amadey | 9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4

Analysis

max time kernel
145s
max time network
92s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
18/04/2023, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe
Size

1.1MB
MD5

5dfcfe42fb483319d4d9c238042d9de6
SHA1

7c4eb4372e452c561b46d6792df9b33a277ba8e2
SHA256

9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4
SHA512

b9281d179f7f590fd15e7ef25fa8eb043618f96c703f138711a4b326990f240b958e24337b7c4ea6b39c7c84de180ab50ea3d822b5348b7e550c9b2914b0376f
SSDEEP

24576:OyceDuUg63Vwk2xxzPryPxmhKx71aAOtpg5uX/saO/qdo:dtFg2J2jDyPxm4x7lOtG5uXkHSd

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr695570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr695570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr695570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr695570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr695570.exe

Executes dropped EXE 6 IoCs

pid	Process
3644	un236578.exe
4132	un651897.exe
4488	pr695570.exe
4600	qu450712.exe
2584	rk706834.exe
4292	si268340.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr695570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr695570.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un236578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un236578.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un651897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un651897.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1864	4292	WerFault.exe	72
2120	4292	WerFault.exe	72
2792	4292	WerFault.exe	72
4852	4292	WerFault.exe	72
2940	4292	WerFault.exe	72
960	4292	WerFault.exe	72
4764	4292	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4488	pr695570.exe
4488	pr695570.exe
4600	qu450712.exe
4600	qu450712.exe
2584	rk706834.exe
2584	rk706834.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	pr695570.exe
Token: SeDebugPrivilege	4600	qu450712.exe
Token: SeDebugPrivilege	2584	rk706834.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 3644	3608	9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe	66
PID 3608 wrote to memory of 3644	3608	9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe	66
PID 3608 wrote to memory of 3644	3608	9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe	66
PID 3644 wrote to memory of 4132	3644	un236578.exe	67
PID 3644 wrote to memory of 4132	3644	un236578.exe	67
PID 3644 wrote to memory of 4132	3644	un236578.exe	67
PID 4132 wrote to memory of 4488	4132	un651897.exe	68
PID 4132 wrote to memory of 4488	4132	un651897.exe	68
PID 4132 wrote to memory of 4488	4132	un651897.exe	68
PID 4132 wrote to memory of 4600	4132	un651897.exe	69
PID 4132 wrote to memory of 4600	4132	un651897.exe	69
PID 4132 wrote to memory of 4600	4132	un651897.exe	69
PID 3644 wrote to memory of 2584	3644	un236578.exe	71
PID 3644 wrote to memory of 2584	3644	un236578.exe	71
PID 3644 wrote to memory of 2584	3644	un236578.exe	71
PID 3608 wrote to memory of 4292	3608	9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe	72
PID 3608 wrote to memory of 4292	3608	9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe	72
PID 3608 wrote to memory of 4292	3608	9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe	72

C:\Users\Admin\AppData\Local\Temp\9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe
"C:\Users\Admin\AppData\Local\Temp\9de17bb5dfc46b9b5512821ab58d83751cd5a7f77545d5fdd520519a10ad27a4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un236578.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un236578.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un651897.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un651897.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr695570.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr695570.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu450712.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu450712.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4600
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk706834.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk706834.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si268340.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si268340.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 620
    3⤵
    - Program crash
    PID:1864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 700
    3⤵
    - Program crash
    PID:2120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 836
    3⤵
    - Program crash
    PID:2792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 848
    3⤵
    - Program crash
    PID:4852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 888
    3⤵
    - Program crash
    PID:2940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 940
    3⤵
    - Program crash
    PID:960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1072
    3⤵
    - Program crash
    PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si268340.exe

Filesize
395KB

MD5
51d1dd7c115deda9f7d3b35aaf489a7c

SHA1
ff26026a3eaf8ddada6bdb78f1bdaca17498555d

SHA256
5ae260d370191e96ceead3b875c7af2acb63e34b091e814f1f0245e0b1180864

SHA512
0078a9f3b9761ed03cf66dba91f8a70f22f4f17101ed420e969956678ac67013ef4a08c8a302c5d503c06a92c6f7a6481f2c06a58b2140224fa22aafa106e3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si268340.exe

