amadey | 68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327

Analysis

max time kernel
148s
max time network
115s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2023 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe
Size

940KB
MD5

43ed72dd88b85aee45175ca7b4746a6a
SHA1

4b153dfe6369aab119a814a3f02d6bb2336df62e
SHA256

68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327
SHA512

5014f90dbffa505bafc35ef6857a7d511da585c344d71d50ad69a9d429f36242ea84c07a5a29082354d7f438e313676730c5fc5723c47da53910f95670b8534f
SSDEEP

24576:jyAs6Cl7NcW5bl6QpniZiIZuiFLffmmq+Od:2hDRywhn77iZx4

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr841955.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr841955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr841955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr841955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr841955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr841955.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1960-186-0x0000000002520000-0x0000000002566000-memory.dmp	family_redline
behavioral1/memory/1960-187-0x0000000004A20000-0x0000000004A64000-memory.dmp	family_redline
behavioral1/memory/1960-193-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-195-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-192-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-197-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-199-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-201-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-203-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-205-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-207-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-209-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-211-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-213-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-215-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-217-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-219-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-221-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-223-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/1960-225-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un024830.exeun616046.exepr841955.exequ866836.exerk016389.exesi536900.exe

pid process

2532 un024830.exe
2904 un616046.exe
4052 pr841955.exe
1960 qu866836.exe
3720 rk016389.exe
2728 si536900.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2532	un024830.exe
2904	un616046.exe
4052	pr841955.exe
1960	qu866836.exe
3720	rk016389.exe
2728	si536900.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr841955.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr841955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr841955.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exeun024830.exeun616046.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un024830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un024830.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un616046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un616046.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4784	2728	WerFault.exe	si536900.exe
776	2728	WerFault.exe	si536900.exe
2060	2728	WerFault.exe	si536900.exe
4376	2728	WerFault.exe	si536900.exe
4364	2728	WerFault.exe	si536900.exe
3132	2728	WerFault.exe	si536900.exe
4420	2728	WerFault.exe	si536900.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr841955.exequ866836.exerk016389.exe

pid process

4052 pr841955.exe
4052 pr841955.exe
1960 qu866836.exe
1960 qu866836.exe
3720 rk016389.exe
3720 rk016389.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr841955.exequ866836.exerk016389.exe

description pid process

Token: SeDebugPrivilege 4052 pr841955.exe
Token: SeDebugPrivilege 1960 qu866836.exe
Token: SeDebugPrivilege 3720 rk016389.exe

pid	process
4052	pr841955.exe
4052	pr841955.exe
1960	qu866836.exe
1960	qu866836.exe
3720	rk016389.exe
3720	rk016389.exe

description	pid	process
Token: SeDebugPrivilege	4052	pr841955.exe
Token: SeDebugPrivilege	1960	qu866836.exe
Token: SeDebugPrivilege	3720	rk016389.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exeun024830.exeun616046.exe

description	pid	process	target process
PID 2264 wrote to memory of 2532	2264	68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe	un024830.exe
PID 2264 wrote to memory of 2532	2264	68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe	un024830.exe
PID 2264 wrote to memory of 2532	2264	68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe	un024830.exe
PID 2532 wrote to memory of 2904	2532	un024830.exe	un616046.exe
PID 2532 wrote to memory of 2904	2532	un024830.exe	un616046.exe
PID 2532 wrote to memory of 2904	2532	un024830.exe	un616046.exe
PID 2904 wrote to memory of 4052	2904	un616046.exe	pr841955.exe
PID 2904 wrote to memory of 4052	2904	un616046.exe	pr841955.exe
PID 2904 wrote to memory of 4052	2904	un616046.exe	pr841955.exe
PID 2904 wrote to memory of 1960	2904	un616046.exe	qu866836.exe
PID 2904 wrote to memory of 1960	2904	un616046.exe	qu866836.exe
PID 2904 wrote to memory of 1960	2904	un616046.exe	qu866836.exe
PID 2532 wrote to memory of 3720	2532	un024830.exe	rk016389.exe
PID 2532 wrote to memory of 3720	2532	un024830.exe	rk016389.exe
PID 2532 wrote to memory of 3720	2532	un024830.exe	rk016389.exe
PID 2264 wrote to memory of 2728	2264	68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe	si536900.exe
PID 2264 wrote to memory of 2728	2264	68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe	si536900.exe
PID 2264 wrote to memory of 2728	2264	68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe	si536900.exe

