amadey | e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6

Analysis

max time kernel
142s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
17/04/2023, 19:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe
Size

982KB
MD5

127bedee4c6894eca1355061cf6caf1a
SHA1

89d954098bf17885c786f4bc9aebfa5a5ee7a181
SHA256

e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6
SHA512

80f1cafa3bddb559314bc24ce6d0ec53797a1e16735ab357209f9c8350011fe0bcb354e77af68b8a9f4573221ae16b37bad12b8a01789cd76f6e2f13b5ae2911
SSDEEP

12288:oy903zzrfche5VDWz03K8PwavkgNoWC9PT1lsCb+yIX+FUILx6TxBhPUfkne:oy0NPBPfcgi7PMIm+jcBBUfX

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr275489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr275489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr275489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr275489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr275489.exe

Executes dropped EXE 6 IoCs

pid	Process
3280	un946943.exe
3396	un388457.exe
3404	pr275489.exe
1940	qu716969.exe
2652	rk382974.exe
4628	si279762.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr275489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr275489.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un388457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un388457.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un946943.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un946943.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3676	4628	WerFault.exe	72
4708	4628	WerFault.exe	72
4132	4628	WerFault.exe	72
1384	4628	WerFault.exe	72
1708	4628	WerFault.exe	72
3780	4628	WerFault.exe	72
4824	4628	WerFault.exe	72
2068	4628	WerFault.exe	72
4116	4628	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3404	pr275489.exe
3404	pr275489.exe
1940	qu716969.exe
1940	qu716969.exe
2652	rk382974.exe
2652	rk382974.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	pr275489.exe
Token: SeDebugPrivilege	1940	qu716969.exe
Token: SeDebugPrivilege	2652	rk382974.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 3280	2900	e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe	66
PID 2900 wrote to memory of 3280	2900	e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe	66
PID 2900 wrote to memory of 3280	2900	e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe	66
PID 3280 wrote to memory of 3396	3280	un946943.exe	67
PID 3280 wrote to memory of 3396	3280	un946943.exe	67
PID 3280 wrote to memory of 3396	3280	un946943.exe	67
PID 3396 wrote to memory of 3404	3396	un388457.exe	68
PID 3396 wrote to memory of 3404	3396	un388457.exe	68
PID 3396 wrote to memory of 3404	3396	un388457.exe	68
PID 3396 wrote to memory of 1940	3396	un388457.exe	69
PID 3396 wrote to memory of 1940	3396	un388457.exe	69
PID 3396 wrote to memory of 1940	3396	un388457.exe	69
PID 3280 wrote to memory of 2652	3280	un946943.exe	71
PID 3280 wrote to memory of 2652	3280	un946943.exe	71
PID 3280 wrote to memory of 2652	3280	un946943.exe	71
PID 2900 wrote to memory of 4628	2900	e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe	72
PID 2900 wrote to memory of 4628	2900	e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe	72
PID 2900 wrote to memory of 4628	2900	e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe	72

C:\Users\Admin\AppData\Local\Temp\e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe
"C:\Users\Admin\AppData\Local\Temp\e5962e104f6dd6f3bdf7ddeb6e169dc7c224aa7e3075885c6d356891b4d82ee6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946943.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946943.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un388457.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un388457.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr275489.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr275489.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu716969.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu716969.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk382974.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk382974.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si279762.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si279762.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 640
    3⤵
    - Program crash
    PID:3676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 716
    3⤵
    - Program crash
    PID:4708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 776
    3⤵
    - Program crash
    PID:4132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 852
    3⤵
    - Program crash
    PID:1384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 880
    3⤵
    - Program crash
    PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 932
    3⤵
    - Program crash
    PID:3780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1132
    3⤵
    - Program crash
    PID:4824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1184
    3⤵
    - Program crash
    PID:2068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1152
    3⤵
    - Program crash
    PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si279762.exe

