amadey | 138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

Analysis

max time kernel
117s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2023 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Secur.exe
Size

531KB
MD5

a544d2c23c55904dbf0f0190f42eaac6
SHA1

e9d920e5400b36562dfe81b900b99d35b70576b9
SHA256

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a
SHA512

21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5
SSDEEP

12288:fz9JHhp3l7Nt0P78PyCp3qkxD+XYaVikoSG6s7XuwMefn:fzXtNeP7v6XZMYackkX/

Score

10^/10

amadey discovery spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.12

http://brodoyouevenlift.co.za

Attributes

install_dir
ce3eb8f6b2
install_file
Utsysc.exe
strings_key
c5b804d7b4c8a99f5afb89e5203cf3ba
url_paths
/g9sdjScV2/index.php

/vdhe8ejs3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Secur.exeUtsysc.exeOpesi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	Secur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	Opesi.exe

Executes dropped EXE 7 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeOpesi.exeOpesi.exe

pid process

4460 Utsysc.exe
5036 Utsysc.exe
2764 Utsysc.exe
3612 Utsysc.exe
1856 Utsysc.exe
3720 Opesi.exe
5072 Opesi.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4460	Utsysc.exe
5036	Utsysc.exe
2764	Utsysc.exe
3612	Utsysc.exe
1856	Utsysc.exe
3720	Opesi.exe
5072	Opesi.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Secur.exeUtsysc.exeUtsysc.exeOpesi.exe

description	pid	process	target process
PID 2816 set thread context of 4536	2816	Secur.exe	Secur.exe
PID 4460 set thread context of 5036	4460	Utsysc.exe	Utsysc.exe
PID 2764 set thread context of 1856	2764	Utsysc.exe	Utsysc.exe
PID 3720 set thread context of 5072	3720	Opesi.exe	Opesi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Opesi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Opesi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Opesi.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2768 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1276 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Utsysc.exeOpesi.exe

pid process

2764 Utsysc.exe
2764 Utsysc.exe
5072 Opesi.exe
5072 Opesi.exe

pid	process
2768	schtasks.exe

pid	process
1276	timeout.exe

pid	process
2764	Utsysc.exe
2764	Utsysc.exe
5072	Opesi.exe
5072	Opesi.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Secur.exeUtsysc.exeUtsysc.exeOpesi.exe

description	pid	process
Token: SeDebugPrivilege	2816	Secur.exe
Token: SeDebugPrivilege	4460	Utsysc.exe
Token: SeDebugPrivilege	2764	Utsysc.exe
Token: SeDebugPrivilege	3720	Opesi.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Secur.exe

pid process

4536 Secur.exe

pid	process
4536	Secur.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

Secur.exeSecur.exeUtsysc.exeUtsysc.exeUtsysc.exeOpesi.exeOpesi.execmd.exe

description	pid	process	target process
PID 2816 wrote to memory of 4536	2816	Secur.exe	Secur.exe
PID 2816 wrote to memory of 4536	2816	Secur.exe	Secur.exe
PID 2816 wrote to memory of 4536	2816	Secur.exe	Secur.exe
PID 2816 wrote to memory of 4536	2816	Secur.exe	Secur.exe
PID 2816 wrote to memory of 4536	2816	Secur.exe	Secur.exe
PID 2816 wrote to memory of 4536	2816	Secur.exe	Secur.exe
PID 2816 wrote to memory of 4536	2816	Secur.exe	Secur.exe
PID 2816 wrote to memory of 4536	2816	Secur.exe	Secur.exe
PID 2816 wrote to memory of 4536	2816	Secur.exe	Secur.exe
PID 2816 wrote to memory of 4536	2816	Secur.exe	Secur.exe
PID 4536 wrote to memory of 4460	4536	Secur.exe	Utsysc.exe
PID 4536 wrote to memory of 4460	4536	Secur.exe	Utsysc.exe
PID 4536 wrote to memory of 4460	4536	Secur.exe	Utsysc.exe
PID 4460 wrote to memory of 5036	4460	Utsysc.exe	Utsysc.exe
PID 4460 wrote to memory of 5036	4460	Utsysc.exe	Utsysc.exe
PID 4460 wrote to memory of 5036	4460	Utsysc.exe	Utsysc.exe
PID 4460 wrote to memory of 5036	4460	Utsysc.exe	Utsysc.exe
PID 4460 wrote to memory of 5036	4460	Utsysc.exe	Utsysc.exe
PID 4460 wrote to memory of 5036	4460	Utsysc.exe	Utsysc.exe
PID 4460 wrote to memory of 5036	4460	Utsysc.exe	Utsysc.exe
PID 4460 wrote to memory of 5036	4460	Utsysc.exe	Utsysc.exe
PID 4460 wrote to memory of 5036	4460	Utsysc.exe	Utsysc.exe
PID 4460 wrote to memory of 5036	4460	Utsysc.exe	Utsysc.exe
PID 5036 wrote to memory of 2768	5036	Utsysc.exe	schtasks.exe
PID 5036 wrote to memory of 2768	5036	Utsysc.exe	schtasks.exe
PID 5036 wrote to memory of 2768	5036	Utsysc.exe	schtasks.exe
PID 2764 wrote to memory of 3612	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 3612	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 3612	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 1856	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 1856	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 1856	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 1856	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 1856	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 1856	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 1856	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 1856	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 1856	2764	Utsysc.exe	Utsysc.exe
PID 2764 wrote to memory of 1856	2764	Utsysc.exe	Utsysc.exe
PID 5036 wrote to memory of 3720	5036	Utsysc.exe	Opesi.exe
PID 5036 wrote to memory of 3720	5036	Utsysc.exe	Opesi.exe
PID 5036 wrote to memory of 3720	5036	Utsysc.exe	Opesi.exe
PID 3720 wrote to memory of 5072	3720	Opesi.exe	Opesi.exe
PID 3720 wrote to memory of 5072	3720	Opesi.exe	Opesi.exe
PID 3720 wrote to memory of 5072	3720	Opesi.exe	Opesi.exe
PID 3720 wrote to memory of 5072	3720	Opesi.exe	Opesi.exe
PID 3720 wrote to memory of 5072	3720	Opesi.exe	Opesi.exe
PID 3720 wrote to memory of 5072	3720	Opesi.exe	Opesi.exe
PID 3720 wrote to memory of 5072	3720	Opesi.exe	Opesi.exe
PID 3720 wrote to memory of 5072	3720	Opesi.exe	Opesi.exe
PID 3720 wrote to memory of 5072	3720	Opesi.exe	Opesi.exe
PID 5072 wrote to memory of 2596	5072	Opesi.exe	cmd.exe
PID 5072 wrote to memory of 2596	5072	Opesi.exe	cmd.exe
PID 5072 wrote to memory of 2596	5072	Opesi.exe	cmd.exe
PID 2596 wrote to memory of 1276	2596	cmd.exe	timeout.exe
PID 2596 wrote to memory of 1276	2596	cmd.exe	timeout.exe
PID 2596 wrote to memory of 1276	2596	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Secur.exe
"C:\Users\Admin\AppData\Local\Temp\Secur.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\Secur.exe
C:\Users\Admin\AppData\Local\Temp\Secur.exe
2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe" /F
5⤵
- Creates scheduled task(s)
PID:2768

