amadey | 93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f

Analysis

max time kernel
140s
max time network
105s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2023 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe
Size

940KB
MD5

387c8a1cedc463402460146a306ed2ee
SHA1

3e0863d369d7a82e7c0953d6bb7178152323fe6f
SHA256

93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f
SHA512

c9a3cd0142c236ffeeea8c99a888fbaf43d8d8077180015dcf290d5186b875b953c2a010dca67965dd6c10a5e8149878689cc445410b4c7cc697cc0860b5ca01
SSDEEP

24576:4y8MJoXgw0xqJz/KNVQ2bGMZhMRx4+Vj7Irdy0RpG0xb9/ut/x:/rCww0xG/KY2bbEb4+tERcC5S

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr845625.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr845625.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr845625.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr845625.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr845625.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr845625.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1440-184-0x0000000002430000-0x0000000002476000-memory.dmp	family_redline
behavioral1/memory/1440-185-0x0000000004F50000-0x0000000004F94000-memory.dmp	family_redline
behavioral1/memory/1440-186-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-187-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-189-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-191-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-193-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-195-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-197-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-199-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-201-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-203-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-205-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-207-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-211-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-209-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-213-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-215-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-217-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-219-0x0000000004F50000-0x0000000004F8F000-memory.dmp	family_redline
behavioral1/memory/1440-496-0x00000000006C0000-0x00000000006D0000-memory.dmp	family_redline
behavioral1/memory/1440-500-0x00000000006C0000-0x00000000006D0000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un924479.exeun294396.exepr845625.exequ862783.exerk030554.exesi718448.exe

pid process

3968 un924479.exe
1420 un294396.exe
2068 pr845625.exe
1440 qu862783.exe
3776 rk030554.exe
4884 si718448.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3968	un924479.exe
1420	un294396.exe
2068	pr845625.exe
1440	qu862783.exe
3776	rk030554.exe
4884	si718448.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr845625.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr845625.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr845625.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exeun924479.exeun294396.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un924479.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un924479.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un294396.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un294396.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4360	4884	WerFault.exe	si718448.exe
4300	4884	WerFault.exe	si718448.exe
5048	4884	WerFault.exe	si718448.exe
3388	4884	WerFault.exe	si718448.exe
5020	4884	WerFault.exe	si718448.exe
5024	4884	WerFault.exe	si718448.exe
4248	4884	WerFault.exe	si718448.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr845625.exequ862783.exerk030554.exe

pid process

2068 pr845625.exe
2068 pr845625.exe
1440 qu862783.exe
1440 qu862783.exe
3776 rk030554.exe
3776 rk030554.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr845625.exequ862783.exerk030554.exe

description pid process

Token: SeDebugPrivilege 2068 pr845625.exe
Token: SeDebugPrivilege 1440 qu862783.exe
Token: SeDebugPrivilege 3776 rk030554.exe

pid	process
2068	pr845625.exe
2068	pr845625.exe
1440	qu862783.exe
1440	qu862783.exe
3776	rk030554.exe
3776	rk030554.exe

description	pid	process
Token: SeDebugPrivilege	2068	pr845625.exe
Token: SeDebugPrivilege	1440	qu862783.exe
Token: SeDebugPrivilege	3776	rk030554.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exeun924479.exeun294396.exe

description	pid	process	target process
PID 1608 wrote to memory of 3968	1608	93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe	un924479.exe
PID 1608 wrote to memory of 3968	1608	93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe	un924479.exe
PID 1608 wrote to memory of 3968	1608	93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe	un924479.exe
PID 3968 wrote to memory of 1420	3968	un924479.exe	un294396.exe
PID 3968 wrote to memory of 1420	3968	un924479.exe	un294396.exe
PID 3968 wrote to memory of 1420	3968	un924479.exe	un294396.exe
PID 1420 wrote to memory of 2068	1420	un294396.exe	pr845625.exe
PID 1420 wrote to memory of 2068	1420	un294396.exe	pr845625.exe
PID 1420 wrote to memory of 2068	1420	un294396.exe	pr845625.exe
PID 1420 wrote to memory of 1440	1420	un294396.exe	qu862783.exe
PID 1420 wrote to memory of 1440	1420	un294396.exe	qu862783.exe
PID 1420 wrote to memory of 1440	1420	un294396.exe	qu862783.exe
PID 3968 wrote to memory of 3776	3968	un924479.exe	rk030554.exe
PID 3968 wrote to memory of 3776	3968	un924479.exe	rk030554.exe
PID 3968 wrote to memory of 3776	3968	un924479.exe	rk030554.exe
PID 1608 wrote to memory of 4884	1608	93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe	si718448.exe
PID 1608 wrote to memory of 4884	1608	93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe	si718448.exe
PID 1608 wrote to memory of 4884	1608	93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe	si718448.exe

