amadey | 22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
Size

217KB
MD5

34d6101588b61ba8e9b4d0c536ecd77c
SHA1

91e70f4960d0fcd1c6af828dfaedc3f705ebc773
SHA256

22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21
SHA512

79dd27db42e58f79353b4f3396d8f5b7a286b99a9b5223671bf4fe5c653a9d9bbbe792f1307d0c1002c1e44e7dfdb218d0ccab06f5e3df7cafb042572546c2c7
SSDEEP

3072:iH2KZ8t0X6rJrqodM+dxv1G086+6jP00ztLR5HVFUjWjJkp:iHfZ8S+RHHv1GT+P0eVR5HYjWjm

Score

10^/10

amadey smokeloader pub3 backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

amadey

Version

4.14

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

1384
Executes dropped EXE 4 IoCs

Processes:

12A6.exeUtsysc.exeUtsysc.exeUtsysc.exe

pid process

2920 12A6.exe
2516 Utsysc.exe
1524 Utsysc.exe
2064 Utsysc.exe

pid	process
1384

Loads dropped DLL 44 IoCs

Processes:

12A6.exerundll32.exerundll32.exeWerFault.exerundll32.exerundll32.exeWerFault.exerundll32.exerundll32.exeWerFault.exerundll32.exerundll32.exerundll32.exe

pid	process
2920	12A6.exe
2920	12A6.exe
2932	rundll32.exe
2932	rundll32.exe
2932	rundll32.exe
2932	rundll32.exe
2224	rundll32.exe
2224	rundll32.exe
2224	rundll32.exe
2224	rundll32.exe
2100	WerFault.exe
2100	WerFault.exe
3068	rundll32.exe
3068	rundll32.exe
3068	rundll32.exe
3068	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe
1448	WerFault.exe
1448	WerFault.exe
1108	rundll32.exe
1108	rundll32.exe
1108	rundll32.exe
1108	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
2524	WerFault.exe
2524	WerFault.exe
932	rundll32.exe
932	rundll32.exe
932	rundll32.exe
932	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1392 schtasks.exe

pid	process
1392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe

pid	process
2436	22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
2436	22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe

pid process

2436 22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1384
Token: SeShutdownPrivilege 1384
Token: SeShutdownPrivilege 1384
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

12A6.exe

pid process

2920 12A6.exe

description	pid	process
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

12A6.exeUtsysc.exetaskeng.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1384 wrote to memory of 2920	1384		12A6.exe
PID 1384 wrote to memory of 2920	1384		12A6.exe
PID 1384 wrote to memory of 2920	1384		12A6.exe
PID 1384 wrote to memory of 2920	1384		12A6.exe
PID 2920 wrote to memory of 2516	2920	12A6.exe	Utsysc.exe
PID 2920 wrote to memory of 2516	2920	12A6.exe	Utsysc.exe
PID 2920 wrote to memory of 2516	2920	12A6.exe	Utsysc.exe
PID 2920 wrote to memory of 2516	2920	12A6.exe	Utsysc.exe
PID 2516 wrote to memory of 1392	2516	Utsysc.exe	schtasks.exe
PID 2516 wrote to memory of 1392	2516	Utsysc.exe	schtasks.exe
PID 2516 wrote to memory of 1392	2516	Utsysc.exe	schtasks.exe
PID 2516 wrote to memory of 1392	2516	Utsysc.exe	schtasks.exe
PID 1912 wrote to memory of 1524	1912	taskeng.exe	Utsysc.exe
PID 1912 wrote to memory of 1524	1912	taskeng.exe	Utsysc.exe
PID 1912 wrote to memory of 1524	1912	taskeng.exe	Utsysc.exe
PID 1912 wrote to memory of 1524	1912	taskeng.exe	Utsysc.exe
PID 2516 wrote to memory of 2932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 2932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 2932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 2932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 2932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 2932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 2932	2516	Utsysc.exe	rundll32.exe
PID 2932 wrote to memory of 2224	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 2224	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 2224	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 2224	2932	rundll32.exe	rundll32.exe
PID 2224 wrote to memory of 2100	2224	rundll32.exe	WerFault.exe
PID 2224 wrote to memory of 2100	2224	rundll32.exe	WerFault.exe
PID 2224 wrote to memory of 2100	2224	rundll32.exe	WerFault.exe
PID 2516 wrote to memory of 3068	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 3068	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 3068	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 3068	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 3068	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 3068	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 3068	2516	Utsysc.exe	rundll32.exe
PID 3068 wrote to memory of 2368	3068	rundll32.exe	rundll32.exe
PID 3068 wrote to memory of 2368	3068	rundll32.exe	rundll32.exe
PID 3068 wrote to memory of 2368	3068	rundll32.exe	rundll32.exe
PID 3068 wrote to memory of 2368	3068	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 1448	2368	rundll32.exe	WerFault.exe
PID 2368 wrote to memory of 1448	2368	rundll32.exe	WerFault.exe
PID 2368 wrote to memory of 1448	2368	rundll32.exe	WerFault.exe
PID 2516 wrote to memory of 1108	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 1108	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 1108	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 1108	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 1108	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 1108	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 1108	2516	Utsysc.exe	rundll32.exe
PID 1108 wrote to memory of 1776	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1776	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1776	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1776	1108	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 2524	1776	rundll32.exe	WerFault.exe
PID 1776 wrote to memory of 2524	1776	rundll32.exe	WerFault.exe
PID 1776 wrote to memory of 2524	1776	rundll32.exe	WerFault.exe
PID 2516 wrote to memory of 932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 932	2516	Utsysc.exe	rundll32.exe
PID 2516 wrote to memory of 932	2516	Utsysc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
"C:\Users\Admin\AppData\Local\Temp\22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2436

