amadey | 1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744

Analysis

max time kernel
147s
max time network
94s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
17/04/2023, 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe
Size

983KB
MD5

7947957b2ad4035e18c81b0d4ce40792
SHA1

ef963908a524d5d1f436f87ccaab28a311e73c4c
SHA256

1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744
SHA512

2aff16e3cd5db1a56be427ef19112dfed707705f7d8d4dfabc094104c8298e5b31817bdefa2936221dffb9dc0fd21f8eb1f4bdecca5c579ca36e9218d4758caf
SSDEEP

12288:gy90aBrgonmyGYkhqLa84aVSYVqc+JxktaDyr6kZmtQjKUgM5or3J:gyfBr5nlGYa4autSxpO6FqKNjJ

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr770011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr770011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr770011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr770011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr770011.exe

Executes dropped EXE 6 IoCs

pid	Process
2520	un766738.exe
2616	un759897.exe
4132	pr770011.exe
1480	qu701191.exe
3932	rk077732.exe
4888	si804239.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr770011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr770011.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un759897.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un766738.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un766738.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un759897.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1076	4888	WerFault.exe	72
3036	4888	WerFault.exe	72
3508	4888	WerFault.exe	72
1516	4888	WerFault.exe	72
1096	4888	WerFault.exe	72
4912	4888	WerFault.exe	72
5068	4888	WerFault.exe	72
5088	4888	WerFault.exe	72
3228	4888	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4132	pr770011.exe
4132	pr770011.exe
1480	qu701191.exe
1480	qu701191.exe
3932	rk077732.exe
3932	rk077732.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4132	pr770011.exe
Token: SeDebugPrivilege	1480	qu701191.exe
Token: SeDebugPrivilege	3932	rk077732.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2520	2292	1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe	66
PID 2292 wrote to memory of 2520	2292	1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe	66
PID 2292 wrote to memory of 2520	2292	1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe	66
PID 2520 wrote to memory of 2616	2520	un766738.exe	67
PID 2520 wrote to memory of 2616	2520	un766738.exe	67
PID 2520 wrote to memory of 2616	2520	un766738.exe	67
PID 2616 wrote to memory of 4132	2616	un759897.exe	68
PID 2616 wrote to memory of 4132	2616	un759897.exe	68
PID 2616 wrote to memory of 4132	2616	un759897.exe	68
PID 2616 wrote to memory of 1480	2616	un759897.exe	69
PID 2616 wrote to memory of 1480	2616	un759897.exe	69
PID 2616 wrote to memory of 1480	2616	un759897.exe	69
PID 2520 wrote to memory of 3932	2520	un766738.exe	71
PID 2520 wrote to memory of 3932	2520	un766738.exe	71
PID 2520 wrote to memory of 3932	2520	un766738.exe	71
PID 2292 wrote to memory of 4888	2292	1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe	72
PID 2292 wrote to memory of 4888	2292	1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe	72
PID 2292 wrote to memory of 4888	2292	1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe	72

C:\Users\Admin\AppData\Local\Temp\1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe
"C:\Users\Admin\AppData\Local\Temp\1c6c479be15c88bf8dce5c41c225a1e4fb660c0272f4a2eca2ecc64bd9d83744.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un766738.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un766738.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un759897.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un759897.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr770011.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr770011.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu701191.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu701191.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077732.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077732.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si804239.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si804239.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 640
    3⤵
    - Program crash
    PID:1076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 716
    3⤵
    - Program crash
    PID:3036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 844
    3⤵
    - Program crash
    PID:3508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 820
    3⤵
    - Program crash
    PID:1516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 880
    3⤵
    - Program crash
    PID:1096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 904
    3⤵
    - Program crash
    PID:4912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1120
    3⤵
    - Program crash
    PID:5068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1152
    3⤵
    - Program crash
    PID:5088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1076
    3⤵
    - Program crash
    PID:3228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si804239.exe

