amadey | cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206

Analysis

max time kernel
141s
max time network
98s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16-04-2023 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe
Size

952KB
MD5

02a2d9c11ec58c11f67219cdd6f2cdcf
SHA1

f798ba2e4bc7508d174fa538acf324a05304f3a6
SHA256

cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206
SHA512

e39b797416c019821a076cbbe9522c7daad1a66369e6eedd8977f0b8d6c2997d62d5d87d2bc6b540e80d17c69d5b1378cd257b34f8277898cb2d9abbff5a70db
SSDEEP

24576:zyW8BUo5d0VxcTmSomfrZ2x4gK80BiVb/:GDf5uVxcThocsxLK8ciV

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it124305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it124305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it124305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it124305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it124305.exe

Executes dropped EXE 6 IoCs

pid	Process
4512	ziea8003.exe
4324	ziZm4675.exe
68	it124305.exe
2292	jr584531.exe
3472	kp631847.exe
3784	lr699646.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it124305.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziea8003.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziea8003.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziZm4675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziZm4675.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 18 IoCs

pid	pid_target	Process	procid_target
4296	3784	WerFault.exe	72
1480	3784	WerFault.exe	72
2136	3784	WerFault.exe	72
4064	3784	WerFault.exe	72
4520	3784	WerFault.exe	72
2008	3784	WerFault.exe	72
4744	3784	WerFault.exe	72
1432	3784	WerFault.exe	72
2760	3784	WerFault.exe	72
1308	4676	WerFault.exe	83
3688	4676	WerFault.exe	83
4468	4676	WerFault.exe	83
1724	4676	WerFault.exe	83
4704	4676	WerFault.exe	83
3720	4676	WerFault.exe	83
4860	4676	WerFault.exe	83
4164	4676	WerFault.exe	83
4048	4676	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
68	it124305.exe
68	it124305.exe
2292	jr584531.exe
2292	jr584531.exe
3472	kp631847.exe
3472	kp631847.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	68	it124305.exe
Token: SeDebugPrivilege	2292	jr584531.exe
Token: SeDebugPrivilege	3472	kp631847.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 4512	372	cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe	66
PID 372 wrote to memory of 4512	372	cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe	66
PID 372 wrote to memory of 4512	372	cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe	66
PID 4512 wrote to memory of 4324	4512	ziea8003.exe	67
PID 4512 wrote to memory of 4324	4512	ziea8003.exe	67
PID 4512 wrote to memory of 4324	4512	ziea8003.exe	67
PID 4324 wrote to memory of 68	4324	ziZm4675.exe	68
PID 4324 wrote to memory of 68	4324	ziZm4675.exe	68
PID 4324 wrote to memory of 2292	4324	ziZm4675.exe	69
PID 4324 wrote to memory of 2292	4324	ziZm4675.exe	69
PID 4324 wrote to memory of 2292	4324	ziZm4675.exe	69
PID 4512 wrote to memory of 3472	4512	ziea8003.exe	71
PID 4512 wrote to memory of 3472	4512	ziea8003.exe	71
PID 4512 wrote to memory of 3472	4512	ziea8003.exe	71
PID 372 wrote to memory of 3784	372	cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe	72
PID 372 wrote to memory of 3784	372	cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe	72
PID 372 wrote to memory of 3784	372	cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe	72

C:\Users\Admin\AppData\Local\Temp\cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe
"C:\Users\Admin\AppData\Local\Temp\cde19cc1a4872f7cf08785ffa73457993ccb860f55a3f8f183814e78aa930206.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziea8003.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziea8003.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziZm4675.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziZm4675.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it124305.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it124305.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:68
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr584531.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr584531.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp631847.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp631847.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr699646.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr699646.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 624
    3⤵
    - Program crash
    PID:4296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 704
    3⤵
    - Program crash
    PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 844
    3⤵
    - Program crash
    PID:2136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 852
    3⤵
    - Program crash
    PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 880
    3⤵
    - Program crash
    PID:4520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 840
    3⤵
    - Program crash
    PID:2008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1124
    3⤵
    - Program crash
    PID:4744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1088
    3⤵
    - Program crash
    PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1284
    3⤵
    - Program crash
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    PID:4676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 620
      4⤵
      Program crash
      PID:1308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 744
      4⤵
      Program crash
      PID:3688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 776
      4⤵
      Program crash
      PID:4468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 804
      4⤵
      Program crash
      PID:1724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1032
      4⤵
      Program crash
      PID:4704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1080
      4⤵
      Program crash
      PID:3720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1044
      4⤵
      Program crash
      PID:4860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1156
      4⤵
      Program crash
      PID:4164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1148
      4⤵
      Program crash
      PID:4048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr699646.exe

Filesize
395KB

MD5
f8d1f08b15ba95119b7d2ddea4b3c543

SHA1
79812ef3ec5d8e979c3553cc31145988f7ec65b8

SHA256
afc48eabd725325d00324625eb9035c450d730c0b07d4d5a7246cbb1a3a443eb

SHA512
a6b04bd33a1fc937aeb826e97f1071dce0787c35a8aab8bdd44ea3f84454c22544cc62778435274411481e58490d0d292b0b5d7a039a7d317e27d7c44b723039

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziea8003.exe

Filesize
624KB

MD5
e067c2c3a14df9d0af90010047cc4d6c

SHA1
874399cc82d86e103b1efc9de0bc2743e5ba7a66

SHA256
a26c95558d3d79749f0e51e8c12925a040e1743b37fbaacc876d543bf761f160

SHA512
85b85d224e8c39eebaf2271c77c5c222abd2703717730f17917fabc5c6c09f93494a1f40354dad250a54ad8844dc6f45f2252eab15f10b713bfb6a512f5c6dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziea8003.exe

