amadey | 5cd379d1024d7dae18b1dcb62a0290008c3c67e4c46f13c2c639d3a7aae51bee

Analysis

max time kernel
109s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2023 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
Size

531KB
MD5

a544d2c23c55904dbf0f0190f42eaac6
SHA1

e9d920e5400b36562dfe81b900b99d35b70576b9
SHA256

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a
SHA512

21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5
SSDEEP

12288:fz9JHhp3l7Nt0P78PyCp3qkxD+XYaVikoSG6s7XuwMefn:fzXtNeP7v6XZMYackkX/

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.12

http://brodoyouevenlift.co.za

Attributes

install_dir
ce3eb8f6b2
install_file
Utsysc.exe
strings_key
c5b804d7b4c8a99f5afb89e5203cf3ba
url_paths
/g9sdjScV2/index.php

/vdhe8ejs3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Utsysc.exe138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe

Executes dropped EXE 6 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exe

pid process

4856 Utsysc.exe
1764 Utsysc.exe
5100 Utsysc.exe
2436 Utsysc.exe
4328 Utsysc.exe
2336 Utsysc.exe

pid	process
4856	Utsysc.exe
1764	Utsysc.exe
5100	Utsysc.exe
2436	Utsysc.exe
4328	Utsysc.exe
2336	Utsysc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exeUtsysc.exeUtsysc.exeUtsysc.exe

description	pid	process	target process
PID 1256 set thread context of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 4856 set thread context of 1764	4856	Utsysc.exe	Utsysc.exe
PID 5100 set thread context of 2436	5100	Utsysc.exe	Utsysc.exe
PID 4328 set thread context of 2336	4328	Utsysc.exe	Utsysc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5016 schtasks.exe

pid	process
5016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe

pid	process
1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exeUtsysc.exeUtsysc.exeUtsysc.exe

description	pid	process
Token: SeDebugPrivilege	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
Token: SeDebugPrivilege	4856	Utsysc.exe
Token: SeDebugPrivilege	5100	Utsysc.exe
Token: SeDebugPrivilege	4328	Utsysc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe

pid process

4564 138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe

pid	process
4564	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exe

description	pid	process	target process
PID 1256 wrote to memory of 4556	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4556	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4556	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1256 wrote to memory of 4564	1256	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 4564 wrote to memory of 4856	4564	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	Utsysc.exe
PID 4564 wrote to memory of 4856	4564	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	Utsysc.exe
PID 4564 wrote to memory of 4856	4564	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	Utsysc.exe
PID 4856 wrote to memory of 1764	4856	Utsysc.exe	Utsysc.exe
PID 4856 wrote to memory of 1764	4856	Utsysc.exe	Utsysc.exe
PID 4856 wrote to memory of 1764	4856	Utsysc.exe	Utsysc.exe
PID 4856 wrote to memory of 1764	4856	Utsysc.exe	Utsysc.exe
PID 4856 wrote to memory of 1764	4856	Utsysc.exe	Utsysc.exe
PID 4856 wrote to memory of 1764	4856	Utsysc.exe	Utsysc.exe
PID 4856 wrote to memory of 1764	4856	Utsysc.exe	Utsysc.exe
PID 4856 wrote to memory of 1764	4856	Utsysc.exe	Utsysc.exe
PID 4856 wrote to memory of 1764	4856	Utsysc.exe	Utsysc.exe
PID 4856 wrote to memory of 1764	4856	Utsysc.exe	Utsysc.exe
PID 1764 wrote to memory of 5016	1764	Utsysc.exe	schtasks.exe
PID 1764 wrote to memory of 5016	1764	Utsysc.exe	schtasks.exe
PID 1764 wrote to memory of 5016	1764	Utsysc.exe	schtasks.exe
PID 5100 wrote to memory of 2436	5100	Utsysc.exe	Utsysc.exe
PID 5100 wrote to memory of 2436	5100	Utsysc.exe	Utsysc.exe
PID 5100 wrote to memory of 2436	5100	Utsysc.exe	Utsysc.exe
PID 5100 wrote to memory of 2436	5100	Utsysc.exe	Utsysc.exe
PID 5100 wrote to memory of 2436	5100	Utsysc.exe	Utsysc.exe
PID 5100 wrote to memory of 2436	5100	Utsysc.exe	Utsysc.exe
PID 5100 wrote to memory of 2436	5100	Utsysc.exe	Utsysc.exe
PID 5100 wrote to memory of 2436	5100	Utsysc.exe	Utsysc.exe
PID 5100 wrote to memory of 2436	5100	Utsysc.exe	Utsysc.exe
PID 5100 wrote to memory of 2436	5100	Utsysc.exe	Utsysc.exe
PID 4328 wrote to memory of 2336	4328	Utsysc.exe	Utsysc.exe
PID 4328 wrote to memory of 2336	4328	Utsysc.exe	Utsysc.exe
PID 4328 wrote to memory of 2336	4328	Utsysc.exe	Utsysc.exe
PID 4328 wrote to memory of 2336	4328	Utsysc.exe	Utsysc.exe
PID 4328 wrote to memory of 2336	4328	Utsysc.exe	Utsysc.exe
PID 4328 wrote to memory of 2336	4328	Utsysc.exe	Utsysc.exe
PID 4328 wrote to memory of 2336	4328	Utsysc.exe	Utsysc.exe
PID 4328 wrote to memory of 2336	4328	Utsysc.exe	Utsysc.exe
PID 4328 wrote to memory of 2336	4328	Utsysc.exe	Utsysc.exe
PID 4328 wrote to memory of 2336	4328	Utsysc.exe	Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
"C:\Users\Admin\AppData\Local\Temp\138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
C:\Users\Admin\AppData\Local\Temp\138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
2⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
C:\Users\Admin\AppData\Local\Temp\138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe" /F
5⤵
- Creates scheduled task(s)
PID:5016

