amadey | 4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc

Analysis

max time kernel
147s
max time network
113s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2023 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe
Size

940KB
MD5

c57e3bfd8be746ae41aa38a68e343709
SHA1

412dba109982b935b9c3985fb602775fdeca8a25
SHA256

4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc
SHA512

61191bee1e2c0d35158d0643736add9e3f8c7b8919913b9ca1935979cfd9d8574b31caa10304df2a90796ea8864c2684ac068173d2532a3a192723559c24b1b1
SSDEEP

12288:pMr4y90/iOJx2LqUGcTvr1ksEeACegqLGTAKhC6GI7tLusEZBaIbDLoeiIMFJ1:xy+aLqtcjrQ6qLEAR6GI7tLus8au4t5

Score

10^/10

amadey redline rosn zima discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

176.113.115.145:4125

Attributes

auth_value
2ef701d510c0d27e8a8e3270281678b1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr965746.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr965746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr965746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr965746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr965746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr965746.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3076-188-0x0000000002160000-0x00000000021A6000-memory.dmp	family_redline
behavioral1/memory/3076-192-0x0000000002400000-0x0000000002444000-memory.dmp	family_redline
behavioral1/memory/3076-194-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-195-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-197-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-199-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-201-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-203-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-205-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-207-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-209-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-211-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-213-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-215-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-217-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-219-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-221-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-223-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-225-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline
behavioral1/memory/3076-227-0x0000000002400000-0x000000000243F000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

un826703.exeun088196.exepr965746.exequ581070.exerk818485.exesi035844.exe

pid process

4144 un826703.exe
4132 un088196.exe
4956 pr965746.exe
3076 qu581070.exe
3956 rk818485.exe
4808 si035844.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4144	un826703.exe
4132	un088196.exe
4956	pr965746.exe
3076	qu581070.exe
3956	rk818485.exe
4808	si035844.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr965746.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr965746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr965746.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exeun826703.exeun088196.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un826703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un826703.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un088196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un088196.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4740	4808	WerFault.exe	si035844.exe
4744	4808	WerFault.exe	si035844.exe
2524	4808	WerFault.exe	si035844.exe
3236	4808	WerFault.exe	si035844.exe
1780	4808	WerFault.exe	si035844.exe
3456	4808	WerFault.exe	si035844.exe
4528	4808	WerFault.exe	si035844.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pr965746.exequ581070.exerk818485.exe

pid process

4956 pr965746.exe
4956 pr965746.exe
3076 qu581070.exe
3076 qu581070.exe
3956 rk818485.exe
3956 rk818485.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pr965746.exequ581070.exerk818485.exe

description pid process

Token: SeDebugPrivilege 4956 pr965746.exe
Token: SeDebugPrivilege 3076 qu581070.exe
Token: SeDebugPrivilege 3956 rk818485.exe

pid	process
4956	pr965746.exe
4956	pr965746.exe
3076	qu581070.exe
3076	qu581070.exe
3956	rk818485.exe
3956	rk818485.exe

description	pid	process
Token: SeDebugPrivilege	4956	pr965746.exe
Token: SeDebugPrivilege	3076	qu581070.exe
Token: SeDebugPrivilege	3956	rk818485.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exeun826703.exeun088196.exe

description	pid	process	target process
PID 3796 wrote to memory of 4144	3796	4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe	un826703.exe
PID 3796 wrote to memory of 4144	3796	4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe	un826703.exe
PID 3796 wrote to memory of 4144	3796	4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe	un826703.exe
PID 4144 wrote to memory of 4132	4144	un826703.exe	un088196.exe
PID 4144 wrote to memory of 4132	4144	un826703.exe	un088196.exe
PID 4144 wrote to memory of 4132	4144	un826703.exe	un088196.exe
PID 4132 wrote to memory of 4956	4132	un088196.exe	pr965746.exe
PID 4132 wrote to memory of 4956	4132	un088196.exe	pr965746.exe
PID 4132 wrote to memory of 4956	4132	un088196.exe	pr965746.exe
PID 4132 wrote to memory of 3076	4132	un088196.exe	qu581070.exe
PID 4132 wrote to memory of 3076	4132	un088196.exe	qu581070.exe
PID 4132 wrote to memory of 3076	4132	un088196.exe	qu581070.exe
PID 4144 wrote to memory of 3956	4144	un826703.exe	rk818485.exe
PID 4144 wrote to memory of 3956	4144	un826703.exe	rk818485.exe
PID 4144 wrote to memory of 3956	4144	un826703.exe	rk818485.exe
PID 3796 wrote to memory of 4808	3796	4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe	si035844.exe
PID 3796 wrote to memory of 4808	3796	4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe	si035844.exe
PID 3796 wrote to memory of 4808	3796	4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe	si035844.exe

