amadey | 97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2

Analysis

max time kernel
144s
max time network
112s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2023 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe
Size

940KB
MD5

e0b7dbd2609cd6a54df5f5c2d8891e7e
SHA1

20f84c451d5d6da20c6e4a2d99d86564ac580aa1
SHA256

97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2
SHA512

f9f62401f406ab35f7a9c8b066b7dc0af11c69ea29275dfad7c23115fd3702702dc842dc0a2d930cb75cb38c81c3c5fce54112c32a62fa8b1acfe32f3459ebd0
SSDEEP

24576:JyN2O/3uXKzvnn/p87H+PHxIu8F8NDbwE:8c8uSe7H+ps8hbw

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr815297.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr815297.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr815297.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr815297.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr815297.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr815297.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1584-188-0x0000000002650000-0x0000000002696000-memory.dmp	family_redline
behavioral1/memory/1584-189-0x0000000004F60000-0x0000000004FA4000-memory.dmp	family_redline
behavioral1/memory/1584-190-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-191-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-193-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-195-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-197-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-199-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-201-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-203-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-205-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-207-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-209-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-211-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-213-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-215-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-217-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-219-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-221-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-223-0x0000000004F60000-0x0000000004F9F000-memory.dmp	family_redline
behavioral1/memory/1584-1107-0x00000000026B0000-0x00000000026C0000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un046412.exeun771123.exepr815297.exequ029814.exerk421705.exesi662600.exe

pid process

1908 un046412.exe
2404 un771123.exe
2592 pr815297.exe
1584 qu029814.exe
3856 rk421705.exe
3584 si662600.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1908	un046412.exe
2404	un771123.exe
2592	pr815297.exe
1584	qu029814.exe
3856	rk421705.exe
3584	si662600.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr815297.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr815297.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr815297.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un771123.exe97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exeun046412.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un771123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un771123.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un046412.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un046412.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3604	3584	WerFault.exe	si662600.exe
3768	3584	WerFault.exe	si662600.exe
2580	3584	WerFault.exe	si662600.exe
3712	3584	WerFault.exe	si662600.exe
2072	3584	WerFault.exe	si662600.exe
3744	3584	WerFault.exe	si662600.exe
2652	3584	WerFault.exe	si662600.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr815297.exequ029814.exerk421705.exe

pid process

2592 pr815297.exe
2592 pr815297.exe
1584 qu029814.exe
1584 qu029814.exe
3856 rk421705.exe
3856 rk421705.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr815297.exequ029814.exerk421705.exe

description pid process

Token: SeDebugPrivilege 2592 pr815297.exe
Token: SeDebugPrivilege 1584 qu029814.exe
Token: SeDebugPrivilege 3856 rk421705.exe

pid	process
2592	pr815297.exe
2592	pr815297.exe
1584	qu029814.exe
1584	qu029814.exe
3856	rk421705.exe
3856	rk421705.exe

description	pid	process
Token: SeDebugPrivilege	2592	pr815297.exe
Token: SeDebugPrivilege	1584	qu029814.exe
Token: SeDebugPrivilege	3856	rk421705.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exeun046412.exeun771123.exe

description	pid	process	target process
PID 2008 wrote to memory of 1908	2008	97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe	un046412.exe
PID 2008 wrote to memory of 1908	2008	97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe	un046412.exe
PID 2008 wrote to memory of 1908	2008	97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe	un046412.exe
PID 1908 wrote to memory of 2404	1908	un046412.exe	un771123.exe
PID 1908 wrote to memory of 2404	1908	un046412.exe	un771123.exe
PID 1908 wrote to memory of 2404	1908	un046412.exe	un771123.exe
PID 2404 wrote to memory of 2592	2404	un771123.exe	pr815297.exe
PID 2404 wrote to memory of 2592	2404	un771123.exe	pr815297.exe
PID 2404 wrote to memory of 2592	2404	un771123.exe	pr815297.exe
PID 2404 wrote to memory of 1584	2404	un771123.exe	qu029814.exe
PID 2404 wrote to memory of 1584	2404	un771123.exe	qu029814.exe
PID 2404 wrote to memory of 1584	2404	un771123.exe	qu029814.exe
PID 1908 wrote to memory of 3856	1908	un046412.exe	rk421705.exe
PID 1908 wrote to memory of 3856	1908	un046412.exe	rk421705.exe
PID 1908 wrote to memory of 3856	1908	un046412.exe	rk421705.exe
PID 2008 wrote to memory of 3584	2008	97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe	si662600.exe
PID 2008 wrote to memory of 3584	2008	97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe	si662600.exe
PID 2008 wrote to memory of 3584	2008	97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe	si662600.exe