Filesize
247KB

MD5
3563508fced24a0217548b6d9c8ee8bd

SHA1
d66b26769526eb331d9ec053c7aa6a8ff676dd76

SHA256
0a00d2fd045a7a3127b90096e6a7aee571841ca2f229875ca7d51bf1b67ef772

SHA512
3d673c63251bd805989cd873929c2ab9a0cebf71d9d58d3c9d1d71fe0b5678151257e379d742367dcd66118ec25167e0b568c232bc349380fbfd2c85f077ba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si804239.exe

Filesize
247KB

MD5
3563508fced24a0217548b6d9c8ee8bd

SHA1
d66b26769526eb331d9ec053c7aa6a8ff676dd76

SHA256
0a00d2fd045a7a3127b90096e6a7aee571841ca2f229875ca7d51bf1b67ef772

SHA512
3d673c63251bd805989cd873929c2ab9a0cebf71d9d58d3c9d1d71fe0b5678151257e379d742367dcd66118ec25167e0b568c232bc349380fbfd2c85f077ba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un766738.exe

Filesize
708KB

MD5
b92eb887b90862a999baef4600a368b1

SHA1
d59b852ca90aa90e3e46993b39c8329acf032a24

SHA256
9588377a00c1b681a60e406433440611da0d6353bcc41fe62281bdf3e860727d

SHA512
0f887f7fb614af8526c47e4352b68bcc42ad8a3f224b89dd0472f717bcfac044ba52f39478a7100bc278a6bc5c2f7dc530754c0fd6487a5c5f689e0773b8e306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un766738.exe

Filesize
708KB

MD5
b92eb887b90862a999baef4600a368b1

SHA1
d59b852ca90aa90e3e46993b39c8329acf032a24

SHA256
9588377a00c1b681a60e406433440611da0d6353bcc41fe62281bdf3e860727d

SHA512
0f887f7fb614af8526c47e4352b68bcc42ad8a3f224b89dd0472f717bcfac044ba52f39478a7100bc278a6bc5c2f7dc530754c0fd6487a5c5f689e0773b8e306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077732.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077732.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un759897.exe

Filesize
554KB

MD5
739f55a6aed1fdef09091fff02aa93c7

SHA1
977fdcfe35d37ecf3d720ecf53af66c4f73f88d8

SHA256
e51ad0c2ff8a19d39db056007dc2a1a5d74032ef802fb3054854351f2be86348

SHA512
821213ac53e460f519d73c9a55a96a057ec6bdddd07041f9405061801afce268b9917a1d745eef432bb9db06db0f6a47351180339ab6f50e452d4ccf580040b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un759897.exe

Filesize
554KB

MD5
739f55a6aed1fdef09091fff02aa93c7

SHA1
977fdcfe35d37ecf3d720ecf53af66c4f73f88d8

SHA256
e51ad0c2ff8a19d39db056007dc2a1a5d74032ef802fb3054854351f2be86348

SHA512
821213ac53e460f519d73c9a55a96a057ec6bdddd07041f9405061801afce268b9917a1d745eef432bb9db06db0f6a47351180339ab6f50e452d4ccf580040b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr770011.exe

Filesize
255KB

MD5
58911ce2c427b950f78e31c2b7537321

SHA1
52f09db8c898be35daa856a3642baba0d8b127eb

SHA256
fba7a7e2f87f8ac259f3456b0310bc9c9f3e122fb503e17cd571184d7732dbf0

SHA512
eddf19331f71f7064590499c17c4608bd9a9cf07149904ef574028cba4916004d6770800b95f36c34f09a7c8297d59ef4f1b662c85475a0307797985a3adca1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr770011.exe

Filesize
255KB

MD5
58911ce2c427b950f78e31c2b7537321

SHA1
52f09db8c898be35daa856a3642baba0d8b127eb

SHA256
fba7a7e2f87f8ac259f3456b0310bc9c9f3e122fb503e17cd571184d7732dbf0

SHA512
eddf19331f71f7064590499c17c4608bd9a9cf07149904ef574028cba4916004d6770800b95f36c34f09a7c8297d59ef4f1b662c85475a0307797985a3adca1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu701191.exe

