amadey | b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca

Analysis

max time kernel
102s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28/10/2022, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca.exe
Size

293KB
MD5

3776556daf53e7da67e1f0714c292ba0
SHA1

04b54e2e1bb59cfe0736c03dfe2e8437d99ee5fd
SHA256

b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca
SHA512

56f011965d2b1fd60d4661abb5cac96fe359db4812071910cb4b842a778052829914ab8006f7056410e500602ce6c9af700d9708f4b3278f36313dcc885ec2ec
SSDEEP

6144:UkdPVCFLSWomUIADz7Nl7lwUndTEvKbIT8:UkdPcFWWowqN9l5dTe8

Score

10^/10

amadey redline bethoven collection discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

bethoven

185.215.113.46:8223

Attributes

auth_value
42d21fccbcd8cb0441971e6ed0b0897a

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000001ac35-526.dat	amadey_cred_module
behavioral1/files/0x000800000001ac35-528.dat	amadey_cred_module
behavioral1/files/0x000800000001ac35-527.dat	amadey_cred_module

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/3476-576-0x0000000000422136-mapping.dmp	family_redline
behavioral1/memory/3476-611-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	2512	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
3812	rovwer.exe
4012	becomeproblem.exe
2744	SETUP_~1.EXE
4544	rovwer.exe
3476	SETUP_~1.EXE
2276	rovwer.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	rundll32.exe
2512	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	becomeproblem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	becomeproblem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\becomeproblem.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000183001\\becomeproblem.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 3476	2744	SETUP_~1.EXE	75

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4552	powershell.exe
4552	powershell.exe
4552	powershell.exe
2512	rundll32.exe
2512	rundll32.exe
2512	rundll32.exe
2512	rundll32.exe
3476	SETUP_~1.EXE
3476	SETUP_~1.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	SETUP_~1.EXE
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	3476	SETUP_~1.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3812	3676	b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca.exe	66
PID 3676 wrote to memory of 3812	3676	b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca.exe	66
PID 3676 wrote to memory of 3812	3676	b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca.exe	66
PID 3812 wrote to memory of 1264	3812	rovwer.exe	67
PID 3812 wrote to memory of 1264	3812	rovwer.exe	67
PID 3812 wrote to memory of 1264	3812	rovwer.exe	67
PID 3812 wrote to memory of 4012	3812	rovwer.exe	69
PID 3812 wrote to memory of 4012	3812	rovwer.exe	69
PID 4012 wrote to memory of 2744	4012	becomeproblem.exe	70
PID 4012 wrote to memory of 2744	4012	becomeproblem.exe	70
PID 4012 wrote to memory of 2744	4012	becomeproblem.exe	70
PID 2744 wrote to memory of 4552	2744	SETUP_~1.EXE	71
PID 2744 wrote to memory of 4552	2744	SETUP_~1.EXE	71
PID 2744 wrote to memory of 4552	2744	SETUP_~1.EXE	71
PID 3812 wrote to memory of 2512	3812	rovwer.exe	74
PID 3812 wrote to memory of 2512	3812	rovwer.exe	74
PID 3812 wrote to memory of 2512	3812	rovwer.exe	74
PID 2744 wrote to memory of 3476	2744	SETUP_~1.EXE	75
PID 2744 wrote to memory of 3476	2744	SETUP_~1.EXE	75
PID 2744 wrote to memory of 3476	2744	SETUP_~1.EXE	75
PID 2744 wrote to memory of 3476	2744	SETUP_~1.EXE	75
PID 2744 wrote to memory of 3476	2744	SETUP_~1.EXE	75
PID 2744 wrote to memory of 3476	2744	SETUP_~1.EXE	75
PID 2744 wrote to memory of 3476	2744	SETUP_~1.EXE	75
PID 2744 wrote to memory of 3476	2744	SETUP_~1.EXE	75

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca.exe
"C:\Users\Admin\AppData\Local\Temp\b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1264
- - C:\Users\Admin\AppData\Local\Temp\1000183001\becomeproblem.exe
    "C:\Users\Admin\AppData\Local\Temp\1000183001\becomeproblem.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:2512

C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
1⤵
- Executes dropped EXE
PID:2276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SETUP_~1.EXE.log

Filesize
1KB

MD5
94783fcf58c98f5ea0b416f441ad15eb

SHA1
979a7c39c6a5dbed314bc41a22c4ccdca6db206b

SHA256
117df0a0e80abf166ef148863dd82ba9e75c05b38ed3979d048f5fcc848ef905

SHA512
9301306461cb978e91761b24b1d04339c2bff71771431987cd8dc373387c12feb81dbdbf272da1f7c045eade4ffff1976885ca705ca7cf9a40a6c4a7553aa06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000183001\becomeproblem.exe

