amadey | f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493

Analysis

max time kernel
146s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16/04/2023, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe
Size

951KB
MD5

b9e06bf0bb584793b841aff9a07d37f5
SHA1

51c9f7dbbc4135d85282b552a32d8b58cda52fa4
SHA256

f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493
SHA512

32a17b6da0e9236a031b488c8fd4b9628157e8188caf4fcf0251398477a8fb91e393351482445c02957c43e39b676f0ab4e54ae747c828ece4bb3c19358ad9c4
SSDEEP

24576:qyEK5xUIHq08B72S1vCbYQd+Dion8Lq0:xEK5bHlybqbYWGio8Lq

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it375259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it375259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it375259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it375259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it375259.exe

Executes dropped EXE 6 IoCs

pid	Process
4152	ziEk8846.exe
4312	zidp1028.exe
4888	it375259.exe
2108	jr941354.exe
4008	kp995797.exe
4140	lr496387.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it375259.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziEk8846.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziEk8846.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zidp1028.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zidp1028.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4892	4140	WerFault.exe	72
4968	4140	WerFault.exe	72
1728	4140	WerFault.exe	72
3908	4140	WerFault.exe	72
4584	4140	WerFault.exe	72
4580	4140	WerFault.exe	72
4776	4140	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4888	it375259.exe
4888	it375259.exe
2108	jr941354.exe
2108	jr941354.exe
4008	kp995797.exe
4008	kp995797.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	it375259.exe
Token: SeDebugPrivilege	2108	jr941354.exe
Token: SeDebugPrivilege	4008	kp995797.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 4152	4108	f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe	66
PID 4108 wrote to memory of 4152	4108	f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe	66
PID 4108 wrote to memory of 4152	4108	f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe	66
PID 4152 wrote to memory of 4312	4152	ziEk8846.exe	67
PID 4152 wrote to memory of 4312	4152	ziEk8846.exe	67
PID 4152 wrote to memory of 4312	4152	ziEk8846.exe	67
PID 4312 wrote to memory of 4888	4312	zidp1028.exe	68
PID 4312 wrote to memory of 4888	4312	zidp1028.exe	68
PID 4312 wrote to memory of 2108	4312	zidp1028.exe	69
PID 4312 wrote to memory of 2108	4312	zidp1028.exe	69
PID 4312 wrote to memory of 2108	4312	zidp1028.exe	69
PID 4152 wrote to memory of 4008	4152	ziEk8846.exe	71
PID 4152 wrote to memory of 4008	4152	ziEk8846.exe	71
PID 4152 wrote to memory of 4008	4152	ziEk8846.exe	71
PID 4108 wrote to memory of 4140	4108	f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe	72
PID 4108 wrote to memory of 4140	4108	f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe	72
PID 4108 wrote to memory of 4140	4108	f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe	72

C:\Users\Admin\AppData\Local\Temp\f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe
"C:\Users\Admin\AppData\Local\Temp\f26c64f64ddc778dbb2a43610108900f160cb599b91a211c1c8105d4a7757493.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEk8846.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEk8846.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidp1028.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidp1028.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it375259.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it375259.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr941354.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr941354.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp995797.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp995797.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr496387.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr496387.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 624
    3⤵
    - Program crash
    PID:4892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 696
    3⤵
    - Program crash
    PID:4968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 836
    3⤵
    - Program crash
    PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 844
    3⤵
    - Program crash
    PID:3908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 872
    3⤵
    - Program crash
    PID:4584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 820
    3⤵
    - Program crash
    PID:4580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1072
    3⤵
    - Program crash
    PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr496387.exe

Filesize
397KB

MD5
2ce731ee01438f3a48219650c44e831f

SHA1
95f1fb31df09382f8b2672efa535e891740b8834

SHA256
9494331643cabbbf55faf10961461f3b0a313f7e1b717c5d61e7d462ece71952

SHA512
dbdb771b8ea18b1eccc759615ba938b73fa87e9216481c0f4c68f663cb862236f3029d9713f3202ddd244d1bd8990be3a57667853fe3b9dff9c96a8f7fe0b173

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr496387.exe

Filesize
397KB

MD5
2ce731ee01438f3a48219650c44e831f

SHA1
95f1fb31df09382f8b2672efa535e891740b8834

SHA256
9494331643cabbbf55faf10961461f3b0a313f7e1b717c5d61e7d462ece71952

SHA512
dbdb771b8ea18b1eccc759615ba938b73fa87e9216481c0f4c68f663cb862236f3029d9713f3202ddd244d1bd8990be3a57667853fe3b9dff9c96a8f7fe0b173

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEk8846.exe

Filesize
624KB

MD5
5f1b903404a3b254b2f52eb8e9833f7d

SHA1
a68dcb63080f927200582a0356ff4afd4e431020

SHA256
d4e9a7b39d6c7595e264d0422e12a950a705b03b0bcb885807161938430aab8a

SHA512
766aa6fdcbe810f590b9c39047c24af50de27d4c357280dcf5ae452415e91781924b13c73602f82d65f87bc03aceb3affb5718380521a8ad6de8fd8380c74b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEk8846.exe

