amadey | 6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a

Analysis

max time kernel
59s
max time network
98s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
30-03-2024 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe
Size

1.8MB
MD5

f3e2a669dc6dc53f60ca3ef9d66dc92b
SHA1

dfb414050cd65f4c69f378e27e4ef92146cdfe3f
SHA256

6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a
SHA512

bd6abeaf13570a5c9a8861229e465dbbca3de16d542353ae4e8fddc1837e2d0be258414aea1b1c08dee8cac8d4814d094607f8a292590152683cb7dfb32decb4
SSDEEP

49152:tE48ATW/E2zu8c9JmshGMLu9rDUtwaIUaY:tEi2SJLQMLUgtwaIUa

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Drops startup file 4 IoCs

Processes:

regsvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AilTKr9S2s7540BmO7KWJmnn.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwNtxrfKBmO9LzsiLY02IfoV.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xmaYmhw9TnwD6pRYnOQ5NvYC.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PS1TDzOCNX7utudK6w9Tyd59.bat	regsvcs.exe

Executes dropped EXE 3 IoCs

Processes:

explorgu.exeAkh.exeEWO1QvzwW2fX9ix97v6j7O2k.exe

pid process

1684 explorgu.exe
1704 Akh.exe
2180 EWO1QvzwW2fX9ix97v6j7O2k.exe

pid	process
1684	explorgu.exe
1704	Akh.exe
2180	EWO1QvzwW2fX9ix97v6j7O2k.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorgu.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
8 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exeexplorgu.exe

pid process

1308 6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe
1684 explorgu.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Akh.exe

description pid process target process

PID 1704 set thread context of 224 1704 Akh.exe regsvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
3	pastebin.com
8	pastebin.com

description	pid	process	target process
PID 1704 set thread context of 224	1704	Akh.exe	regsvcs.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exeexplorgu.exe

pid	process
1308	6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe
1308	6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe
1684	explorgu.exe
1684	explorgu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regsvcs.exe

description pid process

Token: SeDebugPrivilege 224 regsvcs.exe

description	pid	process
Token: SeDebugPrivilege	224	regsvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

explorgu.exeAkh.exeregsvcs.exe

description	pid	process	target process
PID 1684 wrote to memory of 1704	1684	explorgu.exe	Akh.exe
PID 1684 wrote to memory of 1704	1684	explorgu.exe	Akh.exe
PID 1704 wrote to memory of 224	1704	Akh.exe	regsvcs.exe
PID 1704 wrote to memory of 224	1704	Akh.exe	regsvcs.exe
PID 1704 wrote to memory of 224	1704	Akh.exe	regsvcs.exe
PID 1704 wrote to memory of 224	1704	Akh.exe	regsvcs.exe
PID 1704 wrote to memory of 224	1704	Akh.exe	regsvcs.exe
PID 1704 wrote to memory of 224	1704	Akh.exe	regsvcs.exe
PID 1704 wrote to memory of 224	1704	Akh.exe	regsvcs.exe
PID 1704 wrote to memory of 224	1704	Akh.exe	regsvcs.exe
PID 1704 wrote to memory of 2492	1704	Akh.exe	regsvcs.exe
PID 1704 wrote to memory of 2492	1704	Akh.exe	regsvcs.exe
PID 1704 wrote to memory of 2492	1704	Akh.exe	regsvcs.exe
PID 224 wrote to memory of 2180	224	regsvcs.exe	EWO1QvzwW2fX9ix97v6j7O2k.exe
PID 224 wrote to memory of 2180	224	regsvcs.exe	EWO1QvzwW2fX9ix97v6j7O2k.exe
PID 224 wrote to memory of 2180	224	regsvcs.exe	EWO1QvzwW2fX9ix97v6j7O2k.exe

C:\Users\Admin\AppData\Local\Temp\6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe
"C:\Users\Admin\AppData\Local\Temp\6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\1001067001\Akh.exe
"C:\Users\Admin\AppData\Local\Temp\1001067001\Akh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\Pictures\EWO1QvzwW2fX9ix97v6j7O2k.exe
"C:\Users\Admin\Pictures\EWO1QvzwW2fX9ix97v6j7O2k.exe"
4⤵
- Executes dropped EXE
PID:2180

