amadey | be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7

Analysis

max time kernel
145s
max time network
92s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
17/04/2023, 22:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe
Size

984KB
MD5

aa93c543f8d6fe4c1d7c2aab5a17fadd
SHA1

e5edcf5e534ddd8d1e0ab5615ebe7e35d5b48787
SHA256

be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7
SHA512

8b36dd5593dae986b570d52dbf6959155c10c5b8260145bbaff5a0368c431bf91edd3829e42b39d17cf707d562e025876b61ecb2ded8e96453a79a7953e14b32
SSDEEP

24576:NyIw46HFgk+yTfF0IQEIrUz3hfz/84+YQpR9TuN:oIP6HFcyTfF0nxrUdfz/YD9T

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr186387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr186387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr186387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr186387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr186387.exe

Executes dropped EXE 6 IoCs

pid	Process
8	un764385.exe
4720	un048858.exe
4796	pr186387.exe
2544	qu655666.exe
2084	rk162509.exe
4972	si997067.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr186387.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr186387.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un764385.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un048858.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un048858.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un764385.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3464	4972	WerFault.exe	72
1516	4972	WerFault.exe	72
1996	4972	WerFault.exe	72
4412	4972	WerFault.exe	72
2684	4972	WerFault.exe	72
3524	4972	WerFault.exe	72
1548	4972	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4796	pr186387.exe
4796	pr186387.exe
2544	qu655666.exe
2544	qu655666.exe
2084	rk162509.exe
2084	rk162509.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	pr186387.exe
Token: SeDebugPrivilege	2544	qu655666.exe
Token: SeDebugPrivilege	2084	rk162509.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 8	4192	be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe	66
PID 4192 wrote to memory of 8	4192	be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe	66
PID 4192 wrote to memory of 8	4192	be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe	66
PID 8 wrote to memory of 4720	8	un764385.exe	67
PID 8 wrote to memory of 4720	8	un764385.exe	67
PID 8 wrote to memory of 4720	8	un764385.exe	67
PID 4720 wrote to memory of 4796	4720	un048858.exe	68
PID 4720 wrote to memory of 4796	4720	un048858.exe	68
PID 4720 wrote to memory of 4796	4720	un048858.exe	68
PID 4720 wrote to memory of 2544	4720	un048858.exe	69
PID 4720 wrote to memory of 2544	4720	un048858.exe	69
PID 4720 wrote to memory of 2544	4720	un048858.exe	69
PID 8 wrote to memory of 2084	8	un764385.exe	71
PID 8 wrote to memory of 2084	8	un764385.exe	71
PID 8 wrote to memory of 2084	8	un764385.exe	71
PID 4192 wrote to memory of 4972	4192	be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe	72
PID 4192 wrote to memory of 4972	4192	be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe	72
PID 4192 wrote to memory of 4972	4192	be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe	72

C:\Users\Admin\AppData\Local\Temp\be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe
"C:\Users\Admin\AppData\Local\Temp\be8fab64ea4cdee143f0740b4d056edf9acd273d375b3b53b077e15604b3b5e7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un764385.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un764385.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un048858.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un048858.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr186387.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr186387.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu655666.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu655666.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk162509.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk162509.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si997067.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si997067.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 644
    3⤵
    - Program crash
    PID:3464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 720
    3⤵
    - Program crash
    PID:1516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 848
    3⤵
    - Program crash
    PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 856
    3⤵
    - Program crash
    PID:4412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 884
    3⤵
    - Program crash
    PID:2684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 896
    3⤵
    - Program crash
    PID:3524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1080
    3⤵
    - Program crash
    PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si997067.exe

Filesize
246KB

MD5
ac3eb194ed5ab3b80a14e8189174a171

SHA1
c888d21cbdb7d01e02b5bb199d070a18c23cfda6

SHA256
708c0153842214059ea1aa8bd40086850cb5cfbc58300f18d7b6421b2d34ed38

SHA512
a776e533d4d3f483bdb649a116d4c1c5dde9617466ceacbe2ad8ffbb7ee3ea9405ee69f1ac3db2e0a2fd6c738d5bc9e7b8cf20b0753a4761d3981b249fc0b3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si997067.exe

