amadey | 9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da

Analysis

max time kernel
148s
max time network
94s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21/04/2023, 15:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe
Size

944KB
MD5

3ffc3a3832c9dd6867dfe37ebe501e1e
SHA1

44eefa0ff616f90c6e7c1f5776328d130ee8796f
SHA256

9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da
SHA512

7b9c9426e00835872a897cea3c82e1a7a51122888a947297b18e6120bb59b91f9a8d3f130f61693961c021266e42a2c7de70e4dbd5fb41707a74c8a109099cd9
SSDEEP

24576:oyYK9ng7buLfxOZBv2b4c9OCirryWHNKrQLIFrwy/ie:vYgg7qxiOnxirNsrcmB/

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr046701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr046701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr046701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr046701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr046701.exe

Executes dropped EXE 6 IoCs

pid	Process
2092	un407144.exe
4568	un308064.exe
4980	pr046701.exe
1460	qu628892.exe
4336	rk356251.exe
4112	si431437.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr046701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr046701.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un407144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un407144.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un308064.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un308064.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3856	4112	WerFault.exe	72
4004	4112	WerFault.exe	72
2160	4112	WerFault.exe	72
1856	4112	WerFault.exe	72
1124	4112	WerFault.exe	72
4784	4112	WerFault.exe	72
3100	4112	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4980	pr046701.exe
4980	pr046701.exe
1460	qu628892.exe
1460	qu628892.exe
4336	rk356251.exe
4336	rk356251.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	pr046701.exe
Token: SeDebugPrivilege	1460	qu628892.exe
Token: SeDebugPrivilege	4336	rk356251.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 2092	3520	9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe	66
PID 3520 wrote to memory of 2092	3520	9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe	66
PID 3520 wrote to memory of 2092	3520	9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe	66
PID 2092 wrote to memory of 4568	2092	un407144.exe	67
PID 2092 wrote to memory of 4568	2092	un407144.exe	67
PID 2092 wrote to memory of 4568	2092	un407144.exe	67
PID 4568 wrote to memory of 4980	4568	un308064.exe	68
PID 4568 wrote to memory of 4980	4568	un308064.exe	68
PID 4568 wrote to memory of 4980	4568	un308064.exe	68
PID 4568 wrote to memory of 1460	4568	un308064.exe	69
PID 4568 wrote to memory of 1460	4568	un308064.exe	69
PID 4568 wrote to memory of 1460	4568	un308064.exe	69
PID 2092 wrote to memory of 4336	2092	un407144.exe	71
PID 2092 wrote to memory of 4336	2092	un407144.exe	71
PID 2092 wrote to memory of 4336	2092	un407144.exe	71
PID 3520 wrote to memory of 4112	3520	9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe	72
PID 3520 wrote to memory of 4112	3520	9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe	72
PID 3520 wrote to memory of 4112	3520	9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe	72

C:\Users\Admin\AppData\Local\Temp\9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe
"C:\Users\Admin\AppData\Local\Temp\9a8a1ee2cf79e34cbac92a42f204076f1d8eeb90896f7f804369095c876584da.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un407144.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un407144.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un308064.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un308064.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr046701.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr046701.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu628892.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu628892.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk356251.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk356251.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si431437.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si431437.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 620
    3⤵
    - Program crash
    PID:3856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 700
    3⤵
    - Program crash
    PID:4004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 840
    3⤵
    - Program crash
    PID:2160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 848
    3⤵
    - Program crash
    PID:1856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 876
    3⤵
    - Program crash
    PID:1124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 924
    3⤵
    - Program crash
    PID:4784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1064
    3⤵
    - Program crash
    PID:3100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si431437.exe

Filesize
258KB

MD5
3d660910fcfa92e28c31c9bbcdf76b6a

SHA1
98a368e2c80f70accbf9d8d2047e36cb13566b40

SHA256
927e03a893291cf995bf5f85c4732218381870e5255d9207f70ee6ce37010c37

SHA512
58be15f546f5ecacdca9231b1628c0cb9a640be5d002e4fbb97b8d026764dc78ac6d041c5bb2de5583dd0c1a312af5e75f88a99b6e69fae5839aceee03770389

