amadey | ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16/04/2023, 07:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe
Size

1.1MB
MD5

91a8d5023d1dd80d6b5d8540d461b864
SHA1

d2759b6dca36ffc0d75ba6ed6e19410f63edfcea
SHA256

ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e
SHA512

d63f8dcfed1e4ac03197a34a5aa54dbbbaf915105e8ca0baee4a1e2b12ae0727ddfb6c8c5275a77553699700f3c82b6b842aa9b8e82698ad40656e212a9b7aff
SSDEEP

24576:nyh8Eue1e/KAKQRxt+F5mV6gPlsLnbiLMkScrj5gnrLxF+uzZf/xOJO:yhQD/KJQbtw1+MbkMkv0LxF+oXx

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr267349.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr267349.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr267349.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr267349.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr267349.exe

Executes dropped EXE 6 IoCs

pid	Process
1868	un529990.exe
2088	un949579.exe
2344	pr267349.exe
2092	qu297227.exe
2328	rk257975.exe
2712	si672217.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr267349.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr267349.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un949579.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un529990.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un529990.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un949579.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4980	2712	WerFault.exe	72
2564	2712	WerFault.exe	72
1428	2712	WerFault.exe	72
4588	2712	WerFault.exe	72
4632	2712	WerFault.exe	72
1480	2712	WerFault.exe	72
2948	2712	WerFault.exe	72
2928	2712	WerFault.exe	72
1544	2712	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2344	pr267349.exe
2344	pr267349.exe
2092	qu297227.exe
2092	qu297227.exe
2328	rk257975.exe
2328	rk257975.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	pr267349.exe
Token: SeDebugPrivilege	2092	qu297227.exe
Token: SeDebugPrivilege	2328	rk257975.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2712	si672217.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1868	1680	ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe	66
PID 1680 wrote to memory of 1868	1680	ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe	66
PID 1680 wrote to memory of 1868	1680	ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe	66
PID 1868 wrote to memory of 2088	1868	un529990.exe	67
PID 1868 wrote to memory of 2088	1868	un529990.exe	67
PID 1868 wrote to memory of 2088	1868	un529990.exe	67
PID 2088 wrote to memory of 2344	2088	un949579.exe	68
PID 2088 wrote to memory of 2344	2088	un949579.exe	68
PID 2088 wrote to memory of 2344	2088	un949579.exe	68
PID 2088 wrote to memory of 2092	2088	un949579.exe	69
PID 2088 wrote to memory of 2092	2088	un949579.exe	69
PID 2088 wrote to memory of 2092	2088	un949579.exe	69
PID 1868 wrote to memory of 2328	1868	un529990.exe	71
PID 1868 wrote to memory of 2328	1868	un529990.exe	71
PID 1868 wrote to memory of 2328	1868	un529990.exe	71
PID 1680 wrote to memory of 2712	1680	ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe	72
PID 1680 wrote to memory of 2712	1680	ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe	72
PID 1680 wrote to memory of 2712	1680	ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe	72

C:\Users\Admin\AppData\Local\Temp\ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe
"C:\Users\Admin\AppData\Local\Temp\ecf05a24642a86405bf229ff89c9a562961b5a523e03d2d0bb2f3754a209f89e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un529990.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un529990.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un949579.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un949579.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr267349.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr267349.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu297227.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu297227.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk257975.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk257975.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672217.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672217.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 620
    3⤵
    - Program crash
    PID:4980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 700
    3⤵
    - Program crash
    PID:2564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 840
    3⤵
    - Program crash
    PID:1428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 828
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 876
    3⤵
    - Program crash
    PID:4632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 892
    3⤵
    - Program crash
    PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1124
    3⤵
    - Program crash
    PID:2948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1152
    3⤵
    - Program crash
    PID:2928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1156
    3⤵
    - Program crash
    PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672217.exe

Filesize
391KB

MD5
ddf04463153f1e5dbc154e5ce336faf9

SHA1
c3dae185f839ef74dcbce57aec93e68551a6aa87

SHA256
d3ac829489becb0b7f4754549b2fe1a4d0894aaebd6517ab8aefbeed262bcc64

SHA512
7d6ac4e64b01aa238bf15f9d64cbca523008795c9ef8d432d9c3ec5df15b294707b13d68b9f2cef23b6e581d39e19eed7e83c6a9de05ccd2890a65951e809eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672217.exe

