amadey | decbcf05edc76dd31fbf2e2eefb16305e4086c0b0d8df47e5d4631433e9387f5

Analysis

max time kernel
151s
max time network
171s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Size

4.4MB
MD5

81ed47a991b51ac416d56e87a29a9e1e
SHA1

0532b1052beed07bb9243e819b4dd5c3343120eb
SHA256

ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29
SHA512

1ee538bf29b583d591539f6352c1dfa3cd8b5d445384af73f8745e0dc98fc15cd0e886e9d4c3b9c6cb09f554bff77bc7ef58596f84c851303e619902eb4aea62
SSDEEP

98304:Weekh63DHMYli6N3ZngCekllw5HON7IZGwTT5MCMBwxQf+0b:Weu3DHJ9RplwxOqEA5MdWxQd

Score

10^/10

amadey evasion spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.13

http://185.172.128.5

Attributes

install_dir
4fdb51ccdc
install_file
Utsysc.exe
strings_key
11bb398ff31ee80d2c37571aecd1d36d
url_paths
/v8sjh3hs8/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Utsysc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Utsysc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Utsysc.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	3032	rundll32.exe
9	600	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Utsysc.exe

Executes dropped EXE 3 IoCs

pid	Process
2696	Utsysc.exe
2184	Utsysc.exe
1212	Utsysc.exe

Loads dropped DLL 13 IoCs

pid	Process
1612	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
3032	rundll32.exe
3032	rundll32.exe
3032	rundll32.exe
3032	rundll32.exe
600	rundll32.exe
600	rundll32.exe
600	rundll32.exe
600	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utsysc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utsysc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1612	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
2696	Utsysc.exe
2184	Utsysc.exe
1212	Utsysc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1612	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
2696	Utsysc.exe
3032	rundll32.exe
3032	rundll32.exe
3032	rundll32.exe
3032	rundll32.exe
2164	powershell.exe
2184	Utsysc.exe
1212	Utsysc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1612	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2696	1612	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe	28
PID 1612 wrote to memory of 2696	1612	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe	28
PID 1612 wrote to memory of 2696	1612	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe	28
PID 1612 wrote to memory of 2696	1612	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe	28
PID 2696 wrote to memory of 2780	2696	Utsysc.exe	31
PID 2696 wrote to memory of 2780	2696	Utsysc.exe	31
PID 2696 wrote to memory of 2780	2696	Utsysc.exe	31
PID 2696 wrote to memory of 2780	2696	Utsysc.exe	31
PID 2696 wrote to memory of 2004	2696	Utsysc.exe	35
PID 2696 wrote to memory of 2004	2696	Utsysc.exe	35
PID 2696 wrote to memory of 2004	2696	Utsysc.exe	35
PID 2696 wrote to memory of 2004	2696	Utsysc.exe	35
PID 2696 wrote to memory of 2004	2696	Utsysc.exe	35
PID 2696 wrote to memory of 2004	2696	Utsysc.exe	35
PID 2696 wrote to memory of 2004	2696	Utsysc.exe	35
PID 2004 wrote to memory of 3032	2004	rundll32.exe	36
PID 2004 wrote to memory of 3032	2004	rundll32.exe	36
PID 2004 wrote to memory of 3032	2004	rundll32.exe	36
PID 2004 wrote to memory of 3032	2004	rundll32.exe	36
PID 3032 wrote to memory of 376	3032	rundll32.exe	37
PID 3032 wrote to memory of 376	3032	rundll32.exe	37
PID 3032 wrote to memory of 376	3032	rundll32.exe	37
PID 3032 wrote to memory of 2164	3032	rundll32.exe	40
PID 3032 wrote to memory of 2164	3032	rundll32.exe	40
PID 3032 wrote to memory of 2164	3032	rundll32.exe	40
PID 2696 wrote to memory of 600	2696	Utsysc.exe	42
PID 2696 wrote to memory of 600	2696	Utsysc.exe	42
PID 2696 wrote to memory of 600	2696	Utsysc.exe	42
PID 2696 wrote to memory of 600	2696	Utsysc.exe	42
PID 2696 wrote to memory of 600	2696	Utsysc.exe	42
PID 2696 wrote to memory of 600	2696	Utsysc.exe	42
PID 2696 wrote to memory of 600	2696	Utsysc.exe	42
PID 1544 wrote to memory of 2184	1544	taskeng.exe	45
PID 1544 wrote to memory of 2184	1544	taskeng.exe	45
PID 1544 wrote to memory of 2184	1544	taskeng.exe	45
PID 1544 wrote to memory of 2184	1544	taskeng.exe	45
PID 1544 wrote to memory of 1212	1544	taskeng.exe	46
PID 1544 wrote to memory of 1212	1544	taskeng.exe	46
PID 1544 wrote to memory of 1212	1544	taskeng.exe	46
PID 1544 wrote to memory of 1212	1544	taskeng.exe	46

C:\Users\Admin\AppData\Local\Temp\ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
"C:\Users\Admin\AppData\Local\Temp\ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2780
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\603059206200_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:600

C:\Windows\system32\taskeng.exe
taskeng.exe {8A608C7B-EF91-474B-8DC7-9D981B8D170F} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
3.8MB