C:\Users\Admin\AppData\Local\Temp\12A6.exe
C:\Users\Admin\AppData\Local\Temp\12A6.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:1392

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2224 -s 312
5⤵
- Loads dropped DLL
PID:2100

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2368 -s 312
5⤵
- Loads dropped DLL
PID:1448

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1776 -s 312
5⤵
- Loads dropped DLL
PID:2524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:932

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:684

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:2304

C:\Windows\system32\taskeng.exe
taskeng.exe {B99603D9-DA70-4C6B-B2FC-A8967C13E0A8} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1524

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
2⤵
- Executes dropped EXE
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12A6.exe

Filesize
395KB

MD5
1e42a52c9909dd21636bba1b0f00f8e8

SHA1
93f8c29dd3b615a97ef35b5bb3d5523bfe21d613

SHA256
0747f384a5cf12ae118c194c48a59dc7dcbb23c75b9d7d43b1cb03be8c711719

SHA512
400451711cf3ce5f756f63008a4461271f86faeeaa0dcfbc24caacb98f5aef7c61d897038f38f58b770d95ffc420da2fb686b8934eb573c13ce11910c6f7cf40

Download Submit
C:\Users\Admin\AppData\Local\Temp\427588347149

Filesize
66KB

MD5
3a2b89978a59b63e3bad5bff1e54ec5e

SHA1
a7654dbf25c6da379995fb11d252bcb6a0ca86ee

SHA256
3f9701249b389d15f2d1ca4ab29265e5a76bcbb5d9779c03e081676d571e3416

SHA512
34f7c27853f2beb38eeddd8c255f8f7da698da697c5606af89710c43347c9017e16dc2f94327e665bb41ef29bcd7216b4b3ce97af711890510958f85c4439f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Filesize
64KB

MD5
b804eeb2110d84f6e6f864ef575f7a1d

SHA1
82c41d00f257d84560dee6b1b506e775bf6788f4

SHA256
3fa2efe45129d32341057799493740157b91644aad7253d2f83b6b7db3237906

SHA512
e2d7c828551bd83f7ee3b490f7598898589e9eb2ed4a8366930fddb188d3884337e6c85d9ae54f587fa72b38456cac75892c5dcb11bb3c3e0964929dea69cb8b

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
980KB

MD5
b43b1c8b93d014610db08b741779ef09

SHA1
00d6617d8e5918931772e86f5a958eca664780fc

SHA256
8255c51b1d428c846f5a7438beccaee2f56aca5d2918535867644db86eb2eb25

SHA512
dead0c97171a3cd9708980fc00cc7a733ed757e24f3b2c7df2f1decae0a16f14ec33ac453ac4205795e559b559e0e72b36e4d336adb0c2b85a2c3a3e3db72afe

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
896KB

MD5
455600bca133c228b9480e56b4b5e681

SHA1
0ed599c0c25d5b16ad63b46ad43b1813723f17c6

SHA256
97a9e1a7d61804b9e5695fc48197cb638639e8dcdb558194f8908d175a911429

SHA512
909dc971dc82d9af1016bf70922823f27d085035d66106d802c203052155dd8bd67f80293c5ef83b9a9945c7a41e48ee7fb6797b5fe682335d1e8cf17ef081d6

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
620KB

MD5
9a3d12357fc28282f982b8ed97307444

SHA1
dfc36e165debb7f540bfe841e31a94b195fe7446

SHA256
7a635ee120ae682816899f7abb51f9fae166d44720b5f79fa937a451a022ebed

SHA512
d6882f92d09535c542a3ffff631fe52d6a50897b88ba5dc5b5ef45300ded06685b60f62a69b34d184be90831fcb17bb0e6867233ce207cf7a36d4db7cf3a9a51

Download Submit
memory/1384-4-0x00000000025E0000-0x00000000025F6000-memory.dmp

Filesize
88KB

Download
memory/1524-96-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/1524-49-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/1524-48-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2064-131-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2064-130-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2064-139-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2436-8-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2436-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2436-5-0x0000000000400000-0x0000000002BE4000-memory.dmp

Filesize
39.9MB

Download
memory/2436-3-0x0000000000400000-0x0000000002BE4000-memory.dmp

Filesize
39.9MB

Download
memory/2436-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2516-83-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2516-97-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2516-54-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2516-40-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2516-137-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2516-39-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/2516-37-0x0000000000300000-0x000000000036F000-memory.dmp

Filesize
444KB

Download
memory/2516-84-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/2516-132-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2516-62-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2516-108-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2516-123-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2920-27-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2920-26-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2920-20-0x0000000000390000-0x00000000003FF000-memory.dmp

Filesize
444KB

Download
memory/2920-35-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2920-38-0x0000000002D70000-0x0000000002E70000-memory.dmp

Filesize
1024KB

Download
memory/2920-19-0x0000000002D70000-0x0000000002E70000-memory.dmp

Filesize
1024KB

Download