amadey | a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90

Analysis

max time kernel
148s
max time network
143s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
08/02/2023, 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe
Size

567KB
MD5

acb7186c421bf69e5bea05489020bd80
SHA1

3b967e911a1c8a22440843d0e09c9b4882029c06
SHA256

a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90
SHA512

44174868966271bef1f36fbbde672026e95d4873776c6aec80f0a9a4a2c7332a303634697c1c579e05854a819ef2b3e2f224e7ee90d5bf8c6b0a964f5c57f966
SSDEEP

12288:6Mrwy907uAkg7AOVbagUHC0qo36ZZmCRBFzyd:Sy6k0AORagEqo36yu+d

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.66

62.204.41.4/Gol478Ns/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	alBf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	alBf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	alBf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	alBf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	alBf.exe

Executes dropped EXE 7 IoCs

pid	Process
3380	blBg.exe
5088	alBf.exe
3608	nika.exe
5072	xriv.exe
5008	mnolyk.exe
2264	mnolyk.exe
4956	mnolyk.exe

Loads dropped DLL 1 IoCs

pid	Process
4748	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	alBf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	alBf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	nika.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	blBg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	blBg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5088	alBf.exe
5088	alBf.exe
3608	nika.exe
3608	nika.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	alBf.exe
Token: SeDebugPrivilege	3608	nika.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 3380	2620	a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe	67
PID 2620 wrote to memory of 3380	2620	a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe	67
PID 2620 wrote to memory of 3380	2620	a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe	67
PID 3380 wrote to memory of 5088	3380	blBg.exe	66
PID 3380 wrote to memory of 5088	3380	blBg.exe	66
PID 3380 wrote to memory of 5088	3380	blBg.exe	66
PID 3380 wrote to memory of 3608	3380	blBg.exe	68
PID 3380 wrote to memory of 3608	3380	blBg.exe	68
PID 2620 wrote to memory of 5072	2620	a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe	69
PID 2620 wrote to memory of 5072	2620	a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe	69
PID 2620 wrote to memory of 5072	2620	a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe	69
PID 5072 wrote to memory of 5008	5072	xriv.exe	70
PID 5072 wrote to memory of 5008	5072	xriv.exe	70
PID 5072 wrote to memory of 5008	5072	xriv.exe	70
PID 5008 wrote to memory of 4448	5008	mnolyk.exe	71
PID 5008 wrote to memory of 4448	5008	mnolyk.exe	71
PID 5008 wrote to memory of 4448	5008	mnolyk.exe	71
PID 5008 wrote to memory of 648	5008	mnolyk.exe	72
PID 5008 wrote to memory of 648	5008	mnolyk.exe	72
PID 5008 wrote to memory of 648	5008	mnolyk.exe	72
PID 648 wrote to memory of 224	648	cmd.exe	75
PID 648 wrote to memory of 224	648	cmd.exe	75
PID 648 wrote to memory of 224	648	cmd.exe	75
PID 648 wrote to memory of 3300	648	cmd.exe	76
PID 648 wrote to memory of 3300	648	cmd.exe	76
PID 648 wrote to memory of 3300	648	cmd.exe	76
PID 648 wrote to memory of 2660	648	cmd.exe	77
PID 648 wrote to memory of 2660	648	cmd.exe	77
PID 648 wrote to memory of 2660	648	cmd.exe	77
PID 648 wrote to memory of 1400	648	cmd.exe	78
PID 648 wrote to memory of 1400	648	cmd.exe	78
PID 648 wrote to memory of 1400	648	cmd.exe	78
PID 648 wrote to memory of 3316	648	cmd.exe	79
PID 648 wrote to memory of 3316	648	cmd.exe	79
PID 648 wrote to memory of 3316	648	cmd.exe	79
PID 648 wrote to memory of 4504	648	cmd.exe	80
PID 648 wrote to memory of 4504	648	cmd.exe	80
PID 648 wrote to memory of 4504	648	cmd.exe	80
PID 5008 wrote to memory of 4748	5008	mnolyk.exe	81
PID 5008 wrote to memory of 4748	5008	mnolyk.exe	81
PID 5008 wrote to memory of 4748	5008	mnolyk.exe	81

C:\Users\Admin\AppData\Local\Temp\a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe
"C:\Users\Admin\AppData\Local\Temp\a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\blBg.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\blBg.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4448
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:224
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:N"
        5⤵
        
