amadey | cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10

Analysis

max time kernel
193s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10.exe
Size

1.5MB
MD5

b4e1fb1e6b95c8d4911b116cb792590e
SHA1

f99b3192393a747048eb41ecb3c62be2d4ca2c84
SHA256

cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10
SHA512

d96fde955472120c56dea66d6f6d5f39dbd729baf9bb2ef1bcc3a2d65d4be16c590442edfb59aeb34c87cfe185639ffae20ee2c70a70f715bd604fdac785fe9e
SSDEEP

24576:myA+UesYonLkzMAdl+VMtDBnu/4Ji5nLcHhOeezfN8Io1cTTfiKwN8rZIMHGQ:1Y1nwQAP+uttg4yLcHhOeqf6yqKVZI

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15342344.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	15342344.exe

Executes dropped EXE 7 IoCs

Processes:

za490769.exeza213431.exeza023316.exe15342344.exe1.exeu63386193.exew93uO65.exe

pid process

5112 za490769.exe
1868 za213431.exe
264 za023316.exe
3524 15342344.exe
796 1.exe
3876 u63386193.exe
4364 w93uO65.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1.exe

pid	process
5112	za490769.exe
1868	za213431.exe
264	za023316.exe
3524	15342344.exe
796	1.exe
3876	u63386193.exe
4364	w93uO65.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10.exeza490769.exeza213431.exeza023316.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za490769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za490769.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za213431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za213431.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za023316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za023316.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2120 3876 WerFault.exe u63386193.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

796 1.exe
796 1.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

15342344.exeu63386193.exe1.exe

description pid process

Token: SeDebugPrivilege 3524 15342344.exe
Token: SeDebugPrivilege 3876 u63386193.exe
Token: SeDebugPrivilege 796 1.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

w93uO65.exe

pid process

4364 w93uO65.exe

pid	pid_target	process	target process
2120	3876	WerFault.exe	u63386193.exe

pid	process
796	1.exe
796	1.exe

description	pid	process
Token: SeDebugPrivilege	3524	15342344.exe
Token: SeDebugPrivilege	3876	u63386193.exe
Token: SeDebugPrivilege	796	1.exe

pid	process
4364	w93uO65.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10.exeza490769.exeza213431.exeza023316.exe15342344.exe

description	pid	process	target process
PID 5100 wrote to memory of 5112	5100	cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10.exe	za490769.exe
PID 5100 wrote to memory of 5112	5100	cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10.exe	za490769.exe
PID 5100 wrote to memory of 5112	5100	cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10.exe	za490769.exe
PID 5112 wrote to memory of 1868	5112	za490769.exe	za213431.exe
PID 5112 wrote to memory of 1868	5112	za490769.exe	za213431.exe
PID 5112 wrote to memory of 1868	5112	za490769.exe	za213431.exe
PID 1868 wrote to memory of 264	1868	za213431.exe	za023316.exe
PID 1868 wrote to memory of 264	1868	za213431.exe	za023316.exe
PID 1868 wrote to memory of 264	1868	za213431.exe	za023316.exe
PID 264 wrote to memory of 3524	264	za023316.exe	15342344.exe
PID 264 wrote to memory of 3524	264	za023316.exe	15342344.exe
PID 264 wrote to memory of 3524	264	za023316.exe	15342344.exe
PID 3524 wrote to memory of 796	3524	15342344.exe	1.exe
PID 3524 wrote to memory of 796	3524	15342344.exe	1.exe
PID 264 wrote to memory of 3876	264	za023316.exe	u63386193.exe
PID 264 wrote to memory of 3876	264	za023316.exe	u63386193.exe
PID 264 wrote to memory of 3876	264	za023316.exe	u63386193.exe
PID 1868 wrote to memory of 4364	1868	za213431.exe	w93uO65.exe
PID 1868 wrote to memory of 4364	1868	za213431.exe	w93uO65.exe
PID 1868 wrote to memory of 4364	1868	za213431.exe	w93uO65.exe

