amadey | 879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a

Analysis

max time kernel
149s
max time network
107s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2023 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe
Size

939KB
MD5

82b93aeff7b6e96a4b04f89e2eb80e6c
SHA1

8ea4bc024a73980aa392487262af2ba2026b6990
SHA256

879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a
SHA512

e5648aa5a4e029d190822dde4e74f99300c3c17502aa5a50ba5bff14944062e9f07add679d8d179e922ff32fc3945aa8e22bb0505bfa558154b052c2bbeb67b2
SSDEEP

12288:5MrQy90SHhGy8Ljm0h3Gr8ad2euu8idkss6K7CgtINYEwrLYRn8nSjCuu:Jykjxh3GrturZ96fgtINLaLYl8nIO

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr212242.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr212242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr212242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr212242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr212242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr212242.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-186-0x0000000002240000-0x0000000002286000-memory.dmp	family_redline
behavioral1/memory/1980-188-0x0000000002590000-0x00000000025D4000-memory.dmp	family_redline
behavioral1/memory/1980-192-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-195-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-197-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-193-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-199-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-201-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-203-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-205-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-207-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-209-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-211-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-213-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-215-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-217-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-219-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-221-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-223-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline
behavioral1/memory/1980-225-0x0000000002590000-0x00000000025CF000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un448368.exeun833054.exepr212242.exequ537361.exerk637775.exesi251655.exe

pid process

2500 un448368.exe
2616 un833054.exe
4132 pr212242.exe
1980 qu537361.exe
2612 rk637775.exe
2188 si251655.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2500	un448368.exe
2616	un833054.exe
4132	pr212242.exe
1980	qu537361.exe
2612	rk637775.exe
2188	si251655.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr212242.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr212242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr212242.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un833054.exe879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exeun448368.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un833054.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un833054.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un448368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un448368.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4564	2188	WerFault.exe	si251655.exe
4980	2188	WerFault.exe	si251655.exe
4968	2188	WerFault.exe	si251655.exe
4436	2188	WerFault.exe	si251655.exe
3388	2188	WerFault.exe	si251655.exe
3284	2188	WerFault.exe	si251655.exe
4432	2188	WerFault.exe	si251655.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr212242.exequ537361.exerk637775.exe

pid process

4132 pr212242.exe
4132 pr212242.exe
1980 qu537361.exe
1980 qu537361.exe
2612 rk637775.exe
2612 rk637775.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr212242.exequ537361.exerk637775.exe

description pid process

Token: SeDebugPrivilege 4132 pr212242.exe
Token: SeDebugPrivilege 1980 qu537361.exe
Token: SeDebugPrivilege 2612 rk637775.exe

pid	process
4132	pr212242.exe
4132	pr212242.exe
1980	qu537361.exe
1980	qu537361.exe
2612	rk637775.exe
2612	rk637775.exe

description	pid	process
Token: SeDebugPrivilege	4132	pr212242.exe
Token: SeDebugPrivilege	1980	qu537361.exe
Token: SeDebugPrivilege	2612	rk637775.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exeun448368.exeun833054.exe

description	pid	process	target process
PID 2292 wrote to memory of 2500	2292	879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe	un448368.exe
PID 2292 wrote to memory of 2500	2292	879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe	un448368.exe
PID 2292 wrote to memory of 2500	2292	879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe	un448368.exe
PID 2500 wrote to memory of 2616	2500	un448368.exe	un833054.exe
PID 2500 wrote to memory of 2616	2500	un448368.exe	un833054.exe
PID 2500 wrote to memory of 2616	2500	un448368.exe	un833054.exe
PID 2616 wrote to memory of 4132	2616	un833054.exe	pr212242.exe
PID 2616 wrote to memory of 4132	2616	un833054.exe	pr212242.exe
PID 2616 wrote to memory of 4132	2616	un833054.exe	pr212242.exe
PID 2616 wrote to memory of 1980	2616	un833054.exe	qu537361.exe
PID 2616 wrote to memory of 1980	2616	un833054.exe	qu537361.exe
PID 2616 wrote to memory of 1980	2616	un833054.exe	qu537361.exe
PID 2500 wrote to memory of 2612	2500	un448368.exe	rk637775.exe
PID 2500 wrote to memory of 2612	2500	un448368.exe	rk637775.exe
PID 2500 wrote to memory of 2612	2500	un448368.exe	rk637775.exe
PID 2292 wrote to memory of 2188	2292	879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe	si251655.exe
PID 2292 wrote to memory of 2188	2292	879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe	si251655.exe
PID 2292 wrote to memory of 2188	2292	879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe	si251655.exe