Filesize
785KB

MD5
d6e9e86e003086022805cd59d1a406bd

SHA1
514a4aaa1d1a0577fb1f84ff5d36cba8ea9619ea

SHA256
29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1

SHA512
bff9b88db4187f31f1aa4f405d676df909eacf5ad48a9f413278e2fdc656e735c0ab265f0f4cdc87b8885d15109ffc7cfca071faca9352988ec2a6f0afb36ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
333.8MB

MD5
6adc030eeebd67c41f767f7ff4d7fea0

SHA1
e5d80aff951e4b6df714cb4eb650bafb54e87370

SHA256
b12ba6202ed39313ebef9404fd7513effd5c00d8e3f403fe971a8550843ef5ec

SHA512
9a3c48019d245e2a6e041bd8aa0a477c9f24d5678036a6252d112fe493283e5996ffbdcc7d0c8fdafbe0d636a4d26ae28a1c476222dbabb5ad9893b64e977475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
333.8MB

MD5
6adc030eeebd67c41f767f7ff4d7fea0

SHA1
e5d80aff951e4b6df714cb4eb650bafb54e87370

SHA256
b12ba6202ed39313ebef9404fd7513effd5c00d8e3f403fe971a8550843ef5ec

SHA512
9a3c48019d245e2a6e041bd8aa0a477c9f24d5678036a6252d112fe493283e5996ffbdcc7d0c8fdafbe0d636a4d26ae28a1c476222dbabb5ad9893b64e977475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
333.8MB

MD5
6adc030eeebd67c41f767f7ff4d7fea0

SHA1
e5d80aff951e4b6df714cb4eb650bafb54e87370

SHA256
b12ba6202ed39313ebef9404fd7513effd5c00d8e3f403fe971a8550843ef5ec

SHA512
9a3c48019d245e2a6e041bd8aa0a477c9f24d5678036a6252d112fe493283e5996ffbdcc7d0c8fdafbe0d636a4d26ae28a1c476222dbabb5ad9893b64e977475

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
293KB

MD5
3776556daf53e7da67e1f0714c292ba0

SHA1
04b54e2e1bb59cfe0736c03dfe2e8437d99ee5fd

SHA256
b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca

SHA512
56f011965d2b1fd60d4661abb5cac96fe359db4812071910cb4b842a778052829914ab8006f7056410e500602ce6c9af700d9708f4b3278f36313dcc885ec2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
293KB

MD5
3776556daf53e7da67e1f0714c292ba0

SHA1
04b54e2e1bb59cfe0736c03dfe2e8437d99ee5fd

SHA256
b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca

SHA512
56f011965d2b1fd60d4661abb5cac96fe359db4812071910cb4b842a778052829914ab8006f7056410e500602ce6c9af700d9708f4b3278f36313dcc885ec2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
293KB

MD5
3776556daf53e7da67e1f0714c292ba0

SHA1
04b54e2e1bb59cfe0736c03dfe2e8437d99ee5fd

SHA256
b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca

SHA512
56f011965d2b1fd60d4661abb5cac96fe359db4812071910cb4b842a778052829914ab8006f7056410e500602ce6c9af700d9708f4b3278f36313dcc885ec2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
293KB

MD5
3776556daf53e7da67e1f0714c292ba0

SHA1
04b54e2e1bb59cfe0736c03dfe2e8437d99ee5fd

SHA256
b0b4664013262a48fa9543ed9c651c34c9a7233678882f16d86e779c0a9a39ca

SHA512
56f011965d2b1fd60d4661abb5cac96fe359db4812071910cb4b842a778052829914ab8006f7056410e500602ce6c9af700d9708f4b3278f36313dcc885ec2ec

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
e92a6a3a013a87cf57f3753d77a1b9c9

SHA1
01366b392cb71fed71f5bc1cd09e0f8c76657519

SHA256
42a247529de63a9b43768ac145e38fe9da3adc8b2eed558e3ce11e5cd8bbc0e5

SHA512
c59bab1bef238927fe8102cca6080f7b62e945254668201d0eaa49a64c6969e1f8eef65b2fea56d341035f0995b5c24907487351e4cde2b6baa5d49f5a192b57

Download Submit
\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
e92a6a3a013a87cf57f3753d77a1b9c9

SHA1
01366b392cb71fed71f5bc1cd09e0f8c76657519

SHA256
42a247529de63a9b43768ac145e38fe9da3adc8b2eed558e3ce11e5cd8bbc0e5

SHA512
c59bab1bef238927fe8102cca6080f7b62e945254668201d0eaa49a64c6969e1f8eef65b2fea56d341035f0995b5c24907487351e4cde2b6baa5d49f5a192b57

Download Submit
\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
e92a6a3a013a87cf57f3753d77a1b9c9

SHA1
01366b392cb71fed71f5bc1cd09e0f8c76657519

SHA256
42a247529de63a9b43768ac145e38fe9da3adc8b2eed558e3ce11e5cd8bbc0e5

SHA512
c59bab1bef238927fe8102cca6080f7b62e945254668201d0eaa49a64c6969e1f8eef65b2fea56d341035f0995b5c24907487351e4cde2b6baa5d49f5a192b57

