amadey | 9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664

Analysis

max time kernel
145s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
18/04/2023, 00:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe
Size

841KB
MD5

dd31ff790257ce768af5f310ad3393f1
SHA1

f1ea0dcd262ed148a9d2df478f2669d90076e5a0
SHA256

9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664
SHA512

98cdd56a07591c1131cb552a2ceb84e617a037d1b44d71ccd6e9e9a615250d47b1bc36e1807c64d9389dc1d32086456e4ae29fb61dad291fac99059261c4ad57
SSDEEP

12288:Zy90AkBVwTo/A96oYAShW0g9RG2Q25fb3woj/7HV3iSJJWhu7gm97WRllqQlZOL8:Zyypo95YAE1g9RG2ftgY4SJJW9DI6MI

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it711828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it711828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it711828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it711828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it711828.exe

Executes dropped EXE 6 IoCs

pid	Process
4060	ziEN3819.exe
4292	zikh9543.exe
3812	it711828.exe
3080	jr771628.exe
2568	kp700966.exe
4248	lr164819.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it711828.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zikh9543.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zikh9543.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziEN3819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziEN3819.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4268	4248	WerFault.exe	72
4972	4248	WerFault.exe	72
2128	4248	WerFault.exe	72
4088	4248	WerFault.exe	72
4132	4248	WerFault.exe	72
4100	4248	WerFault.exe	72
3776	4248	WerFault.exe	72
4528	4248	WerFault.exe	72
4756	4248	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3812	it711828.exe
3812	it711828.exe
3080	jr771628.exe
3080	jr771628.exe
2568	kp700966.exe
2568	kp700966.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	it711828.exe
Token: SeDebugPrivilege	3080	jr771628.exe
Token: SeDebugPrivilege	2568	kp700966.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4248	lr164819.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 4060	3612	9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe	66
PID 3612 wrote to memory of 4060	3612	9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe	66
PID 3612 wrote to memory of 4060	3612	9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe	66
PID 4060 wrote to memory of 4292	4060	ziEN3819.exe	67
PID 4060 wrote to memory of 4292	4060	ziEN3819.exe	67
PID 4060 wrote to memory of 4292	4060	ziEN3819.exe	67
PID 4292 wrote to memory of 3812	4292	zikh9543.exe	68
PID 4292 wrote to memory of 3812	4292	zikh9543.exe	68
PID 4292 wrote to memory of 3080	4292	zikh9543.exe	69
PID 4292 wrote to memory of 3080	4292	zikh9543.exe	69
PID 4292 wrote to memory of 3080	4292	zikh9543.exe	69
PID 4060 wrote to memory of 2568	4060	ziEN3819.exe	71
PID 4060 wrote to memory of 2568	4060	ziEN3819.exe	71
PID 4060 wrote to memory of 2568	4060	ziEN3819.exe	71
PID 3612 wrote to memory of 4248	3612	9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe	72
PID 3612 wrote to memory of 4248	3612	9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe	72
PID 3612 wrote to memory of 4248	3612	9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe	72

C:\Users\Admin\AppData\Local\Temp\9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe
"C:\Users\Admin\AppData\Local\Temp\9d25c9be5687bfd019b9d8d582b5d9952d179499792fd48e3b335e210fb7e664.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEN3819.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEN3819.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zikh9543.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zikh9543.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it711828.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it711828.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr771628.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr771628.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp700966.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp700966.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr164819.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr164819.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 640
    3⤵
    - Program crash
    PID:4268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 716
    3⤵
    - Program crash
    PID:4972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 844
    3⤵
    - Program crash
    PID:2128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 852
    3⤵
    - Program crash
    PID:4088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 884
    3⤵
    - Program crash
    PID:4132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 856
    3⤵
    - Program crash
    PID:4100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1120
    3⤵
    - Program crash
    PID:3776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1196
    3⤵
    - Program crash
    PID:4528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1248
    3⤵
    - Program crash
    PID:4756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr164819.exe

Filesize
271KB

MD5
a2fdbd60f8a0c9a804f809151789b828

SHA1
1130b0a2aa9f7a448709db0619805fa56198ddd8

SHA256
810e2f2d807a1acc79163e72503ebc23c1bef36c78bc3659310d6b9394809122

SHA512
ae173bfbd6b84e811a95bcc6d0542e5b26a019682bf7d4ab2aa974b2266b6386761e58e151613f09e873cae42975fa85847ce5164771293ac0c93b94aac60424

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr164819.exe

Filesize
271KB

MD5
a2fdbd60f8a0c9a804f809151789b828

SHA1
1130b0a2aa9f7a448709db0619805fa56198ddd8

SHA256
810e2f2d807a1acc79163e72503ebc23c1bef36c78bc3659310d6b9394809122

SHA512
ae173bfbd6b84e811a95bcc6d0542e5b26a019682bf7d4ab2aa974b2266b6386761e58e151613f09e873cae42975fa85847ce5164771293ac0c93b94aac60424

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEN3819.exe

Filesize
568KB

MD5
82afb93dc5d2fa0930611363c29a304d

SHA1
ac8f2e081fcf4f571b990cace05ef4d4c1156cdb

SHA256
c43be6bab2c76c8f043fa150fe2491cd1627c854ce37fe09e4fcb79c70d9ab75

SHA512
44f28ea8719b2f8696cfd5b0f2027d152d5ed74416fe25fe3e50447ce340a181e901a04088093e8804f1f3772153e4551230de60830a36e5852efceca5620668