C:\Users\Admin\AppData\Local\Temp\4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe
"C:\Users\Admin\AppData\Local\Temp\4c423e200c7f88f3e8c36edb7e1ae58cd3204b442432a6cfeef0794c68009abc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un826703.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un826703.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088196.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088196.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4132

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr965746.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr965746.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu581070.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu581070.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk818485.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk818485.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si035844.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si035844.exe
2⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 620
3⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 700
3⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 776
3⤵
- Program crash
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 848
3⤵
- Program crash
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 908
3⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 908
3⤵
- Program crash
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1036
3⤵
- Program crash
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si035844.exe
Filesize
231KB

MD5
5a531a1495614605383afe7a35731a7a

SHA1
f00c58c5745c7adeb14b5b176fc0cd8d6d694bb6

SHA256
2aa40e53a153a68c6fd28793fdd06fa3bcbe4658820261607f6f4f8ecd3b8c2d

SHA512
906eb4afa865e09a68e5f40e48837bf576ced8218e8545daa25bd1ac0bea2087f77c9905d143c243cb3cbf04b3472c049620e2b51ccf243ac75f7134376e4aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si035844.exe
Filesize
231KB

MD5
5a531a1495614605383afe7a35731a7a

SHA1
f00c58c5745c7adeb14b5b176fc0cd8d6d694bb6

SHA256
2aa40e53a153a68c6fd28793fdd06fa3bcbe4658820261607f6f4f8ecd3b8c2d

SHA512
906eb4afa865e09a68e5f40e48837bf576ced8218e8545daa25bd1ac0bea2087f77c9905d143c243cb3cbf04b3472c049620e2b51ccf243ac75f7134376e4aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un826703.exe
Filesize
674KB

MD5
fedbd163c6dce2cd1d044b40bcfbf0b2

SHA1
7dfa8b0485dc92e3416872579d7008d742eccd58

SHA256
cd4560d0368b54e4c29375b677aa450dd381390f89084d9d5aa6a4b8613f0e69

SHA512
fd7e90510681e2a8e26c38a18c979b9a45e5975336ece1e149b7da60134a51b7e99fa68a12253c8eaf2f3e0bec9f053c71de901d17987b0a3ca4cc191245322a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un826703.exe
Filesize
674KB

MD5
fedbd163c6dce2cd1d044b40bcfbf0b2

SHA1
7dfa8b0485dc92e3416872579d7008d742eccd58

SHA256
cd4560d0368b54e4c29375b677aa450dd381390f89084d9d5aa6a4b8613f0e69

SHA512
fd7e90510681e2a8e26c38a18c979b9a45e5975336ece1e149b7da60134a51b7e99fa68a12253c8eaf2f3e0bec9f053c71de901d17987b0a3ca4cc191245322a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk818485.exe
Filesize
169KB

MD5
3cd5291bbb2756f116a0d84969a9ad07

SHA1
68278882d45ef87e679cdabcba04402624b19c65

SHA256
c6238cee8171558f5618924ea93d47f1e2f9d9f724140280c1069d1795000af0

SHA512
33865024d9fcfaf0e764548ab611407e16a1872978fe69363289b531df174b415e38e331028e3df4a0ee733a6f4ff85a3d5343371e4d5d7bcf42362fd6940420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk818485.exe
Filesize
169KB

MD5
3cd5291bbb2756f116a0d84969a9ad07

SHA1
68278882d45ef87e679cdabcba04402624b19c65

SHA256
c6238cee8171558f5618924ea93d47f1e2f9d9f724140280c1069d1795000af0

SHA512
33865024d9fcfaf0e764548ab611407e16a1872978fe69363289b531df174b415e38e331028e3df4a0ee733a6f4ff85a3d5343371e4d5d7bcf42362fd6940420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088196.exe
Filesize
520KB

MD5
450e8923f0efe640cc03a77349588431

SHA1
56b3d1150f9272aafd4f18e602aa84473ba60aa8

SHA256
7ae32c4f331777e2eb6be141f5bac3b83b6442f8274a4d0a396484418b056a55

SHA512
d782da3cd987cc3452a389dd1eed05a20d2057adde82124bec3a0f55ce9889c9ba7ec80abb86a38f39bab2a3f754b107a450b8c343ce5a5fb9f48cd4de96bda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088196.exe
Filesize
520KB

MD5
450e8923f0efe640cc03a77349588431

SHA1
56b3d1150f9272aafd4f18e602aa84473ba60aa8

SHA256
7ae32c4f331777e2eb6be141f5bac3b83b6442f8274a4d0a396484418b056a55

SHA512
d782da3cd987cc3452a389dd1eed05a20d2057adde82124bec3a0f55ce9889c9ba7ec80abb86a38f39bab2a3f754b107a450b8c343ce5a5fb9f48cd4de96bda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr965746.exe
Filesize
239KB

