amadey | 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33

Analysis

max time kernel
144s
max time network
90s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
17/04/2023, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe
Size

980KB
MD5

12a5b2c98bbeebabb3f583e6c329217c
SHA1

7db94993d92c87e3e0cd97f2b142661d2c7a7fb1
SHA256

5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33
SHA512

8a9d6578d9afbb1c6ed81839a678c457559bbde6a6107b3778bcb16e52575eb74febcd4edfedf4b27716c30fdffdd2d5aef118f768b0ea005292da415e05711d
SSDEEP

24576:MycYTw6pQhVHfhISr5zRRVWX+PKoVgBFKWAELkXWt0QE:7cYsJhVZIqzRuOioQAWtP

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr326521.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr326521.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr326521.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr326521.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr326521.exe

Executes dropped EXE 6 IoCs

pid	Process
988	un697385.exe
4496	un894923.exe
4988	pr326521.exe
4856	qu626999.exe
4020	rk700955.exe
60	si879502.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr326521.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr326521.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un697385.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un697385.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un894923.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un894923.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2112	60	WerFault.exe	72
4588	60	WerFault.exe	72
4484	60	WerFault.exe	72
2652	60	WerFault.exe	72
2684	60	WerFault.exe	72
4992	60	WerFault.exe	72
4300	60	WerFault.exe	72
3992	60	WerFault.exe	72
1196	60	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4988	pr326521.exe
4988	pr326521.exe
4856	qu626999.exe
4856	qu626999.exe
4020	rk700955.exe
4020	rk700955.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	pr326521.exe
Token: SeDebugPrivilege	4856	qu626999.exe
Token: SeDebugPrivilege	4020	rk700955.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 988	3668	5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe	66
PID 3668 wrote to memory of 988	3668	5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe	66
PID 3668 wrote to memory of 988	3668	5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe	66
PID 988 wrote to memory of 4496	988	un697385.exe	67
PID 988 wrote to memory of 4496	988	un697385.exe	67
PID 988 wrote to memory of 4496	988	un697385.exe	67
PID 4496 wrote to memory of 4988	4496	un894923.exe	68
PID 4496 wrote to memory of 4988	4496	un894923.exe	68
PID 4496 wrote to memory of 4988	4496	un894923.exe	68
PID 4496 wrote to memory of 4856	4496	un894923.exe	69
PID 4496 wrote to memory of 4856	4496	un894923.exe	69
PID 4496 wrote to memory of 4856	4496	un894923.exe	69
PID 988 wrote to memory of 4020	988	un697385.exe	71
PID 988 wrote to memory of 4020	988	un697385.exe	71
PID 988 wrote to memory of 4020	988	un697385.exe	71
PID 3668 wrote to memory of 60	3668	5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe	72
PID 3668 wrote to memory of 60	3668	5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe	72
PID 3668 wrote to memory of 60	3668	5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe	72

C:\Users\Admin\AppData\Local\Temp\5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe
"C:\Users\Admin\AppData\Local\Temp\5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un697385.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un697385.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un894923.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un894923.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr326521.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr326521.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu626999.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu626999.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk700955.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk700955.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si879502.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si879502.exe
  2⤵
  - Executes dropped EXE
  PID:60
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 644
    3⤵
    - Program crash
    PID:2112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 720
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 848
    3⤵
    - Program crash
    PID:4484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 856
    3⤵
    - Program crash
    PID:2652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 884
    3⤵
    - Program crash
    PID:2684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 896
    3⤵
    - Program crash
    PID:4992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1124
    3⤵
    - Program crash
    PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1160
    3⤵
    - Program crash
    PID:3992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1204
    3⤵
    - Program crash
    PID:1196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si879502.exe

