amadey | a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b

Resubmissions

29-06-2024 12:49

240629-p2gk1axgjc 10

02-06-2024 21:31

240602-1c6dlsff6v 10

02-06-2024 14:50

240602-r7t5dsfh36 10

Analysis

max time kernel
24s
max time network
28s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe
Size

1.8MB
MD5

122fad17c6aff4733e392eca0386a7b4
SHA1

0be0d823262772d257a99b453d71f87fc3f255c8
SHA256

a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b
SHA512

dd3a8b8a699c977d6683d5a17e51826a738b64ae170ecc455ec02821eff490619b3709a10347ccf83764dad48ad392e6e43d85db772b585dad07aad24aa86153
SSDEEP

24576:C2smJre8lecMoNYrFeSJ8MnkvcDmUPwQ8MIVtCUtqegEqGsw2tcGrdIeTfygjYV0:C2He0ZMoNG6H9BMIVtPo/MO8edcVQA0

Score

10^/10

amadey 49e482 evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

49e482

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe

Executes dropped EXE 7 IoCs

pid	Process
2576	axplont.exe
1248	33333.exe
2684	lumma1234.exe
856	gold.exe
308	swizzzz.exe
1812	buildjudit.exe
1544	stub.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe

Loads dropped DLL 24 IoCs

pid	Process
2864	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe
2576	axplont.exe
2576	axplont.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2576	axplont.exe
2576	axplont.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2576	axplont.exe
2576	axplont.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2576	axplont.exe
2576	axplont.exe
2212	WerFault.exe
2212	WerFault.exe
2212	WerFault.exe
2576	axplont.exe
1812	buildjudit.exe
1544	stub.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2864	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe
2576	axplont.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplont.job	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2816	1248	WerFault.exe	30
2780	2684	WerFault.exe	32
2252	856	WerFault.exe	35
2212	308	WerFault.exe	37

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2864	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe
2576	axplont.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2864	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2576	2864	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe	28
PID 2864 wrote to memory of 2576	2864	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe	28
PID 2864 wrote to memory of 2576	2864	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe	28
PID 2864 wrote to memory of 2576	2864	a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe	28
PID 2576 wrote to memory of 1248	2576	axplont.exe	30
PID 2576 wrote to memory of 1248	2576	axplont.exe	30
PID 2576 wrote to memory of 1248	2576	axplont.exe	30
PID 2576 wrote to memory of 1248	2576	axplont.exe	30
PID 1248 wrote to memory of 2816	1248	33333.exe	31
PID 1248 wrote to memory of 2816	1248	33333.exe	31
PID 1248 wrote to memory of 2816	1248	33333.exe	31
PID 1248 wrote to memory of 2816	1248	33333.exe	31
PID 2576 wrote to memory of 2684	2576	axplont.exe	32
PID 2576 wrote to memory of 2684	2576	axplont.exe	32
PID 2576 wrote to memory of 2684	2576	axplont.exe	32
PID 2576 wrote to memory of 2684	2576	axplont.exe	32
PID 2684 wrote to memory of 2780	2684	lumma1234.exe	34
PID 2684 wrote to memory of 2780	2684	lumma1234.exe	34
PID 2684 wrote to memory of 2780	2684	lumma1234.exe	34
PID 2684 wrote to memory of 2780	2684	lumma1234.exe	34
PID 2576 wrote to memory of 856	2576	axplont.exe	35
PID 2576 wrote to memory of 856	2576	axplont.exe	35
PID 2576 wrote to memory of 856	2576	axplont.exe	35
PID 2576 wrote to memory of 856	2576	axplont.exe	35
PID 856 wrote to memory of 2252	856	gold.exe	36
PID 856 wrote to memory of 2252	856	gold.exe	36
PID 856 wrote to memory of 2252	856	gold.exe	36
PID 856 wrote to memory of 2252	856	gold.exe	36
PID 2576 wrote to memory of 308	2576	axplont.exe	37
PID 2576 wrote to memory of 308	2576	axplont.exe	37
PID 2576 wrote to memory of 308	2576	axplont.exe	37
PID 2576 wrote to memory of 308	2576	axplont.exe	37
PID 308 wrote to memory of 2212	308	swizzzz.exe	38
PID 308 wrote to memory of 2212	308	swizzzz.exe	38
PID 308 wrote to memory of 2212	308	swizzzz.exe	38
PID 308 wrote to memory of 2212	308	swizzzz.exe	38
PID 2576 wrote to memory of 1812	2576	axplont.exe	39
PID 2576 wrote to memory of 1812	2576	axplont.exe	39
PID 2576 wrote to memory of 1812	2576	axplont.exe	39
PID 2576 wrote to memory of 1812	2576	axplont.exe	39
PID 1812 wrote to memory of 1544	1812	buildjudit.exe	40
PID 1812 wrote to memory of 1544	1812	buildjudit.exe	40
PID 1812 wrote to memory of 1544	1812	buildjudit.exe	40