MD5
1eb6f6631b8035e1d8af6914066bce43

SHA1
1dae269dbd05b587866dc8c40096375d8cae213e

SHA256
c352e8aa2f5d9987b5f730d70443a83ee235eda0e697dda230f5826f385dc4f0

SHA512
b2d077a6c653df52ac99be9027884204257950ce18952458d716e8ed139a7c8be3a44d5ad72686fc8218083246839b7d7a3d02e690969f8fdee4309831c00330

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr965746.exe
Filesize
239KB

MD5
1eb6f6631b8035e1d8af6914066bce43

SHA1
1dae269dbd05b587866dc8c40096375d8cae213e

SHA256
c352e8aa2f5d9987b5f730d70443a83ee235eda0e697dda230f5826f385dc4f0

SHA512
b2d077a6c653df52ac99be9027884204257950ce18952458d716e8ed139a7c8be3a44d5ad72686fc8218083246839b7d7a3d02e690969f8fdee4309831c00330

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu581070.exe
Filesize
297KB

MD5
7bfbd0b58c2a74f855ed298223717cc0

SHA1
93ef30fe8a261e6543972f58448b380f7c567e8f

SHA256
4df813767eaf8b1be04bd97d9f52481b4d1c7409aebcc28bbb4bd1f644adee03

SHA512
27a0c137c372229a2e34c7ec10443f5d17a1398b990fea29327374b59194c82cb5f63f4af1ea828c107237afed38528c898e55989dc2a8ac872683260c97287f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu581070.exe
Filesize
297KB

MD5
7bfbd0b58c2a74f855ed298223717cc0

SHA1
93ef30fe8a261e6543972f58448b380f7c567e8f

SHA256
4df813767eaf8b1be04bd97d9f52481b4d1c7409aebcc28bbb4bd1f644adee03

SHA512
27a0c137c372229a2e34c7ec10443f5d17a1398b990fea29327374b59194c82cb5f63f4af1ea828c107237afed38528c898e55989dc2a8ac872683260c97287f

Download Submit
memory/3076-1101-0x00000000056A0000-0x00000000057AA000-memory.dmp

Filesize
1.0MB

Download
memory/3076-1105-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3076-1115-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3076-1114-0x0000000006C00000-0x0000000006C50000-memory.dmp

Filesize
320KB

Download
memory/3076-1113-0x0000000006B80000-0x0000000006BF6000-memory.dmp

Filesize
472KB

Download
memory/3076-1112-0x0000000006420000-0x000000000694C000-memory.dmp

Filesize
5.2MB

Download
memory/3076-1111-0x0000000006240000-0x0000000006402000-memory.dmp

Filesize
1.8MB

Download
memory/3076-1110-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/3076-1109-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/3076-1108-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3076-1107-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3076-1104-0x0000000005910000-0x000000000595B000-memory.dmp

Filesize
300KB

Download
memory/3076-1103-0x00000000057D0000-0x000000000580E000-memory.dmp

Filesize
248KB

Download
memory/3076-1102-0x00000000057B0000-0x00000000057C2000-memory.dmp

Filesize
72KB

Download
memory/3076-1100-0x0000000005090000-0x0000000005696000-memory.dmp

Filesize
6.0MB

Download
memory/3076-227-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-225-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-223-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-221-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-219-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-217-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-215-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-213-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-188-0x0000000002160000-0x00000000021A6000-memory.dmp

Filesize
280KB

Download
memory/3076-189-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/3076-192-0x0000000002400000-0x0000000002444000-memory.dmp

Filesize
272KB

Download
memory/3076-191-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3076-193-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3076-190-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3076-194-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-195-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-197-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-199-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-201-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-203-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-205-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-207-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-209-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3076-211-0x0000000002400000-0x000000000243F000-memory.dmp

Filesize
252KB

Download
memory/3956-1121-0x0000000000170000-0x00000000001A0000-memory.dmp

Filesize
192KB

Download
memory/3956-1124-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/3956-1123-0x000000000A080000-0x000000000A0CB000-memory.dmp

Filesize
300KB

Download
memory/3956-1122-0x0000000000830000-0x0000000000836000-memory.dmp

Filesize
24KB

Download
memory/4808-1130-0x0000000000580000-0x00000000005BB000-memory.dmp

Filesize
236KB

Download
memory/4956-165-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-161-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-177-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4956-176-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4956-147-0x0000000002540000-0x0000000002558000-memory.dmp

Filesize
96KB

Download
memory/4956-175-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-173-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-171-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-151-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-169-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-167-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-148-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-163-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-178-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4956-159-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-157-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-155-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-153-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4956-146-0x0000000004B40000-0x000000000503E000-memory.dmp

Filesize
5.0MB

Download
memory/4956-145-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4956-179-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4956-180-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4956-181-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4956-183-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4956-144-0x00000000021B0000-0x00000000021CA000-memory.dmp

Filesize
104KB

Download
memory/4956-143-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4956-149-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download