amadey | 112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4

Analysis

max time kernel
147s
max time network
113s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2023 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe
Size

939KB
MD5

7e6381465d2766364e69b43264a028d1
SHA1

d7c1cba3f6deb6a8cd1c4fe4dfa82bbe8b40526a
SHA256

112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4
SHA512

08e9c08a8a6865da0c57d58c15ac16964907afb78c6c8c5e8ce91649bce5c41d4b05743c90eb90b69219f3f804e49dfc9b8f5dfc7f2b5ca8e19510eac02d2cd9
SSDEEP

12288:/Mrgy90Hat0dwVh0enTDzs+93zJQNRCK7rZfIqjV4oZmuaZ7gcM23T2nST1m76ZR:nyYdwVecT8+93zm/CIZfIqkqSTYATd

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr610589.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr610589.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr610589.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr610589.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr610589.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr610589.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1444-184-0x0000000002170000-0x00000000021B6000-memory.dmp	family_redline
behavioral1/memory/1444-185-0x0000000004F80000-0x0000000004FC4000-memory.dmp	family_redline
behavioral1/memory/1444-186-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-187-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-189-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-191-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-193-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-198-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-201-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-203-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-205-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-207-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-209-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-211-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-213-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-217-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-215-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-219-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-221-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline
behavioral1/memory/1444-223-0x0000000004F80000-0x0000000004FBF000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un375220.exeun713642.exepr610589.exequ654552.exerk921339.exesi174887.exe

pid process

1848 un375220.exe
4380 un713642.exe
4396 pr610589.exe
1444 qu654552.exe
3628 rk921339.exe
1356 si174887.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1848	un375220.exe
4380	un713642.exe
4396	pr610589.exe
1444	qu654552.exe
3628	rk921339.exe
1356	si174887.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr610589.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr610589.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr610589.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exeun375220.exeun713642.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un375220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un375220.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un713642.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un713642.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1516	1356	WerFault.exe	si174887.exe
4472	1356	WerFault.exe	si174887.exe
4524	1356	WerFault.exe	si174887.exe
4428	1356	WerFault.exe	si174887.exe
3440	1356	WerFault.exe	si174887.exe
3036	1356	WerFault.exe	si174887.exe
3256	1356	WerFault.exe	si174887.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr610589.exequ654552.exerk921339.exe

pid process

4396 pr610589.exe
4396 pr610589.exe
1444 qu654552.exe
1444 qu654552.exe
3628 rk921339.exe
3628 rk921339.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr610589.exequ654552.exerk921339.exe

description pid process

Token: SeDebugPrivilege 4396 pr610589.exe
Token: SeDebugPrivilege 1444 qu654552.exe
Token: SeDebugPrivilege 3628 rk921339.exe

pid	process
4396	pr610589.exe
4396	pr610589.exe
1444	qu654552.exe
1444	qu654552.exe
3628	rk921339.exe
3628	rk921339.exe

description	pid	process
Token: SeDebugPrivilege	4396	pr610589.exe
Token: SeDebugPrivilege	1444	qu654552.exe
Token: SeDebugPrivilege	3628	rk921339.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exeun375220.exeun713642.exe

description	pid	process	target process
PID 3536 wrote to memory of 1848	3536	112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe	un375220.exe
PID 3536 wrote to memory of 1848	3536	112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe	un375220.exe
PID 3536 wrote to memory of 1848	3536	112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe	un375220.exe
PID 1848 wrote to memory of 4380	1848	un375220.exe	un713642.exe
PID 1848 wrote to memory of 4380	1848	un375220.exe	un713642.exe
PID 1848 wrote to memory of 4380	1848	un375220.exe	un713642.exe
PID 4380 wrote to memory of 4396	4380	un713642.exe	pr610589.exe
PID 4380 wrote to memory of 4396	4380	un713642.exe	pr610589.exe
PID 4380 wrote to memory of 4396	4380	un713642.exe	pr610589.exe
PID 4380 wrote to memory of 1444	4380	un713642.exe	qu654552.exe
PID 4380 wrote to memory of 1444	4380	un713642.exe	qu654552.exe
PID 4380 wrote to memory of 1444	4380	un713642.exe	qu654552.exe
PID 1848 wrote to memory of 3628	1848	un375220.exe	rk921339.exe
PID 1848 wrote to memory of 3628	1848	un375220.exe	rk921339.exe
PID 1848 wrote to memory of 3628	1848	un375220.exe	rk921339.exe
PID 3536 wrote to memory of 1356	3536	112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe	si174887.exe
PID 3536 wrote to memory of 1356	3536	112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe	si174887.exe
PID 3536 wrote to memory of 1356	3536	112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe	si174887.exe