Filesize
246KB

MD5
ac3eb194ed5ab3b80a14e8189174a171

SHA1
c888d21cbdb7d01e02b5bb199d070a18c23cfda6

SHA256
708c0153842214059ea1aa8bd40086850cb5cfbc58300f18d7b6421b2d34ed38

SHA512
a776e533d4d3f483bdb649a116d4c1c5dde9617466ceacbe2ad8ffbb7ee3ea9405ee69f1ac3db2e0a2fd6c738d5bc9e7b8cf20b0753a4761d3981b249fc0b3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un764385.exe

Filesize
710KB

MD5
405050e3b8fa32340eb243b26197b455

SHA1
8f80b77517bbfe9f3b350e25b1057aaf2770b6e5

SHA256
6385e7c003e51fb2d8d0ca40cd431201c773811e295a754b1db58fd754c36d65

SHA512
6575e5b736bdf81fad2103fed2026a9a8fc365d28060db769540ea2e9e3da2145b7bb198e95c70c69fe1eb07d5379b88f2452d46f2bebb440d0d2f24fb424096

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un764385.exe

Filesize
710KB

MD5
405050e3b8fa32340eb243b26197b455

SHA1
8f80b77517bbfe9f3b350e25b1057aaf2770b6e5

SHA256
6385e7c003e51fb2d8d0ca40cd431201c773811e295a754b1db58fd754c36d65

SHA512
6575e5b736bdf81fad2103fed2026a9a8fc365d28060db769540ea2e9e3da2145b7bb198e95c70c69fe1eb07d5379b88f2452d46f2bebb440d0d2f24fb424096

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk162509.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk162509.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un048858.exe

Filesize
555KB

MD5
47839a399836a7e7561d928c427991f5

SHA1
5cf2579c440dbd30aa5d0e6913b2a83252cfb820

SHA256
f66a0a13a1460c42bbc6f32ee85c6a368355d41f788a8b35ea1d4d0fc9e04a56

SHA512
9b2f798b078db733d36f8e4cfde69158f6ec201da15f1608db721cb6d2c1787152d31faf45abb14dfce5cd5bdfafa034bfb517df9458323dea63094dd8688595

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un048858.exe

Filesize
555KB

MD5
47839a399836a7e7561d928c427991f5

SHA1
5cf2579c440dbd30aa5d0e6913b2a83252cfb820

SHA256
f66a0a13a1460c42bbc6f32ee85c6a368355d41f788a8b35ea1d4d0fc9e04a56

SHA512
9b2f798b078db733d36f8e4cfde69158f6ec201da15f1608db721cb6d2c1787152d31faf45abb14dfce5cd5bdfafa034bfb517df9458323dea63094dd8688595

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr186387.exe

Filesize
255KB

MD5
da0bb9975c59eb4d9610be833bfbb8a4

SHA1
61488562668c2a9bb455a479bf20261c8bc2470b

SHA256
d745c0b78850cd2216562c94b1c90f7b87528a1aef2f301a509ff700be94c960

SHA512
096fbd82e05b2aa53d65ed0ec573045807ca190b26c2f5b85a5241802e2fd8fef3476c1b738cea772d0579848b609967f243a76075adc581f432ba356746a190

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr186387.exe

Filesize
255KB

MD5
da0bb9975c59eb4d9610be833bfbb8a4

SHA1
61488562668c2a9bb455a479bf20261c8bc2470b

SHA256
d745c0b78850cd2216562c94b1c90f7b87528a1aef2f301a509ff700be94c960

SHA512
096fbd82e05b2aa53d65ed0ec573045807ca190b26c2f5b85a5241802e2fd8fef3476c1b738cea772d0579848b609967f243a76075adc581f432ba356746a190