C:\Users\Admin\AppData\Local\Temp\a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe
"C:\Users\Admin\AppData\Local\Temp\a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 72
      4⤵
      Loads dropped DLL
      Program crash
      PID:2816
- - C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 68
      4⤵
      Loads dropped DLL
      Program crash
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 72
      4⤵
      Loads dropped DLL
      Program crash
      PID:2252
- - C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
    "C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 52
      4⤵
      Loads dropped DLL
      Program crash
      PID:2212
- - C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
    "C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1812_133618375164974000\stub.exe
      "C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e55d28eb6e3d4a542f99ef4b83409ba

SHA1
11bc8094998604ea6185351cdaa4f81d1733eee9

SHA256
236f74fbd565c1c11e295ae92389d5f03ee154c61c1f8bd4e9e337cb36f8da7a

SHA512
86b7224c88cdc4bf1c699d4b50db795d4c8e63241e80c07794c500b6f42ed4872f175282ae6564da31e251e919ee9bc1e0a21fe3768acbe997a8ce4580f962be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

Filesize
2.1MB

MD5
208bd37e8ead92ed1b933239fb3c7079

SHA1
941191eed14fce000cfedbae9acfcb8761eb3492

SHA256
e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494

SHA512
a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

Filesize
1.2MB

MD5
0b7e08a8268a6d413a322ff62d389bf9

SHA1
e04b849cc01779fe256744ad31562aca833a82c1

SHA256
d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65

SHA512
3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

Filesize
352KB

MD5
a74811b7e2d71612463144c69c0ca7e2

SHA1
900132a2213f70aed06e9982e47cfdcc8964b710

SHA256
3d07b09f83f2fc5dcb7f2429cac9a37160181da77df5a429e37b98dd685f239f

SHA512
c4c5bef04693f000ae1f45d2a2d28f67609f36a635464d5025a50b939eaf9cc8d7766355990847f5679375f3d4b760e035dd92914f754ae64df6923da1cecebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

Filesize
10.7MB

MD5
c09ff1273b09cb1f9c7698ed147bf22e

SHA1
5634aec5671c4fd565694aa12cd3bf11758675d2

SHA256
bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92

SHA512
e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

Filesize
9.4MB

MD5
ffce81505b9da5605a03a21c41392896

SHA1
ce18b2ed48c99cd4459fcf3107ead521067295cf

SHA256
bebd563f7e45812a4d94fe2cad639b00601d4a0cc8c8ab8b1f729e623d4e8e8f

SHA512
946881a6da5d4abd15452f745fa705f32af7f1d8b77d02104ae592145cf42bf0cf3a2630e58cc6e2e2b5438eab802f77366ec0db0a070a551338e97c524ee6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7DE9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7EF9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1812_133618375164974000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1812_133618375164974000\stub.exe

Filesize
7.6MB

MD5
67d2521c4a7872a5babd869e4c3d57a3

SHA1
68fde7255e3d9568624547112bd17618db6d617f

SHA256
8859ada10fb97642338131b9acd8c9aabb519546fefde6bdee620c8d2b1614b5

SHA512
aa04185c6df7cce4b0e3b17fcae234711f4e4e6ec9ef1bab5ed96b28cea62d6a58e9776874aab4cd4a7c3c70088dd0816684aacf39863dd8bd75438b25f1aa2a