        PID:3300
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:R" /E
        5⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1400
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\4b9a106e76" /P "Admin:N"
        5⤵
        
        PID:3316
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\4b9a106e76" /P "Admin:R" /E
        5⤵
        
        PID:4504
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4748

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\alBf.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\alBf.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\blBg.exe

Filesize
381KB

MD5
7ad925b5dcd534c725a19b49686fa723

SHA1
f51dbd558df6eb51d04eb1e6558fce477939f042

SHA256
a0ecbeec4e1558c334cd998f32e7eb8d2c734a6b11bccfd0d7f480b248d5c117

SHA512
3876a63dbf396508b997ad384034a8e87b3d2ce1b11bd02c0ec9d61411c295b1fa27995c145fffa503efcd60075b94814e96fe8d575d9ee2a3c8af6548dbdc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\blBg.exe

Filesize
381KB

MD5
7ad925b5dcd534c725a19b49686fa723

SHA1
f51dbd558df6eb51d04eb1e6558fce477939f042

SHA256
a0ecbeec4e1558c334cd998f32e7eb8d2c734a6b11bccfd0d7f480b248d5c117

SHA512
3876a63dbf396508b997ad384034a8e87b3d2ce1b11bd02c0ec9d61411c295b1fa27995c145fffa503efcd60075b94814e96fe8d575d9ee2a3c8af6548dbdc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\alBf.exe

Filesize
362KB

MD5
de4166164886abfc0a2860d62abb2298

SHA1
6da185d1f8d6ecf7ec4528dcd1bb27a0f4ca5094

SHA256
36543071eed8fff982be3473bcbc66d2a4ae00f2a6017f3ac58b009f7eb19bae

SHA512
e2e1cce29ee160894178c00b14e9fdd6cd192430376e041fcbe75f44693b764bfce39dd667b45bbf9418204c2b3af83a0041dbd19d8546124d4e84e3fc7f5a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\alBf.exe

Filesize
362KB

MD5
de4166164886abfc0a2860d62abb2298

SHA1
6da185d1f8d6ecf7ec4528dcd1bb27a0f4ca5094

SHA256
36543071eed8fff982be3473bcbc66d2a4ae00f2a6017f3ac58b009f7eb19bae

SHA512
e2e1cce29ee160894178c00b14e9fdd6cd192430376e041fcbe75f44693b764bfce39dd667b45bbf9418204c2b3af83a0041dbd19d8546124d4e84e3fc7f5a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
89KB

MD5
c79b74d8fec5e7e2ba2f1789fd582a15

SHA1
78a1e5d99dbaccc5e07b125e1dfb280112cb3128

SHA256
b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3

SHA512
0debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba

Download Submit
\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
89KB

MD5
c79b74d8fec5e7e2ba2f1789fd582a15

SHA1
78a1e5d99dbaccc5e07b125e1dfb280112cb3128

SHA256
b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3

SHA512
0debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba

Download Submit
memory/2620-131-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-164-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-134-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-135-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-136-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-137-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-138-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-139-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-140-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-142-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-143-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-144-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-146-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-147-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-148-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-149-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-151-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-152-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-154-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-155-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-156-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-153-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-158-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-160-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-162-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-133-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-141-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-132-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-150-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-130-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-129-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-157-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-128-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-127-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-159-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-161-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-126-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-125-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-124-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-123-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-122-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-121-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-120-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-119-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-145-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-163-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-180-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-185-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-167-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-168-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-170-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-172-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-176-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-178-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-183-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-169-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-184-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-182-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-171-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-174-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-181-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-179-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-175-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3380-177-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3608-288-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/5088-278-0x0000000004DA0000-0x000000000529E000-memory.dmp

Filesize
5.0MB

Download
memory/5088-280-0x00000000021F0000-0x0000000002208000-memory.dmp

Filesize
96KB

Download
memory/5088-274-0x0000000000830000-0x000000000084A000-memory.dmp

Filesize
104KB

Download
memory/5088-283-0x0000000000620000-0x000000000076A000-memory.dmp

Filesize
1.3MB

Download
memory/5088-284-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/5088-265-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/5088-264-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/5088-263-0x0000000000620000-0x000000000076A000-memory.dmp

Filesize
1.3MB

Download