C:\Users\Admin\AppData\Local\Temp\112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe
"C:\Users\Admin\AppData\Local\Temp\112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un375220.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un375220.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un713642.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un713642.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr610589.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr610589.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu654552.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu654552.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk921339.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk921339.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si174887.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si174887.exe
2⤵
- Executes dropped EXE
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 628
3⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 700
3⤵
- Program crash
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 800
3⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 804
3⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 880
3⤵
- Program crash
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 888
3⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1072
3⤵
- Program crash
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si174887.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si174887.exe
Filesize
231KB

MD5
f8117f396c10315824172b564d08490e

SHA1
96c20a6f156aa6e75f75fa9038a8878d75401138

SHA256
7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

SHA512
60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un375220.exe
Filesize
674KB

MD5
7a352394adc8aa567d53f2298c69db51

SHA1
e92b31e4cf996ea907d9ab0ec3d535b7549db970

SHA256
e24e6d7a2b72959443213cbaa5aeff6454cecf8c46e0a835479c4664d5f09afc

SHA512
17d26ec077e843be2fb69680df0faf83184d502f933b751c448c7835e3e7d483296d40ebc53e21cfd1636171aa09ba90491d2108a698a80ec42ac75fd54d931f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un375220.exe
Filesize
674KB

MD5
7a352394adc8aa567d53f2298c69db51

SHA1
e92b31e4cf996ea907d9ab0ec3d535b7549db970

SHA256
e24e6d7a2b72959443213cbaa5aeff6454cecf8c46e0a835479c4664d5f09afc

SHA512
17d26ec077e843be2fb69680df0faf83184d502f933b751c448c7835e3e7d483296d40ebc53e21cfd1636171aa09ba90491d2108a698a80ec42ac75fd54d931f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk921339.exe
Filesize
169KB

MD5
097a30374d79160b16c51c060174d674

SHA1
dae5a6504f714c739d1ecabcb18fe6938cebde12

SHA256
ccd709edcdbdf1b46bd585179843c2bf6bc1e08697ab3e46b9546554fb20e32d

SHA512
77de00afe0910aa013baa8087a7c7fb012e696c103d821c0310051dd9be314af10f16767b88173a63e117a371e3cd7e555fccb57cc530a165ea87aef4f92dd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk921339.exe
Filesize
169KB

MD5
097a30374d79160b16c51c060174d674

SHA1
dae5a6504f714c739d1ecabcb18fe6938cebde12

SHA256
ccd709edcdbdf1b46bd585179843c2bf6bc1e08697ab3e46b9546554fb20e32d

SHA512
77de00afe0910aa013baa8087a7c7fb012e696c103d821c0310051dd9be314af10f16767b88173a63e117a371e3cd7e555fccb57cc530a165ea87aef4f92dd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un713642.exe
Filesize
520KB

MD5
6fbca9d85355f2f11e2c4e590072bc3d

SHA1
dec59dc1db1a12eb2375a14d6780e71d2128f3c3

SHA256
6b1a0ef861025a164e866e3fb5d5b1be2ed836d008a1c2e940ffd23b6c0d6d04

SHA512
258c2b1be6db20a010af5693109610e6eb4652030d4f56f5897b777cb24cd08bdb0e343c1d733c59b8757f057505b66748cf2816e08f5e07c538412bb4ac2285

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un713642.exe
Filesize
520KB

MD5
6fbca9d85355f2f11e2c4e590072bc3d

SHA1
dec59dc1db1a12eb2375a14d6780e71d2128f3c3

SHA256
6b1a0ef861025a164e866e3fb5d5b1be2ed836d008a1c2e940ffd23b6c0d6d04

SHA512
258c2b1be6db20a010af5693109610e6eb4652030d4f56f5897b777cb24cd08bdb0e343c1d733c59b8757f057505b66748cf2816e08f5e07c538412bb4ac2285

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr610589.exe
Filesize
239KB

MD5
3f96f5296376773c6a460c36d3a039d4

SHA1
0653f8caea7025dfecc78ff05f4c375f478f6571

SHA256
05040e0b28f4791e0c78f265f317dc135471a5f5d27bf19463c6f745f679fc89

SHA512
bd3b01d9422637610219c289589864528b78b5d3319bec19da4555d1f2d11830825208b87c9db04d0e3ce39d184a6ea5d161b652a84f816ca039047c2fab5768

