amadey | 16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b

Analysis

max time kernel
294s
max time network
267s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe
Size

1.8MB
MD5

fbcaa3cac043ad80f0502ea00d364bcf
SHA1

b5cd5bab9ece35631fb3233960d24519d458ce89
SHA256

16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b
SHA512

8f2a03757fe95a4de74632b3406cfb446ae9b47ddcf55dfa335555bcb18f5906c9f057d90363479c0a45c93c186cb192320ce654ac9cb0d5862930ca0c8468b7
SSDEEP

49152:gm74u9Qd6cQ8SmuJsXhuhum5ryXYK/x0cpn/z7c:gG4AQqziXhKu2rs///

Score

10^/10

amadey fed3aa discovery evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 4 IoCs

pid	Process
2560	axplong.exe
2900	neon.exe
2416	neon.exe
1480	neon.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	axplong.exe

Loads dropped DLL 4 IoCs

pid	Process
2728	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe
2560	axplong.exe
2560	axplong.exe
2416	neon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\neon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\neon.exe"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2728	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe
2560	axplong.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neon.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2948	cmd.exe
1380	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1380	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2728	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe
2560	axplong.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2900	neon.exe
2416	neon.exe
1480	neon.exe
1480	neon.exe
1480	neon.exe
2900	neon.exe
2900	neon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	neon.exe
Token: SeDebugPrivilege	2416	neon.exe
Token: SeDebugPrivilege	1480	neon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2728	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2560	2728	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe	30
PID 2728 wrote to memory of 2560	2728	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe	30
PID 2728 wrote to memory of 2560	2728	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe	30
PID 2728 wrote to memory of 2560	2728	16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe	30
PID 2560 wrote to memory of 2900	2560	axplong.exe	32
PID 2560 wrote to memory of 2900	2560	axplong.exe	32
PID 2560 wrote to memory of 2900	2560	axplong.exe	32
PID 2560 wrote to memory of 2900	2560	axplong.exe	32
PID 2900 wrote to memory of 2948	2900	neon.exe	33
PID 2900 wrote to memory of 2948	2900	neon.exe	33
PID 2900 wrote to memory of 2948	2900	neon.exe	33
PID 2948 wrote to memory of 1380	2948	cmd.exe	35
PID 2948 wrote to memory of 1380	2948	cmd.exe	35
PID 2948 wrote to memory of 1380	2948	cmd.exe	35
PID 2900 wrote to memory of 1932	2900	neon.exe	36
PID 2900 wrote to memory of 1932	2900	neon.exe	36
PID 2900 wrote to memory of 1932	2900	neon.exe	36
PID 2900 wrote to memory of 1932	2900	neon.exe	36
PID 2900 wrote to memory of 1932	2900	neon.exe	36
PID 2900 wrote to memory of 1932	2900	neon.exe	36
PID 2900 wrote to memory of 1932	2900	neon.exe	36
PID 2900 wrote to memory of 1932	2900	neon.exe	36
PID 2900 wrote to memory of 2116	2900	neon.exe	37
PID 2900 wrote to memory of 2116	2900	neon.exe	37
PID 2900 wrote to memory of 2116	2900	neon.exe	37
PID 2900 wrote to memory of 2116	2900	neon.exe	37
PID 2900 wrote to memory of 2116	2900	neon.exe	37
PID 2900 wrote to memory of 2116	2900	neon.exe	37
PID 2900 wrote to memory of 2116	2900	neon.exe	37
PID 2900 wrote to memory of 2116	2900	neon.exe	37
PID 2948 wrote to memory of 2376	2948	cmd.exe	38
PID 2948 wrote to memory of 2376	2948	cmd.exe	38
PID 2948 wrote to memory of 2376	2948	cmd.exe	38
PID 2900 wrote to memory of 2488	2900	neon.exe	39
PID 2900 wrote to memory of 2488	2900	neon.exe	39
PID 2900 wrote to memory of 2488	2900	neon.exe	39
PID 2900 wrote to memory of 2488	2900	neon.exe	39
PID 2900 wrote to memory of 2488	2900	neon.exe	39
PID 2900 wrote to memory of 2488	2900	neon.exe	39
PID 2900 wrote to memory of 2488	2900	neon.exe	39
PID 2900 wrote to memory of 2488	2900	neon.exe	39
PID 2900 wrote to memory of 2420	2900	neon.exe	40
PID 2900 wrote to memory of 2420	2900	neon.exe	40
PID 2900 wrote to memory of 2420	2900	neon.exe	40
PID 2900 wrote to memory of 2420	2900	neon.exe	40
PID 2900 wrote to memory of 2420	2900	neon.exe	40
PID 2900 wrote to memory of 2420	2900	neon.exe	40
PID 2900 wrote to memory of 2420	2900	neon.exe	40
PID 2900 wrote to memory of 2420	2900	neon.exe	40
PID 2900 wrote to memory of 1568	2900	neon.exe	41
PID 2900 wrote to memory of 1568	2900	neon.exe	41
PID 2900 wrote to memory of 1568	2900	neon.exe	41
PID 2900 wrote to memory of 1568	2900	neon.exe	41
PID 2900 wrote to memory of 1568	2900	neon.exe	41
PID 2900 wrote to memory of 1568	2900	neon.exe	41
PID 2900 wrote to memory of 1568	2900	neon.exe	41
PID 2900 wrote to memory of 1568	2900	neon.exe	41
PID 2900 wrote to memory of 2416	2900	neon.exe	43
PID 2900 wrote to memory of 2416	2900	neon.exe	43
PID 2900 wrote to memory of 2416	2900	neon.exe	43
PID 2900 wrote to memory of 2416	2900	neon.exe	43
PID 2416 wrote to memory of 1480	2416	neon.exe	44
PID 2416 wrote to memory of 1480	2416	neon.exe	44
PID 2416 wrote to memory of 1480	2416	neon.exe	44

