8fe625c84c29

SHA1
4104a4b41a7a46f86f30b1ea0338ea7d1de50685

SHA256
03393aef509a2c2d491d3ef71b1402f17dbcee5ba133d411110fdc291df3205c

SHA512
abd1da8ea2642bfefa928721f846fa8fedba7d4ab3d383248fc6500f62fcfabcabf2fe19f5b92a113e280f246833ca2bd0de95bb03b1eb5fb19a103099ec584c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu160070.exe
Filesize
297KB

MD5
1087370d7fe41454a81e9c5c1ddbca86

SHA1
a3f91e8f4cf91745085793e8971f68355ce5e8e2

SHA256
d36b2e8393a0d3adaaca6c734c0ca7ebc94a0795472efd195a60ff1568c3770a

SHA512
b37915257f852f58d160e8e54140093ac00c4ce4a68dc359608b09c8112148d30377c70400ff0f5fd6ee03da85c03a926a424fb87c24c3b813fef8951ded6352

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu160070.exe
Filesize
297KB

MD5
1087370d7fe41454a81e9c5c1ddbca86

SHA1
a3f91e8f4cf91745085793e8971f68355ce5e8e2

SHA256
d36b2e8393a0d3adaaca6c734c0ca7ebc94a0795472efd195a60ff1568c3770a

SHA512
b37915257f852f58d160e8e54140093ac00c4ce4a68dc359608b09c8112148d30377c70400ff0f5fd6ee03da85c03a926a424fb87c24c3b813fef8951ded6352

Download Submit
memory/2104-145-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-159-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-141-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2104-142-0x0000000004C30000-0x000000000512E000-memory.dmp

Filesize
5.0MB

Download
memory/2104-143-0x0000000000830000-0x0000000000848000-memory.dmp

Filesize
96KB

Download
memory/2104-144-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-139-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/2104-147-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-149-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-151-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-153-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-155-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-157-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-140-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2104-161-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-163-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-165-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-167-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-169-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-171-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2104-172-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2104-173-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2104-174-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2104-175-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2104-177-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2104-138-0x0000000000790000-0x00000000007AA000-memory.dmp

Filesize
104KB

Download
memory/2368-184-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-1094-0x0000000005740000-0x0000000005D46000-memory.dmp

Filesize
6.0MB

Download
memory/2368-183-0x0000000002230000-0x0000000002274000-memory.dmp

Filesize
272KB

Download
memory/2368-187-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-189-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-191-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-193-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-195-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-197-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-199-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-201-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-203-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-205-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-207-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-209-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-211-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-213-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-215-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-217-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-330-0x00000000005C0000-0x000000000060B000-memory.dmp

Filesize
300KB

Download
memory/2368-331-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/2368-333-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/2368-336-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/2368-185-0x0000000002230000-0x000000000226F000-memory.dmp

Filesize
252KB

Download
memory/2368-1095-0x0000000005190000-0x000000000529A000-memory.dmp

Filesize
1.0MB

Download
memory/2368-1096-0x00000000052D0000-0x00000000052E2000-memory.dmp

Filesize
72KB

Download
memory/2368-1097-0x00000000052F0000-0x000000000532E000-memory.dmp

Filesize
248KB

Download
memory/2368-1098-0x0000000005440000-0x000000000548B000-memory.dmp

Filesize
300KB

Download
memory/2368-1099-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/2368-1100-0x00000000062A0000-0x0000000006332000-memory.dmp

Filesize
584KB

Download
memory/2368-1101-0x0000000006340000-0x00000000063B6000-memory.dmp

Filesize
472KB

Download
memory/2368-1102-0x00000000063E0000-0x0000000006430000-memory.dmp

Filesize
320KB

Download
memory/2368-1104-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/2368-1105-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/2368-1106-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/2368-1107-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/2368-1108-0x00000000066C0000-0x0000000006882000-memory.dmp

Filesize
1.8MB

Download
memory/2368-1109-0x0000000006890000-0x0000000006DBC000-memory.dmp

Filesize
5.2MB

Download
memory/2368-182-0x00000000021A0000-0x00000000021E6000-memory.dmp

Filesize
280KB

Download
memory/3736-1125-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/4884-1116-0x0000000004D20000-0x0000000004D26000-memory.dmp

Filesize
24KB

Download
memory/4884-1117-0x000000000A4C0000-0x000000000A50B000-memory.dmp

Filesize
300KB

Download
memory/4884-1118-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4884-1115-0x00000000005B0000-0x00000000005E0000-memory.dmp

Filesize
192KB

Download
memory/4884-1119-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download