MD5
92a41739beaf84060b62d6a2649b3111

SHA1
f1afaeb927ce1b6796eb150d7cc81e17cd5ee343

SHA256
cdc33f6d9d89698baabc6dd253ed695a3d111f2cf564d4c95c466161d31433ba

SHA512
f0653fd4706a051ed7517241aed008d89f2bb4393229850a8d14fddc1a97c5dfa7b5c53cfa4dff155a39e9979bf55d80fcbf212dc5bb44edc249a64ca74cf49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
4.4MB

MD5
81ed47a991b51ac416d56e87a29a9e1e

SHA1
0532b1052beed07bb9243e819b4dd5c3343120eb

SHA256
ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29

SHA512
1ee538bf29b583d591539f6352c1dfa3cd8b5d445384af73f8745e0dc98fc15cd0e886e9d4c3b9c6cb09f554bff77bc7ef58596f84c851303e619902eb4aea62

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
136KB

MD5
2069e59a7ea4bf937d6907c991da653a

SHA1
077e6a0d24cdd6beeef19b54d7472d74c09df59d

SHA256
4f41b869588ffef2d35a9ea78ca7cbc6df731a5434ce7e9f5e706ddd72e992f9

SHA512
5af208aa66efd6814109420afdb40145e927ae8fa909649059f25d90fb3457fdaf4659d8b9b2a187bdb5d6af310af2ec089809cd1f5625d7768e38636cee1b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\603059206200

Filesize
65KB

MD5
536bb0fe2a6bd1bb048c3ae8dee8b08b

SHA1
f6a919f756735e83e3a1eac4c64c4b7b31d393b1

SHA256
fcd72d25ed815a68b88370d72e1f4f2c5c73fc19451656ad14bd06f10c280a0c

SHA512
b7723e270cf4b3f161119a9d2b3118c365a57be49e3cf05082caae18b1e120aea8feb8d9fa489cea13ca238b5fb59b6c37e763dbd376ddb0c9314f292d70357e

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
102KB

MD5
c06513af505f65393b4ebcd2a11a2ee4

SHA1
6e9e8a6b93fc9afbcc781790881d821b0bfb0821

SHA256
f5d35a2366cf13312a30c9384f1ac30d9dc9ced46fa6b1b9c2d0621493cc2495

SHA512
b90b8dc0571b2dde83c5ceaa4f12f203973bc2049663c0a840fa20a900bc7018f1f392f10273a607e816ccaf8a2b4f70bbc30b354437a2c9aecf5626b7c0a5ce

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.2MB

MD5
38d922b1364ecc07f1a933b7acb20de4

SHA1
82a3d4f9cf3502da8710c07f9b7b447b79519216

SHA256
48c4c53425a0ee02d48f3eab2b4da3b6ed24d6d5bc45dea783e43e32b9752931

SHA512
cb1ca40afc5ad7828c9ef79c8029e76ec351bbbf6697ab1ec6dd9fe7aa5273028cf9d711a9babb4444ab44266751affbb3de4f4c9572dea102b1a04e95f0d315

Download Submit
memory/1212-223-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1612-55-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-44-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-14-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-16-0x00000000773C0000-0x0000000077407000-memory.dmp

Filesize
284KB

Download
memory/1612-17-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-18-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1612-20-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1612-22-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-23-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1612-25-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-24-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-26-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-27-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-28-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-29-0x00000000778C0000-0x00000000778C2000-memory.dmp

Filesize
8KB

Download
memory/1612-21-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-19-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-15-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-30-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1612-39-0x00000000046B0000-0x000000000528E000-memory.dmp

Filesize
11.9MB

Download
memory/1612-41-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-42-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-40-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1612-43-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-45-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-5-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1612-46-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-47-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-48-0x00000000773C0000-0x0000000077407000-memory.dmp

Filesize
284KB

Download
memory/1612-49-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-50-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-52-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-53-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-57-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-59-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-58-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-56-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-13-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-2-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1612-1-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1612-12-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/1612-0-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2164-134-0x0000000002020000-0x0000000002028000-memory.dmp

Filesize
32KB

Download
memory/2164-133-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2164-135-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

Filesize
9.6MB

Download
memory/2184-196-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2184-195-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2184-194-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2184-193-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2184-165-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2696-70-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-77-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2696-79-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-81-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-82-0x00000000773C0000-0x0000000077407000-memory.dmp

Filesize
284KB

Download
memory/2696-84-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-85-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-86-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-83-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-80-0x00000000773C0000-0x0000000077407000-memory.dmp

Filesize
284KB

Download
memory/2696-88-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2696-93-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2696-95-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-94-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-98-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-100-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-101-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-69-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-99-0x00000000773C0000-0x0000000077407000-memory.dmp

Filesize
284KB

Download
memory/2696-97-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-78-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-76-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-96-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-128-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2696-157-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2696-74-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2696-75-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-71-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/2696-73-0x00000000773C0000-0x0000000077407000-memory.dmp

Filesize
284KB

Download
memory/2696-72-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-68-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-102-0x0000000075E30000-0x0000000075F40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-61-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download