C:\Users\Admin\AppData\Local\Temp\cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10.exe
"C:\Users\Admin\AppData\Local\Temp\cbb9d81ebfc3933a4d48b8f875ef3a4be40954a3cc4f6ab408c907442bb89e10.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za490769.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za490769.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za213431.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za213431.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za023316.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za023316.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:264
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\15342344.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\15342344.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u63386193.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u63386193.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1276
        6⤵
        Program crash
        
        PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w93uO65.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w93uO65.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3876 -ip 3876
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Filesize
229KB

MD5
c22455db56cddf5fb7e54f0c2adb52b8

SHA1
7ecedbe0a5056154d2deaf60f54da089620cb2d5

SHA256
20ce4196e4cff65087caeabe62718c40bcd8bff80b469d082e0c4c4f9c626f01

SHA512
9bd86d6c435a2cee9749a08309a89e9d59a034c5bdc54b3c6bb76d31f3b5ac91e7dc94d7b15fbbbbae96db443f611b55ef3a2332127680d99b38b4b933c3eba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za490769.exe

Filesize
1.3MB

MD5
416bc90d614c9a48a0fe375e4341e6e6

SHA1
c66a805a9c2f70e3120007990630583442e0a52e

SHA256
526a92e6f8549aaec2a088f342aaa5dfb23f6f763e7d45c329af37034cc9c3fd

SHA512
8e07c278603fe71598443acd9ddd9eb86953bfc004fd9bd0230640e32059b0d290d89e2c45c8ac1f53a04524ddfbeb82f522a2feb26b32b1e51346850e7bcc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za490769.exe

Filesize
1.3MB

MD5
416bc90d614c9a48a0fe375e4341e6e6

SHA1
c66a805a9c2f70e3120007990630583442e0a52e

SHA256
526a92e6f8549aaec2a088f342aaa5dfb23f6f763e7d45c329af37034cc9c3fd

SHA512
8e07c278603fe71598443acd9ddd9eb86953bfc004fd9bd0230640e32059b0d290d89e2c45c8ac1f53a04524ddfbeb82f522a2feb26b32b1e51346850e7bcc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za213431.exe

Filesize
862KB

MD5
a22702cb905f625544fae46639eb06a4

SHA1
984a87770ffc21198bf9d7109338347ae32f25b9

SHA256
9a981d63165323e8c93111dae62166207e72c66a402f33c0e33e5ff2e525fcfa

SHA512
d2f335a0d103d6f0f796d270996e549667a19d79b879bdbe3bd40a94a13ddc12a98b6e989ef45169d80e5d7a941ff82d18c2d2a6016f992a28094fdf697fb9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za213431.exe

Filesize
862KB

MD5
a22702cb905f625544fae46639eb06a4

SHA1
984a87770ffc21198bf9d7109338347ae32f25b9

SHA256
9a981d63165323e8c93111dae62166207e72c66a402f33c0e33e5ff2e525fcfa

SHA512
d2f335a0d103d6f0f796d270996e549667a19d79b879bdbe3bd40a94a13ddc12a98b6e989ef45169d80e5d7a941ff82d18c2d2a6016f992a28094fdf697fb9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w93uO65.exe

Filesize
229KB

MD5
c22455db56cddf5fb7e54f0c2adb52b8

SHA1
7ecedbe0a5056154d2deaf60f54da089620cb2d5

SHA256
20ce4196e4cff65087caeabe62718c40bcd8bff80b469d082e0c4c4f9c626f01

SHA512
9bd86d6c435a2cee9749a08309a89e9d59a034c5bdc54b3c6bb76d31f3b5ac91e7dc94d7b15fbbbbae96db443f611b55ef3a2332127680d99b38b4b933c3eba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w93uO65.exe

Filesize
229KB

MD5
c22455db56cddf5fb7e54f0c2adb52b8

SHA1
7ecedbe0a5056154d2deaf60f54da089620cb2d5

SHA256
20ce4196e4cff65087caeabe62718c40bcd8bff80b469d082e0c4c4f9c626f01

SHA512
9bd86d6c435a2cee9749a08309a89e9d59a034c5bdc54b3c6bb76d31f3b5ac91e7dc94d7b15fbbbbae96db443f611b55ef3a2332127680d99b38b4b933c3eba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za023316.exe