C:\Users\Admin\AppData\Local\Temp\879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe
"C:\Users\Admin\AppData\Local\Temp\879b448d106609740709c131cad2fad7d523c7fe3ac15470cefd0892d788d35a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un448368.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un448368.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2500

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un833054.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un833054.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr212242.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr212242.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu537361.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu537361.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk637775.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk637775.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si251655.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si251655.exe
2⤵
- Executes dropped EXE
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 616
3⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 696
3⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 836
3⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 844
3⤵
- Program crash
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 872
3⤵
- Program crash
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 848
3⤵
- Program crash
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1064
3⤵
- Program crash
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si251655.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si251655.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un448368.exe
Filesize
674KB

MD5
fbe05b05fdf3efdcace14efa1a59b43a

SHA1
4742f31135ee5d326cd0144604232184dbb30510

SHA256
2b7f87851b879dd42236d01cd5565d3337fb1b6445b9c86b5f86eec5a1b7f45e

SHA512
aa69121ccb0ab7be022842635f7963bc16ffed1b8a1fbc23dfebcdf769a2656a9b240704aae1dc02dc198ea97e5ee39201fd5e3db5cd281add73a42a2fd5c0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un448368.exe
Filesize
674KB

MD5
fbe05b05fdf3efdcace14efa1a59b43a

SHA1
4742f31135ee5d326cd0144604232184dbb30510

SHA256
2b7f87851b879dd42236d01cd5565d3337fb1b6445b9c86b5f86eec5a1b7f45e

SHA512
aa69121ccb0ab7be022842635f7963bc16ffed1b8a1fbc23dfebcdf769a2656a9b240704aae1dc02dc198ea97e5ee39201fd5e3db5cd281add73a42a2fd5c0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk637775.exe
Filesize
169KB

MD5
dc9846f1416a57341dddfdee329ddc9c

SHA1
1651c2d49f6bae08a8a0e54d49ca07843e1e5e27

SHA256
6660f3c5292559b311b973c9c3ba511c981102ed21382d4fce0de9f252be4727

SHA512
ed9e3515bb76ccca3dc334e0fae02565286c009ce9682aaaec65394384555de08f7cbac1a9e5ec56dd1f6e5700bde640363627227fe686013ede7d65f38d67e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk637775.exe
Filesize
169KB

MD5
dc9846f1416a57341dddfdee329ddc9c

SHA1
1651c2d49f6bae08a8a0e54d49ca07843e1e5e27

SHA256
6660f3c5292559b311b973c9c3ba511c981102ed21382d4fce0de9f252be4727

SHA512
ed9e3515bb76ccca3dc334e0fae02565286c009ce9682aaaec65394384555de08f7cbac1a9e5ec56dd1f6e5700bde640363627227fe686013ede7d65f38d67e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un833054.exe
Filesize
520KB

MD5
350bbcccef44374ef6505d0582dea60d

SHA1
ce37de10d30f1237005a3a4232415d92362ce0e5

SHA256
cf089cf38ceb2b7e9e58b2fb2c4d82bba54674aa1d86a482c80b09922b2e4e3c

SHA512
5a39698bd373a7ffbfa9ac6ec439dff480f5553b45f04ad5d3a1bba2689e1a7a594f936bcbbb8f7ff9683c620f0e7840e0dcd759aebb700fa55d9ee623e96809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un833054.exe
Filesize
520KB

MD5
350bbcccef44374ef6505d0582dea60d

SHA1
ce37de10d30f1237005a3a4232415d92362ce0e5

SHA256
cf089cf38ceb2b7e9e58b2fb2c4d82bba54674aa1d86a482c80b09922b2e4e3c

SHA512
5a39698bd373a7ffbfa9ac6ec439dff480f5553b45f04ad5d3a1bba2689e1a7a594f936bcbbb8f7ff9683c620f0e7840e0dcd759aebb700fa55d9ee623e96809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr212242.exe
Filesize
239KB

MD5
4bbb73579fb955b54d07c12ed2e00cbe

SHA1
623fec2f569ad1142db1cd92feee640fcaa45634

SHA256
62d9be9c53cfa93be47e00f195bd35d6e9cab9b53a33f2e7865fc1fecb5e280d

SHA512
d0bfef73abee95fa7945bb3799face38d665f6267eca70881d94ea4f34258067200d9437c878952dd73788be81cd0951e89e3c822e4185fe9f014fb73d64a7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr212242.exe
Filesize
239KB