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si431437.exe

Filesize
258KB

MD5
3d660910fcfa92e28c31c9bbcdf76b6a

SHA1
98a368e2c80f70accbf9d8d2047e36cb13566b40

SHA256
927e03a893291cf995bf5f85c4732218381870e5255d9207f70ee6ce37010c37

SHA512
58be15f546f5ecacdca9231b1628c0cb9a640be5d002e4fbb97b8d026764dc78ac6d041c5bb2de5583dd0c1a312af5e75f88a99b6e69fae5839aceee03770389

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un407144.exe

Filesize
689KB

MD5
023bda447c97dc6c2dbf404a8620b837

SHA1
ee1422565c39e23c094263d516ab5897911b82ec

SHA256
1cc5edd20a60f73ba3a2f71b4172702eb7a03586ecff15562c3fa8e45d1d4bb5

SHA512
77097ef1881b39fea2dc70eab6c507852f54babdf2c048c8cf6dd63f99eefbcf73432f602bd4d1ba21587ef965627d55c4a71d8780f74d1f23b5da3429d26210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un407144.exe

Filesize
689KB

MD5
023bda447c97dc6c2dbf404a8620b837

SHA1
ee1422565c39e23c094263d516ab5897911b82ec

SHA256
1cc5edd20a60f73ba3a2f71b4172702eb7a03586ecff15562c3fa8e45d1d4bb5

SHA512
77097ef1881b39fea2dc70eab6c507852f54babdf2c048c8cf6dd63f99eefbcf73432f602bd4d1ba21587ef965627d55c4a71d8780f74d1f23b5da3429d26210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk356251.exe

Filesize
136KB

MD5
e48a471cb7bc4ff6a6b32ae6d192dbbb

SHA1
d38181853eccf41490641e35b9f2b13e1f6d1711

SHA256
ce0d0c494beb02432c1c208d73c07be71fefb4afd34e74a98f188417ca86d21c

SHA512
dffde20f58c233b543a9a5e5a4bbdf29767bfb80661541b36c52cd6d53debb6cb3a62d3f7aa76010d06c9b0d74e9b972231eae53cd539f648ec89a85bdc457f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk356251.exe

Filesize
136KB

MD5
e48a471cb7bc4ff6a6b32ae6d192dbbb

SHA1
d38181853eccf41490641e35b9f2b13e1f6d1711

SHA256
ce0d0c494beb02432c1c208d73c07be71fefb4afd34e74a98f188417ca86d21c

SHA512
dffde20f58c233b543a9a5e5a4bbdf29767bfb80661541b36c52cd6d53debb6cb3a62d3f7aa76010d06c9b0d74e9b972231eae53cd539f648ec89a85bdc457f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un308064.exe

Filesize
534KB

MD5
7e2dde37fd16e55a6f1c7687bd5cb77e

SHA1
459a1a739c6965717674d5048bb9d1cde4a62905

SHA256
8ef9a78706d312bcfff73039c5dd4431d976d9532b862caafc85c4c18b8d5ad3

SHA512
a9538af9d6af00ce145b9f0f389d530248b0efdb32777771ad33ced5217f376af506187a0a575050bcf6fe55ea17fae68bd642f76a02f36ffd06a8a32df8ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un308064.exe

Filesize
534KB

MD5
7e2dde37fd16e55a6f1c7687bd5cb77e

SHA1
459a1a739c6965717674d5048bb9d1cde4a62905

SHA256
8ef9a78706d312bcfff73039c5dd4431d976d9532b862caafc85c4c18b8d5ad3

SHA512
a9538af9d6af00ce145b9f0f389d530248b0efdb32777771ad33ced5217f376af506187a0a575050bcf6fe55ea17fae68bd642f76a02f36ffd06a8a32df8ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr046701.exe

Filesize
266KB

MD5
49579d075e556b3f41eaf2fcf677892f

SHA1
46408506abef17e1d113f49487005c28b64cb303

SHA256
475891d826007c89050f504a51602fe2a566ef55ac2faa889050ef25ef4d836e

SHA512
78403ee9cf8b70d1d685c806a3316f45616bd2c652e7cbc70a07f6e52138f94c4e609c2824d82300aaf4a9fc9661ccc8abab672686482756f6ba4a5c61517566

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr046701.exe

Filesize
266KB

MD5
49579d075e556b3f41eaf2fcf677892f

SHA1
46408506abef17e1d113f49487005c28b64cb303

SHA256
475891d826007c89050f504a51602fe2a566ef55ac2faa889050ef25ef4d836e

SHA512
78403ee9cf8b70d1d685c806a3316f45616bd2c652e7cbc70a07f6e52138f94c4e609c2824d82300aaf4a9fc9661ccc8abab672686482756f6ba4a5c61517566