Download Submit
\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

Filesize
9.5MB

MD5
bae6519dfbb92ca8dd498f98027c4799

SHA1
47c673cc3d9b27d55115763f22f4815979df3acb

SHA256
796adea0e873403ea965d40cfff604062076cec398301e9c8e16fb4d9e085b7f

SHA512
6c69b2d02c943109ed5bbbab074b59239744249c8fc4a99c7bdcb1f7d636c4ccfa53f49d7f4f2710dd6855bec08425e6e0b93319b0bf07cdd68a996e2537e729

Download Submit
\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

Filesize
1.8MB

MD5
122fad17c6aff4733e392eca0386a7b4

SHA1
0be0d823262772d257a99b453d71f87fc3f255c8

SHA256
a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b

SHA512
dd3a8b8a699c977d6683d5a17e51826a738b64ae170ecc455ec02821eff490619b3709a10347ccf83764dad48ad392e6e43d85db772b585dad07aad24aa86153

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1812_133618375164974000\stub.exe

Filesize
7.6MB

MD5
18b171dc2e836e173aa3b08d5c05fb4e

SHA1
9e9c4dde0536e1e90fa3d675efcc5faf152d475b

SHA256
33426ec77a6c90702bb59fee400cf344d1a7cf0e45d4f251e90bb2340fd11fe6

SHA512
28e1776bdc57193bf5a17129cb3c8ff0e3175dfdbeee8300d42b702f8e1855e5fe26600ba23524b6a3cd41b8e7f05a6aa38b4a9f4a1332d8525a2ac89429acc1

Download Submit
memory/1248-39-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1248-38-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1544-211-0x000000013FE60000-0x0000000141095000-memory.dmp

Filesize
18.2MB

Download
memory/2576-164-0x0000000000F60000-0x0000000001409000-memory.dmp

Filesize
4.7MB

Download
memory/2576-17-0x0000000000F60000-0x0000000001409000-memory.dmp

Filesize
4.7MB

Download
memory/2576-106-0x0000000000F60000-0x0000000001409000-memory.dmp

Filesize
4.7MB

Download
memory/2576-110-0x0000000000F60000-0x0000000001409000-memory.dmp

Filesize
4.7MB

Download
memory/2576-18-0x0000000000F60000-0x0000000001409000-memory.dmp

Filesize
4.7MB

Download
memory/2576-104-0x0000000000F60000-0x0000000001409000-memory.dmp

Filesize
4.7MB

Download
memory/2576-20-0x0000000000F60000-0x0000000001409000-memory.dmp

Filesize
4.7MB

Download
memory/2576-103-0x0000000000F60000-0x0000000001409000-memory.dmp

Filesize
4.7MB

Download
memory/2576-163-0x0000000000F60000-0x0000000001409000-memory.dmp

Filesize
4.7MB

Download
memory/2576-21-0x0000000000F60000-0x0000000001409000-memory.dmp

Filesize
4.7MB

Download
memory/2864-14-0x0000000001270000-0x0000000001719000-memory.dmp

Filesize
4.7MB

Download
memory/2864-15-0x0000000007010000-0x00000000074B9000-memory.dmp

Filesize
4.7MB

Download
memory/2864-0-0x0000000001270000-0x0000000001719000-memory.dmp

Filesize
4.7MB

Download
memory/2864-2-0x0000000001271000-0x000000000129F000-memory.dmp

Filesize
184KB

Download
memory/2864-1-0x0000000077810000-0x0000000077812000-memory.dmp

Filesize
8KB

Download
memory/2864-3-0x0000000001270000-0x0000000001719000-memory.dmp

Filesize
4.7MB

Download
memory/2864-5-0x0000000001270000-0x0000000001719000-memory.dmp

Filesize
4.7MB

Download