amadey | 3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600

Analysis

max time kernel
149s
max time network
97s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21/04/2023, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe
Size

955KB
MD5

53b099d5f57bfe4d89402bff3ff44c83
SHA1

ddb8014dba14f570ea0885206cdc58bad0979fac
SHA256

3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600
SHA512

57a9184996c45e4dc10829ba2a7fcf54348739707b57d698338273b832b9e3f1ef37fd8d30879b25e41d25e1304310864c13c207177e19b416c576b6b65e2f6e
SSDEEP

24576:HyBeMJtXwQoLpiP6ZRfAiTa/GhyCsFwSwqKMT:SBnJt9kpiP2fBkraSwqKM

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr918609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr918609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr918609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr918609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr918609.exe

Executes dropped EXE 6 IoCs

pid	Process
3276	un129178.exe
4168	un430158.exe
4140	pr918609.exe
2472	qu135318.exe
4228	rk245544.exe
3980	si802745.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr918609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr918609.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un129178.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un129178.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un430158.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un430158.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4380	3980	WerFault.exe	72
4076	3980	WerFault.exe	72
2096	3980	WerFault.exe	72
4600	3980	WerFault.exe	72
3136	3980	WerFault.exe	72
2224	3980	WerFault.exe	72
1488	3980	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4140	pr918609.exe
4140	pr918609.exe
2472	qu135318.exe
2472	qu135318.exe
4228	rk245544.exe
4228	rk245544.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	pr918609.exe
Token: SeDebugPrivilege	2472	qu135318.exe
Token: SeDebugPrivilege	4228	rk245544.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3276	3076	3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe	66
PID 3076 wrote to memory of 3276	3076	3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe	66
PID 3076 wrote to memory of 3276	3076	3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe	66
PID 3276 wrote to memory of 4168	3276	un129178.exe	67
PID 3276 wrote to memory of 4168	3276	un129178.exe	67
PID 3276 wrote to memory of 4168	3276	un129178.exe	67
PID 4168 wrote to memory of 4140	4168	un430158.exe	68
PID 4168 wrote to memory of 4140	4168	un430158.exe	68
PID 4168 wrote to memory of 4140	4168	un430158.exe	68
PID 4168 wrote to memory of 2472	4168	un430158.exe	69
PID 4168 wrote to memory of 2472	4168	un430158.exe	69
PID 4168 wrote to memory of 2472	4168	un430158.exe	69
PID 3276 wrote to memory of 4228	3276	un129178.exe	71
PID 3276 wrote to memory of 4228	3276	un129178.exe	71
PID 3276 wrote to memory of 4228	3276	un129178.exe	71
PID 3076 wrote to memory of 3980	3076	3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe	72
PID 3076 wrote to memory of 3980	3076	3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe	72
PID 3076 wrote to memory of 3980	3076	3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe	72

C:\Users\Admin\AppData\Local\Temp\3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe
"C:\Users\Admin\AppData\Local\Temp\3370c016268b11b5013a76a18f3de0d2af0954b7335097c358be3d9dd88cb600.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un129178.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un129178.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un430158.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un430158.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr918609.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr918609.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4140
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu135318.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu135318.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245544.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245544.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si802745.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si802745.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 624
    3⤵
    - Program crash
    PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 704
    3⤵
    - Program crash
    PID:4076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 844
    3⤵
    - Program crash
    PID:2096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 852
    3⤵
    - Program crash
    PID:4600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 880
    3⤵
    - Program crash
    PID:3136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 936
    3⤵
    - Program crash
    PID:2224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1088
    3⤵
    - Program crash
    PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si802745.exe

Filesize
270KB

MD5
1b6d982dd5ed7fd3e872f98c088ff6ac

SHA1
d27e677eab8b64cc4942d692002404cb2d27df7a

SHA256
aee279daba1a5eaa0651f35bbb99672f3651f467180fefe92911a5641cd51127

SHA512
c029a0a31ba907de0eb50926fa8159ed9f27259bed509bea236abbc16b9e4af8ff0d2fac6ccfc97b601916a5d10ee8e2b72c8d0b8437e133c31ea92423c99f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si802745.exe

Filesize
270KB

MD5
1b6d982dd5ed7fd3e872f98c088ff6ac

SHA1
d27e677eab8b64cc4942d692002404cb2d27df7a

SHA256
aee279daba1a5eaa0651f35bbb99672f3651f467180fefe92911a5641cd51127

SHA512
c029a0a31ba907de0eb50926fa8159ed9f27259bed509bea236abbc16b9e4af8ff0d2fac6ccfc97b601916a5d10ee8e2b72c8d0b8437e133c31ea92423c99f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un129178.exe

