amadey | 03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4

Analysis

max time kernel
148s
max time network
139s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15/04/2023, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe
Size

950KB
MD5

2a34f6b8fe2dbbc72fff8fda80ffa8eb
SHA1

6753b9ab0d19283f0b2bdd99031317d5abd3764d
SHA256

03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4
SHA512

1318218f0133d999d88257327c9dbb633e2608ca4d5f4f3774a259d368b401a3ec718ff3749334dc73e4c8e9c17c8f90c402fbfe09f25c02f7674ff5fb275b0b
SSDEEP

24576:ayrZzzNAdOq8P21q+YUuNp1qFxWoV9igSHdA0Xnq+:hrN5A4zN+M9CWoV2d3q

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it069192.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it069192.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it069192.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it069192.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it069192.exe

Executes dropped EXE 6 IoCs

pid	Process
3548	zijF9584.exe
2348	ziVY4555.exe
4500	it069192.exe
4916	jr268695.exe
2144	kp943372.exe
3736	lr520498.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it069192.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zijF9584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zijF9584.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziVY4555.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziVY4555.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3588	3736	WerFault.exe	72
2368	3736	WerFault.exe	72
5112	3736	WerFault.exe	72
4816	3736	WerFault.exe	72
2080	3736	WerFault.exe	72
4240	3736	WerFault.exe	72
1016	3736	WerFault.exe	72
1800	3736	WerFault.exe	72
4392	3736	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4500	it069192.exe
4500	it069192.exe
4916	jr268695.exe
4916	jr268695.exe
2144	kp943372.exe
2144	kp943372.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	it069192.exe
Token: SeDebugPrivilege	4916	jr268695.exe
Token: SeDebugPrivilege	2144	kp943372.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3736	lr520498.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 3548	4124	03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe	66
PID 4124 wrote to memory of 3548	4124	03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe	66
PID 4124 wrote to memory of 3548	4124	03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe	66
PID 3548 wrote to memory of 2348	3548	zijF9584.exe	67
PID 3548 wrote to memory of 2348	3548	zijF9584.exe	67
PID 3548 wrote to memory of 2348	3548	zijF9584.exe	67
PID 2348 wrote to memory of 4500	2348	ziVY4555.exe	68
PID 2348 wrote to memory of 4500	2348	ziVY4555.exe	68
PID 2348 wrote to memory of 4916	2348	ziVY4555.exe	69
PID 2348 wrote to memory of 4916	2348	ziVY4555.exe	69
PID 2348 wrote to memory of 4916	2348	ziVY4555.exe	69
PID 3548 wrote to memory of 2144	3548	zijF9584.exe	71
PID 3548 wrote to memory of 2144	3548	zijF9584.exe	71
PID 3548 wrote to memory of 2144	3548	zijF9584.exe	71
PID 4124 wrote to memory of 3736	4124	03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe	72
PID 4124 wrote to memory of 3736	4124	03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe	72
PID 4124 wrote to memory of 3736	4124	03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe	72

C:\Users\Admin\AppData\Local\Temp\03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe
"C:\Users\Admin\AppData\Local\Temp\03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF9584.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF9584.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVY4555.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVY4555.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it069192.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it069192.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr268695.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr268695.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp943372.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp943372.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr520498.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr520498.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 620
    3⤵
    - Program crash
    PID:3588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 700
    3⤵
    - Program crash
    PID:2368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 840
    3⤵
    - Program crash
    PID:5112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 848
    3⤵
    - Program crash
    PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 876
    3⤵
    - Program crash
    PID:2080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 836
    3⤵
    - Program crash
    PID:4240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1120
    3⤵
    - Program crash
    PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1180
    3⤵
    - Program crash
    PID:1800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1200
    3⤵
    - Program crash
    PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr520498.exe

Filesize
390KB

MD5
5ed9270ca56d41db87987823290dfa15

SHA1
89f81232efb22eb536efd30fa52ed8710601b592

SHA256
74c8d2e808ec0734e30d03e29b9a17b020bdbe85b6584c1aa501ba892ae4a054

SHA512
e612b392272b0b6cf27582286e1ac92a5609bb51f72af0c8acdb489ad6e3ab1ecba5470cf391015dab06dc67c01726da60f3bc9da68dfd3e2f84b2716443d4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr520498.exe