Filesize
624KB

MD5
5f1b903404a3b254b2f52eb8e9833f7d

SHA1
a68dcb63080f927200582a0356ff4afd4e431020

SHA256
d4e9a7b39d6c7595e264d0422e12a950a705b03b0bcb885807161938430aab8a

SHA512
766aa6fdcbe810f590b9c39047c24af50de27d4c357280dcf5ae452415e91781924b13c73602f82d65f87bc03aceb3affb5718380521a8ad6de8fd8380c74b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp995797.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp995797.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidp1028.exe

Filesize
469KB

MD5
6f8e0138f0d28f3833611d339a8e4324

SHA1
c204d40635808c4d265f85f1d6cf158d75522467

SHA256
8837e259114a6f01c2d480694c9a6e36f1a43f3542cd8fa83d5a2e95ca528339

SHA512
d492e3fdfc5b30e424978e5f8a65337013710f008452a822d24f485d6a4950724893799a7058eb41aa2f74af4e149dbca3a7b6f2ddc2f316762530bf386edf2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidp1028.exe

Filesize
469KB

MD5
6f8e0138f0d28f3833611d339a8e4324

SHA1
c204d40635808c4d265f85f1d6cf158d75522467

SHA256
8837e259114a6f01c2d480694c9a6e36f1a43f3542cd8fa83d5a2e95ca528339

SHA512
d492e3fdfc5b30e424978e5f8a65337013710f008452a822d24f485d6a4950724893799a7058eb41aa2f74af4e149dbca3a7b6f2ddc2f316762530bf386edf2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it375259.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it375259.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr941354.exe

Filesize
488KB

MD5
5e26b0cf02d49d7be1c6da93caf32725

SHA1
0c435c14c8b84b4f7a8dc52e5a5b8faae830d90d

SHA256
fe7a99dd1f465359fd6255b68801bb2a6aec341c5aa9f0a834ff89ffbe07925f

SHA512
fc037bf661ce5fe1eb463dd9a3dfccced07ae706c02fdd25063920c6527be21f95b550f058a93e8882f5fb9caa838d8952da137615a70cd0e34953dea2b08fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr941354.exe

Filesize
488KB

MD5
5e26b0cf02d49d7be1c6da93caf32725

SHA1
0c435c14c8b84b4f7a8dc52e5a5b8faae830d90d

SHA256
fe7a99dd1f465359fd6255b68801bb2a6aec341c5aa9f0a834ff89ffbe07925f

SHA512
fc037bf661ce5fe1eb463dd9a3dfccced07ae706c02fdd25063920c6527be21f95b550f058a93e8882f5fb9caa838d8952da137615a70cd0e34953dea2b08fa5

Download Submit
memory/2108-182-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-196-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-148-0x0000000002AC0000-0x0000000002AFA000-memory.dmp

Filesize
232KB

Download
memory/2108-149-0x0000000000910000-0x0000000000956000-memory.dmp

Filesize
280KB

Download
memory/2108-150-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/2108-151-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/2108-152-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/2108-153-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-154-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-156-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-158-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-160-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-162-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-164-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-166-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-168-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-170-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-172-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-174-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-176-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-178-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-180-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-146-0x00000000025F0000-0x000000000262C000-memory.dmp

Filesize
240KB

Download
memory/2108-184-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-186-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-188-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-190-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-192-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-194-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-147-0x0000000004E60000-0x000000000535E000-memory.dmp

Filesize
5.0MB

Download
memory/2108-198-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-200-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-202-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-204-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-206-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-210-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-208-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-212-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-214-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-216-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/2108-945-0x0000000007820000-0x0000000007E26000-memory.dmp

Filesize
6.0MB

Download
memory/2108-946-0x0000000007E70000-0x0000000007E82000-memory.dmp

Filesize
72KB

Download
memory/2108-947-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/2108-948-0x0000000007FB0000-0x0000000007FEE000-memory.dmp

Filesize
248KB

Download
memory/2108-949-0x0000000008130000-0x000000000817B000-memory.dmp

Filesize
300KB

Download
memory/2108-950-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/2108-951-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/2108-952-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/2108-953-0x0000000008B80000-0x0000000008BF6000-memory.dmp

Filesize
472KB

Download
memory/2108-954-0x0000000008C40000-0x0000000008E02000-memory.dmp

Filesize
1.8MB

Download
memory/2108-955-0x0000000008E20000-0x000000000934C000-memory.dmp

Filesize
5.2MB

Download
memory/2108-956-0x0000000009460000-0x000000000947E000-memory.dmp

Filesize
120KB

Download
memory/2108-957-0x00000000024E0000-0x0000000002530000-memory.dmp

Filesize
320KB

Download
memory/4008-963-0x0000000000B80000-0x0000000000BA8000-memory.dmp

Filesize
160KB

Download
memory/4008-964-0x0000000007C70000-0x0000000007C80000-memory.dmp

Filesize
64KB

Download
memory/4008-965-0x0000000007900000-0x000000000794B000-memory.dmp

Filesize
300KB

Download
memory/4140-971-0x0000000000920000-0x000000000095B000-memory.dmp

Filesize
236KB

Download
memory/4888-140-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download