MD5
4bbb73579fb955b54d07c12ed2e00cbe

SHA1
623fec2f569ad1142db1cd92feee640fcaa45634

SHA256
62d9be9c53cfa93be47e00f195bd35d6e9cab9b53a33f2e7865fc1fecb5e280d

SHA512
d0bfef73abee95fa7945bb3799face38d665f6267eca70881d94ea4f34258067200d9437c878952dd73788be81cd0951e89e3c822e4185fe9f014fb73d64a7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu537361.exe
Filesize
297KB

MD5
b7b85511351ea4378841a613a3024093

SHA1
b39a3e79fb927941dd91569f0c9c2e82453380a9

SHA256
8a7e77ff54fd78f6e8a5a9e340485aaf3bb9f274429775cbd81dcc05f780956f

SHA512
cb80d01cdc56de8ea5e9c61e48f5520788eb875169b915ec20f87360f011935058dfb40c4fe1e5295b482a71463b8b19ca068f8889ed28c019b3a1360cebd081

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu537361.exe
Filesize
297KB

MD5
b7b85511351ea4378841a613a3024093

SHA1
b39a3e79fb927941dd91569f0c9c2e82453380a9

SHA256
8a7e77ff54fd78f6e8a5a9e340485aaf3bb9f274429775cbd81dcc05f780956f

SHA512
cb80d01cdc56de8ea5e9c61e48f5520788eb875169b915ec20f87360f011935058dfb40c4fe1e5295b482a71463b8b19ca068f8889ed28c019b3a1360cebd081

Download Submit
memory/1980-1101-0x00000000051B0000-0x00000000051EE000-memory.dmp

Filesize
248KB

Download
memory/1980-1106-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1980-1114-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1980-1113-0x0000000006B10000-0x0000000006B60000-memory.dmp

Filesize
320KB

Download
memory/1980-1112-0x0000000006A90000-0x0000000006B06000-memory.dmp

Filesize
472KB

Download
memory/1980-1111-0x0000000006420000-0x000000000694C000-memory.dmp

Filesize
5.2MB

Download
memory/1980-1110-0x0000000006250000-0x0000000006412000-memory.dmp

Filesize
1.8MB

Download
memory/1980-1109-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/1980-1108-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1980-1107-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1980-1105-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1980-1103-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1980-1102-0x0000000005300000-0x000000000534B000-memory.dmp

Filesize
300KB

Download
memory/1980-1100-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/1980-1099-0x0000000005080000-0x000000000518A000-memory.dmp

Filesize
1.0MB

Download
memory/1980-1098-0x0000000005690000-0x0000000005C96000-memory.dmp

Filesize
6.0MB

Download
memory/1980-225-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-223-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-221-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-219-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-217-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-186-0x0000000002240000-0x0000000002286000-memory.dmp

Filesize
280KB

Download
memory/1980-188-0x0000000002590000-0x00000000025D4000-memory.dmp

Filesize
272KB

Download
memory/1980-189-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1980-187-0x0000000000510000-0x000000000055B000-memory.dmp

Filesize
300KB

Download
memory/1980-190-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1980-191-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1980-192-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-195-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-197-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-193-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-199-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-201-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-203-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-205-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-207-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-209-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-211-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-213-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/1980-215-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/2188-1129-0x0000000000580000-0x00000000005BB000-memory.dmp

Filesize
236KB

Download
memory/2612-1120-0x0000000000F80000-0x0000000000FB0000-memory.dmp

Filesize
192KB

Download
memory/2612-1123-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/2612-1122-0x0000000005A80000-0x0000000005ACB000-memory.dmp

Filesize
300KB

Download
memory/2612-1121-0x0000000003240000-0x0000000003246000-memory.dmp

Filesize
24KB

Download
memory/4132-163-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-155-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-173-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-147-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/4132-171-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-169-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-167-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-150-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-165-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-148-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/4132-161-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-159-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-157-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-175-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-153-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-151-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-146-0x0000000002590000-0x00000000025A8000-memory.dmp

Filesize
96KB

Download
memory/4132-145-0x0000000004A20000-0x0000000004F1E000-memory.dmp

Filesize
5.0MB

Download
memory/4132-177-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4132-178-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4132-179-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/4132-181-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4132-144-0x0000000001F90000-0x0000000001FAA000-memory.dmp

Filesize
104KB

Download
memory/4132-143-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/4132-149-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download