Filesize
338KB

MD5
43eb6f14b9ef8a533721a3026511888a

SHA1
f1b84c45a574052950521804d416461847345045

SHA256
06f2e8716c407584c312a94a63cf7eecfae547f58638eddbffffe00ed04a9c11

SHA512
0acaa2c9b252fa76220021461f30e8958d443acfe712f91206d6fee45bca75d394fe292dc5059af04a64137315d15fb08834dc50f16fe0f8ac583ffbc6422518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu701191.exe

Filesize
338KB

MD5
43eb6f14b9ef8a533721a3026511888a

SHA1
f1b84c45a574052950521804d416461847345045

SHA256
06f2e8716c407584c312a94a63cf7eecfae547f58638eddbffffe00ed04a9c11

SHA512
0acaa2c9b252fa76220021461f30e8958d443acfe712f91206d6fee45bca75d394fe292dc5059af04a64137315d15fb08834dc50f16fe0f8ac583ffbc6422518

Download Submit
memory/1480-984-0x0000000007B40000-0x0000000007C4A000-memory.dmp

Filesize
1.0MB

Download
memory/1480-986-0x0000000007DE0000-0x0000000007E2B000-memory.dmp

Filesize
300KB

Download
memory/1480-994-0x0000000004530000-0x0000000004580000-memory.dmp

Filesize
320KB

Download
memory/1480-993-0x0000000008B30000-0x000000000905C000-memory.dmp

Filesize
5.2MB

Download
memory/1480-992-0x0000000008960000-0x0000000008B22000-memory.dmp

Filesize
1.8MB

Download
memory/1480-991-0x0000000008790000-0x00000000087AE000-memory.dmp

Filesize
120KB

Download
memory/1480-990-0x00000000086D0000-0x0000000008746000-memory.dmp

Filesize
472KB

Download
memory/1480-989-0x0000000008620000-0x00000000086B2000-memory.dmp

Filesize
584KB

Download
memory/1480-988-0x0000000007F70000-0x0000000007FD6000-memory.dmp

Filesize
408KB

Download
memory/1480-987-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1480-985-0x0000000007C60000-0x0000000007C9E000-memory.dmp

Filesize
248KB

Download
memory/1480-983-0x0000000007B10000-0x0000000007B22000-memory.dmp

Filesize
72KB

Download
memory/1480-982-0x0000000007490000-0x0000000007A96000-memory.dmp

Filesize
6.0MB

Download
memory/1480-223-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-221-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-216-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-219-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-217-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1480-213-0x0000000002160000-0x00000000021A6000-memory.dmp

Filesize
280KB

Download
memory/1480-214-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1480-185-0x00000000024B0000-0x00000000024EC000-memory.dmp

Filesize
240KB

Download
memory/1480-186-0x0000000004F90000-0x0000000004FCA000-memory.dmp

Filesize
232KB

Download
memory/1480-188-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-187-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-190-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-192-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-194-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-196-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-198-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-200-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-202-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-204-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-206-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-210-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-208-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/1480-212-0x0000000004F90000-0x0000000004FC5000-memory.dmp

Filesize
212KB

Download
memory/3932-1000-0x0000000000950000-0x0000000000978000-memory.dmp

Filesize
160KB

Download
memory/3932-1002-0x00000000076F0000-0x000000000773B000-memory.dmp

Filesize
300KB

Download
memory/3932-1001-0x00000000076E0000-0x00000000076F0000-memory.dmp

Filesize
64KB

Download
memory/4132-163-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-159-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-176-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4132-175-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-173-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-171-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-147-0x00000000023C0000-0x00000000023D8000-memory.dmp

Filesize
96KB

Download
memory/4132-169-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-153-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-167-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-165-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-148-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-161-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-177-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4132-157-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-155-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-149-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-146-0x0000000004C60000-0x000000000515E000-memory.dmp

Filesize
5.0MB

Download
memory/4132-145-0x00000000022F0000-0x000000000230A000-memory.dmp

Filesize
104KB

Download
memory/4132-178-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4132-180-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4132-151-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4132-144-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4132-143-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4888-1008-0x0000000001FE0000-0x000000000201B000-memory.dmp

Filesize
236KB

Download