Filesize
390KB

MD5
5ed9270ca56d41db87987823290dfa15

SHA1
89f81232efb22eb536efd30fa52ed8710601b592

SHA256
74c8d2e808ec0734e30d03e29b9a17b020bdbe85b6584c1aa501ba892ae4a054

SHA512
e612b392272b0b6cf27582286e1ac92a5609bb51f72af0c8acdb489ad6e3ab1ecba5470cf391015dab06dc67c01726da60f3bc9da68dfd3e2f84b2716443d4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF9584.exe

Filesize
623KB

MD5
c269b90e487a3e32992790b0900b7020

SHA1
fc522e44e7191b9de48b860d97688b21e905b204

SHA256
cd5ea334a091fcf73a11f559dec661f526f756278f90f46352979c0901fc93e4

SHA512
4f6099e2a704fbf871d9083c0a56a24af1b72e396fe57b65b413d27cacc0372bde70087de3624b256fdef06cb902d60c93748c1301da17a26bfce985164fc799

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF9584.exe

Filesize
623KB

MD5
c269b90e487a3e32992790b0900b7020

SHA1
fc522e44e7191b9de48b860d97688b21e905b204

SHA256
cd5ea334a091fcf73a11f559dec661f526f756278f90f46352979c0901fc93e4

SHA512
4f6099e2a704fbf871d9083c0a56a24af1b72e396fe57b65b413d27cacc0372bde70087de3624b256fdef06cb902d60c93748c1301da17a26bfce985164fc799

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp943372.exe

Filesize
136KB

MD5
4db9b048077c8bb9469b4671ef85844f

SHA1
84c0bfd0e9d46043342b875a3f2a74c48b50815a

SHA256
a37d0b22161b713836203c8a3678d8106dbdcc01deaa1c2f4a80c49c97236a27

SHA512
84bb09495e0bade6762a38b6c43dbf062f46ae7415e15a8b21c19f93ab4e9b103df28694cdebdcd454623b9bf530f2d9c2c87bb531eec6bbbc0db83a2d21b81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp943372.exe

Filesize
136KB

MD5
4db9b048077c8bb9469b4671ef85844f

SHA1
84c0bfd0e9d46043342b875a3f2a74c48b50815a

SHA256
a37d0b22161b713836203c8a3678d8106dbdcc01deaa1c2f4a80c49c97236a27

SHA512
84bb09495e0bade6762a38b6c43dbf062f46ae7415e15a8b21c19f93ab4e9b103df28694cdebdcd454623b9bf530f2d9c2c87bb531eec6bbbc0db83a2d21b81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVY4555.exe

Filesize
468KB

MD5
f347f0c0726ba7d57df02649793324af

SHA1
f1cc9402d1c33c98fe3e3828e4a9c143813f3d18

SHA256
29af44c787bc06379f9d01651e8ae29684ad2e01258aae2af57283b47741e0b7

SHA512
28268d52d53c53455b3039970206a901caf3b7b5723c604d5a4894c7347513a3339bcf79bece1bb4bf2b38bf1e7e1d900ee64a99bd4de04a51847bb34e5e2e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVY4555.exe

Filesize
468KB

MD5
f347f0c0726ba7d57df02649793324af

SHA1
f1cc9402d1c33c98fe3e3828e4a9c143813f3d18

SHA256
29af44c787bc06379f9d01651e8ae29684ad2e01258aae2af57283b47741e0b7

SHA512
28268d52d53c53455b3039970206a901caf3b7b5723c604d5a4894c7347513a3339bcf79bece1bb4bf2b38bf1e7e1d900ee64a99bd4de04a51847bb34e5e2e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it069192.exe

Filesize
12KB

MD5
c716ed259cfaa72701354cab5c45b44b

SHA1
249c18298d9c45971a69ab78988b6accb49a55a9

SHA256
dad1271b2521e0cd12037fb2aacc66cd6c0409ad7946cd45cc7d3f398f6c55d9

SHA512
73f0592edf2c37a53a79eecf6a011473a7e9ba5fb327fda318a2d7fa73aa0895f04dddde8c15c497fdecd02d1a8a76cc80769a839c3d6ed9a4ecef148761909a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it069192.exe