C:\Users\Admin\AppData\Local\Temp\16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe
"C:\Users\Admin\AppData\Local\Temp\16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe
    "C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\system32\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 6
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1380
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"
        5⤵
        Adds Run key to start application
        
        PID:2376
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:1932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2116
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2488
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2420
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\neon.exe
      "C:\Users\Admin\AppData\Local\Temp\neon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\neon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\neon.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

Filesize
3.5MB

MD5
b3fd0e1003b1cd38402b6d32829f6135

SHA1
c9cedd6322fb83457f56b64b4624b07e2786f702

SHA256
e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31

SHA512
04692e0f80a75f78b533677cefe3db6607108abf19963d88e231925cfa13f1ec054811aebe53c82d238e732a999cd8d176107d50cf2ea5694d4177cbfd3b30f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
fbcaa3cac043ad80f0502ea00d364bcf

SHA1
b5cd5bab9ece35631fb3233960d24519d458ce89

SHA256
16c41bc0596a6f48a9f1720b2db60cc8d6c3fa2d8b3649f2ea0247cd4f4c4f7b

SHA512
8f2a03757fe95a4de74632b3406cfb446ae9b47ddcf55dfa335555bcb18f5906c9f057d90363479c0a45c93c186cb192320ce654ac9cb0d5862930ca0c8468b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\neon.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\neon.txt

Filesize
64B

MD5
16db32ae45196b7f212f09c9e1dd08cf

SHA1
467f69438ff171071ef88b26fe9ac7737e82dcae

SHA256
cb27eaf349b5e10aa255429ddfc4b5ad375a4ffbeb2ecf2d1cd2155a70620173

SHA512
883429fdb0b7468f7133ac83a3a25bdf89ab1ea699e7af8534d2fe7a578cf81a59c8c3ec73bf80028a48219572c075d6575685c75566b52a9087e8ba2970e392

Download Submit
C:\Users\Admin\AppData\Local\Temp\neon.txt

Filesize
67B

MD5
4a8d19f47f0bbddf1c4e000ea872455d

SHA1
f5722f0bc47551e7db0d85a7e8fdbe04d8de5a41

SHA256
42de143f6e233e5be3efb371a8b5d10f207a57eea12b1379f2f305f69e8fce5c

SHA512
790afcec6f0563b4345375d328d7715b7961236a10f9956d523634287f5d53881b6d2e1446e63fcd70d7c564b171429fe84a4d81569dc76ed8ea74d481fdc3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\neon.txt

Filesize
67B

MD5
b72fd7678b0caca061726422b3e56db3

SHA1
33e0042bffa623492082a167b5a65b49fc502eb9

SHA256
9abeb505ec134cdabf73cf20804a4c6c967bbc701aafe17274fcfda4d9e686ae

SHA512
7e438a49a2940a272ca020da72bb3a123c5e2968a03f537f4bc38a849610f85bd9846639bfee5e6eba88133cf0ffe1b39e03d353a74c4477c1d75f47e9cc7bcc

Download Submit
memory/1568-107-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1932-61-0x0000000000470000-0x0000000000664000-memory.dmp

Filesize
2.0MB

Download
memory/1932-63-0x0000000000470000-0x0000000000664000-memory.dmp

Filesize
2.0MB

Download
memory/1932-69-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1932-65-0x0000000000470000-0x0000000000664000-memory.dmp

