amadey | 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac

Analysis

max time kernel
148s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21/04/2023, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe
Size

808KB
MD5

03813a80e0f840b1d5c5623b917b0fdb
SHA1

5f3890ebdd0f203a1d00df6416acf7daf4c852fb
SHA256

033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac
SHA512

41ca3835d6d479050910fdb892539dcbdc6898374dcb0a14bdaa969c8d4d6693edb2523a802ad10ecdbb3d3cd92a94f5b86b2744395cdb3b03db585ce54befd7
SSDEEP

12288:Sy90204lg2J2FyH44i9rt9oNECWWcbwSmUwEdqNAf/otd2bQTkLwyrKZeWiWf:Sy+5O4B9jSE3buURMmXq2XELXf

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it414985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it414985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it414985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it414985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it414985.exe

Executes dropped EXE 6 IoCs

pid	Process
2272	zion7962.exe
2456	zigM2404.exe
2736	it414985.exe
4988	jr421986.exe
2848	kp095790.exe
1636	lr492753.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it414985.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zion7962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zion7962.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zigM2404.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zigM2404.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2392	1636	WerFault.exe	72
2676	1636	WerFault.exe	72
3152	1636	WerFault.exe	72
2788	1636	WerFault.exe	72
2256	1636	WerFault.exe	72
2096	1636	WerFault.exe	72
2336	1636	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2736	it414985.exe
2736	it414985.exe
4988	jr421986.exe
4988	jr421986.exe
2848	kp095790.exe
2848	kp095790.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	it414985.exe
Token: SeDebugPrivilege	4988	jr421986.exe
Token: SeDebugPrivilege	2848	kp095790.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2272	1560	033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe	66
PID 1560 wrote to memory of 2272	1560	033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe	66
PID 1560 wrote to memory of 2272	1560	033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe	66
PID 2272 wrote to memory of 2456	2272	zion7962.exe	67
PID 2272 wrote to memory of 2456	2272	zion7962.exe	67
PID 2272 wrote to memory of 2456	2272	zion7962.exe	67
PID 2456 wrote to memory of 2736	2456	zigM2404.exe	68
PID 2456 wrote to memory of 2736	2456	zigM2404.exe	68
PID 2456 wrote to memory of 4988	2456	zigM2404.exe	69
PID 2456 wrote to memory of 4988	2456	zigM2404.exe	69
PID 2456 wrote to memory of 4988	2456	zigM2404.exe	69
PID 2272 wrote to memory of 2848	2272	zion7962.exe	71
PID 2272 wrote to memory of 2848	2272	zion7962.exe	71
PID 2272 wrote to memory of 2848	2272	zion7962.exe	71
PID 1560 wrote to memory of 1636	1560	033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe	72
PID 1560 wrote to memory of 1636	1560	033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe	72
PID 1560 wrote to memory of 1636	1560	033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe	72

C:\Users\Admin\AppData\Local\Temp\033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe
"C:\Users\Admin\AppData\Local\Temp\033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zion7962.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zion7962.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigM2404.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigM2404.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it414985.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it414985.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr421986.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr421986.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp095790.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp095790.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492753.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492753.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 616
    3⤵
    - Program crash
    PID:2392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 696
    3⤵
    - Program crash
    PID:2676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 836
    3⤵
    - Program crash
    PID:3152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 884
    3⤵
    - Program crash
    PID:2788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 828
    3⤵
    - Program crash
    PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 864
    3⤵
    - Program crash
    PID:2096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1080
    3⤵
    - Program crash
    PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492753.exe

Filesize
258KB

MD5
f3d71c0a4e36202ae9b2fe964d418fa5

SHA1
c9f0896632580ab06b88465df700eeed3a341792

SHA256
3c2ba41bb6c279d5cae1988ab5005daa38aeeaac8ec5c81e2cc7b0e5195c3dbc

SHA512
295bc708dfd4525a620ce207f4d8ba18b26bedd279575231608d7264596b4702a42d5fcc8fc3f47cc4ce83888cb8faa3ec05089f17452266949ee69c1a55d6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492753.exe