Filesize
12KB

MD5
c716ed259cfaa72701354cab5c45b44b

SHA1
249c18298d9c45971a69ab78988b6accb49a55a9

SHA256
dad1271b2521e0cd12037fb2aacc66cd6c0409ad7946cd45cc7d3f398f6c55d9

SHA512
73f0592edf2c37a53a79eecf6a011473a7e9ba5fb327fda318a2d7fa73aa0895f04dddde8c15c497fdecd02d1a8a76cc80769a839c3d6ed9a4ecef148761909a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr268695.exe

Filesize
481KB

MD5
40cd229c4f554bc29b3333efb0f97afd

SHA1
b6015b1d34bf524e108215ee92b242e1d02a3ebe

SHA256
f4e58e4e7e970fa7ddfd25e398c3b9fccabcc23f8def4a99936eba87a8614dbd

SHA512
541bedf5cbefe1ee31c24584d2b438e8536ae8d09ac2052ef8ccde8878c69cf7cfab518d44f3f013ef526168d772a7e6521a8435f637e91c5e9f70abb0c94614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr268695.exe

Filesize
481KB

MD5
40cd229c4f554bc29b3333efb0f97afd

SHA1
b6015b1d34bf524e108215ee92b242e1d02a3ebe

SHA256
f4e58e4e7e970fa7ddfd25e398c3b9fccabcc23f8def4a99936eba87a8614dbd

SHA512
541bedf5cbefe1ee31c24584d2b438e8536ae8d09ac2052ef8ccde8878c69cf7cfab518d44f3f013ef526168d772a7e6521a8435f637e91c5e9f70abb0c94614

Download Submit
memory/2144-962-0x0000000007B90000-0x0000000007BDB000-memory.dmp

Filesize
300KB

Download
memory/2144-961-0x0000000000DE0000-0x0000000000E08000-memory.dmp

Filesize
160KB

Download
memory/2144-963-0x0000000007B00000-0x0000000007B10000-memory.dmp

Filesize
64KB

Download
memory/3736-969-0x0000000000810000-0x000000000084B000-memory.dmp

Filesize
236KB

Download
memory/4500-137-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/4916-177-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-197-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-153-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4916-151-0x0000000000930000-0x0000000000976000-memory.dmp

Filesize
280KB

Download
memory/4916-155-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4916-156-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-152-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-159-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-161-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-158-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4916-163-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-165-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-167-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-169-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-171-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-173-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-175-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-149-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-179-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-181-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-183-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-185-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-187-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-189-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-191-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-193-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-195-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-146-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-199-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-201-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-203-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-205-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-207-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-209-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-211-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-213-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-942-0x00000000077C0000-0x0000000007DC6000-memory.dmp

Filesize
6.0MB

Download
memory/4916-943-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/4916-944-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/4916-945-0x0000000007FB0000-0x0000000007FEE000-memory.dmp

Filesize
248KB

Download
memory/4916-946-0x0000000008030000-0x000000000807B000-memory.dmp

Filesize
300KB

Download
memory/4916-947-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4916-948-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/4916-949-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/4916-950-0x00000000026D0000-0x0000000002746000-memory.dmp

Filesize
472KB

Download
memory/4916-147-0x0000000005290000-0x00000000052C5000-memory.dmp

Filesize
212KB

Download
memory/4916-145-0x0000000005290000-0x00000000052CA000-memory.dmp

Filesize
232KB

Download
memory/4916-144-0x0000000004D90000-0x000000000528E000-memory.dmp

Filesize
5.0MB

Download
memory/4916-143-0x0000000004D00000-0x0000000004D3C000-memory.dmp

Filesize
240KB

Download
memory/4916-951-0x0000000008A60000-0x0000000008A7E000-memory.dmp

Filesize
120KB

Download
memory/4916-952-0x0000000008B20000-0x0000000008B70000-memory.dmp

Filesize
320KB

Download
memory/4916-953-0x0000000008C70000-0x0000000008E32000-memory.dmp

Filesize
1.8MB

Download
memory/4916-954-0x0000000008E40000-0x000000000936C000-memory.dmp

Filesize
5.2MB

Download