amadey | 1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2

Analysis

max time kernel
146s
max time network
93s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
18-04-2023 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe
Size

952KB
MD5

e7cd2e16d494539cf0a558eafd77b590
SHA1

693049d4c25c36704787034a5a0d7fea9ffbd030
SHA256

1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2
SHA512

b0200cecbb28720a6ca82ab2db52b35b82f59adc5aac6306719bae52b28caf0a4250dccb7df653df5a86b8169b6846277532cf1521ec78f404d8784d231c7dbd
SSDEEP

12288:ky90I3tvaY0jQt+u57o3M3XcAygeKyaeT2wJ22LXQenYpghuKrxiIWMI:kyXRabjQ+MbygeKR8p2mAeY2PxPxI

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it833614.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it833614.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it833614.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it833614.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it833614.exe

Executes dropped EXE 6 IoCs

pid	Process
2464	zimM3060.exe
2492	zikr6784.exe
4456	it833614.exe
4172	jr894751.exe
4152	kp005613.exe
420	lr416424.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it833614.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zimM3060.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zimM3060.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zikr6784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zikr6784.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2244	420	WerFault.exe	72
2508	420	WerFault.exe	72
2124	420	WerFault.exe	72
4756	420	WerFault.exe	72
2624	420	WerFault.exe	72
3752	420	WerFault.exe	72
4832	420	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4456	it833614.exe
4456	it833614.exe
4172	jr894751.exe
4172	jr894751.exe
4152	kp005613.exe
4152	kp005613.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	it833614.exe
Token: SeDebugPrivilege	4172	jr894751.exe
Token: SeDebugPrivilege	4152	kp005613.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2464	2168	1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe	66
PID 2168 wrote to memory of 2464	2168	1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe	66
PID 2168 wrote to memory of 2464	2168	1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe	66
PID 2464 wrote to memory of 2492	2464	zimM3060.exe	67
PID 2464 wrote to memory of 2492	2464	zimM3060.exe	67
PID 2464 wrote to memory of 2492	2464	zimM3060.exe	67
PID 2492 wrote to memory of 4456	2492	zikr6784.exe	68
PID 2492 wrote to memory of 4456	2492	zikr6784.exe	68
PID 2492 wrote to memory of 4172	2492	zikr6784.exe	69
PID 2492 wrote to memory of 4172	2492	zikr6784.exe	69
PID 2492 wrote to memory of 4172	2492	zikr6784.exe	69
PID 2464 wrote to memory of 4152	2464	zimM3060.exe	71
PID 2464 wrote to memory of 4152	2464	zimM3060.exe	71
PID 2464 wrote to memory of 4152	2464	zimM3060.exe	71
PID 2168 wrote to memory of 420	2168	1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe	72
PID 2168 wrote to memory of 420	2168	1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe	72
PID 2168 wrote to memory of 420	2168	1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe	72

C:\Users\Admin\AppData\Local\Temp\1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe
"C:\Users\Admin\AppData\Local\Temp\1198f9734025e6d21cb44b69daf796006435b536c84d237376707b6cda734ad2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimM3060.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimM3060.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zikr6784.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zikr6784.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it833614.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it833614.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr894751.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr894751.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp005613.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp005613.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr416424.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr416424.exe
  2⤵
  - Executes dropped EXE
  PID:420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 620
    3⤵
    - Program crash
    PID:2244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 700
    3⤵
    - Program crash
    PID:2508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 840
    3⤵
    - Program crash
    PID:2124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 684
    3⤵
    - Program crash
    PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 876
    3⤵
    - Program crash
    PID:2624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 904
    3⤵
    - Program crash
    PID:3752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 1056
    3⤵
    - Program crash
    PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr416424.exe

Filesize
395KB

MD5
e799b11d469433a4b2482556d9b1e615

SHA1
96ebad7121f4bf608b7c0a5a28966053f8389cb5

SHA256
3cc3f6981966e650fb6b17dfe1adc8e99f1dd63cc8662526540c8f233b0473c9

SHA512
93fe220ddd6d8c2177a8ee882ef96c056ab4d3762762e1b3806055bc3d265ea41b18b558697b0f16053213ef2571b52f95683ca54b6bd5a6d3ce97057a1c57bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr416424.exe

Filesize
395KB

MD5
e799b11d469433a4b2482556d9b1e615

SHA1
96ebad7121f4bf608b7c0a5a28966053f8389cb5

SHA256
3cc3f6981966e650fb6b17dfe1adc8e99f1dd63cc8662526540c8f233b0473c9

SHA512
93fe220ddd6d8c2177a8ee882ef96c056ab4d3762762e1b3806055bc3d265ea41b18b558697b0f16053213ef2571b52f95683ca54b6bd5a6d3ce97057a1c57bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimM3060.exe

Filesize
624KB

MD5
27e83d0cc6f70261f06d7258dcb550dd

SHA1
768bb7d54b42a2c926d6dcaf2e87de97df5b0929

SHA256
57d2b2dff6bffad802d3bd0886cd048588eced265dfb9e26c864d293b40586ef

SHA512
25969f9d9f2a3db7ee9c251cd7322c679d18a1961ed3faef9d9aa9f2ae23f8ee289cf298c79fbe2b4c5fed6b3977505790dca2c6db29512c0b673ceac8a8d0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimM3060.exe