Filesize
258KB

MD5
f3d71c0a4e36202ae9b2fe964d418fa5

SHA1
c9f0896632580ab06b88465df700eeed3a341792

SHA256
3c2ba41bb6c279d5cae1988ab5005daa38aeeaac8ec5c81e2cc7b0e5195c3dbc

SHA512
295bc708dfd4525a620ce207f4d8ba18b26bedd279575231608d7264596b4702a42d5fcc8fc3f47cc4ce83888cb8faa3ec05089f17452266949ee69c1a55d6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zion7962.exe

Filesize
553KB

MD5
cf234c4d39c682c8d5e8ff6894bf4bd0

SHA1
c8295334240dcdc78794e5c768c4acc67c5226b1

SHA256
641568d87ad85fe7c10862e1dae06d4a8ed028a177c487a9c86a9c4bac88e0e7

SHA512
bc7b02a8c6b151b89b51f5aa8208c895148b5ef1f98e7fb0ed61cbc3457cd6c93955f8074055e622fae5d087a48dbf09d2213156a06455d7da0a0e7763758def

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zion7962.exe

Filesize
553KB

MD5
cf234c4d39c682c8d5e8ff6894bf4bd0

SHA1
c8295334240dcdc78794e5c768c4acc67c5226b1

SHA256
641568d87ad85fe7c10862e1dae06d4a8ed028a177c487a9c86a9c4bac88e0e7

SHA512
bc7b02a8c6b151b89b51f5aa8208c895148b5ef1f98e7fb0ed61cbc3457cd6c93955f8074055e622fae5d087a48dbf09d2213156a06455d7da0a0e7763758def

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp095790.exe

Filesize
136KB

MD5
e48a471cb7bc4ff6a6b32ae6d192dbbb

SHA1
d38181853eccf41490641e35b9f2b13e1f6d1711

SHA256
ce0d0c494beb02432c1c208d73c07be71fefb4afd34e74a98f188417ca86d21c

SHA512
dffde20f58c233b543a9a5e5a4bbdf29767bfb80661541b36c52cd6d53debb6cb3a62d3f7aa76010d06c9b0d74e9b972231eae53cd539f648ec89a85bdc457f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp095790.exe

Filesize
136KB

MD5
e48a471cb7bc4ff6a6b32ae6d192dbbb

SHA1
d38181853eccf41490641e35b9f2b13e1f6d1711

SHA256
ce0d0c494beb02432c1c208d73c07be71fefb4afd34e74a98f188417ca86d21c

SHA512
dffde20f58c233b543a9a5e5a4bbdf29767bfb80661541b36c52cd6d53debb6cb3a62d3f7aa76010d06c9b0d74e9b972231eae53cd539f648ec89a85bdc457f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigM2404.exe

Filesize
398KB

MD5
8dd21ff770f5f7f8bf7ad8dd29c1d257

SHA1
fe25fa9f936224ba45ba77b2be2bd40b1d5ab43b

SHA256
18a3c53454af03c61027c77b45a2066208e07d7f64baad0eea9d8f0ec10fbea6

SHA512
7895c69f77067f8dd3fe7d5e3bb6c245997d134901076adc9d1a69de14f0de2ba896fea49debbf54595424de03a84463c529261e3715aaf9bdbf3d97d6d24eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigM2404.exe

Filesize
398KB

MD5
8dd21ff770f5f7f8bf7ad8dd29c1d257

SHA1
fe25fa9f936224ba45ba77b2be2bd40b1d5ab43b

SHA256
18a3c53454af03c61027c77b45a2066208e07d7f64baad0eea9d8f0ec10fbea6

SHA512
7895c69f77067f8dd3fe7d5e3bb6c245997d134901076adc9d1a69de14f0de2ba896fea49debbf54595424de03a84463c529261e3715aaf9bdbf3d97d6d24eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it414985.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it414985.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr421986.exe