C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe" & del "C:\ProgramData\*.dll"" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
8⤵
- Delays execution with timeout.exe
PID:1276

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:3612

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Utsysc.exe.log

Filesize
1KB

MD5
f7047b64aa01f9d80c7a5e177ce2485c

SHA1
bab6005f4a30f12ee36b9abf6bfdfaa5411bbff8

SHA256
807356d2424d2d04f51ebd56f926d4d5a8318bc947c76569a3b5ca2c2f279915

SHA512
a9af5ace72eb66a6156a5d8764031cdc46feefffabb6898651f91a5af7f3bcef645e63e8d01ed35f1105e824d6830f6fa97e70adda2d5b148ffaff5f54ca248f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe

Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe

Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe

Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe

Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\873812795143

Filesize
85KB

MD5
76a675eeb963ca3c7d706fafa503a409

SHA1
8429e9eab2daf18150d68ed074feb9f895a1bcf4

SHA256
616a6b6a9aea5002098219d33a4df124462ac7cd75c0151c1a272fddb414ab51

SHA512
08c7e2c56255c44ad7d6b8356469712e5bc0c5ffa4369eb6bdd4dd5a87f2715ffab4e7996b73769687ffa5af89ec3779c3be46855d37086ce39d2fff94f87c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
memory/1856-57-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1856-60-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1856-58-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2764-59-0x0000000073370000-0x0000000073B20000-memory.dmp

Filesize
7.7MB

Download
memory/2764-53-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2764-51-0x0000000073370000-0x0000000073B20000-memory.dmp

Filesize
7.7MB

Download
memory/2816-7-0x0000000005470000-0x00000000054D0000-memory.dmp

Filesize
384KB

Download
memory/2816-10-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/2816-9-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/2816-8-0x00000000054D0000-0x000000000551C000-memory.dmp

Filesize
304KB

Download
memory/2816-17-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/2816-6-0x0000000005310000-0x0000000005370000-memory.dmp

Filesize
384KB

Download
memory/2816-5-0x0000000005290000-0x000000000530A000-memory.dmp

Filesize
488KB

Download
memory/2816-4-0x0000000005210000-0x0000000005288000-memory.dmp

Filesize
480KB

Download
memory/2816-3-0x0000000005110000-0x0000000005188000-memory.dmp

Filesize
480KB

Download
memory/2816-2-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2816-11-0x0000000005C90000-0x0000000006234000-memory.dmp

Filesize
5.6MB

Download
memory/2816-0-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/2816-1-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/3720-87-0x0000000005430000-0x0000000005484000-memory.dmp

Filesize
336KB

Download
memory/3720-88-0x00000000732D0000-0x0000000073A80000-memory.dmp

Filesize
7.7MB

Download
memory/3720-98-0x00000000732D0000-0x0000000073A80000-memory.dmp

Filesize
7.7MB

Download
memory/3720-93-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/3720-92-0x0000000005520000-0x000000000555C000-memory.dmp

Filesize
240KB

Download
memory/3720-89-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/3720-90-0x0000000005480000-0x00000000054D4000-memory.dmp

Filesize
336KB

Download
memory/3720-91-0x00000000054D0000-0x0000000005524000-memory.dmp

Filesize
336KB

Download
memory/3720-86-0x0000000000B70000-0x0000000000BD6000-memory.dmp

Filesize
408KB

Download
memory/4460-39-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4460-33-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4460-32-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4536-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4536-31-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4536-15-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4536-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4536-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5036-40-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5036-41-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5036-38-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5036-37-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5036-84-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5036-74-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5036-49-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5072-94-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/5072-99-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/5072-100-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/5072-105-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/5072-106-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/5072-108-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5072-126-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download