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr610589.exe
Filesize
239KB

MD5
3f96f5296376773c6a460c36d3a039d4

SHA1
0653f8caea7025dfecc78ff05f4c375f478f6571

SHA256
05040e0b28f4791e0c78f265f317dc135471a5f5d27bf19463c6f745f679fc89

SHA512
bd3b01d9422637610219c289589864528b78b5d3319bec19da4555d1f2d11830825208b87c9db04d0e3ce39d184a6ea5d161b652a84f816ca039047c2fab5768

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu654552.exe
Filesize
297KB

MD5
dece3d43df88e7270ec7fe58e058c083

SHA1
d2b700eb8a82905bd9e8da6a853167c62be255a8

SHA256
5e7fa0efce4f725ba72a99bd64c70f315e3cbccdf6b7d85955957070b2631ea8

SHA512
0cf109d4d9d9ae4645cd65f38f4ffd80f8bf5ac70ff24e95b9ea5bc6b1a80d52b08cc0336a8ca8c9d62c6a44d1c1cc79730059d42b30c1b8c1803a6b516f92b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu654552.exe
Filesize
297KB

MD5
dece3d43df88e7270ec7fe58e058c083

SHA1
d2b700eb8a82905bd9e8da6a853167c62be255a8

SHA256
5e7fa0efce4f725ba72a99bd64c70f315e3cbccdf6b7d85955957070b2631ea8

SHA512
0cf109d4d9d9ae4645cd65f38f4ffd80f8bf5ac70ff24e95b9ea5bc6b1a80d52b08cc0336a8ca8c9d62c6a44d1c1cc79730059d42b30c1b8c1803a6b516f92b0

Download Submit
memory/1356-1127-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1444-1100-0x0000000005910000-0x000000000595B000-memory.dmp

Filesize
300KB

Download
memory/1444-1102-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/1444-1112-0x0000000007F60000-0x0000000007FB0000-memory.dmp

Filesize
320KB

Download
memory/1444-1111-0x0000000007EE0000-0x0000000007F56000-memory.dmp

Filesize
472KB

Download
memory/1444-1110-0x00000000077D0000-0x0000000007CFC000-memory.dmp

Filesize
5.2MB

Download
memory/1444-1109-0x0000000007600000-0x00000000077C2000-memory.dmp

Filesize
1.8MB

Download
memory/1444-1108-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1444-1107-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1444-1106-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1444-1105-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1444-1104-0x0000000006160000-0x00000000061F2000-memory.dmp

Filesize
584KB

Download
memory/1444-1101-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1444-1099-0x00000000057C0000-0x00000000057FE000-memory.dmp

Filesize
248KB

Download
memory/1444-1098-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/1444-1097-0x0000000005660000-0x000000000576A000-memory.dmp

Filesize
1.0MB

Download
memory/1444-1096-0x0000000004FD0000-0x00000000055D6000-memory.dmp

Filesize
6.0MB

Download
memory/1444-223-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-221-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-219-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-215-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-217-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-213-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-184-0x0000000002170000-0x00000000021B6000-memory.dmp

Filesize
280KB

Download
memory/1444-185-0x0000000004F80000-0x0000000004FC4000-memory.dmp

Filesize
272KB

Download
memory/1444-186-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-187-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-189-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-191-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-194-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/1444-195-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1444-193-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-199-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1444-198-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-197-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1444-201-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-203-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-205-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-207-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-209-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/1444-211-0x0000000004F80000-0x0000000004FBF000-memory.dmp

Filesize
252KB

Download
memory/3628-1118-0x0000000000630000-0x0000000000660000-memory.dmp

Filesize
192KB

Download
memory/3628-1121-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3628-1120-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3628-1119-0x0000000000E70000-0x0000000000E76000-memory.dmp

Filesize
24KB

Download
memory/4396-163-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-157-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-174-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4396-173-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-171-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-169-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-144-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4396-167-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-147-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-165-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-145-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4396-161-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-159-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-175-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4396-155-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-153-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-151-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-149-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-143-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4396-142-0x0000000002260000-0x0000000002278000-memory.dmp

Filesize
96KB

Download
memory/4396-176-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4396-177-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4396-179-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4396-146-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/4396-141-0x0000000004C30000-0x000000000512E000-memory.dmp

Filesize
5.0MB

Download
memory/4396-140-0x00000000020C0000-0x00000000020DA000-memory.dmp

Filesize
104KB

Download
memory/4396-139-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download