amadey | 5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3

Analysis

max time kernel
146s
max time network
111s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2023 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe
Size

924KB
MD5

4e3a882385f223f67be5123b973507be
SHA1

22d5ee7eaf57b11d60b3038c76cab111f6923535
SHA256

5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3
SHA512

68e009c9f664a23dbf21078165e3aaa0c67796045a469b9e16a58b3d30d314ef509fd36b77ea9cfe6077867d40c4f47a661b44bc640b00173d35a4a19613ff73
SSDEEP

24576:+y6Wlmv7AbRk1Y4r0/KzqSpuz8xMl+yLg3Hp6m+echzC:NvlmjAK1Y4rmrz+MRw8DJ

Score

10^/10

amadey redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr302673.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr302673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr302673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr302673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr302673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr302673.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4556-186-0x00000000009E0000-0x0000000000A26000-memory.dmp	family_redline
behavioral1/memory/4556-187-0x0000000002520000-0x0000000002564000-memory.dmp	family_redline
behavioral1/memory/4556-188-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-189-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-191-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-193-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-195-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-197-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-199-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-201-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-203-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-205-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-207-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-209-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-211-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-213-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-215-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-217-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-219-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/4556-221-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un002881.exeun888203.exepr302673.exequ614895.exerk368717.exesi658879.exe

pid process

3524 un002881.exe
4280 un888203.exe
4828 pr302673.exe
4556 qu614895.exe
4868 rk368717.exe
3512 si658879.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3524	un002881.exe
4280	un888203.exe
4828	pr302673.exe
4556	qu614895.exe
4868	rk368717.exe
3512	si658879.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr302673.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr302673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr302673.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exeun002881.exeun888203.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un002881.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un002881.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un888203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un888203.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
484	3512	WerFault.exe	si658879.exe
4800	3512	WerFault.exe	si658879.exe
4804	3512	WerFault.exe	si658879.exe
4388	3512	WerFault.exe	si658879.exe
4432	3512	WerFault.exe	si658879.exe
4764	3512	WerFault.exe	si658879.exe
4972	3512	WerFault.exe	si658879.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr302673.exequ614895.exerk368717.exe

pid process

4828 pr302673.exe
4828 pr302673.exe
4556 qu614895.exe
4556 qu614895.exe
4868 rk368717.exe
4868 rk368717.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr302673.exequ614895.exerk368717.exe

description pid process

Token: SeDebugPrivilege 4828 pr302673.exe
Token: SeDebugPrivilege 4556 qu614895.exe
Token: SeDebugPrivilege 4868 rk368717.exe

pid	process
4828	pr302673.exe
4828	pr302673.exe
4556	qu614895.exe
4556	qu614895.exe
4868	rk368717.exe
4868	rk368717.exe

description	pid	process
Token: SeDebugPrivilege	4828	pr302673.exe
Token: SeDebugPrivilege	4556	qu614895.exe
Token: SeDebugPrivilege	4868	rk368717.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exeun002881.exeun888203.exe

description	pid	process	target process
PID 3588 wrote to memory of 3524	3588	5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe	un002881.exe
PID 3588 wrote to memory of 3524	3588	5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe	un002881.exe
PID 3588 wrote to memory of 3524	3588	5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe	un002881.exe
PID 3524 wrote to memory of 4280	3524	un002881.exe	un888203.exe
PID 3524 wrote to memory of 4280	3524	un002881.exe	un888203.exe
PID 3524 wrote to memory of 4280	3524	un002881.exe	un888203.exe
PID 4280 wrote to memory of 4828	4280	un888203.exe	pr302673.exe
PID 4280 wrote to memory of 4828	4280	un888203.exe	pr302673.exe
PID 4280 wrote to memory of 4828	4280	un888203.exe	pr302673.exe
PID 4280 wrote to memory of 4556	4280	un888203.exe	qu614895.exe
PID 4280 wrote to memory of 4556	4280	un888203.exe	qu614895.exe
PID 4280 wrote to memory of 4556	4280	un888203.exe	qu614895.exe
PID 3524 wrote to memory of 4868	3524	un002881.exe	rk368717.exe
PID 3524 wrote to memory of 4868	3524	un002881.exe	rk368717.exe
PID 3524 wrote to memory of 4868	3524	un002881.exe	rk368717.exe
PID 3588 wrote to memory of 3512	3588	5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe	si658879.exe
PID 3588 wrote to memory of 3512	3588	5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe	si658879.exe
PID 3588 wrote to memory of 3512	3588	5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe	si658879.exe