Filesize
246KB

MD5
9b0162f80597586445211439fe49aa48

SHA1
2d50bb04a33854c08ff576a8d698b9bb1ffa45a4

SHA256
72ae55c9b3043eab8eea841dafc529f92c41dc3bd8d033cdec417bf429883062

SHA512
f2eb7cbf1abe967c16fa6da85dd925b15e8edce01ce314b93e4ee804313b43bfa7e59b16d221ff07a840794dc2125540383b4e45308cddb6bda6ace2f7043115

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si279762.exe

Filesize
246KB

MD5
9b0162f80597586445211439fe49aa48

SHA1
2d50bb04a33854c08ff576a8d698b9bb1ffa45a4

SHA256
72ae55c9b3043eab8eea841dafc529f92c41dc3bd8d033cdec417bf429883062

SHA512
f2eb7cbf1abe967c16fa6da85dd925b15e8edce01ce314b93e4ee804313b43bfa7e59b16d221ff07a840794dc2125540383b4e45308cddb6bda6ace2f7043115

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946943.exe

Filesize
709KB

MD5
401d783516c5b00d7ebab9682930c448

SHA1
c848edbfe22242ab013af159fadd89dc21569dd0

SHA256
1b89ff71bc73205bb3b792bf97f715b80f7060c443f45316c5980b9b3a37cda9

SHA512
f9acdac352457477d3d5d06bf718716ff54115e8a4c294a7de02bb10b762d198cc93faef43fc8e4e40769ab15430e18b4bab250e548290689a79ed8ff223b515

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946943.exe

Filesize
709KB

MD5
401d783516c5b00d7ebab9682930c448

SHA1
c848edbfe22242ab013af159fadd89dc21569dd0

SHA256
1b89ff71bc73205bb3b792bf97f715b80f7060c443f45316c5980b9b3a37cda9

SHA512
f9acdac352457477d3d5d06bf718716ff54115e8a4c294a7de02bb10b762d198cc93faef43fc8e4e40769ab15430e18b4bab250e548290689a79ed8ff223b515

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk382974.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk382974.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un388457.exe

Filesize
555KB

MD5
7a5df7cf44e7451bc8280feacd7b95c4

SHA1
748a5ab288c8132bab171b11cb8a986cba8244dd

SHA256
6d438e0d9dbb9baaab7e23772685c1c970efd84165a023e5dfbe38c11a10ea2b

SHA512
e62b1f7bf90d27ae4a25c3baadd613721896c7ab6d9e0b1a38bde8739eea86c8a81af8bb63e7b3306876cfccfcad3030d31a3b3500223e79b7307dbe5f7eb9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un388457.exe

Filesize
555KB

MD5
7a5df7cf44e7451bc8280feacd7b95c4

SHA1
748a5ab288c8132bab171b11cb8a986cba8244dd

SHA256
6d438e0d9dbb9baaab7e23772685c1c970efd84165a023e5dfbe38c11a10ea2b

SHA512
e62b1f7bf90d27ae4a25c3baadd613721896c7ab6d9e0b1a38bde8739eea86c8a81af8bb63e7b3306876cfccfcad3030d31a3b3500223e79b7307dbe5f7eb9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr275489.exe

Filesize
255KB

MD5
cecc568fac6a5b126c7091b50eb21f47

SHA1
817ad839c29585ea2c1e2a311b67545b71b442bd

SHA256
9a2429dcf950759170c3ee6a7455f08bfb710a8dce68f6efd7a760c41fec6b56

SHA512
52e718b9e1285864a37e24641b1fb702bf75445fa09e1952bbd3fccf10daefb6396bdfe2cc34bd1724f4101e386a2e9628656a0fa6e8207e33f341936540cce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr275489.exe

Filesize
255KB

MD5
cecc568fac6a5b126c7091b50eb21f47

SHA1
817ad839c29585ea2c1e2a311b67545b71b442bd

SHA256
9a2429dcf950759170c3ee6a7455f08bfb710a8dce68f6efd7a760c41fec6b56

SHA512
52e718b9e1285864a37e24641b1fb702bf75445fa09e1952bbd3fccf10daefb6396bdfe2cc34bd1724f4101e386a2e9628656a0fa6e8207e33f341936540cce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu716969.exe