Filesize
624KB

MD5
e067c2c3a14df9d0af90010047cc4d6c

SHA1
874399cc82d86e103b1efc9de0bc2743e5ba7a66

SHA256
a26c95558d3d79749f0e51e8c12925a040e1743b37fbaacc876d543bf761f160

SHA512
85b85d224e8c39eebaf2271c77c5c222abd2703717730f17917fabc5c6c09f93494a1f40354dad250a54ad8844dc6f45f2252eab15f10b713bfb6a512f5c6dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp631847.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp631847.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziZm4675.exe

Filesize
470KB

MD5
f552808eb384cf6283867a15b310c581

SHA1
a9ad8da9565124a58c9aed98db8d6abc78efff48

SHA256
24e7cba0b1f9303cc3189e50f483dff630fad3666a123214b292dbfaa6782af7

SHA512
b49a2443f96561a9ee36b2b5c9a3fc6f847eaa2dc43761c28f33064fb7a50a51a261f15874a24d8ebd3aa56b540474f8e8c511dec49ae699171bf92eb6065b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziZm4675.exe

Filesize
470KB

MD5
f552808eb384cf6283867a15b310c581

SHA1
a9ad8da9565124a58c9aed98db8d6abc78efff48

SHA256
24e7cba0b1f9303cc3189e50f483dff630fad3666a123214b292dbfaa6782af7

SHA512
b49a2443f96561a9ee36b2b5c9a3fc6f847eaa2dc43761c28f33064fb7a50a51a261f15874a24d8ebd3aa56b540474f8e8c511dec49ae699171bf92eb6065b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it124305.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it124305.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr584531.exe

Filesize
486KB

MD5
1539f3de0adf700ad4ef920dd27cf590

SHA1
62820438fe64412a5e05f91b69cb95a9a646681b

SHA256
11001a9845b4f62d1a290a9e01499399f57bc4bbbbbe6acd57d5b9bd550d607b

SHA512
ff104fd47c0485d1e1607688dc15f604d42a4265512d7e6d3042f8e9540a5867147cb4154ef4e5e4510d4b24a75e04ac424037037933f4725122e9c1a35ca00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr584531.exe

Filesize
486KB

MD5
1539f3de0adf700ad4ef920dd27cf590

SHA1
62820438fe64412a5e05f91b69cb95a9a646681b

SHA256
11001a9845b4f62d1a290a9e01499399f57bc4bbbbbe6acd57d5b9bd550d607b

SHA512
ff104fd47c0485d1e1607688dc15f604d42a4265512d7e6d3042f8e9540a5867147cb4154ef4e5e4510d4b24a75e04ac424037037933f4725122e9c1a35ca00b

Download Submit
memory/68-138-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/2292-144-0x00000000028B0000-0x00000000028EC000-memory.dmp

Filesize
240KB

Download
memory/2292-145-0x0000000004DD0000-0x00000000052CE000-memory.dmp

Filesize
5.0MB

Download
memory/2292-146-0x0000000002940000-0x000000000297A000-memory.dmp

Filesize
232KB

Download
memory/2292-147-0x0000000000910000-0x0000000000956000-memory.dmp

Filesize
280KB

Download
memory/2292-148-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2292-150-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2292-149-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2292-151-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-152-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-154-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-156-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-158-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-160-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-162-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-164-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-166-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-168-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-170-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-172-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-174-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-176-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-178-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-180-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-182-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-184-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-186-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-188-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-190-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-192-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-194-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-196-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-198-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-200-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-202-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-204-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-206-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-208-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-210-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-212-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-214-0x0000000002940000-0x0000000002975000-memory.dmp

Filesize
212KB

Download
memory/2292-943-0x0000000007DD0000-0x00000000083D6000-memory.dmp

Filesize
6.0MB

Download
memory/2292-944-0x0000000007850000-0x0000000007862000-memory.dmp

Filesize
72KB

Download
memory/2292-945-0x0000000007880000-0x000000000798A000-memory.dmp

Filesize
1.0MB

Download
memory/2292-946-0x00000000079A0000-0x00000000079DE000-memory.dmp

Filesize
248KB

Download
memory/2292-947-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2292-948-0x0000000007A20000-0x0000000007A6B000-memory.dmp

Filesize
300KB

Download
memory/2292-949-0x0000000007CB0000-0x0000000007D16000-memory.dmp

Filesize
408KB

Download
memory/2292-950-0x0000000008970000-0x0000000008A02000-memory.dmp

Filesize
584KB

Download
memory/2292-951-0x0000000008B40000-0x0000000008BB6000-memory.dmp

Filesize
472KB

Download
memory/2292-952-0x0000000008C00000-0x0000000008DC2000-memory.dmp

Filesize
1.8MB

Download
memory/2292-953-0x0000000008DE0000-0x000000000930C000-memory.dmp

Filesize
5.2MB

Download
memory/2292-954-0x0000000009430000-0x000000000944E000-memory.dmp

Filesize
120KB

Download
memory/2292-955-0x0000000002710000-0x0000000002760000-memory.dmp

Filesize
320KB

Download
memory/3472-961-0x00000000000E0000-0x0000000000108000-memory.dmp

Filesize
160KB

Download
memory/3472-962-0x0000000006E60000-0x0000000006EAB000-memory.dmp

Filesize
300KB

Download
memory/3472-963-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4676-975-0x00000000008E0000-0x000000000091B000-memory.dmp

Filesize
236KB

Download