amadey | 89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992

Analysis

max time kernel
298s
max time network
159s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-04-2023 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe
Size

815KB
MD5

17cacd771fe30050908f29e25cdc9304
SHA1

bf0e2bd303a5db056206a4c186c7b653a743a25e
SHA256

89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992
SHA512

7e0997952863f8a8353ad593f123b256bc1e23df2278b179af8cc6df13090e4b8f2be40468f66ff54aad05926fe61e0b212d6060a646904a17e34bc3c2fc7997
SSDEEP

12288:Ey90b+EopwsEaQF4cG2hxECWWTLiShswEhoxKVyCm6hEYMVRKMDGOZ:EyoV14cErY3sRhocVyCDherKMDz

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it428630.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it428630.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it428630.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it428630.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it428630.exe

Executes dropped EXE 6 IoCs

pid	Process
2508	ziug3974.exe
2592	ziXM1352.exe
3084	it428630.exe
5092	jr761881.exe
2168	kp562493.exe
3632	lr227634.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it428630.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziug3974.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziug3974.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziXM1352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziXM1352.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2552	3632	WerFault.exe	72
2252	3632	WerFault.exe	72
3084	3632	WerFault.exe	72
4420	3632	WerFault.exe	72
3120	3632	WerFault.exe	72
4696	3632	WerFault.exe	72
2796	3632	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3084	it428630.exe
3084	it428630.exe
5092	jr761881.exe
5092	jr761881.exe
2168	kp562493.exe
2168	kp562493.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	it428630.exe
Token: SeDebugPrivilege	5092	jr761881.exe
Token: SeDebugPrivilege	2168	kp562493.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2508	2332	89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe	66
PID 2332 wrote to memory of 2508	2332	89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe	66
PID 2332 wrote to memory of 2508	2332	89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe	66
PID 2508 wrote to memory of 2592	2508	ziug3974.exe	67
PID 2508 wrote to memory of 2592	2508	ziug3974.exe	67
PID 2508 wrote to memory of 2592	2508	ziug3974.exe	67
PID 2592 wrote to memory of 3084	2592	ziXM1352.exe	68
PID 2592 wrote to memory of 3084	2592	ziXM1352.exe	68
PID 2592 wrote to memory of 5092	2592	ziXM1352.exe	69
PID 2592 wrote to memory of 5092	2592	ziXM1352.exe	69
PID 2592 wrote to memory of 5092	2592	ziXM1352.exe	69
PID 2508 wrote to memory of 2168	2508	ziug3974.exe	71
PID 2508 wrote to memory of 2168	2508	ziug3974.exe	71
PID 2508 wrote to memory of 2168	2508	ziug3974.exe	71
PID 2332 wrote to memory of 3632	2332	89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe	72
PID 2332 wrote to memory of 3632	2332	89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe	72
PID 2332 wrote to memory of 3632	2332	89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe	72

C:\Users\Admin\AppData\Local\Temp\89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe
"C:\Users\Admin\AppData\Local\Temp\89fa122a017b99c59beb0ab39e8aca9205978410e8ca9c230a114bafbab21992.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziug3974.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziug3974.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziXM1352.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziXM1352.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it428630.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it428630.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr761881.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr761881.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp562493.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp562493.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr227634.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr227634.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 620
    3⤵
    - Program crash
    PID:2552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 700
    3⤵
    - Program crash
    PID:2252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 840
    3⤵
    - Program crash
    PID:3084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 828
    3⤵
    - Program crash
    PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 876
    3⤵
    - Program crash
    PID:3120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 812
    3⤵
    - Program crash
    PID:4696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1084
    3⤵
    - Program crash
    PID:2796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr227634.exe

Filesize
270KB

MD5
1138ad3f2c41c0d6a3dfe6a8800e5e48

SHA1
c2a4b4fddc24ea17d7eeabe7e4bfbef2dda7bf5e

SHA256
fd72116d8478ca0408b99be72b76e3160cdd55e8165eaf7241bf60666fb7a3a6

SHA512
51dc7073a2dfca31f5a705c30d7e7eca412af18d453179146a60021ad7fbac9042e942445beafb87cc09fe92365a3edbc970662e4b3ec2fdb5d34631995ccc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr227634.exe