Filesize
391KB

MD5
ddf04463153f1e5dbc154e5ce336faf9

SHA1
c3dae185f839ef74dcbce57aec93e68551a6aa87

SHA256
d3ac829489becb0b7f4754549b2fe1a4d0894aaebd6517ab8aefbeed262bcc64

SHA512
7d6ac4e64b01aa238bf15f9d64cbca523008795c9ef8d432d9c3ec5df15b294707b13d68b9f2cef23b6e581d39e19eed7e83c6a9de05ccd2890a65951e809eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un529990.exe

Filesize
762KB

MD5
3810a75988f7673f608693a644958cf2

SHA1
620d59c8899d515b4119649e47028a749f3df852

SHA256
c5f73e477896c83f21a3b49e71cb4c041bf1930385ea0e88939f3c44320b091d

SHA512
622b2b9b6302a05d981e79497e78e361d991763065ae5e23a31a1c0c9d40323f43caa5ad987ce0c7441c43a1782f9218bc4c13bf24182fa2fed2a63b2fdd76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un529990.exe

Filesize
762KB

MD5
3810a75988f7673f608693a644958cf2

SHA1
620d59c8899d515b4119649e47028a749f3df852

SHA256
c5f73e477896c83f21a3b49e71cb4c041bf1930385ea0e88939f3c44320b091d

SHA512
622b2b9b6302a05d981e79497e78e361d991763065ae5e23a31a1c0c9d40323f43caa5ad987ce0c7441c43a1782f9218bc4c13bf24182fa2fed2a63b2fdd76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk257975.exe

Filesize
137KB

MD5
f1aaa70102ba4b1d82c59fdb5ab4d688

SHA1
458c55afce9587f3a60b2f1f622a0db0bd157b09

SHA256
9b328a597c7221d9429813635b6aa1514aacb69ec16134b2c8fc51d47404feba

SHA512
d0957dec7093c5683466766d2d3c734bbe09659f1b5ed40660985792d0399b78bb73885f2cda1dd2f82b6ff93437c683bfc0ff8fd4256a8554c5bc9523b55348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk257975.exe

Filesize
137KB

MD5
f1aaa70102ba4b1d82c59fdb5ab4d688

SHA1
458c55afce9587f3a60b2f1f622a0db0bd157b09

SHA256
9b328a597c7221d9429813635b6aa1514aacb69ec16134b2c8fc51d47404feba

SHA512
d0957dec7093c5683466766d2d3c734bbe09659f1b5ed40660985792d0399b78bb73885f2cda1dd2f82b6ff93437c683bfc0ff8fd4256a8554c5bc9523b55348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un949579.exe

Filesize
608KB

MD5
dceec7e7d6910b754eb407ae643b47f9

SHA1
a9a84bfacb85e8a2b3105c6353b61b7456bb0f9f

SHA256
862e201b2b84507b14f6c91765a6cebea584e7fc16fc8afc480a36688fed632c

SHA512
43245d13ec26edd6f8e7734d8005e935a9c45c75330304b5d1cfeb9d5fe0358ef3112ea19dc2d2e38ceb0483668e6f47bc385c7ac9d17db865735d1763720f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un949579.exe

Filesize
608KB

MD5
dceec7e7d6910b754eb407ae643b47f9

SHA1
a9a84bfacb85e8a2b3105c6353b61b7456bb0f9f

SHA256
862e201b2b84507b14f6c91765a6cebea584e7fc16fc8afc480a36688fed632c

SHA512
43245d13ec26edd6f8e7734d8005e935a9c45c75330304b5d1cfeb9d5fe0358ef3112ea19dc2d2e38ceb0483668e6f47bc385c7ac9d17db865735d1763720f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr267349.exe

Filesize
399KB

MD5
a48ac7c18e05054723335ebf771238e4

SHA1
f5530130b482d3eea1f9762a16b6edd26394c423

SHA256
461839be29ecc9521fd9457b766dc840845f0f3cbbf8bf312cf9901d11843491

SHA512
5b9a1a383550239cd3c3659f636d80f1c529929960c586e155cb92e1e337104511095feccea3d42a50092279eba104385e8fe14c1a9921a185a41a5962d26590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr267349.exe