Filesize
395KB

MD5
51d1dd7c115deda9f7d3b35aaf489a7c

SHA1
ff26026a3eaf8ddada6bdb78f1bdaca17498555d

SHA256
5ae260d370191e96ceead3b875c7af2acb63e34b091e814f1f0245e0b1180864

SHA512
0078a9f3b9761ed03cf66dba91f8a70f22f4f17101ed420e969956678ac67013ef4a08c8a302c5d503c06a92c6f7a6481f2c06a58b2140224fa22aafa106e3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un236578.exe

Filesize
763KB

MD5
4e42834be044720594b95a106ae2a6c5

SHA1
886fdf26451c5b0268d4944ec55aec155d9c476e

SHA256
4fec67b87a4cacf5797c78242c36fd42b2372021355ddd20e85b01e6e50c924d

SHA512
1842132d24d27f56b7b70ecf2487f21e844ad70b62709a788984886fb763ccdfe882830dda26dd9d007ce90a8a5931b92fd0bf48306f1d80dfd45492d95eaa93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un236578.exe

Filesize
763KB

MD5
4e42834be044720594b95a106ae2a6c5

SHA1
886fdf26451c5b0268d4944ec55aec155d9c476e

SHA256
4fec67b87a4cacf5797c78242c36fd42b2372021355ddd20e85b01e6e50c924d

SHA512
1842132d24d27f56b7b70ecf2487f21e844ad70b62709a788984886fb763ccdfe882830dda26dd9d007ce90a8a5931b92fd0bf48306f1d80dfd45492d95eaa93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk706834.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk706834.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un651897.exe

Filesize
609KB

MD5
c5b46c5930870e507a62b264c735f4fb

SHA1
3cfad97a6f6f4f48d5b4140d86ede369721f24d2

SHA256
0ac28e4a09534c916c823e7238b631e9b748834a5f8376370a894d9a90bb030e

SHA512
5cbcad44106efd0c6026db94fd747fd628f257add4ca09edfb7fa5961d8410bc7cd826ee08d173532f1605968f354be80a5d906fada8d7cfa0978e9e13345926

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un651897.exe

Filesize
609KB

MD5
c5b46c5930870e507a62b264c735f4fb

SHA1
3cfad97a6f6f4f48d5b4140d86ede369721f24d2

SHA256
0ac28e4a09534c916c823e7238b631e9b748834a5f8376370a894d9a90bb030e

SHA512
5cbcad44106efd0c6026db94fd747fd628f257add4ca09edfb7fa5961d8410bc7cd826ee08d173532f1605968f354be80a5d906fada8d7cfa0978e9e13345926

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr695570.exe

Filesize
403KB

MD5
e990b4caa44f00fd8844e6fc1f916484

SHA1
56ceb7ab5312c8f4ad63b229dca64f1323f5d5ce

SHA256
cf9c27f092451b6998f389ee765e39c6cb87d0a0ec3d3128f7857248290b673b

SHA512
ebfbd33cbaa68e73dcc64e1eb580a334e6d682a4f5b7d2234a663725afb9592bb7713933c677c0ae4942006b3567e4104b32764f9b0c256fba651ae6c41daa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr695570.exe

Filesize
403KB

MD5
e990b4caa44f00fd8844e6fc1f916484

SHA1
56ceb7ab5312c8f4ad63b229dca64f1323f5d5ce

SHA256
cf9c27f092451b6998f389ee765e39c6cb87d0a0ec3d3128f7857248290b673b

SHA512
ebfbd33cbaa68e73dcc64e1eb580a334e6d682a4f5b7d2234a663725afb9592bb7713933c677c0ae4942006b3567e4104b32764f9b0c256fba651ae6c41daa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu450712.exe