Filesize
270KB

MD5
1138ad3f2c41c0d6a3dfe6a8800e5e48

SHA1
c2a4b4fddc24ea17d7eeabe7e4bfbef2dda7bf5e

SHA256
fd72116d8478ca0408b99be72b76e3160cdd55e8165eaf7241bf60666fb7a3a6

SHA512
51dc7073a2dfca31f5a705c30d7e7eca412af18d453179146a60021ad7fbac9042e942445beafb87cc09fe92365a3edbc970662e4b3ec2fdb5d34631995ccc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziug3974.exe

Filesize
552KB

MD5
16317b3f1c526232725eec633b70e6fe

SHA1
d37b8c6bae94a673b1f2a095b0b52685e537f00a

SHA256
da440df2dfd5d3205aa6df86378ef49706c89ee514a09bfdd261d2cd1c9495ea

SHA512
d048d2405fd7c7887bb7eae563d5eb8e00a8a1c3f9d08be05f8d9e2d9753675eae3b1e8df7dc3e67a0c84c3103adbaaeeea178a7f67576b21df63c15afa84452

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziug3974.exe

Filesize
552KB

MD5
16317b3f1c526232725eec633b70e6fe

SHA1
d37b8c6bae94a673b1f2a095b0b52685e537f00a

SHA256
da440df2dfd5d3205aa6df86378ef49706c89ee514a09bfdd261d2cd1c9495ea

SHA512
d048d2405fd7c7887bb7eae563d5eb8e00a8a1c3f9d08be05f8d9e2d9753675eae3b1e8df7dc3e67a0c84c3103adbaaeeea178a7f67576b21df63c15afa84452

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp562493.exe

Filesize
136KB

MD5
e48a471cb7bc4ff6a6b32ae6d192dbbb

SHA1
d38181853eccf41490641e35b9f2b13e1f6d1711

SHA256
ce0d0c494beb02432c1c208d73c07be71fefb4afd34e74a98f188417ca86d21c

SHA512
dffde20f58c233b543a9a5e5a4bbdf29767bfb80661541b36c52cd6d53debb6cb3a62d3f7aa76010d06c9b0d74e9b972231eae53cd539f648ec89a85bdc457f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp562493.exe

Filesize
136KB

MD5
e48a471cb7bc4ff6a6b32ae6d192dbbb

SHA1
d38181853eccf41490641e35b9f2b13e1f6d1711

SHA256
ce0d0c494beb02432c1c208d73c07be71fefb4afd34e74a98f188417ca86d21c

SHA512
dffde20f58c233b543a9a5e5a4bbdf29767bfb80661541b36c52cd6d53debb6cb3a62d3f7aa76010d06c9b0d74e9b972231eae53cd539f648ec89a85bdc457f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziXM1352.exe

Filesize
398KB

MD5
01045ff3a5cc850f1299336b1dd07614

SHA1
5157fc889cc44f3db4caba887994f6e9c01dfebd

SHA256
f03d75d9be5ca3530a6ba72172cb32a957e2fb89f21398b1a597ce2dd53dc1eb

SHA512
bb0ba65a20f4331846cfc93cf0b79e9544db1ea26888f90a7db382ae3839f5809fe2b155c4dd2c1dc76ca7b73158e254e5bbb7f5384e6f2702974faad97a9fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziXM1352.exe

Filesize
398KB

MD5
01045ff3a5cc850f1299336b1dd07614

SHA1
5157fc889cc44f3db4caba887994f6e9c01dfebd

SHA256
f03d75d9be5ca3530a6ba72172cb32a957e2fb89f21398b1a597ce2dd53dc1eb

SHA512
bb0ba65a20f4331846cfc93cf0b79e9544db1ea26888f90a7db382ae3839f5809fe2b155c4dd2c1dc76ca7b73158e254e5bbb7f5384e6f2702974faad97a9fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it428630.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it428630.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr761881.exe