Download Submit
memory/2276-700-0x0000000000400000-0x0000000002C36000-memory.dmp

Filesize
40.2MB

Download
memory/2744-354-0x00000000090A0000-0x00000000090C2000-memory.dmp

Filesize
136KB

Download
memory/2744-304-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/2744-352-0x0000000008ED0000-0x0000000008F98000-memory.dmp

Filesize
800KB

Download
memory/2744-353-0x0000000009010000-0x00000000090A2000-memory.dmp

Filesize
584KB

Download
memory/2744-356-0x00000000090D0000-0x0000000009420000-memory.dmp

Filesize
3.3MB

Download
memory/3476-633-0x0000000005360000-0x000000000546A000-memory.dmp

Filesize
1.0MB

Download
memory/3476-637-0x00000000052F0000-0x000000000532E000-memory.dmp

Filesize
248KB

Download
memory/3476-635-0x0000000005290000-0x00000000052A2000-memory.dmp

Filesize
72KB

Download
memory/3476-639-0x0000000005470000-0x00000000054BB000-memory.dmp

Filesize
300KB

Download
memory/3476-643-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/3476-644-0x00000000062F0000-0x00000000067EE000-memory.dmp

Filesize
5.0MB

Download
memory/3476-657-0x00000000076A0000-0x0000000007862000-memory.dmp

Filesize
1.8MB

Download
memory/3476-658-0x0000000007DA0000-0x00000000082CC000-memory.dmp

Filesize
5.2MB

Download
memory/3476-632-0x00000000057E0000-0x0000000005DE6000-memory.dmp

Filesize
6.0MB

Download
memory/3476-611-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3676-158-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-142-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-151-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-153-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-154-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-155-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-156-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-157-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-150-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-159-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-160-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-161-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-162-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-163-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-164-0x0000000000400000-0x0000000002C36000-memory.dmp

Filesize
40.2MB

Download
memory/3676-165-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-166-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-167-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-149-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-148-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-147-0x0000000002C40000-0x0000000002CEE000-memory.dmp

Filesize
696KB

Download
memory/3676-146-0x0000000002C40000-0x0000000002CEE000-memory.dmp

Filesize
696KB

Download
memory/3676-145-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-144-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-143-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-152-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-141-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-118-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-179-0x0000000000400000-0x0000000002C36000-memory.dmp

Filesize
40.2MB

Download
memory/3676-140-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-139-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-138-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-137-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-136-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-135-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-134-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-133-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-132-0x0000000002CE3000-0x0000000002D01000-memory.dmp

Filesize
120KB

Download
memory/3676-131-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-130-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-129-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-128-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-127-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-126-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-125-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-124-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-123-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-122-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-121-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-120-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-119-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-175-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-180-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-336-0x0000000002C40000-0x0000000002D8A000-memory.dmp

Filesize
1.3MB

Download
memory/3812-335-0x0000000002F73000-0x0000000002F91000-memory.dmp

Filesize
120KB

Download
memory/3812-170-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-248-0x0000000000400000-0x0000000002C36000-memory.dmp

Filesize
40.2MB

Download
memory/3812-171-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-172-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-173-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-174-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-176-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-178-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-337-0x0000000000400000-0x0000000002C36000-memory.dmp

Filesize
40.2MB

Download
memory/3812-181-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-182-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-183-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-185-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-245-0x0000000002C40000-0x0000000002D8A000-memory.dmp

Filesize
1.3MB

Download
memory/3812-244-0x0000000002F73000-0x0000000002F91000-memory.dmp

Filesize
120KB

Download
memory/3812-188-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-186-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-187-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-184-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-485-0x0000000000400000-0x0000000002C36000-memory.dmp

Filesize
40.2MB

Download
memory/4544-484-0x0000000002FB0000-0x0000000002FEA000-memory.dmp

Filesize
232KB

Download
memory/4552-446-0x0000000007D80000-0x0000000007D9C000-memory.dmp

Filesize
112KB

Download
memory/4552-451-0x00000000086B0000-0x0000000008726000-memory.dmp

Filesize
472KB

Download
memory/4552-447-0x0000000008930000-0x000000000897B000-memory.dmp

Filesize
300KB

Download
memory/4552-462-0x0000000009E70000-0x000000000A4E8000-memory.dmp

Filesize
6.5MB

Download
memory/4552-443-0x0000000007DA0000-0x0000000007E06000-memory.dmp

Filesize
408KB

Download
memory/4552-442-0x0000000007E10000-0x0000000007E76000-memory.dmp

Filesize
408KB

Download
memory/4552-423-0x0000000007700000-0x0000000007D28000-memory.dmp

Filesize
6.2MB

Download
memory/4552-418-0x0000000004F30000-0x0000000004F66000-memory.dmp

Filesize
216KB

Download
memory/4552-463-0x0000000009510000-0x000000000952A000-memory.dmp

Filesize
104KB

Download