Filesize
338KB

MD5
f4fb03141e613e2e0f808bdc055d7f69

SHA1
bdbaaa5a89a5eb0572792c39cc6682f85d578afc

SHA256
a3f3e19f61d20f17a47992a58e5ef3461de5b639df6d779eb71b1e860d63a37d

SHA512
729ebc3e50bb83e540705e9e18ec5b2f61b874477b410dd317c1a97f326e6fa14badb745f3603fcceb22c783e306fa0ee5d995c5afa5f988cea5108867fd3a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu716969.exe

Filesize
338KB

MD5
f4fb03141e613e2e0f808bdc055d7f69

SHA1
bdbaaa5a89a5eb0572792c39cc6682f85d578afc

SHA256
a3f3e19f61d20f17a47992a58e5ef3461de5b639df6d779eb71b1e860d63a37d

SHA512
729ebc3e50bb83e540705e9e18ec5b2f61b874477b410dd317c1a97f326e6fa14badb745f3603fcceb22c783e306fa0ee5d995c5afa5f988cea5108867fd3a25

Download Submit
memory/1940-984-0x0000000007C00000-0x0000000007D0A000-memory.dmp

Filesize
1.0MB

Download
memory/1940-988-0x0000000007F70000-0x0000000007FD6000-memory.dmp

Filesize
408KB

Download
memory/1940-998-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1940-997-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1940-996-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1940-994-0x0000000008B80000-0x00000000090AC000-memory.dmp

Filesize
5.2MB

Download
memory/1940-993-0x00000000089A0000-0x0000000008B62000-memory.dmp

Filesize
1.8MB

Download
memory/1940-992-0x0000000008950000-0x00000000089A0000-memory.dmp

Filesize
320KB

Download
memory/1940-991-0x0000000008890000-0x00000000088AE000-memory.dmp

Filesize
120KB

Download
memory/1940-990-0x00000000087D0000-0x0000000008846000-memory.dmp

Filesize
472KB

Download
memory/1940-989-0x0000000008620000-0x00000000086B2000-memory.dmp

Filesize
584KB

Download
memory/1940-987-0x0000000007E10000-0x0000000007E5B000-memory.dmp

Filesize
300KB

Download
memory/1940-986-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1940-985-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1940-983-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1940-982-0x00000000075F0000-0x0000000007BF6000-memory.dmp

Filesize
6.0MB

Download
memory/1940-205-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-207-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-209-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-184-0x0000000002590000-0x00000000025CC000-memory.dmp

Filesize
240KB

Download
memory/1940-185-0x0000000002610000-0x000000000264A000-memory.dmp

Filesize
232KB

Download
memory/1940-186-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-187-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-189-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-191-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-193-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-195-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-197-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-203-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-201-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-199-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-210-0x0000000000620000-0x0000000000666000-memory.dmp

Filesize
280KB

Download
memory/1940-214-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1940-215-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1940-217-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-213-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-223-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-221-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-219-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1940-211-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2652-1004-0x0000000000740000-0x0000000000768000-memory.dmp

Filesize
160KB

Download
memory/2652-1006-0x00000000077D0000-0x00000000077E0000-memory.dmp

Filesize
64KB

Download
memory/2652-1005-0x00000000074C0000-0x000000000750B000-memory.dmp

Filesize
300KB

Download
memory/3404-165-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-161-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-147-0x0000000002460000-0x0000000002478000-memory.dmp

Filesize
96KB

Download
memory/3404-175-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-173-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-171-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-151-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-169-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-167-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-148-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-163-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-176-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3404-159-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-157-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-155-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-153-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-146-0x0000000004C80000-0x000000000517E000-memory.dmp

Filesize
5.0MB

Download
memory/3404-145-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3404-177-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3404-179-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3404-149-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3404-144-0x0000000000820000-0x000000000083A000-memory.dmp

Filesize
104KB

Download
memory/3404-143-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4628-1012-0x0000000000600000-0x000000000063B000-memory.dmp

Filesize
236KB

Download