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Utsysc.exe.log

Filesize
1KB

MD5
f7047b64aa01f9d80c7a5e177ce2485c

SHA1
bab6005f4a30f12ee36b9abf6bfdfaa5411bbff8

SHA256
807356d2424d2d04f51ebd56f926d4d5a8318bc947c76569a3b5ca2c2f279915

SHA512
a9af5ace72eb66a6156a5d8764031cdc46feefffabb6898651f91a5af7f3bcef645e63e8d01ed35f1105e824d6830f6fa97e70adda2d5b148ffaff5f54ca248f

Download Submit
C:\Users\Admin\AppData\Local\Temp\231940048779

Filesize
83KB

MD5
9c07e0be811eb34bb22c54e70e59149b

SHA1
8a1508fd810c103b945209acbfd764f56ebb97e6

SHA256
1f87e3b5aa09c25019e65dc5d3e95058c0cbf721a4535fca5624a21166c9dd65

SHA512
5415c45c49cf3606aca83d53b5fde5ffb6063da7c359de43adbb380f955c49eb2ac8718715d19c2b22965b72fe021dd3933accee53c0cdd5b0282c3e3b3cbf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
memory/1256-17-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1256-3-0x0000000005050000-0x00000000050C8000-memory.dmp

Filesize
480KB

Download
memory/1256-1-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1256-10-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/1256-2-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/1256-11-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/1256-9-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/1256-8-0x0000000005410000-0x000000000545C000-memory.dmp

Filesize
304KB

Download
memory/1256-7-0x0000000005380000-0x00000000053E0000-memory.dmp

Filesize
384KB

Download
memory/1256-6-0x0000000005100000-0x0000000005160000-memory.dmp

Filesize
384KB

Download
memory/1256-5-0x00000000051F0000-0x000000000526A000-memory.dmp

Filesize
488KB

Download
memory/1256-4-0x0000000005170000-0x00000000051E8000-memory.dmp

Filesize
480KB

Download
memory/1256-0-0x00000000007B0000-0x000000000083C000-memory.dmp

Filesize
560KB

Download
memory/1764-68-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1764-38-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1764-37-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1764-40-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1764-41-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1764-57-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2336-74-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2336-75-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2336-77-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2436-64-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2436-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2436-65-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4328-76-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/4328-71-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4328-70-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/4564-31-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4564-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4564-15-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4564-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4564-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4856-32-0x0000000073380000-0x0000000073B30000-memory.dmp

Filesize
7.7MB

Download
memory/4856-33-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4856-39-0x0000000073380000-0x0000000073B30000-memory.dmp

Filesize
7.7MB

Download
memory/5100-67-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/5100-60-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/5100-61-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download