amadey | bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc

Analysis

max time kernel
4s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe
Size

1.8MB
MD5

bf698063d67816dfb55d93238f45b46c
SHA1

3d5d42d1b4357d294e22c43953e667b98cc0371b
SHA256

bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc
SHA512

e2b9d3b285d7cb4ca90645f1a2dca6160a9a3a83246a96cb74f53dd0833c4cd1c44968bb372fcbbd85ef64a8dd7b16a44f31bd6ab033ff93b56312da8de70cce
SSDEEP

49152:HkBNvrVFlVXTNbDaIrY7DgjIiWqGPD8PSnaA6HCerO:Hk/lVXTND5rY7DgjkDySaJB

Score

10^/10

amadey stealc fed3aa stok discovery evasion stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	axplong.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	axplong.exe

Loads dropped DLL 2 IoCs

pid	Process
2256	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe
2256	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2256	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe
2752	axplong.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001a094-2520.dat	upx
behavioral1/memory/4112-2533-0x0000000000A00000-0x000000000117B000-memory.dmp	upx
behavioral1/memory/4112-2535-0x0000000000A00000-0x000000000117B000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3960	1516	WerFault.exe	41
5248	5504	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2256	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe
2752	axplong.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2256	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2752	2256	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe	31
PID 2256 wrote to memory of 2752	2256	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe	31
PID 2256 wrote to memory of 2752	2256	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe	31
PID 2256 wrote to memory of 2752	2256	bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe	31

C:\Users\Admin\AppData\Local\Temp\bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe
"C:\Users\Admin\AppData\Local\Temp\bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\1005970001\chrome11.exe
    "C:\Users\Admin\AppData\Local\Temp\1005970001\chrome11.exe"
    3⤵
    PID:2388
  - - C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmpF7C9.tmp"
      4⤵
      PID:3064
- - C:\Users\Admin\AppData\Local\Temp\1006029001\l4.exe
    "C:\Users\Admin\AppData\Local\Temp\1006029001\l4.exe"
    3⤵
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\onefile_112_133784681959956000\l4.exe
      C:\Users\Admin\AppData\Local\Temp\1006029001\l4.exe
      4⤵
      PID:1204
- - C:\Users\Admin\AppData\Local\Temp\1006032001\Qtdedcpuf.exe
    "C:\Users\Admin\AppData\Local\Temp\1006032001\Qtdedcpuf.exe"
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 632
      4⤵
      Program crash
      PID:3960
- - C:\Users\Admin\AppData\Local\Temp\1006092001\Ixpla.exe
    "C:\Users\Admin\AppData\Local\Temp\1006092001\Ixpla.exe"
    3⤵
    PID:5504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 632
      4⤵
      Program crash
      PID:5248
- - C:\Users\Admin\AppData\Local\Temp\1006141001\networkmanager.exe
    "C:\Users\Admin\AppData\Local\Temp\1006141001\networkmanager.exe"
    3⤵
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\1006188001\09db103d2e.exe
    "C:\Users\Admin\AppData\Local\Temp\1006188001\09db103d2e.exe"
    3⤵
    PID:4312
- - C:\Users\Admin\AppData\Local\Temp\1006189001\bab66d4457.exe
    "C:\Users\Admin\AppData\Local\Temp\1006189001\bab66d4457.exe"
    3⤵
    PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1005970001\chrome11.exe

Filesize
4.5MB

MD5
5b39766f490f17925defaee5de2f9861

SHA1
9c89f2951c255117eb3eebcd61dbecf019a4c186

SHA256
de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a

SHA512
d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006029001\l4.exe

Filesize
5.9MB

MD5
d68f79c459ee4ae03b76fa5ba151a41f

SHA1
bfa641085d59d58993ba98ac9ee376f898ee5f7b

SHA256
aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6

SHA512
bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006032001\Qtdedcpuf.exe

Filesize
1.4MB

MD5
338cbbffa6028ee1a0beb3e7e6c4abd9

SHA1
bd008e415d2d85a124d33d455a2e2b0a0312be39

SHA256
1af9406ad522df70d8b59054cbdbef1a267fe199ab0ec1369523cdce9884bea6

SHA512
a8bb96d8ab47a3f57d5f1fc48c61392e9b28b379517cd12a468044d42a7ecdf9c099244d94784ff2411b358ea2272f8069a2fee2ea952b693ee460de0f689215

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006092001\Ixpla.exe

Filesize
1.4MB

MD5
6e7ffd057086e44e4fcc01846cd2b152

SHA1
05712e7e7b8429b2dd201ea504dc32fefe5795da

SHA256
fbc587e990949e428e8ce7a2c74dbf85cd63ffa07370756ad854595fea0033d7

SHA512
8cab1824b32c54273658d28738109c8a1ef3170c1fbe02deeee40d40990acb6d45431bfb65a3facebee9a919bd972734012b1e8de035b9c1329f1bd0e709ecd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006141001\networkmanager.exe

Filesize
2.1MB

MD5
f8d528a37993ed91d2496bab9fc734d3

SHA1
4b66b225298f776e21f566b758f3897d20b23cad

SHA256
bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02

SHA512
75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006188001\09db103d2e.exe