Filesize
693KB

MD5
f23b3279533f02b5fc09e62240d1b444

SHA1
1e3c3704a055e676b57a4b5be14c0094ae76e45d

SHA256
b248e1b8bcca15566a95e552b97f918e86cf0f5fce8befe8ee219fe57d24d55b

SHA512
d6bb155b440464120c6d54764a9c0f6c9c3291f588f4ec200f82540b164427760db79e596717af498375e794dc8767526e248b700d194c82e83b8c3164e9f73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un129178.exe

Filesize
693KB

MD5
f23b3279533f02b5fc09e62240d1b444

SHA1
1e3c3704a055e676b57a4b5be14c0094ae76e45d

SHA256
b248e1b8bcca15566a95e552b97f918e86cf0f5fce8befe8ee219fe57d24d55b

SHA512
d6bb155b440464120c6d54764a9c0f6c9c3291f588f4ec200f82540b164427760db79e596717af498375e794dc8767526e248b700d194c82e83b8c3164e9f73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245544.exe

Filesize
136KB

MD5
e48a471cb7bc4ff6a6b32ae6d192dbbb

SHA1
d38181853eccf41490641e35b9f2b13e1f6d1711

SHA256
ce0d0c494beb02432c1c208d73c07be71fefb4afd34e74a98f188417ca86d21c

SHA512
dffde20f58c233b543a9a5e5a4bbdf29767bfb80661541b36c52cd6d53debb6cb3a62d3f7aa76010d06c9b0d74e9b972231eae53cd539f648ec89a85bdc457f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245544.exe

Filesize
136KB

MD5
e48a471cb7bc4ff6a6b32ae6d192dbbb

SHA1
d38181853eccf41490641e35b9f2b13e1f6d1711

SHA256
ce0d0c494beb02432c1c208d73c07be71fefb4afd34e74a98f188417ca86d21c

SHA512
dffde20f58c233b543a9a5e5a4bbdf29767bfb80661541b36c52cd6d53debb6cb3a62d3f7aa76010d06c9b0d74e9b972231eae53cd539f648ec89a85bdc457f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un430158.exe

Filesize
539KB

MD5
66e3781a880a15ba187946777da2b376

SHA1
0f97d560b0a4ef628e91c757118c7b6811daa0cb

SHA256
aa746ef42698dfc9feb8d30917aad6fbaa0a87cda951660ccb561c7170214ebd

SHA512
d6b5fbce07446a916d90732403ba06c62422b1c438e854d51f8a109d029f7416b9b13ac1d67c95f41120ec14e32e070f1cadbb9a4606659e555b1ca54b9d275d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un430158.exe

Filesize
539KB

MD5
66e3781a880a15ba187946777da2b376

SHA1
0f97d560b0a4ef628e91c757118c7b6811daa0cb

SHA256
aa746ef42698dfc9feb8d30917aad6fbaa0a87cda951660ccb561c7170214ebd

SHA512
d6b5fbce07446a916d90732403ba06c62422b1c438e854d51f8a109d029f7416b9b13ac1d67c95f41120ec14e32e070f1cadbb9a4606659e555b1ca54b9d275d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr918609.exe

Filesize
278KB

MD5
423cba1845f45ce4a4c45daddeb74e81

SHA1
8c4ba3ea8c5e2fea5bc54417ef9e85abe94fc2fe

SHA256
33b2903f62b29ab5cbd8c053356b5c0097c6efb5a625304a85dd45066ee38bb9

SHA512
a22e70c87ca5785afe873075c5b4e0808e425330ad9c87181891d9886fd9c8f20e2fb85a161de86404692d0dc2cc609ad2ed5810bafe6bec1c3e651c92d85015

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr918609.exe

Filesize
278KB

MD5
423cba1845f45ce4a4c45daddeb74e81

SHA1
8c4ba3ea8c5e2fea5bc54417ef9e85abe94fc2fe

SHA256
33b2903f62b29ab5cbd8c053356b5c0097c6efb5a625304a85dd45066ee38bb9

SHA512
a22e70c87ca5785afe873075c5b4e0808e425330ad9c87181891d9886fd9c8f20e2fb85a161de86404692d0dc2cc609ad2ed5810bafe6bec1c3e651c92d85015