Filesize
679KB

MD5
9edc3c3121e8274eae730fdcb8e104a2

SHA1
4d058d66078a937769b142da4c3eb0d4468a888d

SHA256
70522ae5f307fabd964ada342169a2f25e4e129765da6348c43669dfbf27a15a

SHA512
18e3b659f4018cadaf271b1188e7e05dcbc303c0e61f720252e562c023d60d4a071e7bce347f9b8288266a2f4a9de55904c70000aca9448c86a4a69c6528828d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za023316.exe

Filesize
679KB

MD5
9edc3c3121e8274eae730fdcb8e104a2

SHA1
4d058d66078a937769b142da4c3eb0d4468a888d

SHA256
70522ae5f307fabd964ada342169a2f25e4e129765da6348c43669dfbf27a15a

SHA512
18e3b659f4018cadaf271b1188e7e05dcbc303c0e61f720252e562c023d60d4a071e7bce347f9b8288266a2f4a9de55904c70000aca9448c86a4a69c6528828d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\15342344.exe

Filesize
301KB

MD5
0b6fbbc57bf860095d0e7a2793ab0d9e

SHA1
9f1b4429d5db25e3e05cc25b7516de5a9c4255b8

SHA256
9b0ddf5c314cd381caa3ac5316a9509636c28bfa3b3d6670b91506871d781dd6

SHA512
f8439484f1869e15dfd13d3a648337a1c97a2b3fa0edd953786d35aff9a2bcd7d656ed498a89ca7591e197cc0942f3bff7e2052fef9f1221b75be33a192030d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\15342344.exe

Filesize
301KB

MD5
0b6fbbc57bf860095d0e7a2793ab0d9e

SHA1
9f1b4429d5db25e3e05cc25b7516de5a9c4255b8

SHA256
9b0ddf5c314cd381caa3ac5316a9509636c28bfa3b3d6670b91506871d781dd6

SHA512
f8439484f1869e15dfd13d3a648337a1c97a2b3fa0edd953786d35aff9a2bcd7d656ed498a89ca7591e197cc0942f3bff7e2052fef9f1221b75be33a192030d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u63386193.exe

Filesize
522KB

MD5
381d6f26c1a93a0215b2aa41627e687a

SHA1
9ba01e5a3280c109da29e2e684040a71d560d629

SHA256
06bdca2abc29fc5ebdd7dc51530a77ba68c3d635a2f30dc2b3e099edd0453b7a

SHA512
75d3d41f7ac4d841023d0fb8c85597acb59cfc3c70a0e69f0cb81f310fd9971856f5075514020c40722910e6bbaa8db7f75b1c3093377255da955889aac62f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u63386193.exe

Filesize
522KB

MD5
381d6f26c1a93a0215b2aa41627e687a

SHA1
9ba01e5a3280c109da29e2e684040a71d560d629

SHA256
06bdca2abc29fc5ebdd7dc51530a77ba68c3d635a2f30dc2b3e099edd0453b7a

SHA512
75d3d41f7ac4d841023d0fb8c85597acb59cfc3c70a0e69f0cb81f310fd9971856f5075514020c40722910e6bbaa8db7f75b1c3093377255da955889aac62f30

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/796-2309-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/3524-177-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-224-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-181-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-183-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-187-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3524-189-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3524-186-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-185-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3524-190-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-192-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-194-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-196-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-198-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-202-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-206-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-208-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-204-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-200-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-210-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-212-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-214-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-216-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-218-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-220-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-222-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-179-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-226-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-228-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-2293-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3524-2294-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3524-2296-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3524-175-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-2304-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3524-173-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-171-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-169-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-167-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-165-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-161-0x00000000049F0000-0x0000000004F94000-memory.dmp

Filesize
5.6MB

Download
memory/3524-162-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3524-163-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/3876-2415-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3876-4446-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3876-4448-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3876-4449-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3876-4450-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3876-4451-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/3876-4453-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3876-2414-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3876-2412-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3876-2410-0x0000000000950000-0x000000000099C000-memory.dmp

Filesize
304KB

Download