C:\Users\Admin\AppData\Local\Temp\97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe
"C:\Users\Admin\AppData\Local\Temp\97a7ca29eed0366cca3daa4cefc16d045d32980349debb39933155a286ab47f2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un046412.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un046412.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un771123.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un771123.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr815297.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr815297.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu029814.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu029814.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk421705.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk421705.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si662600.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si662600.exe
2⤵
- Executes dropped EXE
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 616
3⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 696
3⤵
- Program crash
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 768
3⤵
- Program crash
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 844
3⤵
- Program crash
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 900
3⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 904
3⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1056
3⤵
- Program crash
PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si662600.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si662600.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un046412.exe
Filesize
674KB

MD5
206351d74c053105f312058aa59a1976

SHA1
336f4f5ee6ad99cb9202eda3e2f55cd0f694cb16

SHA256
58c5a94c818e8b8f4e6eb97e773dabd4cf74569d599e9954bec792c3044ac696

SHA512
30d311496f4ea19861129ab7b250e6943b4b33ff6413e4d4a395aaedaf5e90329a1f353f3b673529fb9b6f956c6b623a74a8d7aae11e1b097ae840c084a5816f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un046412.exe
Filesize
674KB

MD5
206351d74c053105f312058aa59a1976

SHA1
336f4f5ee6ad99cb9202eda3e2f55cd0f694cb16

SHA256
58c5a94c818e8b8f4e6eb97e773dabd4cf74569d599e9954bec792c3044ac696

SHA512
30d311496f4ea19861129ab7b250e6943b4b33ff6413e4d4a395aaedaf5e90329a1f353f3b673529fb9b6f956c6b623a74a8d7aae11e1b097ae840c084a5816f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk421705.exe
Filesize
169KB

MD5
e0d68f493f4008512799077447f583f5

SHA1
b0a0c90593fbdba9b0aa9a6d2afd7988013ea1f7

SHA256
4110578f8c6dd72c84c56184233db4e2f3f5bcf6c01b9cb041bf2de4b7cec1e7

SHA512
3984e4166c7e57ee8bf610752ad93b5b0297a88e029acce9aaf07af7c94c310fc32e3e316291932f36cc491ddcd3b6354ccfc355f4d0a3ab31e7b0bd1bd67d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk421705.exe
Filesize
169KB

MD5
e0d68f493f4008512799077447f583f5

SHA1
b0a0c90593fbdba9b0aa9a6d2afd7988013ea1f7

SHA256
4110578f8c6dd72c84c56184233db4e2f3f5bcf6c01b9cb041bf2de4b7cec1e7

SHA512
3984e4166c7e57ee8bf610752ad93b5b0297a88e029acce9aaf07af7c94c310fc32e3e316291932f36cc491ddcd3b6354ccfc355f4d0a3ab31e7b0bd1bd67d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un771123.exe
Filesize
520KB

MD5
83f68fe243864a283570464852c96380

SHA1
051e142237fc2691014f7a9f23a30732ddf3f6e3

SHA256
156628880d880268034ff47da59cbe84794e78520953eb931ccb02235bdaf7b6

SHA512
dc4e982d9fab910e95edc3524541e9e0def928df917a00395cc0104381ad73fa1d92ee43fabd731215d82ef1df3a71fa6acb32fbca82f9f720124ee2465bb617

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un771123.exe
Filesize
520KB

MD5
83f68fe243864a283570464852c96380

SHA1
051e142237fc2691014f7a9f23a30732ddf3f6e3

SHA256
156628880d880268034ff47da59cbe84794e78520953eb931ccb02235bdaf7b6

SHA512
dc4e982d9fab910e95edc3524541e9e0def928df917a00395cc0104381ad73fa1d92ee43fabd731215d82ef1df3a71fa6acb32fbca82f9f720124ee2465bb617

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr815297.exe
Filesize
239KB

MD5
795d93a1faf2964b51c1573207a40261

SHA1
38dce451f5bc14556ff2445b79260a89f3765cc9

SHA256
fbcc125ae81d10f36d4fb5c7b121541cc7dcfa35118b5d1c6d62bc3a2823a43d

SHA512
34676a3e8ed1ab06f125effc15c72bc48d79345748c24069e0875dde741535069effba5343ce56e8d8eb3193252946454d9f52a9471d30f7963443dee2663c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr815297.exe
Filesize
239KB