C:\Users\Admin\AppData\Local\Temp\93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe
"C:\Users\Admin\AppData\Local\Temp\93e35162e4ee24eb6fcdc1753856565b09e07456add3152f424dcb87309b559f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924479.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924479.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un294396.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un294396.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr845625.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr845625.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu862783.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu862783.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk030554.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk030554.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si718448.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si718448.exe
2⤵
- Executes dropped EXE
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 620
3⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 700
3⤵
- Program crash
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 840
3⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 848
3⤵
- Program crash
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 876
3⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 840
3⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1056
3⤵
- Program crash
PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si718448.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si718448.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924479.exe
Filesize
674KB

MD5
5b31ddc6f1ee7557f2f1034fc870fc63

SHA1
de772af2a810721bbe64261c50177821fc3e4e07

SHA256
627c746afc61a2d10768cf6e589cabd1870f090eba37e496a0ca6ce1aba9d82f

SHA512
f6c1c2f2eef9fa72e0ff373cd222a0e668b645675f01fb629692d8f6261b08c9123db395e4cf8ae73a9f005f68c6147dd332143bc4a9a08393ea5646d623367d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924479.exe
Filesize
674KB

MD5
5b31ddc6f1ee7557f2f1034fc870fc63

SHA1
de772af2a810721bbe64261c50177821fc3e4e07

SHA256
627c746afc61a2d10768cf6e589cabd1870f090eba37e496a0ca6ce1aba9d82f

SHA512
f6c1c2f2eef9fa72e0ff373cd222a0e668b645675f01fb629692d8f6261b08c9123db395e4cf8ae73a9f005f68c6147dd332143bc4a9a08393ea5646d623367d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk030554.exe
Filesize
169KB

MD5
c4561a458419638a3f1573cee6d312a6

SHA1
36b0a9acdf145b9ce804b7c4b0f4bf89251ca3f1

SHA256
122e558da22082f30a5c4bcc80585868bd72da802de479761fa70523d01e78ab

SHA512
18ec1488a86aedc688d7a56c785103256a99e364c4bf81b3bc56ce5baf332dba96dbd1b532bac522a61ef2029af97e66aef090fabcf4f7b202f8eea2cdb1356b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk030554.exe
Filesize
169KB

MD5
c4561a458419638a3f1573cee6d312a6

SHA1
36b0a9acdf145b9ce804b7c4b0f4bf89251ca3f1

SHA256
122e558da22082f30a5c4bcc80585868bd72da802de479761fa70523d01e78ab

SHA512
18ec1488a86aedc688d7a56c785103256a99e364c4bf81b3bc56ce5baf332dba96dbd1b532bac522a61ef2029af97e66aef090fabcf4f7b202f8eea2cdb1356b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un294396.exe
Filesize
521KB

MD5
5294dff4bdddedf6b5e54a3ff017ebab

SHA1
dd49532957b20d8cf25b929d79e59f1d30974f94

SHA256
67df50e482336666e9d23960f35a63fe0243b80948763e601a394d5b4c06eac3

SHA512
e2d9dfd7d8f7d81388b3ec11afd09a4923434e89855d611c5330ea11071babc1fa3bada5ff1d4cd3319069cabb2e719c7617567b78bf616d119c69f4a78bb034

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un294396.exe
Filesize
521KB

MD5
5294dff4bdddedf6b5e54a3ff017ebab

SHA1
dd49532957b20d8cf25b929d79e59f1d30974f94

SHA256
67df50e482336666e9d23960f35a63fe0243b80948763e601a394d5b4c06eac3

SHA512
e2d9dfd7d8f7d81388b3ec11afd09a4923434e89855d611c5330ea11071babc1fa3bada5ff1d4cd3319069cabb2e719c7617567b78bf616d119c69f4a78bb034

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr845625.exe
Filesize
239KB

MD5
cee2962daf7c675020c8a715ff99a500

SHA1
c88e5d03b11ecf07cbe4f75abae4689488b8d691

SHA256
17c6fba56fdd183732725b909a511d2ef279292ee24564edf6337ecae502105d

SHA512
ce3415028c92c5d20619a2c65759c4d1c1eccca770a9ef32c6d84f497ae50212329d2f7d4a3f8cf3fee15ed98beb40825208a8da9062185d833d2238ff8403c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr845625.exe
Filesize
239KB