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEN3819.exe

Filesize
568KB

MD5
82afb93dc5d2fa0930611363c29a304d

SHA1
ac8f2e081fcf4f571b990cace05ef4d4c1156cdb

SHA256
c43be6bab2c76c8f043fa150fe2491cd1627c854ce37fe09e4fcb79c70d9ab75

SHA512
44f28ea8719b2f8696cfd5b0f2027d152d5ed74416fe25fe3e50447ce340a181e901a04088093e8804f1f3772153e4551230de60830a36e5852efceca5620668

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp700966.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp700966.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zikh9543.exe

Filesize
414KB

MD5
673ed29e604c9d5ee6b840b1ec43fc22

SHA1
ae5b0048cb795d859d6f77c71216c4435e1c6c6f

SHA256
e5de2a06ccfa4972c2765e2bc4a181993c21cbea1fa71ba4f50dc4e2759b25c6

SHA512
16af979a09cc41e1a5914e7679185f0082ee73023dc79ee80bc6167a561a85cb711a05a1757f6bac4576c6762cab80d155a1edb6e31be37a127ff06947ec666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zikh9543.exe

Filesize
414KB

MD5
673ed29e604c9d5ee6b840b1ec43fc22

SHA1
ae5b0048cb795d859d6f77c71216c4435e1c6c6f

SHA256
e5de2a06ccfa4972c2765e2bc4a181993c21cbea1fa71ba4f50dc4e2759b25c6

SHA512
16af979a09cc41e1a5914e7679185f0082ee73023dc79ee80bc6167a561a85cb711a05a1757f6bac4576c6762cab80d155a1edb6e31be37a127ff06947ec666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it711828.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it711828.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr771628.exe

Filesize
360KB

MD5
4a1454d6204759a0ad43c1e20d9f4ad6

SHA1
e36bf6d14dd608aaf834056163754d3306444162

SHA256
54751b07091aea5da3e584f9d4563fedf8f5528263290d2ffd54a4f838378bf4

SHA512
51566e644d50794ad3ffd36c5c1767a801880ad7b06395ba1b6083e3667a476831019a8eaea32c3924ff15723aee513a34591a44ca53d4ecccb0e3b2eb7dd3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr771628.exe

Filesize
360KB

MD5
4a1454d6204759a0ad43c1e20d9f4ad6

SHA1
e36bf6d14dd608aaf834056163754d3306444162

SHA256
54751b07091aea5da3e584f9d4563fedf8f5528263290d2ffd54a4f838378bf4

SHA512
51566e644d50794ad3ffd36c5c1767a801880ad7b06395ba1b6083e3667a476831019a8eaea32c3924ff15723aee513a34591a44ca53d4ecccb0e3b2eb7dd3eb

Download Submit
memory/2568-960-0x0000000000B50000-0x0000000000B78000-memory.dmp

Filesize
160KB

Download
memory/2568-961-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/2568-962-0x00000000078D0000-0x000000000791B000-memory.dmp

Filesize
300KB

Download
memory/3080-182-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-195-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-147-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-150-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-152-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-154-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-156-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-158-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-160-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-162-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-164-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-166-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-168-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-170-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-172-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-174-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-176-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-178-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-180-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-146-0x0000000007190000-0x00000000071CA000-memory.dmp

Filesize
232KB

Download
memory/3080-185-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-184-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3080-186-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3080-188-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3080-189-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-191-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-193-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-148-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-197-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-199-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-201-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-203-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-205-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-207-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-209-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-211-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-213-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3080-942-0x000000000A1D0000-0x000000000A7D6000-memory.dmp

Filesize
6.0MB

Download
memory/3080-943-0x0000000009C20000-0x0000000009C32000-memory.dmp

Filesize
72KB

Download
memory/3080-944-0x0000000009C40000-0x0000000009D4A000-memory.dmp

Filesize
1.0MB

Download
memory/3080-945-0x0000000009D50000-0x0000000009D8E000-memory.dmp

Filesize
248KB

Download
memory/3080-946-0x0000000009EC0000-0x0000000009F0B000-memory.dmp

Filesize
300KB

Download
memory/3080-947-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3080-948-0x000000000A050000-0x000000000A0B6000-memory.dmp

Filesize
408KB

Download
memory/3080-949-0x000000000AD20000-0x000000000ADB2000-memory.dmp

Filesize
584KB

Download
memory/3080-950-0x000000000ADC0000-0x000000000AE36000-memory.dmp

Filesize
472KB

Download
memory/3080-145-0x0000000007340000-0x000000000783E000-memory.dmp

Filesize
5.0MB

Download
memory/3080-144-0x0000000004950000-0x000000000498C000-memory.dmp

Filesize
240KB

Download
memory/3080-143-0x0000000002D10000-0x0000000002D56000-memory.dmp

Filesize
280KB

Download
memory/3080-951-0x000000000AE90000-0x000000000AEAE000-memory.dmp

Filesize
120KB

Download
memory/3080-952-0x000000000AF30000-0x000000000AF80000-memory.dmp

Filesize
320KB

Download
memory/3080-953-0x000000000AFA0000-0x000000000B162000-memory.dmp

Filesize
1.8MB

Download
memory/3080-954-0x000000000B170000-0x000000000B69C000-memory.dmp

Filesize
5.2MB

Download
memory/3812-137-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/4248-968-0x00000000047F0000-0x000000000482B000-memory.dmp

Filesize
236KB

Download