Filesize
246KB

MD5
1141efb7cc1de7dc0739d7b3fb735ab5

SHA1
9c4f1513eae1d586233def9ac91950d61cf1113d

SHA256
df2ba359f7a856f9a54385425d004fb2b045171a5f1bc2972f44e7fccb8e9580

SHA512
9b660a4b7ef00e12c4d835eb20fb9f3cda8b029eabed2f2377356853a8ba0ea9a75068669528ea6f093a6051128264d0c96be52dee6491075ff36f7134329782

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si879502.exe

Filesize
246KB

MD5
1141efb7cc1de7dc0739d7b3fb735ab5

SHA1
9c4f1513eae1d586233def9ac91950d61cf1113d

SHA256
df2ba359f7a856f9a54385425d004fb2b045171a5f1bc2972f44e7fccb8e9580

SHA512
9b660a4b7ef00e12c4d835eb20fb9f3cda8b029eabed2f2377356853a8ba0ea9a75068669528ea6f093a6051128264d0c96be52dee6491075ff36f7134329782

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un697385.exe

Filesize
706KB

MD5
29a82749a1286873a33ec86e089e772c

SHA1
29f7b746d33bcdaaaaa0f7ff96abb0f6b508faac

SHA256
66ceacd4b7cacc001c66c66f3758618446aae8bb31d75b4f73fc0498865435ad

SHA512
22205ec35ad1f42cb2a93ddfa7c2413eb29a0fc985a4e738f6faf933f15266d70e50b36498a4b54dc05a1d24af49f17bbb15c0bb2af516d748a2e302f39a7b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un697385.exe

Filesize
706KB

MD5
29a82749a1286873a33ec86e089e772c

SHA1
29f7b746d33bcdaaaaa0f7ff96abb0f6b508faac

SHA256
66ceacd4b7cacc001c66c66f3758618446aae8bb31d75b4f73fc0498865435ad

SHA512
22205ec35ad1f42cb2a93ddfa7c2413eb29a0fc985a4e738f6faf933f15266d70e50b36498a4b54dc05a1d24af49f17bbb15c0bb2af516d748a2e302f39a7b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk700955.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk700955.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un894923.exe

Filesize
552KB

MD5
9310d9f696d13503de1fd1cac419f430

SHA1
644edc5c06bf2762e366b2a8c4acd8a8af946089

SHA256
0b6d8b04d21afef1efb97a238094585157bfae6ca6f61fc03b88b031db7e4dc4

SHA512
56ec4e89937fcefda292c5271db0835e93345ae130fa343020eaa9d023e619880b46c7f010001a0851411b333c0dae70f2f00fde2942975064e2d3aa0983c65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un894923.exe

Filesize
552KB

MD5
9310d9f696d13503de1fd1cac419f430

SHA1
644edc5c06bf2762e366b2a8c4acd8a8af946089

SHA256
0b6d8b04d21afef1efb97a238094585157bfae6ca6f61fc03b88b031db7e4dc4

SHA512
56ec4e89937fcefda292c5271db0835e93345ae130fa343020eaa9d023e619880b46c7f010001a0851411b333c0dae70f2f00fde2942975064e2d3aa0983c65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr326521.exe

Filesize
254KB

MD5
b2b187b249bb640fce19729541466401

SHA1
2f29e11fe1cc499ebbd029e1a22bcb16ad1d329d

SHA256
262c499542d1dbc36bb2fec32c32e947f08249df8d8a4fab0dc2b3b96a7ee70c

SHA512
ac1e4f293a72861961977fb3446713ff3e826f686c43a17c28ecae3aa2be8af9aa8e97f7bd253e1729e04e5e59a585e07d41d2eefdfc16618ffe929f2f3af9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr326521.exe

Filesize
254KB

MD5
b2b187b249bb640fce19729541466401

SHA1
2f29e11fe1cc499ebbd029e1a22bcb16ad1d329d

SHA256
262c499542d1dbc36bb2fec32c32e947f08249df8d8a4fab0dc2b3b96a7ee70c

SHA512
ac1e4f293a72861961977fb3446713ff3e826f686c43a17c28ecae3aa2be8af9aa8e97f7bd253e1729e04e5e59a585e07d41d2eefdfc16618ffe929f2f3af9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu626999.exe