Filesize
1.7MB

MD5
6731bd7e893f440a5f73edfd40b73112

SHA1
8e396ca101830e0116881c8d8c81c6d5e7918afe

SHA256
599399619509681016345f5e4e50f6edd38a70496201d1a9fbfe5c53d7f4690b

SHA512
d0247ad0a1392a9b622d08e22feee7d79854c8f1492f0b4d5d5e669f7efce409e3a3961f8229ebb40aca97ed6e36066b40393b3e9cb78d7356d34d530c125110

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006189001\bab66d4457.exe

Filesize
2.7MB

MD5
9aa3e28acbd0b5a2e045a6d513c93b6b

SHA1
9381e49745b0e1c2fab053f8d4d2a59bc61988f1

SHA256
2f1568be0dd8f9a154b003441a09464578fc012d81f60faab98f8ba9c1913898

SHA512
994aacaaafb7a60400aa05ad2524eac325b50b46109a75a71e2907e0dc08b5147ad7f63d308c72b92dc70d232335134815b461b00c18c722a365e6e0f8491471

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
bf698063d67816dfb55d93238f45b46c

SHA1
3d5d42d1b4357d294e22c43953e667b98cc0371b

SHA256
bed935b2f56cefb81472fbee6327c35db4e82a57fd97c5caa133977a9db6a5fc

SHA512
e2b9d3b285d7cb4ca90645f1a2dca6160a9a3a83246a96cb74f53dd0833c4cd1c44968bb372fcbbd85ef64a8dd7b16a44f31bd6ab033ff93b56312da8de70cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpF73B.tmp

Filesize
2KB

MD5
f7fa1db8c9fc4c0276b0c976b570941a

SHA1
2651db7abfaf6f16ce285c66ae7f7786a4a05d6e

SHA256
c047d0300dacedf54019acfcabe0c13573f3b76d3c3dc85a6c07e8cfad275051

SHA512
48aa373e5ac40a370c43112b974622f860dd5d98b2da9023ce0906d30ef3872b7e3293971c3f16fb751e6efc4ff06d0b2e7fe9dc0823255e1bf2e520933fd85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_112_133784681959956000\l4.exe

Filesize
5.9MB

MD5
63c4e3f9c7383d039ab4af449372c17f

SHA1
f52ff760a098a006c41269ff73abb633b811f18e

SHA256
151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd

SHA512
dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_112_133784681959956000\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\83BF76C47CEE41D6764C196BDED416C59418F8F7

Filesize
1KB

MD5
7d00735f000fdec17dafd8b488e95144

SHA1
dc04346324f9bafda3d7b641f8790a701262840a

SHA256
5c87746b34d77934a580d7643abb2b926649168d5119192712c47a176a447f5e

SHA512
a5736434c52eeacc9ef044df6282848e6a593b38b6e249e78e4da2510228b3576cde9a2a2797cfe9804935ce9d8ea4369eef23fd2acd5d2e801ed6d6a024af91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lbroker.vbs

Filesize
82B

MD5
107a610c004bfc1ebb8b87365b2c4600

SHA1
04695e838daaaf45d91f0b51868c8995b80d3392

SHA256
3a5be027d623c694cc4874fbb6cd2f434bbaf65033607f6d2acfc1d05c3f6fdc

SHA512
4b26a04ec889e149bf4fb974178990804d371d72b239c1d55c5acc32636cfd7ad02f8d21ed9e289358873242493303de25f2a0bca7d1b5da9b0426854ff4a2d2

Download Submit
\??\c:\users\admin\appdata\roaming\lbroker.exe

Filesize
1.4MB

MD5
495c1259248262162db242763cd67db8

SHA1
af4e854569d445b067b346408672b72b053055f5

SHA256
317127a1b0af48d4686101df29a8c4063c3934cd9485890467d00505ad1712b1

SHA512
5bd5e7dfc243c18b732f5666c8c7b570ff4f3832de7e8bf1126c4016562c2caad783a31841768958576ecf897dd1634271b08be78d1beac33d4b2a1c6f953853

Download Submit
memory/1516-149-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-135-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-2508-0x0000000000B70000-0x0000000000BC4000-memory.dmp

Filesize
336KB

Download
memory/1516-122-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-123-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-125-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-127-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-129-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-131-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-133-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-137-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-120-0x0000000000E60000-0x0000000000FCA000-memory.dmp

Filesize
1.4MB

Download
memory/1516-121-0x0000000004C40000-0x0000000004D58000-memory.dmp

Filesize
1.1MB

Download
memory/1516-159-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-171-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-183-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-181-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-180-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-169-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-167-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-165-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-163-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-161-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-1300-0x00000000006A0000-0x00000000006EC000-memory.dmp

Filesize
304KB

Download
memory/1516-1299-0x0000000000D70000-0x0000000000DFA000-memory.dmp

Filesize
552KB

Download
memory/1516-177-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-175-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-173-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-157-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-155-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-153-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-151-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-139-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-147-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-145-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-143-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/1516-141-0x0000000004C40000-0x0000000004D52000-memory.dmp