Filesize
350KB

MD5
a17611e842b97d54afc9a66fa7f3e5b8

SHA1
b1aca6ddeba01ff00460ccd7fe8498e2b07f8daa

SHA256
1e5abb18daae20255ecb11ec8fedf26cd388004811ea7bff57fef39ad38e42b9

SHA512
eae74327e2de2ebb15bf712f30fafbbd76e273241d08b7d4ad0cc6b5bffc0be5ac90c9d6031fa82fe6e706bde3f43883086ef31a4ce3e40e083c2e2995a19779

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr421986.exe

Filesize
350KB

MD5
a17611e842b97d54afc9a66fa7f3e5b8

SHA1
b1aca6ddeba01ff00460ccd7fe8498e2b07f8daa

SHA256
1e5abb18daae20255ecb11ec8fedf26cd388004811ea7bff57fef39ad38e42b9

SHA512
eae74327e2de2ebb15bf712f30fafbbd76e273241d08b7d4ad0cc6b5bffc0be5ac90c9d6031fa82fe6e706bde3f43883086ef31a4ce3e40e083c2e2995a19779

Download Submit
memory/1636-974-0x0000000002C90000-0x0000000002CCB000-memory.dmp

Filesize
236KB

Download
memory/2736-142-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/2848-966-0x0000000000810000-0x0000000000838000-memory.dmp

Filesize
160KB

Download
memory/2848-967-0x0000000007540000-0x0000000007550000-memory.dmp

Filesize
64KB

Download
memory/2848-968-0x00000000075D0000-0x000000000761B000-memory.dmp

Filesize
300KB

Download
memory/4988-182-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-202-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-156-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4988-158-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4988-159-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4988-160-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-155-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-162-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-164-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-168-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-166-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-170-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-172-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-174-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-176-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-178-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-180-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-152-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-184-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-186-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-188-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-190-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-192-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-194-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-196-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-198-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-200-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-154-0x0000000002CE0000-0x0000000002D26000-memory.dmp

Filesize
280KB

Download
memory/4988-204-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-206-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-208-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-210-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-212-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-214-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-216-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-218-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-947-0x0000000009C40000-0x000000000A246000-memory.dmp

Filesize
6.0MB

Download
memory/4988-948-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/4988-949-0x000000000A250000-0x000000000A35A000-memory.dmp

Filesize
1.0MB

Download
memory/4988-950-0x000000000A360000-0x000000000A39E000-memory.dmp

Filesize
248KB

Download
memory/4988-951-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4988-952-0x000000000A4D0000-0x000000000A51B000-memory.dmp

Filesize
300KB

Download
memory/4988-953-0x000000000A660000-0x000000000A6C6000-memory.dmp

Filesize
408KB

Download
memory/4988-954-0x000000000AE60000-0x000000000AEF2000-memory.dmp

Filesize
584KB

Download
memory/4988-955-0x000000000AF00000-0x000000000AF76000-memory.dmp

Filesize
472KB

Download
memory/4988-151-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4988-150-0x0000000007170000-0x00000000071AA000-memory.dmp

Filesize
232KB

Download
memory/4988-149-0x00000000072C0000-0x00000000077BE000-memory.dmp

Filesize
5.0MB

Download
memory/4988-148-0x0000000004860000-0x000000000489C000-memory.dmp

Filesize
240KB

Download
memory/4988-956-0x000000000AFC0000-0x000000000AFDE000-memory.dmp

Filesize
120KB

Download
memory/4988-957-0x000000000B190000-0x000000000B352000-memory.dmp

Filesize
1.8MB

Download
memory/4988-958-0x000000000B360000-0x000000000B88C000-memory.dmp

Filesize
5.2MB

Download
memory/4988-960-0x0000000004B50000-0x0000000004BA0000-memory.dmp

Filesize
320KB

Download