Filesize
624KB

MD5
27e83d0cc6f70261f06d7258dcb550dd

SHA1
768bb7d54b42a2c926d6dcaf2e87de97df5b0929

SHA256
57d2b2dff6bffad802d3bd0886cd048588eced265dfb9e26c864d293b40586ef

SHA512
25969f9d9f2a3db7ee9c251cd7322c679d18a1961ed3faef9d9aa9f2ae23f8ee289cf298c79fbe2b4c5fed6b3977505790dca2c6db29512c0b673ceac8a8d0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp005613.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp005613.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zikr6784.exe

Filesize
470KB

MD5
fc1a8ef053c0ced5051fd641c3eac2ba

SHA1
f3ebd4bea44aa94e5e86104e0365140c6323cc57

SHA256
0dfe034655d0093a55260016837b7e3a19ac6279f28756436521f15fa2729cec

SHA512
7f9b7f7427dc44ab3212bac1a00bf1ffaef2f2fc048c11f5ae1de385d0876cbd5d493b03ae7ea1c4601a0c34a948b076230aa3721f7be7f9d59af38d7f4e8aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zikr6784.exe

Filesize
470KB

MD5
fc1a8ef053c0ced5051fd641c3eac2ba

SHA1
f3ebd4bea44aa94e5e86104e0365140c6323cc57

SHA256
0dfe034655d0093a55260016837b7e3a19ac6279f28756436521f15fa2729cec

SHA512
7f9b7f7427dc44ab3212bac1a00bf1ffaef2f2fc048c11f5ae1de385d0876cbd5d493b03ae7ea1c4601a0c34a948b076230aa3721f7be7f9d59af38d7f4e8aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it833614.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it833614.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr894751.exe

Filesize
486KB

MD5
3cf24826450c6b0fb4527e1d0431a868

SHA1
ee0963e94f0cb0f470afb09d8d6be96aedbbcf21

SHA256
01d65b89db0c27cae80459421d54560e33283c5f3d728075d7b5213bd6c94b41

SHA512
f15cc47e6ff657d9d0eb83bdb9fbc362bf6b3ce53ebfafd5b01d54845f9d75614996e1e0fc08e1d85acd11b22e0ae496ead5237a264695741ac184323ec64fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr894751.exe

Filesize
486KB

MD5
3cf24826450c6b0fb4527e1d0431a868

SHA1
ee0963e94f0cb0f470afb09d8d6be96aedbbcf21

SHA256
01d65b89db0c27cae80459421d54560e33283c5f3d728075d7b5213bd6c94b41

SHA512
f15cc47e6ff657d9d0eb83bdb9fbc362bf6b3ce53ebfafd5b01d54845f9d75614996e1e0fc08e1d85acd11b22e0ae496ead5237a264695741ac184323ec64fda

Download Submit
memory/420-973-0x00000000008E0000-0x000000000091B000-memory.dmp

Filesize
236KB

Download
memory/4152-966-0x0000000007110000-0x000000000715B000-memory.dmp

Filesize
300KB

Download
memory/4152-965-0x0000000000360000-0x0000000000388000-memory.dmp

Filesize
160KB

Download
memory/4152-967-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/4172-184-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-202-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-154-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4172-155-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-156-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-158-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-160-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-162-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-164-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-166-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-168-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-170-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-172-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-176-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-174-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-178-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-180-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-182-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-153-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4172-186-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-188-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-190-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-192-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-194-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-196-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-198-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-200-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-152-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4172-204-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-206-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-208-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-210-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-212-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-214-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-216-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-218-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/4172-947-0x0000000007820000-0x0000000007E26000-memory.dmp

Filesize
6.0MB

Download
memory/4172-948-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/4172-949-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/4172-950-0x0000000007FF0000-0x000000000802E000-memory.dmp

Filesize
248KB

Download
memory/4172-951-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4172-952-0x0000000008030000-0x000000000807B000-memory.dmp

Filesize
300KB

Download
memory/4172-953-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/4172-954-0x0000000008970000-0x0000000008A02000-memory.dmp

Filesize
584KB

Download
memory/4172-955-0x0000000008B60000-0x0000000008BB0000-memory.dmp

Filesize
320KB

Download
memory/4172-151-0x0000000000920000-0x0000000000966000-memory.dmp

Filesize
280KB

Download
memory/4172-150-0x00000000026A0000-0x00000000026DA000-memory.dmp

Filesize
232KB

Download
memory/4172-149-0x0000000004FA0000-0x000000000549E000-memory.dmp

Filesize
5.0MB

Download
memory/4172-148-0x0000000002510000-0x000000000254C000-memory.dmp

Filesize
240KB

Download
memory/4172-956-0x0000000008BD0000-0x0000000008C46000-memory.dmp

Filesize
472KB

Download
memory/4172-957-0x0000000008D70000-0x0000000008D8E000-memory.dmp

Filesize
120KB

Download
memory/4172-958-0x0000000008EA0000-0x0000000009062000-memory.dmp

Filesize
1.8MB

Download
memory/4172-959-0x0000000009070000-0x000000000959C000-memory.dmp

Filesize
5.2MB

Download
memory/4456-142-0x0000000000D10000-0x0000000000D1A000-memory.dmp

Filesize
40KB

Download