C:\Users\Admin\AppData\Local\Temp\5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe
"C:\Users\Admin\AppData\Local\Temp\5e4ebf39b68ee065486f566c41927a65db5aeb9a688b738a47ec36bf21b2c2b3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un002881.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un002881.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un888203.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un888203.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr302673.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr302673.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu614895.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu614895.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk368717.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk368717.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si658879.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si658879.exe
2⤵
- Executes dropped EXE
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 616
3⤵
- Program crash
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 696
3⤵
- Program crash
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 836
3⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 844
3⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 880
3⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 816
3⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1076
3⤵
- Program crash
PID:4972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si658879.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si658879.exe
Filesize
226KB

MD5
d8c3f20eef4f33bd865589859629bf41

SHA1
3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

SHA256
2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

SHA512
52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un002881.exe
Filesize
661KB

MD5
dea52591b3a0fcdf5ada2a92137f5437

SHA1
d1c276947177a95df939daf359cd5acfe308b6ab

SHA256
b6e769cfbb6cabad1241d740781e2b2fd662a94dd272c5814e2fd700f1c08839

SHA512
e9676d9d8d4891732c2f01a645224c64f1beaac5dc1dccf0099cb1f293a6eaf3ba263d18b6dc77eb30fe0ad41ce2ed3929e4e35872228f8d29026cbb47c13b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un002881.exe
Filesize
661KB

MD5
dea52591b3a0fcdf5ada2a92137f5437

SHA1
d1c276947177a95df939daf359cd5acfe308b6ab

SHA256
b6e769cfbb6cabad1241d740781e2b2fd662a94dd272c5814e2fd700f1c08839

SHA512
e9676d9d8d4891732c2f01a645224c64f1beaac5dc1dccf0099cb1f293a6eaf3ba263d18b6dc77eb30fe0ad41ce2ed3929e4e35872228f8d29026cbb47c13b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk368717.exe
Filesize
175KB

MD5
bb6d43fa4ebafe62b98ec4dea4ff49d9

SHA1
d8188e664ac977f59d3ec26589e3cf67b1fab23b

SHA256
1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

SHA512
679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk368717.exe
Filesize
175KB

MD5
bb6d43fa4ebafe62b98ec4dea4ff49d9

SHA1
d8188e664ac977f59d3ec26589e3cf67b1fab23b

SHA256
1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

SHA512
679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un888203.exe
Filesize
519KB

MD5
3cae6574313576a40cb27687da582fe0

SHA1
5abd7f305a6c5ae1d4a3b32c3681a481916e76a0

SHA256
e97bee6f538482eaccdbca01c62c5dc49f3f75a1598e1fb4aa1ac2d683d45560

SHA512
7ee799b9de01474ca5e59ebf6ae8a14aa965e756f7d056a6e8e9ddcb057746f596d4ea14293aea977d06bc05e4d68b05cfc1b878f39124f5cda4ec961cba0310

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un888203.exe
Filesize
519KB

MD5
3cae6574313576a40cb27687da582fe0

SHA1
5abd7f305a6c5ae1d4a3b32c3681a481916e76a0

SHA256
e97bee6f538482eaccdbca01c62c5dc49f3f75a1598e1fb4aa1ac2d683d45560

SHA512
7ee799b9de01474ca5e59ebf6ae8a14aa965e756f7d056a6e8e9ddcb057746f596d4ea14293aea977d06bc05e4d68b05cfc1b878f39124f5cda4ec961cba0310

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr302673.exe
Filesize
235KB

MD5
d959747880d49587b1f06b8454f903ce

SHA1
8f22fb188d12414f94ec508aa478ac46d970b2e1

SHA256
5685a2167c46d643c662c1c8ed28b41835018b938fb5b93f020f26c0bfc3bee9

SHA512
92e65b2ef15f64c073ff1759546fc8d361780ccf77e6932aefbc6142e95f276d83f2f22c6dd0e8eb32e73fcd193256288999b2cf86763d72f84e1808c452e4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr302673.exe
Filesize
235KB