MD5
795d93a1faf2964b51c1573207a40261

SHA1
38dce451f5bc14556ff2445b79260a89f3765cc9

SHA256
fbcc125ae81d10f36d4fb5c7b121541cc7dcfa35118b5d1c6d62bc3a2823a43d

SHA512
34676a3e8ed1ab06f125effc15c72bc48d79345748c24069e0875dde741535069effba5343ce56e8d8eb3193252946454d9f52a9471d30f7963443dee2663c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu029814.exe
Filesize
297KB

MD5
5ce542c74af55f9064d9b2a840732622

SHA1
43d895892c8fe8c996dc9d2e46ff726263772aa4

SHA256
31afbefaed8c0f4d8f0ae10468c55bb0ebfadd64f58bec3c87d3456a7b43cd31

SHA512
a5ba21be9554c69e782265d465134b1fd79c31057e61028ea50784913c04c459cdec2e4389ef86ad6851f0256f957aba70f3b97594a515b75808743da6bc7249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu029814.exe
Filesize
297KB

MD5
5ce542c74af55f9064d9b2a840732622

SHA1
43d895892c8fe8c996dc9d2e46ff726263772aa4

SHA256
31afbefaed8c0f4d8f0ae10468c55bb0ebfadd64f58bec3c87d3456a7b43cd31

SHA512
a5ba21be9554c69e782265d465134b1fd79c31057e61028ea50784913c04c459cdec2e4389ef86ad6851f0256f957aba70f3b97594a515b75808743da6bc7249

Download Submit
memory/1584-1104-0x0000000005300000-0x000000000534B000-memory.dmp

Filesize
300KB

Download
memory/1584-1107-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1584-1116-0x00000000068A0000-0x0000000006DCC000-memory.dmp

Filesize
5.2MB

Download
memory/1584-1115-0x00000000066D0000-0x0000000006892000-memory.dmp

Filesize
1.8MB

Download
memory/1584-1114-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1584-1113-0x0000000006410000-0x0000000006460000-memory.dmp

Filesize
320KB

Download
memory/1584-1112-0x0000000006390000-0x0000000006406000-memory.dmp

Filesize
472KB

Download
memory/1584-1111-0x0000000006040000-0x00000000060D2000-memory.dmp

Filesize
584KB

Download
memory/1584-1110-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/1584-1109-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1584-1108-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1584-1105-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1584-1103-0x00000000051B0000-0x00000000051EE000-memory.dmp

Filesize
248KB

Download
memory/1584-1102-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/1584-1101-0x0000000005050000-0x000000000515A000-memory.dmp

Filesize
1.0MB

Download
memory/1584-1100-0x00000000055E0000-0x0000000005BE6000-memory.dmp

Filesize
6.0MB

Download
memory/1584-340-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1584-336-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1584-339-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1584-335-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/1584-223-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-221-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-219-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-188-0x0000000002650000-0x0000000002696000-memory.dmp

Filesize
280KB

Download
memory/1584-189-0x0000000004F60000-0x0000000004FA4000-memory.dmp

Filesize
272KB

Download
memory/1584-190-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-191-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-193-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-195-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-197-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-199-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-201-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-203-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-205-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-207-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-209-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-211-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-213-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-215-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/1584-217-0x0000000004F60000-0x0000000004F9F000-memory.dmp

Filesize
252KB

Download
memory/2592-163-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-144-0x00000000006D0000-0x00000000006EA000-memory.dmp

Filesize
104KB

Download
memory/2592-183-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2592-181-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/2592-180-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/2592-179-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/2592-148-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/2592-177-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-175-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-173-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-171-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-147-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/2592-169-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-150-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-167-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-149-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/2592-178-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2592-161-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-159-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-157-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-155-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-153-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-151-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2592-146-0x0000000002280000-0x0000000002298000-memory.dmp

Filesize
96KB

Download
memory/2592-145-0x0000000004A50000-0x0000000004F4E000-memory.dmp

Filesize
5.0MB

Download
memory/2592-143-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/2592-165-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/3584-1131-0x0000000000590000-0x00000000005CB000-memory.dmp

Filesize
236KB

Download
memory/3856-1124-0x0000000009E20000-0x0000000009E6B000-memory.dmp

Filesize
300KB

Download
memory/3856-1125-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/3856-1123-0x00000000047F0000-0x00000000047F6000-memory.dmp

Filesize
24KB

Download
memory/3856-1122-0x0000000000040000-0x0000000000070000-memory.dmp

Filesize
192KB

Download