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu628892.exe

Filesize
350KB

MD5
accbf334d756f9d8b787ee7b6673ceb9

SHA1
df523309a90d0eead57c4a453c2fde1335cdceb8

SHA256
a15e7933c284f4b000d77a2a6b45b2c44c7a8d18054347f5c16ef5e306025c1c

SHA512
25a3232ae2f1781feeec88602707d237197d2c04b4cb4e553c777dae89b3f13512e7a12ba1b0f56dbc42ceb2c171e654bf85dc99e538fc75c28182616e6481eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu628892.exe

Filesize
350KB

MD5
accbf334d756f9d8b787ee7b6673ceb9

SHA1
df523309a90d0eead57c4a453c2fde1335cdceb8

SHA256
a15e7933c284f4b000d77a2a6b45b2c44c7a8d18054347f5c16ef5e306025c1c

SHA512
25a3232ae2f1781feeec88602707d237197d2c04b4cb4e553c777dae89b3f13512e7a12ba1b0f56dbc42ceb2c171e654bf85dc99e538fc75c28182616e6481eb

Download Submit
memory/1460-980-0x0000000009BC0000-0x000000000A1C6000-memory.dmp

Filesize
6.0MB

Download
memory/1460-984-0x000000000A4D0000-0x000000000A51B000-memory.dmp

Filesize
300KB

Download
memory/1460-992-0x000000000B270000-0x000000000B79C000-memory.dmp

Filesize
5.2MB

Download
memory/1460-991-0x000000000B0A0000-0x000000000B262000-memory.dmp

Filesize
1.8MB

Download
memory/1460-990-0x000000000AFD0000-0x000000000AFEE000-memory.dmp

Filesize
120KB

Download
memory/1460-989-0x000000000AE30000-0x000000000AEA6000-memory.dmp

Filesize
472KB

Download
memory/1460-988-0x000000000ADC0000-0x000000000AE10000-memory.dmp

Filesize
320KB

Download
memory/1460-987-0x000000000AD10000-0x000000000ADA2000-memory.dmp

Filesize
584KB

Download
memory/1460-986-0x000000000A660000-0x000000000A6C6000-memory.dmp

Filesize
408KB

Download
memory/1460-985-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/1460-983-0x000000000A350000-0x000000000A38E000-memory.dmp

Filesize
248KB

Download
memory/1460-982-0x000000000A230000-0x000000000A33A000-memory.dmp

Filesize
1.0MB

Download
memory/1460-981-0x000000000A200000-0x000000000A212000-memory.dmp

Filesize
72KB

Download
memory/1460-221-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-219-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-217-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-215-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-213-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-211-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-209-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-207-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-182-0x0000000004740000-0x000000000477C000-memory.dmp

Filesize
240KB

Download
memory/1460-183-0x0000000004810000-0x000000000484A000-memory.dmp

Filesize
232KB

Download
memory/1460-185-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-187-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-186-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/1460-190-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/1460-188-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/1460-184-0x0000000002BC0000-0x0000000002C06000-memory.dmp

Filesize
280KB

Download
memory/1460-191-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-197-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-195-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-193-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-199-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-201-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-203-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/1460-205-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/4112-1006-0x0000000002BA0000-0x0000000002BDB000-memory.dmp

Filesize
236KB

Download
memory/4336-998-0x0000000000E20000-0x0000000000E48000-memory.dmp

Filesize
160KB

Download
memory/4336-1000-0x0000000007F10000-0x0000000007F20000-memory.dmp

Filesize
64KB

Download
memory/4336-999-0x0000000007BA0000-0x0000000007BEB000-memory.dmp

Filesize
300KB

Download
memory/4980-159-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-157-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4980-171-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-169-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-143-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-167-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-165-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-163-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-148-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-161-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-144-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-153-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4980-156-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-173-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-155-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4980-152-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-150-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4980-142-0x0000000004970000-0x0000000004988000-memory.dmp

Filesize
96KB

Download
memory/4980-141-0x0000000007300000-0x00000000077FE000-memory.dmp

Filesize
5.0MB

Download
memory/4980-174-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4980-176-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4980-177-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4980-140-0x0000000004710000-0x000000000472A000-memory.dmp

Filesize
104KB

Download
memory/4980-139-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/4980-146-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download