C:\Users\Admin\Pictures\04N6XctQfEBRsXXfGvZUgZMh.exe
"C:\Users\Admin\Pictures\04N6XctQfEBRsXXfGvZUgZMh.exe"
4⤵
PID:572

C:\Users\Admin\Pictures\TYZvZavfhma6Xqj5znGYmZWo.exe
"C:\Users\Admin\Pictures\TYZvZavfhma6Xqj5znGYmZWo.exe"
4⤵
PID:3460

C:\Users\Admin\Pictures\mycS4VxL2DdKnOBjo9Fe20ZA.exe
"C:\Users\Admin\Pictures\mycS4VxL2DdKnOBjo9Fe20ZA.exe"
4⤵
PID:3136

C:\Users\Admin\Pictures\BZgyiljVq07Qq5f3mQNHN0oD.exe
"C:\Users\Admin\Pictures\BZgyiljVq07Qq5f3mQNHN0oD.exe"
4⤵
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
Filesize
1.8MB

MD5
f3e2a669dc6dc53f60ca3ef9d66dc92b

SHA1
dfb414050cd65f4c69f378e27e4ef92146cdfe3f

SHA256
6c4949083fbe277ca9595fc757a203e6b0acadde6211747387ed4ed0efb5013a

SHA512
bd6abeaf13570a5c9a8861229e465dbbca3de16d542353ae4e8fddc1837e2d0be258414aea1b1c08dee8cac8d4814d094607f8a292590152683cb7dfb32decb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001067001\Akh.exe
Filesize
390KB

MD5
f3054dc7004336617747743d172b111b

SHA1
4c619d882a80bff1ec7d26bc5f5f6b7cf93676be

SHA256
56768dc2486a0eadfb82e3df6436434d1b6502d542fe6c41e2b52aae948b140f

SHA512
f3181fcd53823a635e9c828de8090017b0f97cc4903f75dfeba721bd98c77a4de867e94cd929954063469b926350f40476fe1a07bad6b2fe0007b78f3772ed69

Download Submit
C:\Users\Admin\Pictures\04N6XctQfEBRsXXfGvZUgZMh.exe
Filesize
4.1MB

MD5
53c587e435f6011adb6f6cf74bbb5665

SHA1
3fe5f19bfb61d31e85061ae8cd8525b44d82ebc7

SHA256
99c9537530d2cd9e3489abf79727f7b1f8322848b7d209cb7fca07a7e8ae37d9

SHA512
dfa139a90191bb8d11191190574fb4be06234339403ec0b4f30c93b8dcbb8f238f8e4db84c572d6ad5824bb638261c4acfff8ed7b2988c6d2f0efb51ba78275f

Download Submit
C:\Users\Admin\Pictures\04N6XctQfEBRsXXfGvZUgZMh.exe
Filesize
3.3MB

MD5
2dfc6c6fa717cbfe47336a48500f7e7d

SHA1
8d9cf6573b79da49bff93ca8ac90072b1eb931cd

SHA256
26167ec66d997abf55c17e2c38292178a30af35dbd1016debe9ac7cfd70752cf

SHA512
b5a371ed7f90f4e3f87d1f376bacb9ace11c035a556aec73eb630a98b032398c253c1d2cc13110e13c2cbdc2fdb6d07d6c6e743b76ff96802cf41c6ce2c79df7

Download Submit
C:\Users\Admin\Pictures\04N6XctQfEBRsXXfGvZUgZMh.exe
Filesize
2.6MB

MD5
141ee9069a34a67f8d0d7ed03f48692f

SHA1
d40ed4d5eaac13eb1ef3fd5c134c5c045a1d4684

SHA256
198bf600bcc9db34c5ce725f977ae2adbf8553dfa7b6cfc88965462f83ffb472

SHA512
e0c36026056d86ff873737ddd21f5e6478800f7aa98c85e4de20ad884eff0122911d9c6bd0a6170b8e637591373090fe9868a669ff3215d790974d4f72d7e155

Download Submit
C:\Users\Admin\Pictures\BZgyiljVq07Qq5f3mQNHN0oD.exe
Filesize
192KB