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu135318.exe

Filesize
350KB

MD5
1dedb5bf8b75ae7033f117086be085a9

SHA1
00177feeb96be41b51100738c233c344f63e6801

SHA256
2369cd8631c27597bffc67705869b5721e2774c2d5fc0754745b74b5d720c7b6

SHA512
cdd31bf21c50306aa7885ce3c3de21427d8539b0b2aa554a61c1e43e088d1c001cf0fff67e08355c7ef670ca98e99a8080c10c7b23a06f08de4e6725c59c9e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu135318.exe

Filesize
350KB

MD5
1dedb5bf8b75ae7033f117086be085a9

SHA1
00177feeb96be41b51100738c233c344f63e6801

SHA256
2369cd8631c27597bffc67705869b5721e2774c2d5fc0754745b74b5d720c7b6

SHA512
cdd31bf21c50306aa7885ce3c3de21427d8539b0b2aa554a61c1e43e088d1c001cf0fff67e08355c7ef670ca98e99a8080c10c7b23a06f08de4e6725c59c9e81

Download Submit
memory/2472-983-0x0000000009BF0000-0x0000000009C02000-memory.dmp

Filesize
72KB

Download
memory/2472-987-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2472-994-0x000000000B730000-0x000000000B74E000-memory.dmp

Filesize
120KB

Download
memory/2472-993-0x000000000B0E0000-0x000000000B60C000-memory.dmp

Filesize
5.2MB

Download
memory/2472-992-0x000000000AEF0000-0x000000000B0B2000-memory.dmp

Filesize
1.8MB

Download
memory/2472-991-0x000000000AE30000-0x000000000AEA6000-memory.dmp

Filesize
472KB

Download
memory/2472-990-0x000000000ADC0000-0x000000000AE10000-memory.dmp

Filesize
320KB

Download
memory/2472-989-0x000000000AD20000-0x000000000ADB2000-memory.dmp

Filesize
584KB

Download
memory/2472-988-0x000000000A050000-0x000000000A0B6000-memory.dmp

Filesize
408KB

Download
memory/2472-986-0x0000000009EC0000-0x0000000009F0B000-memory.dmp

Filesize
300KB

Download
memory/2472-985-0x0000000009D40000-0x0000000009D7E000-memory.dmp

Filesize
248KB

Download
memory/2472-984-0x0000000009C20000-0x0000000009D2A000-memory.dmp

Filesize
1.0MB

Download
memory/2472-982-0x000000000A1C0000-0x000000000A7C6000-memory.dmp

Filesize
6.0MB

Download
memory/2472-226-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2472-222-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-218-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-220-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-216-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-214-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-212-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-210-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-185-0x0000000004A00000-0x0000000004A3C000-memory.dmp

Filesize
240KB

Download
memory/2472-186-0x0000000002CD0000-0x0000000002D16000-memory.dmp

Filesize
280KB

Download
memory/2472-187-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2472-188-0x0000000004C00000-0x0000000004C3A000-memory.dmp

Filesize
232KB

Download
memory/2472-189-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-190-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-192-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-194-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-196-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-198-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-200-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-202-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-204-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-206-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/2472-208-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3980-1009-0x0000000002C80000-0x0000000002CBB000-memory.dmp

Filesize
236KB

Download
memory/4140-160-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-150-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-179-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4140-177-0x0000000000400000-0x0000000002BA0000-memory.dmp

Filesize
39.6MB

Download
memory/4140-162-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-174-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-172-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-170-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-147-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4140-168-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-166-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-164-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-180-0x0000000000400000-0x0000000002BA0000-memory.dmp

Filesize
39.6MB

Download
memory/4140-148-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4140-176-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-158-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-156-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-154-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-152-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-149-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4140-145-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4140-144-0x00000000048A0000-0x00000000048B8000-memory.dmp

Filesize
96KB

Download
memory/4140-142-0x0000000002DC0000-0x0000000002DDA000-memory.dmp

Filesize
104KB

Download
memory/4140-146-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4140-143-0x00000000072F0000-0x00000000077EE000-memory.dmp

Filesize
5.0MB

Download
memory/4228-1003-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4228-1001-0x00000000002A0000-0x00000000002C8000-memory.dmp

Filesize
160KB

Download
memory/4228-1002-0x0000000007020000-0x000000000706B000-memory.dmp

Filesize
300KB

Download