Filesize
486KB

MD5
7a2fb86c2d9ce00f28ddb6b63abdf5ed

SHA1
ba2cdc774c1595cdca45cb95efe5dfa8a6e533a7

SHA256
fb0040eccfac8f68420f18e2ae3a51998a2da51de6f7ef51bb6e19e203d79cac

SHA512
d16908f3cab88f085c1e75ab6794883d72c4edaac7ebd945f254c318f9b8adb1d3dd5d78739e21cf60c835afa2c34f4f24b7792d76456a6df688e91fadfa5f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu450712.exe

Filesize
486KB

MD5
7a2fb86c2d9ce00f28ddb6b63abdf5ed

SHA1
ba2cdc774c1595cdca45cb95efe5dfa8a6e533a7

SHA256
fb0040eccfac8f68420f18e2ae3a51998a2da51de6f7ef51bb6e19e203d79cac

SHA512
d16908f3cab88f085c1e75ab6794883d72c4edaac7ebd945f254c318f9b8adb1d3dd5d78739e21cf60c835afa2c34f4f24b7792d76456a6df688e91fadfa5f8e

Download Submit
memory/2584-1000-0x00000000008C0000-0x00000000008E8000-memory.dmp

Filesize
160KB

Download
memory/2584-1002-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2584-1001-0x0000000007650000-0x000000000769B000-memory.dmp

Filesize
300KB

Download
memory/4292-1008-0x00000000008E0000-0x000000000091B000-memory.dmp

Filesize
236KB

Download
memory/4488-155-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-169-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-151-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-153-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-147-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-157-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-159-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-161-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-163-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-165-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-167-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-149-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-171-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-173-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-174-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4488-175-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4488-176-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4488-177-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4488-179-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4488-146-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4488-145-0x00000000027D0000-0x00000000027E8000-memory.dmp

Filesize
96KB

Download
memory/4488-144-0x0000000005040000-0x000000000553E000-memory.dmp

Filesize
5.0MB

Download
memory/4488-143-0x0000000002620000-0x000000000263A000-memory.dmp

Filesize
104KB

Download
memory/4488-142-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4600-187-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-193-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-195-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-197-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/4600-198-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/4600-199-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-200-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/4600-203-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/4600-205-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-202-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-207-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-209-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-211-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-213-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-215-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-217-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-219-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-221-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-223-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-982-0x0000000007E10000-0x0000000008416000-memory.dmp

Filesize
6.0MB

Download
memory/4600-983-0x0000000007850000-0x0000000007862000-memory.dmp

Filesize
72KB

Download
memory/4600-984-0x0000000007880000-0x000000000798A000-memory.dmp

Filesize
1.0MB

Download
memory/4600-985-0x00000000079A0000-0x00000000079DE000-memory.dmp

Filesize
248KB

Download
memory/4600-986-0x0000000007A20000-0x0000000007A6B000-memory.dmp

Filesize
300KB

Download
memory/4600-987-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/4600-988-0x0000000007CB0000-0x0000000007D16000-memory.dmp

Filesize
408KB

Download
memory/4600-989-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/4600-990-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/4600-991-0x0000000008AE0000-0x0000000008AFE000-memory.dmp

Filesize
120KB

Download
memory/4600-191-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-189-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-186-0x0000000002670000-0x00000000026A5000-memory.dmp

Filesize
212KB

Download
memory/4600-185-0x0000000002670000-0x00000000026AA000-memory.dmp

Filesize
232KB

Download
memory/4600-184-0x0000000000CF0000-0x0000000000D2C000-memory.dmp

Filesize
240KB

Download
memory/4600-992-0x0000000008BB0000-0x0000000008C00000-memory.dmp

Filesize
320KB

Download
memory/4600-993-0x0000000008E40000-0x0000000009002000-memory.dmp

Filesize
1.8MB

Download
memory/4600-994-0x0000000009010000-0x000000000953C000-memory.dmp

Filesize
5.2MB

Download