Filesize
1.1MB

Download
memory/2256-5-0x0000000001340000-0x00000000017F6000-memory.dmp

Filesize
4.7MB

Download
memory/2256-21-0x0000000006F70000-0x0000000007426000-memory.dmp

Filesize
4.7MB

Download
memory/2256-0-0x0000000001340000-0x00000000017F6000-memory.dmp

Filesize
4.7MB

Download
memory/2256-2-0x0000000001341000-0x000000000136F000-memory.dmp

Filesize
184KB

Download
memory/2256-20-0x0000000006F70000-0x0000000007426000-memory.dmp

Filesize
4.7MB

Download
memory/2256-18-0x0000000001340000-0x00000000017F6000-memory.dmp

Filesize
4.7MB

Download
memory/2256-3-0x0000000001340000-0x00000000017F6000-memory.dmp

Filesize
4.7MB

Download
memory/2256-10-0x0000000001340000-0x00000000017F6000-memory.dmp

Filesize
4.7MB

Download
memory/2256-1-0x0000000077430000-0x0000000077432000-memory.dmp

Filesize
8KB

Download
memory/2388-40-0x00000000011D0000-0x0000000001660000-memory.dmp

Filesize
4.6MB

Download
memory/2752-26-0x00000000002D0000-0x0000000000786000-memory.dmp

Filesize
4.7MB

Download
memory/2752-72-0x00000000002D0000-0x0000000000786000-memory.dmp

Filesize
4.7MB

Download
memory/2752-2582-0x00000000068E0000-0x0000000006F70000-memory.dmp

Filesize
6.6MB

Download
memory/2752-2586-0x00000000068E0000-0x0000000006B98000-memory.dmp

Filesize
2.7MB

Download
memory/2752-42-0x00000000002D0000-0x0000000000786000-memory.dmp

Filesize
4.7MB

Download
memory/2752-73-0x00000000002D0000-0x0000000000786000-memory.dmp

Filesize
4.7MB

Download
memory/2752-2531-0x0000000006AA0000-0x000000000721B000-memory.dmp

Filesize
7.5MB

Download
memory/2752-22-0x00000000002D0000-0x0000000000786000-memory.dmp

Filesize
4.7MB

Download
memory/2752-2532-0x0000000006AA0000-0x000000000721B000-memory.dmp

Filesize
7.5MB

Download
memory/2752-2574-0x0000000006AA0000-0x000000000721B000-memory.dmp

Filesize
7.5MB

Download
memory/2752-2553-0x00000000068E0000-0x0000000006F70000-memory.dmp

Filesize
6.6MB

Download
memory/2752-2581-0x00000000068E0000-0x0000000006F70000-memory.dmp

Filesize
6.6MB

Download
memory/2752-24-0x00000000002D0000-0x0000000000786000-memory.dmp

Filesize
4.7MB

Download
memory/2752-2555-0x00000000068E0000-0x0000000006F70000-memory.dmp

Filesize
6.6MB

Download
memory/2752-2575-0x00000000068E0000-0x0000000006B98000-memory.dmp

Filesize
2.7MB

Download
memory/2752-23-0x00000000002D1000-0x00000000002FF000-memory.dmp

Filesize
184KB

Download
memory/2752-2578-0x00000000068E0000-0x0000000006B98000-memory.dmp

Filesize
2.7MB

Download
memory/2752-2577-0x0000000006AA0000-0x000000000721B000-memory.dmp

Filesize
7.5MB

Download
memory/2752-2584-0x00000000068E0000-0x0000000006B98000-memory.dmp

Filesize
2.7MB

Download
memory/4112-2535-0x0000000000A00000-0x000000000117B000-memory.dmp

Filesize
7.5MB

Download
memory/4112-2533-0x0000000000A00000-0x000000000117B000-memory.dmp

Filesize
7.5MB

Download
memory/4312-2557-0x0000000001380000-0x0000000001A10000-memory.dmp

Filesize
6.6MB

Download
memory/4312-2554-0x0000000001380000-0x0000000001A10000-memory.dmp

Filesize
6.6MB

Download
memory/4800-2580-0x00000000013B0000-0x0000000001668000-memory.dmp

Filesize
2.7MB

Download
memory/4800-2579-0x00000000013B0000-0x0000000001668000-memory.dmp

Filesize
2.7MB

Download
memory/4800-2576-0x00000000013B0000-0x0000000001668000-memory.dmp

Filesize
2.7MB

Download
memory/4800-2588-0x00000000013B0000-0x0000000001668000-memory.dmp

Filesize
2.7MB

Download
memory/5504-2507-0x0000000005000000-0x000000000508A000-memory.dmp

Filesize
552KB

Download
memory/5504-1330-0x0000000004290000-0x00000000043A8000-memory.dmp

Filesize
1.1MB

Download
memory/5504-1329-0x00000000001D0000-0x000000000033A000-memory.dmp

Filesize
1.4MB

Download
memory/5504-2589-0x0000000005090000-0x00000000050E4000-memory.dmp

Filesize
336KB

Download