amadey | e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa

Analysis

max time kernel
149s
max time network
103s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe
Size

924KB
MD5

8920632fe226c0a8d911753be25cda84
SHA1

c54f027990a759696c8e8a567050f5d90b33faba
SHA256

e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa
SHA512

0e0146a4e90440fd67e4d26551295cfec47817381ffa17950fcadfe3e750759c8f29962e4d74553d6dcecd62ab26afd2349b4114b29de25f04ae656b55505417
SSDEEP

24576:dyaMYkWAWko7z0Vjp0EjlhyHvw8RBtyvivLE:4aVIWkizSpZjwvwQHyqvL

Score

10^/10

amadey redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr354824.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr354824.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr354824.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr354824.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr354824.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr354824.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4556-186-0x00000000024A0000-0x00000000024E6000-memory.dmp	family_redline
behavioral1/memory/4556-187-0x0000000004A40000-0x0000000004A84000-memory.dmp	family_redline
behavioral1/memory/4556-189-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-188-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-191-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-193-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-195-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-197-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-199-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-201-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-203-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-205-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-211-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-209-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-207-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-213-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-215-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-217-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-219-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline
behavioral1/memory/4556-221-0x0000000004A40000-0x0000000004A7F000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un582106.exeun903031.exepr354824.exequ230711.exerk994573.exesi425834.exe

pid process

4116 un582106.exe
3940 un903031.exe
4824 pr354824.exe
4556 qu230711.exe
3608 rk994573.exe
3716 si425834.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4116	un582106.exe
3940	un903031.exe
4824	pr354824.exe
4556	qu230711.exe
3608	rk994573.exe
3716	si425834.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr354824.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr354824.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr354824.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un903031.exee2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exeun582106.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un903031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un903031.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un582106.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un582106.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1692	3716	WerFault.exe	si425834.exe
2564	3716	WerFault.exe	si425834.exe
4344	3716	WerFault.exe	si425834.exe
4400	3716	WerFault.exe	si425834.exe
4432	3716	WerFault.exe	si425834.exe
4764	3716	WerFault.exe	si425834.exe
4976	3716	WerFault.exe	si425834.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr354824.exequ230711.exerk994573.exe

pid process

4824 pr354824.exe
4824 pr354824.exe
4556 qu230711.exe
4556 qu230711.exe
3608 rk994573.exe
3608 rk994573.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr354824.exequ230711.exerk994573.exe

description pid process

Token: SeDebugPrivilege 4824 pr354824.exe
Token: SeDebugPrivilege 4556 qu230711.exe
Token: SeDebugPrivilege 3608 rk994573.exe

pid	process
4824	pr354824.exe
4824	pr354824.exe
4556	qu230711.exe
4556	qu230711.exe
3608	rk994573.exe
3608	rk994573.exe

description	pid	process
Token: SeDebugPrivilege	4824	pr354824.exe
Token: SeDebugPrivilege	4556	qu230711.exe
Token: SeDebugPrivilege	3608	rk994573.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exeun582106.exeun903031.exe

description	pid	process	target process
PID 3588 wrote to memory of 4116	3588	e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe	un582106.exe
PID 3588 wrote to memory of 4116	3588	e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe	un582106.exe
PID 3588 wrote to memory of 4116	3588	e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe	un582106.exe
PID 4116 wrote to memory of 3940	4116	un582106.exe	un903031.exe
PID 4116 wrote to memory of 3940	4116	un582106.exe	un903031.exe
PID 4116 wrote to memory of 3940	4116	un582106.exe	un903031.exe
PID 3940 wrote to memory of 4824	3940	un903031.exe	pr354824.exe
PID 3940 wrote to memory of 4824	3940	un903031.exe	pr354824.exe
PID 3940 wrote to memory of 4824	3940	un903031.exe	pr354824.exe
PID 3940 wrote to memory of 4556	3940	un903031.exe	qu230711.exe
PID 3940 wrote to memory of 4556	3940	un903031.exe	qu230711.exe
PID 3940 wrote to memory of 4556	3940	un903031.exe	qu230711.exe
PID 4116 wrote to memory of 3608	4116	un582106.exe	rk994573.exe
PID 4116 wrote to memory of 3608	4116	un582106.exe	rk994573.exe
PID 4116 wrote to memory of 3608	4116	un582106.exe	rk994573.exe
PID 3588 wrote to memory of 3716	3588	e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe	si425834.exe
PID 3588 wrote to memory of 3716	3588	e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe	si425834.exe
PID 3588 wrote to memory of 3716	3588	e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe	si425834.exe