MD5
d959747880d49587b1f06b8454f903ce

SHA1
8f22fb188d12414f94ec508aa478ac46d970b2e1

SHA256
5685a2167c46d643c662c1c8ed28b41835018b938fb5b93f020f26c0bfc3bee9

SHA512
92e65b2ef15f64c073ff1759546fc8d361780ccf77e6932aefbc6142e95f276d83f2f22c6dd0e8eb32e73fcd193256288999b2cf86763d72f84e1808c452e4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu614895.exe
Filesize
292KB

MD5
40f9689042eadf2caa702a0381206252

SHA1
cb2d2364203f44bd5f696784e97da75daea66f86

SHA256
f855674a281f801a22b2f780a65ff08c291b80f6b356f762f3baa1f8e2c2f017

SHA512
8900d26e8783b3f7c5d9a6797f30093e6c765a7d9f157aa58d158e2b6fc4bea5bad94160f12512afce9f07c6da139109e200a02c912eee012f6c10f60a6124bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu614895.exe
Filesize
292KB

MD5
40f9689042eadf2caa702a0381206252

SHA1
cb2d2364203f44bd5f696784e97da75daea66f86

SHA256
f855674a281f801a22b2f780a65ff08c291b80f6b356f762f3baa1f8e2c2f017

SHA512
8900d26e8783b3f7c5d9a6797f30093e6c765a7d9f157aa58d158e2b6fc4bea5bad94160f12512afce9f07c6da139109e200a02c912eee012f6c10f60a6124bd

Download Submit
memory/3512-1127-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/4556-1099-0x0000000005660000-0x000000000576A000-memory.dmp

Filesize
1.0MB

Download
memory/4556-1104-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/4556-1113-0x0000000006500000-0x0000000006A2C000-memory.dmp

Filesize
5.2MB

Download
memory/4556-1111-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4556-1112-0x0000000006320000-0x00000000064E2000-memory.dmp

Filesize
1.8MB

Download
memory/4556-1110-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4556-1109-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4556-1108-0x00000000062D0000-0x0000000006320000-memory.dmp

Filesize
320KB

Download
memory/4556-1107-0x0000000006240000-0x00000000062B6000-memory.dmp

Filesize
472KB

Download
memory/4556-1105-0x0000000006160000-0x00000000061F2000-memory.dmp

Filesize
584KB

Download
memory/4556-1103-0x0000000005910000-0x000000000595B000-memory.dmp

Filesize
300KB

Download
memory/4556-1102-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4556-1101-0x00000000057C0000-0x00000000057FE000-memory.dmp

Filesize
248KB

Download
memory/4556-1100-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/4556-1098-0x0000000004FD0000-0x00000000055D6000-memory.dmp

Filesize
6.0MB

Download
memory/4556-401-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4556-398-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4556-399-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4556-396-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/4556-221-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-219-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-217-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-186-0x00000000009E0000-0x0000000000A26000-memory.dmp

Filesize
280KB

Download
memory/4556-187-0x0000000002520000-0x0000000002564000-memory.dmp

Filesize
272KB

Download
memory/4556-188-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-189-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-191-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-193-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-195-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-197-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-199-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-201-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-203-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-205-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-207-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-209-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-211-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-213-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4556-215-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/4828-165-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-181-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4828-163-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-179-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4828-178-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4828-177-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4828-176-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4828-175-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-146-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4828-173-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-171-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-169-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-167-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-149-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-141-0x0000000001F90000-0x0000000001FAA000-memory.dmp

Filesize
104KB

Download
memory/4828-148-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-161-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-157-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-159-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-155-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-153-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-151-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4828-145-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4828-144-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4828-147-0x00000000022D0000-0x00000000022E8000-memory.dmp

Filesize
96KB

Download
memory/4828-142-0x0000000004BA0000-0x000000000509E000-memory.dmp

Filesize
5.0MB

Download
memory/4828-143-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/4868-1121-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4868-1120-0x0000000005020000-0x000000000506B000-memory.dmp

Filesize
300KB

Download
memory/4868-1119-0x00000000005E0000-0x0000000000612000-memory.dmp

Filesize
200KB

Download