MD5
f8e6ca345428abf89656f261cd07314f

SHA1
9ed75e05e2b53901ec4258555f24989df5b6c10b

SHA256
4e0c8334c34869af16be5b01bbe1048464f0d4feb07c9bf32028f4e5ab2cf721

SHA512
44f827cc2bbf2cff6243885d36d933f9b9897fcde931e675cdf96b6ee34566c890d702eaeb230a9c224b6cbc9561bb5658e34cfcc1bb3cf220f440d6f611fec8

Download Submit
C:\Users\Admin\Pictures\BZgyiljVq07Qq5f3mQNHN0oD.exe
Filesize
1.2MB

MD5
65acc40c52632664a5b2fdbf8fd51ce9

SHA1
4b5d605cf1b2f7e2ec8ec45bfae2ed69529580ce

SHA256
3f285363eb0e9f988f559e0cd5875f31f466ad8f7f3c64abc1a16d0c23fe7811

SHA512
96f4f91f36ec321f8731e385983551d24b06ec92194ee51ab8d4a2957d720511a629fa5cb4fd1048af0220fd7799038422e1b252be257952cbeaa178114cfc49

Download Submit
C:\Users\Admin\Pictures\EWO1QvzwW2fX9ix97v6j7O2k.exe
Filesize
372KB

MD5
b0578b68365a4b4f641c94befa6121ba

SHA1
fb9853a47ce7aee9455f06a47e55630b3facc002

SHA256
f1a1df470000f186b368afc5d1a1a6d8b8f7cd296aaa01cb2bf4bdf099cc33dd

SHA512
970906b48208f7366aa8469034dfe5cddcc648fecbba9e14abe4c368424c9ad23c948f5b7ecae5927530052d63e24c9d1af693ee656d4646add278b00b605212

Download Submit
C:\Users\Admin\Pictures\M82F1ATrSqRYxukNcu2HjNoO.exe
Filesize
3KB

MD5
ef81f6de3a35deb7ddde7ed08a1e4220

SHA1
2b090b6418a40225465e45e3899b778aa9a4eb0c

SHA256
b40cd452876888d8a1b6507094a5755040daefa58c465aa024c81a37997fcb74

SHA512
b64d01935140248d9dc8b0b739f1030ee6ce5e6cffcec791d4227e41828638e243e38e461d4094f1e91fc75d20124c34b1419a3bab61b94031252d55efe4afee

Download Submit
C:\Users\Admin\Pictures\TYZvZavfhma6Xqj5znGYmZWo.exe
Filesize
1.9MB

MD5
e5457880d1cbdd720c5a3a07758f351b

SHA1
fb192bda2933acd5dc466fc8ab18bb1e366fa31b

SHA256
8f588718ecd989f1080cd5430744c18a6b75afc4b246e76c29e4ac9148c2da3a

SHA512
5235e77b9522ccb5a652b418c1050495d1bc30b22dca7c1ca5e78745fba8f85bec7467ffcf586db81a9fe640953d76f673807a832ea86ae665aef366a8f766f3

Download Submit
C:\Users\Admin\Pictures\TYZvZavfhma6Xqj5znGYmZWo.exe
Filesize
2.1MB

MD5
3ccd0358773f4ded40e3a05d5a551cab

SHA1
59fb1dde1774451081dfc295dced56a7af737288

SHA256
b71510c1d6d0eed3b2b5ba810bcbadac5a499e36c6fbd4075f27f4547ae7147c

SHA512
136c4af50b41213caf7aeb0fda0b256f104141d36aa49d517ece8c575f53c32932c0cde4de2bd971cc6dfae7efcd5bb20cb4814edc8d893c9630035e36aa9c35

Download Submit
C:\Users\Admin\Pictures\TYZvZavfhma6Xqj5znGYmZWo.exe
Filesize
1.1MB

MD5
aa54633d9c8c06ee2ac11b7187936e23

SHA1
2ab662c03dbf4c905d8d92bf86aaec2ca3730443

SHA256
ab63c145e470656b860ff4d5ce177258d223d7b1ae6b0533356564f436fcc756

SHA512
33e9517eb387d9de631e5e5e5a02c5bc92fff8cea2d3cd6daa66c995e012aa0d3f84da4e12acb497d9cb38523f40772e381c867fbd54c50d042facea5206ccb9