Filesize
350KB

MD5
a96f1685e182df1f86aee6145756d2dd

SHA1
b7ad4f62186aca080bf7b403cebeb2ad66147d6e

SHA256
6ed266d5f1756828b2a5691fabef7902bd75762238d8903c070db176b53bcb7a

SHA512
b93d9c2e0222b1df6a68434b07253f4e802be7ad6f6740da09a1226af46e77c1f10acac88fa5f41a5a941162b1dda57b7d82c87cdbd231b1dac63d4b567c18a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr761881.exe

Filesize
350KB

MD5
a96f1685e182df1f86aee6145756d2dd

SHA1
b7ad4f62186aca080bf7b403cebeb2ad66147d6e

SHA256
6ed266d5f1756828b2a5691fabef7902bd75762238d8903c070db176b53bcb7a

SHA512
b93d9c2e0222b1df6a68434b07253f4e802be7ad6f6740da09a1226af46e77c1f10acac88fa5f41a5a941162b1dda57b7d82c87cdbd231b1dac63d4b567c18a9

Download Submit
memory/2168-967-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/2168-966-0x0000000000480000-0x00000000004A8000-memory.dmp

Filesize
160KB

Download
memory/2168-968-0x0000000007200000-0x000000000724B000-memory.dmp

Filesize
300KB

Download
memory/3084-142-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/3632-974-0x0000000002D80000-0x0000000002DBB000-memory.dmp

Filesize
236KB

Download
memory/5092-182-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-202-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-152-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/5092-155-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-156-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-158-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-160-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-162-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-164-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-166-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-168-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-170-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-172-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-174-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-176-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-178-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-180-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-153-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/5092-184-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-186-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-188-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-190-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-192-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-194-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-196-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-198-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-200-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-154-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/5092-204-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-206-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-208-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-210-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-212-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-214-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-216-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-218-0x0000000004CD0000-0x0000000004D05000-memory.dmp

Filesize
212KB

Download
memory/5092-947-0x0000000009C20000-0x000000000A226000-memory.dmp

Filesize
6.0MB

Download
memory/5092-948-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/5092-949-0x000000000A230000-0x000000000A33A000-memory.dmp

Filesize
1.0MB

Download
memory/5092-950-0x000000000A350000-0x000000000A38E000-memory.dmp

Filesize
248KB

Download
memory/5092-951-0x000000000A4D0000-0x000000000A51B000-memory.dmp

Filesize
300KB

Download
memory/5092-952-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/5092-953-0x000000000A660000-0x000000000A6C6000-memory.dmp

Filesize
408KB

Download
memory/5092-954-0x000000000AD10000-0x000000000ADA2000-memory.dmp

Filesize
584KB

Download
memory/5092-955-0x000000000ADD0000-0x000000000AE46000-memory.dmp

Filesize
472KB

Download
memory/5092-151-0x0000000002C90000-0x0000000002CD6000-memory.dmp

Filesize
280KB

Download
memory/5092-150-0x0000000004CD0000-0x0000000004D0A000-memory.dmp

Filesize
232KB

Download
memory/5092-149-0x00000000072A0000-0x000000000779E000-memory.dmp

Filesize
5.0MB

Download
memory/5092-148-0x0000000004870000-0x00000000048AC000-memory.dmp

Filesize
240KB

Download
memory/5092-956-0x000000000AEA0000-0x000000000B062000-memory.dmp

Filesize
1.8MB

Download
memory/5092-957-0x000000000B080000-0x000000000B5AC000-memory.dmp

Filesize
5.2MB

Download
memory/5092-958-0x000000000B6E0000-0x000000000B6FE000-memory.dmp

Filesize
120KB

Download
memory/5092-960-0x0000000004910000-0x0000000004960000-memory.dmp

Filesize
320KB

Download