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu655666.exe

Filesize
337KB

MD5
cd91ba225421c5686e53747f98a5abbf

SHA1
95d9c385008a8331dfd7e41b87839e5525fb806c

SHA256
248015f1ceec3c9b52870de6d6ace7f0423b477f4c23d9115999c9ac6a5e4f1f

SHA512
30a9fe3294c45b74de1175748ddd649dc6a5e2ee087f3654fb527908715f4c1794c290129f2441dd2cf2fc5928ac52ac241c24391769916adbb9a625e54fe3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu655666.exe

Filesize
337KB

MD5
cd91ba225421c5686e53747f98a5abbf

SHA1
95d9c385008a8331dfd7e41b87839e5525fb806c

SHA256
248015f1ceec3c9b52870de6d6ace7f0423b477f4c23d9115999c9ac6a5e4f1f

SHA512
30a9fe3294c45b74de1175748ddd649dc6a5e2ee087f3654fb527908715f4c1794c290129f2441dd2cf2fc5928ac52ac241c24391769916adbb9a625e54fe3c4

Download Submit
memory/2084-1005-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/2084-1004-0x0000000007500000-0x000000000754B000-memory.dmp

Filesize
300KB

Download
memory/2084-1003-0x0000000000740000-0x0000000000768000-memory.dmp

Filesize
160KB

Download
memory/2544-986-0x0000000007B10000-0x0000000007B22000-memory.dmp

Filesize
72KB

Download
memory/2544-990-0x0000000007DE0000-0x0000000007E2B000-memory.dmp

Filesize
300KB

Download
memory/2544-997-0x0000000002440000-0x0000000002490000-memory.dmp

Filesize
320KB

Download
memory/2544-996-0x0000000008FD0000-0x0000000008FEE000-memory.dmp

Filesize
120KB

Download
memory/2544-995-0x0000000008990000-0x0000000008EBC000-memory.dmp

Filesize
5.2MB

Download
memory/2544-994-0x00000000087B0000-0x0000000008972000-memory.dmp

Filesize
1.8MB

Download
memory/2544-993-0x00000000086F0000-0x0000000008766000-memory.dmp

Filesize
472KB

Download
memory/2544-992-0x0000000008620000-0x00000000086B2000-memory.dmp

Filesize
584KB

Download
memory/2544-991-0x0000000007F70000-0x0000000007FD6000-memory.dmp

Filesize
408KB

Download
memory/2544-989-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2544-988-0x0000000007C60000-0x0000000007C9E000-memory.dmp

Filesize
248KB

Download
memory/2544-987-0x0000000007B40000-0x0000000007C4A000-memory.dmp

Filesize
1.0MB

Download
memory/2544-985-0x0000000007500000-0x0000000007B06000-memory.dmp

Filesize
6.0MB

Download
memory/2544-226-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-224-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-222-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-220-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-218-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-216-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-212-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-187-0x00000000022D0000-0x000000000230C000-memory.dmp

Filesize
240KB

Download
memory/2544-188-0x0000000004A80000-0x0000000004ABA000-memory.dmp

Filesize
232KB

Download
memory/2544-189-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-190-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-192-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-196-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-198-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-194-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-200-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-202-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-204-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-206-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-208-0x0000000004A80000-0x0000000004AB5000-memory.dmp

Filesize
212KB

Download
memory/2544-211-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2544-209-0x0000000000870000-0x00000000008B6000-memory.dmp

Filesize
280KB

Download
memory/2544-213-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2544-215-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4796-166-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-145-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4796-182-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4796-180-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4796-150-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-178-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4796-177-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4796-176-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-149-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-174-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-172-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-170-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-152-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-154-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-179-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4796-164-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-162-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-160-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-158-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-156-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-148-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4796-147-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4796-146-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4796-168-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4796-144-0x00000000026D0000-0x00000000026E8000-memory.dmp

Filesize
96KB

Download
memory/4796-143-0x0000000004C60000-0x000000000515E000-memory.dmp

Filesize
5.0MB

Download
memory/4796-142-0x0000000002460000-0x000000000247A000-memory.dmp

Filesize
104KB

Download
memory/4972-1011-0x0000000002120000-0x000000000215B000-memory.dmp

Filesize
236KB

Download