Filesize
337KB

MD5
22c2f286706d373193b719008fff8366

SHA1
c91efe0d4a705eea050a72e33ee2dad067ba1a87

SHA256
676c6e245438d0cef25badd803ffe4e7f4d55e9855e8668cc1eb4c361a1c909b

SHA512
1d275ae1036ba668a4a953e4deff17bb1845570c8aba2455e9a2371b12646947d70aff76b0695118610fc1e40fdae7a0646e9ea42d43d85867a7091db98bf3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu626999.exe

Filesize
337KB

MD5
22c2f286706d373193b719008fff8366

SHA1
c91efe0d4a705eea050a72e33ee2dad067ba1a87

SHA256
676c6e245438d0cef25badd803ffe4e7f4d55e9855e8668cc1eb4c361a1c909b

SHA512
1d275ae1036ba668a4a953e4deff17bb1845570c8aba2455e9a2371b12646947d70aff76b0695118610fc1e40fdae7a0646e9ea42d43d85867a7091db98bf3af

Download Submit
memory/60-1010-0x0000000002120000-0x000000000215B000-memory.dmp

Filesize
236KB

Download
memory/4020-1004-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4020-1003-0x0000000007260000-0x00000000072AB000-memory.dmp

Filesize
300KB

Download
memory/4020-1002-0x00000000004E0000-0x0000000000508000-memory.dmp

Filesize
160KB

Download
memory/4856-985-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/4856-987-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/4856-996-0x0000000008B80000-0x00000000090AC000-memory.dmp

Filesize
5.2MB

Download
memory/4856-995-0x00000000089B0000-0x0000000008B72000-memory.dmp

Filesize
1.8MB

Download
memory/4856-994-0x0000000008840000-0x0000000008890000-memory.dmp

Filesize
320KB

Download
memory/4856-993-0x00000000087A0000-0x00000000087BE000-memory.dmp

Filesize
120KB

Download
memory/4856-992-0x00000000086D0000-0x0000000008746000-memory.dmp

Filesize
472KB

Download
memory/4856-991-0x0000000008630000-0x00000000086C2000-memory.dmp

Filesize
584KB

Download
memory/4856-990-0x0000000007960000-0x00000000079C6000-memory.dmp

Filesize
408KB

Download
memory/4856-989-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4856-988-0x00000000077D0000-0x000000000781B000-memory.dmp

Filesize
300KB

Download
memory/4856-986-0x0000000007540000-0x000000000764A000-memory.dmp

Filesize
1.0MB

Download
memory/4856-984-0x0000000007B50000-0x0000000008156000-memory.dmp

Filesize
6.0MB

Download
memory/4856-438-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4856-436-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4856-434-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4856-432-0x0000000000630000-0x0000000000676000-memory.dmp

Filesize
280KB

Download
memory/4856-221-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-219-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-186-0x0000000002260000-0x000000000229C000-memory.dmp

Filesize
240KB

Download
memory/4856-187-0x0000000002440000-0x000000000247A000-memory.dmp

Filesize
232KB

Download
memory/4856-189-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-188-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-191-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-193-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-195-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-197-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-199-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-201-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-203-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-205-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-207-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-209-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-211-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-213-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-215-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4856-217-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/4988-171-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-144-0x0000000004E00000-0x00000000052FE000-memory.dmp

Filesize
5.0MB

Download
memory/4988-181-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4988-179-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4988-178-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4988-177-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4988-176-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4988-149-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-175-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-155-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-173-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-165-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-153-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-151-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-169-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-163-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-161-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-159-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-157-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-148-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-147-0x00000000025B0000-0x00000000025C8000-memory.dmp

Filesize
96KB

Download
memory/4988-146-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4988-143-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4988-145-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4988-167-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4988-142-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4988-141-0x0000000002440000-0x000000000245A000-memory.dmp

Filesize
104KB

Download