Filesize
2.0MB

Download
memory/1932-67-0x0000000000470000-0x0000000000664000-memory.dmp

Filesize
2.0MB

Download
memory/2116-79-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/2416-119-0x0000000001030000-0x000000000104A000-memory.dmp

Filesize
104KB

Download
memory/2420-98-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2488-89-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/2560-22-0x0000000000B70000-0x0000000001022000-memory.dmp

Filesize
4.7MB

Download
memory/2560-21-0x0000000000B70000-0x0000000001022000-memory.dmp

Filesize
4.7MB

Download
memory/2560-58-0x0000000000B70000-0x0000000001022000-memory.dmp

Filesize
4.7MB

Download
memory/2560-57-0x0000000000B70000-0x0000000001022000-memory.dmp

Filesize
4.7MB

Download
memory/2560-56-0x0000000000B70000-0x0000000001022000-memory.dmp

Filesize
4.7MB

Download
memory/2560-55-0x0000000000B70000-0x0000000001022000-memory.dmp

Filesize
4.7MB

Download
memory/2560-19-0x0000000000B70000-0x0000000001022000-memory.dmp

Filesize
4.7MB

Download
memory/2560-110-0x0000000000B70000-0x0000000001022000-memory.dmp

Filesize
4.7MB

Download
memory/2560-80-0x0000000000B70000-0x0000000001022000-memory.dmp

Filesize
4.7MB

Download
memory/2560-17-0x0000000000B70000-0x0000000001022000-memory.dmp

Filesize
4.7MB

Download
memory/2560-18-0x0000000000B71000-0x0000000000B9F000-memory.dmp

Filesize
184KB

Download
memory/2728-16-0x0000000001380000-0x0000000001832000-memory.dmp

Filesize
4.7MB

Download
memory/2728-10-0x0000000001380000-0x0000000001832000-memory.dmp

Filesize
4.7MB

Download
memory/2728-0-0x0000000001380000-0x0000000001832000-memory.dmp

Filesize
4.7MB

Download
memory/2728-5-0x0000000001380000-0x0000000001832000-memory.dmp

Filesize
4.7MB

Download
memory/2728-3-0x0000000001380000-0x0000000001832000-memory.dmp

Filesize
4.7MB

Download
memory/2728-2-0x0000000001381000-0x00000000013AF000-memory.dmp

Filesize
184KB

Download
memory/2728-1-0x0000000077AD0000-0x0000000077AD2000-memory.dmp

Filesize
8KB

Download
memory/2900-51-0x0000000022510000-0x00000000225AE000-memory.dmp

Filesize
632KB

Download
memory/2900-52-0x0000000022F80000-0x0000000023020000-memory.dmp

Filesize
640KB

Download
memory/2900-38-0x00000000009C0000-0x0000000000A5F000-memory.dmp

Filesize
636KB

Download
memory/2900-40-0x0000000000A60000-0x0000000000B8D000-memory.dmp

Filesize
1.2MB

Download
memory/2900-39-0x00000000006C0000-0x00000000006DF000-memory.dmp

Filesize
124KB

Download
memory/2900-59-0x0000000023410000-0x000000002342A000-memory.dmp

Filesize
104KB

Download
memory/2900-54-0x00000000239D0000-0x0000000023B31000-memory.dmp

Filesize
1.4MB

Download
memory/2900-70-0x0000000023480000-0x0000000023494000-memory.dmp

Filesize
80KB

Download
memory/2900-53-0x0000000023130000-0x0000000023345000-memory.dmp

Filesize
2.1MB

Download
memory/2900-60-0x0000000023430000-0x0000000023436000-memory.dmp

Filesize
24KB

Download
memory/2900-42-0x0000000000D70000-0x0000000000DE1000-memory.dmp

Filesize
452KB

Download
memory/2900-50-0x0000000003C00000-0x0000000003C17000-memory.dmp

Filesize
92KB

Download
memory/2900-49-0x000000001C590000-0x000000001C5B2000-memory.dmp

Filesize
136KB

Download
memory/2900-48-0x000000001E930000-0x000000001EA5C000-memory.dmp

Filesize
1.2MB

Download
memory/2900-47-0x0000000000FE0000-0x000000000135C000-memory.dmp

Filesize
3.5MB

Download
memory/2900-46-0x0000000003580000-0x0000000003677000-memory.dmp

Filesize
988KB

Download
memory/2900-43-0x0000000000E60000-0x0000000000F29000-memory.dmp

Filesize
804KB

Download
memory/2900-44-0x00000000014F0000-0x00000000015F9000-memory.dmp

Filesize
1.0MB

Download
memory/2900-41-0x0000000000C90000-0x0000000000D2C000-memory.dmp

Filesize
624KB

Download