Download Submit
C:\Users\Admin\Pictures\YQ8MFDo4jpxu0DZXIay6IOPW.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\mycS4VxL2DdKnOBjo9Fe20ZA.exe
Filesize
448KB

MD5
48c3ccdb4f2dd9382811622daafb6be9

SHA1
0b9cc0df4464e2017916dcaaf6bbc2c556274051

SHA256
4489cce7a6287e400cf05029f5296cb1cbf8c6db3f6da249eb0c476069c9cf79

SHA512
76587b05935d3eb2caddb01eeee5c7bfd628fdd5e2f6766d2e0eaada7f29b8e0565440cf5ac12de4af8129ec05825b1a5833759095474dfb624e1263a45a2e82

Download Submit
C:\Users\Admin\Pictures\xp0pPNZLxKwORW6OYxkFqq1V.exe
Filesize
3KB

MD5
b5c2003eaa81ce2bf41d8ddfbdf2f6d3

SHA1
5d31fbe360d75da50b34f1bca57b99beb016c66e

SHA256
36c4df7d8aa10cb8f5415c833e82f9ff017ffb64f02203c4bd92045eee9e3455

SHA512
35b10002caac49d6eda1e384eb44b3d552ffc902e9dbc6f66a1edeb63fc7bc1cff469989350debfcaa8d339f24dcb24d342bedb1a025bd504dbdefb9f1579bdf

Download Submit
memory/224-57-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/224-56-0x00000000734E0000-0x0000000073C91000-memory.dmp

Filesize
7.7MB

Download
memory/224-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/572-139-0x0000000002F00000-0x00000000037EB000-memory.dmp

Filesize
8.9MB

Download
memory/572-143-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/572-131-0x0000000002AF0000-0x0000000002EF5000-memory.dmp

Filesize
4.0MB

Download
memory/1308-15-0x0000000000F60000-0x000000000140A000-memory.dmp

Filesize
4.7MB

Download
memory/1308-10-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/1308-1-0x0000000077B26000-0x0000000077B28000-memory.dmp

Filesize
8KB

Download
memory/1308-2-0x0000000000F60000-0x000000000140A000-memory.dmp

Filesize
4.7MB

Download
memory/1308-6-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1308-7-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/1308-8-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/1308-0-0x0000000000F60000-0x000000000140A000-memory.dmp

Filesize
4.7MB

Download
memory/1308-5-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/1308-4-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/1308-3-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/1308-9-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/1684-20-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/1684-18-0x0000000000720000-0x0000000000BCA000-memory.dmp

Filesize
4.7MB

Download
memory/1684-55-0x0000000000720000-0x0000000000BCA000-memory.dmp

Filesize
4.7MB

Download
memory/1684-19-0x0000000000720000-0x0000000000BCA000-memory.dmp

Filesize
4.7MB

Download
memory/1684-21-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1684-22-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/1684-27-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/1684-24-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1684-23-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/1684-25-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/1684-26-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/1704-51-0x000001C4E6C90000-0x000001C4E6CAE000-memory.dmp

Filesize
120KB

Download
memory/1704-58-0x00007FFEE0A30000-0x00007FFEE14F2000-memory.dmp

Filesize
10.8MB

Download
memory/1704-53-0x000001C4E6E10000-0x000001C4E6E20000-memory.dmp

Filesize
64KB

Download
memory/1704-52-0x000001C480A30000-0x000001C480A8E000-memory.dmp

Filesize
376KB

Download
memory/1704-50-0x000001C4FF720000-0x000001C4FF796000-memory.dmp

Filesize
472KB

Download
memory/1704-49-0x000001C4E6E10000-0x000001C4E6E20000-memory.dmp

Filesize
64KB

Download
memory/1704-48-0x00007FFEE0A30000-0x00007FFEE14F2000-memory.dmp

Filesize
10.8MB

Download
memory/1704-47-0x000001C4E4EE0000-0x000001C4E4EEC000-memory.dmp

Filesize
48KB

Download
memory/2180-105-0x00000000021D0000-0x000000000223E000-memory.dmp

Filesize
440KB

Download
memory/2180-106-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2180-104-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/3460-152-0x0000000002AB0000-0x0000000002EAA000-memory.dmp

Filesize
4.0MB

Download