C:\Users\Admin\AppData\Local\Temp\e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe
"C:\Users\Admin\AppData\Local\Temp\e2f0cfbd5c3939068c253bd9218c803905a5bd19326df6827824df56b840c3fa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582106.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582106.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un903031.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un903031.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr354824.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr354824.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu230711.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu230711.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994573.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994573.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si425834.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si425834.exe
2⤵
- Executes dropped EXE
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 624
3⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 700
3⤵
- Program crash
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 836
3⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 844
3⤵
- Program crash
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 872
3⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 848
3⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1072
3⤵
- Program crash
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si425834.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si425834.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582106.exe
Filesize
661KB

MD5
5cbc6e1748de18ccd3d86b2ee35d88a1

SHA1
21fc37e4a24a3ba4803e997e9c83727bc471ba57

SHA256
eb5d00df661e6f0adcfbe26502b8247726692c4d2673145ba86e6097c69eb167

SHA512
d2f2fb072d7cfd34814f70f471399f52e0cd48f7894fe236afc0213480deb4a5b4564e089af3aa17edd3868e25620abec5b230ef900fe3037bd43a8aa1c52701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582106.exe
Filesize
661KB

MD5
5cbc6e1748de18ccd3d86b2ee35d88a1

SHA1
21fc37e4a24a3ba4803e997e9c83727bc471ba57

SHA256
eb5d00df661e6f0adcfbe26502b8247726692c4d2673145ba86e6097c69eb167

SHA512
d2f2fb072d7cfd34814f70f471399f52e0cd48f7894fe236afc0213480deb4a5b4564e089af3aa17edd3868e25620abec5b230ef900fe3037bd43a8aa1c52701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994573.exe
Filesize
175KB

MD5
bb6d43fa4ebafe62b98ec4dea4ff49d9

SHA1
d8188e664ac977f59d3ec26589e3cf67b1fab23b

SHA256
1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

SHA512
679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994573.exe
Filesize
175KB

MD5
bb6d43fa4ebafe62b98ec4dea4ff49d9

SHA1
d8188e664ac977f59d3ec26589e3cf67b1fab23b

SHA256
1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

SHA512
679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un903031.exe
Filesize
519KB

MD5
2c72e0329056a775367509f16c2dc515

SHA1
9c1b5f2ae1437df306a427e95d5c7098b69d86ed

SHA256
7c5b12b98f4dee2e9f05dbc705c7ff738ed172a3743a804e0f592d0ad4b7adc2

SHA512
07a58ac93ee0c94e156554a24a9295e889b2908a99e2d105d2ccb6611811db830133e69787449d56873abf20791bb1347cb233695aca090ef8ff5475b6bb03c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un903031.exe
Filesize
519KB

MD5
2c72e0329056a775367509f16c2dc515

SHA1
9c1b5f2ae1437df306a427e95d5c7098b69d86ed

SHA256
7c5b12b98f4dee2e9f05dbc705c7ff738ed172a3743a804e0f592d0ad4b7adc2

SHA512
07a58ac93ee0c94e156554a24a9295e889b2908a99e2d105d2ccb6611811db830133e69787449d56873abf20791bb1347cb233695aca090ef8ff5475b6bb03c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr354824.exe
Filesize
235KB

MD5
4f2ed9291948314fc8df30e612311259

SHA1
d85d16c8b19d588287f6b9da0dc26989b76725f1

SHA256
234d03d390becb9aef651c00f24fcc17d6eae6cb0d231a1cd24a7c53f5e81c65

SHA512
5dd051ca982e5e3da703fe8843d9eeb73ce6b28519a6a38d038d6d538223bac8f5f03743ec730bf755414360675fd4222eb0191beede7fbda172cc0beda8dd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr354824.exe
Filesize
235KB