Filesize
399KB

MD5
a48ac7c18e05054723335ebf771238e4

SHA1
f5530130b482d3eea1f9762a16b6edd26394c423

SHA256
461839be29ecc9521fd9457b766dc840845f0f3cbbf8bf312cf9901d11843491

SHA512
5b9a1a383550239cd3c3659f636d80f1c529929960c586e155cb92e1e337104511095feccea3d42a50092279eba104385e8fe14c1a9921a185a41a5962d26590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu297227.exe

Filesize
481KB

MD5
ee38c38baf2e7255a894c7a868868938

SHA1
93e0032b681ca6cf7550bea7e57b790514b12666

SHA256
dfab28cee21e38beb5e8ab3d5ee9df4c2ae50e4cdf1a53f3f33a5f0073413ef7

SHA512
df605efade2447f985588ff138c902894a2d17455f9f2c9f044096bda87990713569479af2ae6f315f7429e7c64fd5151c7c4e45059a83d29603e2155e933d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu297227.exe

Filesize
481KB

MD5
ee38c38baf2e7255a894c7a868868938

SHA1
93e0032b681ca6cf7550bea7e57b790514b12666

SHA256
dfab28cee21e38beb5e8ab3d5ee9df4c2ae50e4cdf1a53f3f33a5f0073413ef7

SHA512
df605efade2447f985588ff138c902894a2d17455f9f2c9f044096bda87990713569479af2ae6f315f7429e7c64fd5151c7c4e45059a83d29603e2155e933d72

Download Submit
memory/2092-984-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/2092-988-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2092-995-0x0000000008EC0000-0x00000000093EC000-memory.dmp

Filesize
5.2MB

Download
memory/2092-994-0x0000000008CF0000-0x0000000008EB2000-memory.dmp

Filesize
1.8MB

Download
memory/2092-993-0x0000000008C30000-0x0000000008C4E000-memory.dmp

Filesize
120KB

Download
memory/2092-992-0x0000000008A90000-0x0000000008B06000-memory.dmp

Filesize
472KB

Download
memory/2092-991-0x0000000008A20000-0x0000000008A70000-memory.dmp

Filesize
320KB

Download
memory/2092-990-0x0000000008970000-0x0000000008A02000-memory.dmp

Filesize
584KB

Download
memory/2092-989-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/2092-987-0x0000000002A40000-0x0000000002A8B000-memory.dmp

Filesize
300KB

Download
memory/2092-986-0x00000000029D0000-0x0000000002A0E000-memory.dmp

Filesize
248KB

Download
memory/2092-985-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/2092-983-0x0000000007980000-0x0000000007F86000-memory.dmp

Filesize
6.0MB

Download
memory/2092-224-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-222-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-220-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-218-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-208-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-212-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-216-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-185-0x0000000002580000-0x00000000025BC000-memory.dmp

Filesize
240KB

Download
memory/2092-186-0x0000000002610000-0x000000000264A000-memory.dmp

Filesize
232KB

Download
memory/2092-187-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-188-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-190-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-192-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-194-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-196-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-198-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-200-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-202-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-204-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/2092-205-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2092-207-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2092-209-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2092-211-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2092-214-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/2328-1001-0x0000000000AB0000-0x0000000000AD8000-memory.dmp

Filesize
160KB

Download
memory/2328-1003-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/2328-1002-0x0000000007830000-0x000000000787B000-memory.dmp

Filesize
300KB

Download
memory/2344-161-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-157-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-175-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-173-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-171-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-147-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/2344-169-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-167-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-165-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-150-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-163-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-148-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/2344-159-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-177-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-155-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-153-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-151-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2344-146-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/2344-145-0x00000000028E0000-0x00000000028F8000-memory.dmp

Filesize
96KB

Download
memory/2344-178-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2344-180-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2344-149-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/2344-144-0x0000000004EC0000-0x00000000053BE000-memory.dmp

Filesize
5.0MB

Download
memory/2344-143-0x0000000002630000-0x000000000264A000-memory.dmp

Filesize
104KB

Download
memory/2712-1009-0x0000000000810000-0x000000000084B000-memory.dmp

Filesize
236KB

Download