C:\Users\Admin\AppData\Local\Temp\68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe
"C:\Users\Admin\AppData\Local\Temp\68ba6d5af3d879cd821ec56e3d6f6f47047e175f1df018d365606d7c1df63327.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024830.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024830.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un616046.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un616046.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr841955.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr841955.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu866836.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu866836.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk016389.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk016389.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si536900.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si536900.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 620
    3⤵
    - Program crash
    PID:4784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 700
    3⤵
    - Program crash
    PID:776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 772
    3⤵
    - Program crash
    PID:2060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 852
    3⤵
    - Program crash
    PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 908
    3⤵
    - Program crash
    PID:4364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 948
    3⤵
    - Program crash
    PID:3132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1084
    3⤵
    - Program crash
    PID:4420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si536900.exe

Filesize
231KB

MD5
5a531a1495614605383afe7a35731a7a

SHA1
f00c58c5745c7adeb14b5b176fc0cd8d6d694bb6

SHA256
2aa40e53a153a68c6fd28793fdd06fa3bcbe4658820261607f6f4f8ecd3b8c2d

SHA512
906eb4afa865e09a68e5f40e48837bf576ced8218e8545daa25bd1ac0bea2087f77c9905d143c243cb3cbf04b3472c049620e2b51ccf243ac75f7134376e4aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si536900.exe

Filesize
231KB

MD5
5a531a1495614605383afe7a35731a7a

SHA1
f00c58c5745c7adeb14b5b176fc0cd8d6d694bb6

SHA256
2aa40e53a153a68c6fd28793fdd06fa3bcbe4658820261607f6f4f8ecd3b8c2d

SHA512
906eb4afa865e09a68e5f40e48837bf576ced8218e8545daa25bd1ac0bea2087f77c9905d143c243cb3cbf04b3472c049620e2b51ccf243ac75f7134376e4aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024830.exe

Filesize
675KB

MD5
ebb5445d82a871a111be51adaf160758

SHA1
db3addc428652724f671500c7a15676c6d7d47d6

SHA256
2f9ac4650f84cda727ec4c461748f5a3a4acf26264342edebc4e23cd270dbeff

SHA512
979c753f41f9a143d75ce11ebac777410fe620ed7ef56ff1390ddb17ccc372fc5ec4ee838a2d2339bdbd9d397681d2ab048d149f86a149841c165dc81d0c25f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024830.exe

Filesize
675KB

MD5
ebb5445d82a871a111be51adaf160758

SHA1
db3addc428652724f671500c7a15676c6d7d47d6

SHA256
2f9ac4650f84cda727ec4c461748f5a3a4acf26264342edebc4e23cd270dbeff

SHA512
979c753f41f9a143d75ce11ebac777410fe620ed7ef56ff1390ddb17ccc372fc5ec4ee838a2d2339bdbd9d397681d2ab048d149f86a149841c165dc81d0c25f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk016389.exe

Filesize
169KB

MD5
4d958645f944812a04c7187f5fc89683

SHA1
87250541381019d1addc0c50d12e98c098ed025b

SHA256
16e432550b9c7c4d17730e3a2baadd032ef4930e47e64b06b5cda3f2d2d58103

SHA512
205f133b38c8c89d1b5caa0ed5f0b3531e3164814443de056eb16d874161b7d97601f7a84a862a22ed1d02248211db60dc2a063a87f19b9c443c0cb0a4a830b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk016389.exe

Filesize
169KB

MD5
4d958645f944812a04c7187f5fc89683

SHA1
87250541381019d1addc0c50d12e98c098ed025b

SHA256
16e432550b9c7c4d17730e3a2baadd032ef4930e47e64b06b5cda3f2d2d58103

SHA512
205f133b38c8c89d1b5caa0ed5f0b3531e3164814443de056eb16d874161b7d97601f7a84a862a22ed1d02248211db60dc2a063a87f19b9c443c0cb0a4a830b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un616046.exe

Filesize
521KB

MD5
1679d1afcce865b1f2a7899d357253f0

SHA1
82eeb7ea9095a240d6ec9367ebe09516a88772ba

SHA256
6e8f38288e95a501ae74e151c5650689b19ecfcb4e7e7eab388d8faa2ef3bf2f

SHA512
4dfe4f11976201d2d900e2d8d66e2bec45e9a0d3f1bc7d6791ae440bcb81079a86bbef946613233446c97a61bf68d3603e872d14bf64822dc55409406f957b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un616046.exe

Filesize
521KB

MD5
1679d1afcce865b1f2a7899d357253f0

SHA1
82eeb7ea9095a240d6ec9367ebe09516a88772ba

SHA256
6e8f38288e95a501ae74e151c5650689b19ecfcb4e7e7eab388d8faa2ef3bf2f

SHA512
4dfe4f11976201d2d900e2d8d66e2bec45e9a0d3f1bc7d6791ae440bcb81079a86bbef946613233446c97a61bf68d3603e872d14bf64822dc55409406f957b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr841955.exe