MD5
4f2ed9291948314fc8df30e612311259

SHA1
d85d16c8b19d588287f6b9da0dc26989b76725f1

SHA256
234d03d390becb9aef651c00f24fcc17d6eae6cb0d231a1cd24a7c53f5e81c65

SHA512
5dd051ca982e5e3da703fe8843d9eeb73ce6b28519a6a38d038d6d538223bac8f5f03743ec730bf755414360675fd4222eb0191beede7fbda172cc0beda8dd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu230711.exe
Filesize
292KB

MD5
cb102613679d7633cfd1c851f414f325

SHA1
d06ccc6fa82e5db7c930011c516446ea65bdb532

SHA256
81bc90248737e7fe75b745ca5aec289c85550ff47a67b314517e841d6b05acfa

SHA512
6845ffe03cda4bd791060c839e2442978ed2fe3913365fc80a65f0e90e4c0bdce46a7ac2087ba832a7c638de2283a2665cee7be23ca92849d8f00c8f68601de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu230711.exe
Filesize
292KB

MD5
cb102613679d7633cfd1c851f414f325

SHA1
d06ccc6fa82e5db7c930011c516446ea65bdb532

SHA256
81bc90248737e7fe75b745ca5aec289c85550ff47a67b314517e841d6b05acfa

SHA512
6845ffe03cda4bd791060c839e2442978ed2fe3913365fc80a65f0e90e4c0bdce46a7ac2087ba832a7c638de2283a2665cee7be23ca92849d8f00c8f68601de8

Download Submit
memory/3608-1122-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3608-1121-0x0000000005220000-0x000000000526B000-memory.dmp

Filesize
300KB

Download
memory/3608-1120-0x00000000007E0000-0x0000000000812000-memory.dmp

Filesize
200KB

Download
memory/3716-1128-0x0000000000590000-0x00000000005CB000-memory.dmp

Filesize
236KB

Download
memory/4556-1099-0x00000000057D0000-0x00000000058DA000-memory.dmp

Filesize
1.0MB

Download
memory/4556-1104-0x0000000005BE0000-0x0000000005C72000-memory.dmp

Filesize
584KB

Download
memory/4556-1114-0x0000000006D40000-0x0000000006D90000-memory.dmp

Filesize
320KB

Download
memory/4556-1113-0x0000000006CC0000-0x0000000006D36000-memory.dmp

Filesize
472KB

Download
memory/4556-1112-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4556-1111-0x0000000006550000-0x0000000006A7C000-memory.dmp

Filesize
5.2MB

Download
memory/4556-1110-0x0000000006380000-0x0000000006542000-memory.dmp

Filesize
1.8MB

Download
memory/4556-1109-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4556-1108-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4556-1107-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4556-1105-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/4556-1103-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4556-1102-0x0000000005A50000-0x0000000005A9B000-memory.dmp

Filesize
300KB

Download
memory/4556-1101-0x0000000005900000-0x000000000593E000-memory.dmp

Filesize
248KB

Download
memory/4556-1100-0x00000000058E0000-0x00000000058F2000-memory.dmp

Filesize
72KB

Download
memory/4556-1098-0x00000000051C0000-0x00000000057C6000-memory.dmp

Filesize
6.0MB

Download
memory/4556-230-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4556-228-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4556-226-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4556-186-0x00000000024A0000-0x00000000024E6000-memory.dmp

Filesize
280KB

Download
memory/4556-187-0x0000000004A40000-0x0000000004A84000-memory.dmp

Filesize
272KB

Download
memory/4556-189-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-188-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-191-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-193-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-195-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-197-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-199-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-201-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-203-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-205-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-211-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-209-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-207-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-213-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-215-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-217-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-219-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-221-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/4556-224-0x00000000006D0000-0x000000000071B000-memory.dmp

Filesize
300KB

Download
memory/4824-169-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-141-0x0000000002000000-0x000000000201A000-memory.dmp

Filesize
104KB

Download
memory/4824-153-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4824-179-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4824-148-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4824-178-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4824-177-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4824-176-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4824-175-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-155-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-173-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-171-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-181-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4824-152-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-145-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-163-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-161-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-159-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-157-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-151-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4824-149-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-165-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-147-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4824-144-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/4824-143-0x00000000020C0000-0x00000000020D8000-memory.dmp

Filesize
96KB

Download
memory/4824-142-0x0000000004BA0000-0x000000000509E000-memory.dmp

Filesize
5.0MB

Download
memory/4824-167-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download