MD5
cee2962daf7c675020c8a715ff99a500

SHA1
c88e5d03b11ecf07cbe4f75abae4689488b8d691

SHA256
17c6fba56fdd183732725b909a511d2ef279292ee24564edf6337ecae502105d

SHA512
ce3415028c92c5d20619a2c65759c4d1c1eccca770a9ef32c6d84f497ae50212329d2f7d4a3f8cf3fee15ed98beb40825208a8da9062185d833d2238ff8403c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu862783.exe
Filesize
297KB

MD5
c57dd13e40d7ce68a68de4cb23f16136

SHA1
3c1e3deef595b0d47c3850ccfe6bdbe80c045398

SHA256
53bc52cd257faf0132ba6037bbe0e4afc81db88cd7fc28898188b60b53b0e986

SHA512
afae80dde57fc07b05c2ebd76c39234b0b8588a67afd75bd39afb389564abeb634aa801f9a4fa951fca758649c03635c0950e52a8d2e9e6612ea345cd39da5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu862783.exe
Filesize
297KB

MD5
c57dd13e40d7ce68a68de4cb23f16136

SHA1
3c1e3deef595b0d47c3850ccfe6bdbe80c045398

SHA256
53bc52cd257faf0132ba6037bbe0e4afc81db88cd7fc28898188b60b53b0e986

SHA512
afae80dde57fc07b05c2ebd76c39234b0b8588a67afd75bd39afb389564abeb634aa801f9a4fa951fca758649c03635c0950e52a8d2e9e6612ea345cd39da5ea

Download Submit
memory/1440-1100-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1440-1105-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1440-1112-0x0000000006FD0000-0x0000000007020000-memory.dmp

Filesize
320KB

Download
memory/1440-1111-0x0000000006F50000-0x0000000006FC6000-memory.dmp

Filesize
472KB

Download
memory/1440-1110-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1440-1109-0x00000000067A0000-0x0000000006CCC000-memory.dmp

Filesize
5.2MB

Download
memory/1440-1108-0x00000000065D0000-0x0000000006792000-memory.dmp

Filesize
1.8MB

Download
memory/1440-1107-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1440-1106-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1440-1103-0x00000000062B0000-0x0000000006342000-memory.dmp

Filesize
584KB

Download
memory/1440-1102-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/1440-1101-0x0000000005440000-0x000000000548B000-memory.dmp

Filesize
300KB

Download
memory/1440-1099-0x00000000052F0000-0x000000000532E000-memory.dmp

Filesize
248KB

Download
memory/1440-1098-0x00000000052D0000-0x00000000052E2000-memory.dmp

Filesize
72KB

Download
memory/1440-1097-0x0000000005190000-0x000000000529A000-memory.dmp

Filesize
1.0MB

Download
memory/1440-1096-0x0000000005720000-0x0000000005D26000-memory.dmp

Filesize
6.0MB

Download
memory/1440-500-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1440-498-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1440-496-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1440-494-0x00000000005D0000-0x000000000061B000-memory.dmp

Filesize
300KB

Download
memory/1440-184-0x0000000002430000-0x0000000002476000-memory.dmp

Filesize
280KB

Download
memory/1440-185-0x0000000004F50000-0x0000000004F94000-memory.dmp

Filesize
272KB

Download
memory/1440-186-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-187-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-189-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-191-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-193-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-195-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-197-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-199-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-201-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-203-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-205-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-207-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-211-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-209-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-213-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-215-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-217-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/1440-219-0x0000000004F50000-0x0000000004F8F000-memory.dmp

Filesize
252KB

Download
memory/2068-162-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-176-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2068-147-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-177-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2068-160-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-175-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2068-174-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-172-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-146-0x0000000002360000-0x0000000002378000-memory.dmp

Filesize
96KB

Download
memory/2068-168-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-170-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-158-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-150-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-164-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-179-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2068-148-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-166-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-156-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-154-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-152-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/2068-145-0x0000000004D10000-0x000000000520E000-memory.dmp

Filesize
5.0MB

Download
memory/2068-144-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2068-142-0x0000000002000000-0x000000000201A000-memory.dmp

Filesize
104KB

Download
memory/2068-143-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/3776-1120-0x000000000A930000-0x000000000A97B000-memory.dmp

Filesize
300KB

Download
memory/3776-1121-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/3776-1119-0x00000000012A0000-0x00000000012A6000-memory.dmp

Filesize
24KB

Download
memory/3776-1118-0x0000000000A20000-0x0000000000A50000-memory.dmp

Filesize
192KB

Download
memory/4884-1127-0x0000000000580000-0x00000000005BB000-memory.dmp

Filesize
236KB

Download