Filesize
239KB

MD5
ed706b75ec2eeb81406c9a48e8467e33

SHA1
87eeecc1de6327cc51e7fd2ae95545f84951a54d

SHA256
a80e200393a19bf016b0922337c3e015d602e93bb85412ae9f3b99d62598e52a

SHA512
350d15779ff9cb989b4b20c70e19e9e15fbb3a96d5dbaff351bbd252e49325ce3c5fb4bd70bd56286d2bc741d1c3d93991de71ea7be54f85906b9b3a610817d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr841955.exe

Filesize
239KB

MD5
ed706b75ec2eeb81406c9a48e8467e33

SHA1
87eeecc1de6327cc51e7fd2ae95545f84951a54d

SHA256
a80e200393a19bf016b0922337c3e015d602e93bb85412ae9f3b99d62598e52a

SHA512
350d15779ff9cb989b4b20c70e19e9e15fbb3a96d5dbaff351bbd252e49325ce3c5fb4bd70bd56286d2bc741d1c3d93991de71ea7be54f85906b9b3a610817d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu866836.exe

Filesize
297KB

MD5
2bb2cb1685ce3d63888163bdd9af974f

SHA1
530e9b57eda819bca9950631090d405310c9e920

SHA256
e618735a917c79b094c3d56c043cfdb88b13621eb8edaa4db09d989a27439066

SHA512
99405e2d2d77a3a9d64cd45bd15e0303d8ef53e9ad6e331ce1a6c5c4a21df41bd4f439983e04ca4928bed5941f9f41788c7261aed8ac1c5ffa47f1c2fa436654

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu866836.exe

Filesize
297KB

MD5
2bb2cb1685ce3d63888163bdd9af974f

SHA1
530e9b57eda819bca9950631090d405310c9e920

SHA256
e618735a917c79b094c3d56c043cfdb88b13621eb8edaa4db09d989a27439066

SHA512
99405e2d2d77a3a9d64cd45bd15e0303d8ef53e9ad6e331ce1a6c5c4a21df41bd4f439983e04ca4928bed5941f9f41788c7261aed8ac1c5ffa47f1c2fa436654

Download Submit
memory/1960-1101-0x00000000051B0000-0x00000000051EE000-memory.dmp

Filesize
248KB

Download
memory/1960-1106-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1960-1114-0x0000000006890000-0x0000000006DBC000-memory.dmp

Filesize
5.2MB

Download
memory/1960-1113-0x00000000066C0000-0x0000000006882000-memory.dmp

Filesize
1.8MB

Download
memory/1960-1112-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1960-1111-0x0000000006650000-0x00000000066A0000-memory.dmp

Filesize
320KB

Download
memory/1960-1110-0x00000000065D0000-0x0000000006646000-memory.dmp

Filesize
472KB

Download
memory/1960-1109-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/1960-1108-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1960-1107-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1960-1105-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1960-1103-0x0000000005300000-0x000000000534B000-memory.dmp

Filesize
300KB

Download
memory/1960-1102-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1960-1100-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/1960-1099-0x0000000005050000-0x000000000515A000-memory.dmp

Filesize
1.0MB

Download
memory/1960-1098-0x00000000055E0000-0x0000000005BE6000-memory.dmp

Filesize
6.0MB

Download
memory/1960-225-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-223-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-221-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-219-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-217-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-186-0x0000000002520000-0x0000000002566000-memory.dmp

Filesize
280KB

Download
memory/1960-187-0x0000000004A20000-0x0000000004A64000-memory.dmp

Filesize
272KB

Download
memory/1960-188-0x00000000006A0000-0x00000000006EB000-memory.dmp

Filesize
300KB

Download
memory/1960-189-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1960-190-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1960-191-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1960-193-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-195-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-192-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-197-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-199-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-201-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-203-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-205-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-207-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-209-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-211-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-213-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/1960-215-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/2728-1129-0x0000000000590000-0x00000000005CB000-memory.dmp

Filesize
236KB

Download
memory/3720-1120-0x0000000000B50000-0x0000000000B80000-memory.dmp

Filesize
192KB

Download
memory/3720-1123-0x000000000A930000-0x000000000A97B000-memory.dmp

Filesize
300KB

Download
memory/3720-1122-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/3720-1121-0x0000000002CC0000-0x0000000002CC6000-memory.dmp

Filesize
24KB

Download
memory/4052-164-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-156-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-174-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-147-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/4052-172-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-170-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-168-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-150-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-166-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-148-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/4052-162-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-160-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-158-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-176-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-154-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-152-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4052-146-0x0000000002580000-0x0000000002598000-memory.dmp

Filesize
96KB

Download
memory/4052-145-0x0000000004A70000-0x0000000004F6E000-memory.dmp

Filesize
5.0MB

Download
memory/4052-177-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4052-178-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/4052-179-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/4052-181-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4052-144-0x0000000002220000-0x000000000223A000-memory.dmp

Filesize
104KB

Download
memory/4052-143-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4052-149-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download