amadey | 15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265

Analysis

max time kernel
185s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265.exe
Size

1.5MB
MD5

d833a88aa5d6f2903dce801a1ea91a35
SHA1

26fc237e2fecfac6e71ff8433b7a510e2e9f7a1d
SHA256

15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265
SHA512

50daa5040c53cbc70b3c5dfc424b9fa9a0d0fd6dc4c6175d035ebbb8823bbfa21d92087097cce951deed78ef80dd3ac77c48ab13e126f8f5fe627735bb93b77d
SSDEEP

24576:kyHL3HnYEOUEyN9i05AXOtgiK8n/VtrT3Xu1X5F4vYw8RdHncTTfiKUNpOXtccb:z7nYEOU/N9ikAetpKcVtrbGIvYrcqKs

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

26502123.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	26502123.exe

Executes dropped EXE 7 IoCs

Processes:

za141904.exeza894027.exeza860981.exe26502123.exe1.exeu88986647.exew59Qd10.exe

pid process

3900 za141904.exe
2572 za894027.exe
3932 za860981.exe
220 26502123.exe
3268 1.exe
1876 u88986647.exe
228 w59Qd10.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1.exe

pid	process
3900	za141904.exe
2572	za894027.exe
3932	za860981.exe
220	26502123.exe
3268	1.exe
1876	u88986647.exe
228	w59Qd10.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za141904.exeza894027.exeza860981.exe15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za141904.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za141904.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za894027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za894027.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za860981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za860981.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1696 1876 WerFault.exe u88986647.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

3268 1.exe
3268 1.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

26502123.exeu88986647.exe1.exe

description pid process

Token: SeDebugPrivilege 220 26502123.exe
Token: SeDebugPrivilege 1876 u88986647.exe
Token: SeDebugPrivilege 3268 1.exe

pid	pid_target	process	target process
1696	1876	WerFault.exe	u88986647.exe

pid	process
3268	1.exe
3268	1.exe

description	pid	process
Token: SeDebugPrivilege	220	26502123.exe
Token: SeDebugPrivilege	1876	u88986647.exe
Token: SeDebugPrivilege	3268	1.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265.exeza141904.exeza894027.exeza860981.exe26502123.exe

description	pid	process	target process
PID 628 wrote to memory of 3900	628	15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265.exe	za141904.exe
PID 628 wrote to memory of 3900	628	15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265.exe	za141904.exe
PID 628 wrote to memory of 3900	628	15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265.exe	za141904.exe
PID 3900 wrote to memory of 2572	3900	za141904.exe	za894027.exe
PID 3900 wrote to memory of 2572	3900	za141904.exe	za894027.exe
PID 3900 wrote to memory of 2572	3900	za141904.exe	za894027.exe
PID 2572 wrote to memory of 3932	2572	za894027.exe	za860981.exe
PID 2572 wrote to memory of 3932	2572	za894027.exe	za860981.exe
PID 2572 wrote to memory of 3932	2572	za894027.exe	za860981.exe
PID 3932 wrote to memory of 220	3932	za860981.exe	26502123.exe
PID 3932 wrote to memory of 220	3932	za860981.exe	26502123.exe
PID 3932 wrote to memory of 220	3932	za860981.exe	26502123.exe
PID 220 wrote to memory of 3268	220	26502123.exe	1.exe
PID 220 wrote to memory of 3268	220	26502123.exe	1.exe
PID 3932 wrote to memory of 1876	3932	za860981.exe	u88986647.exe
PID 3932 wrote to memory of 1876	3932	za860981.exe	u88986647.exe
PID 3932 wrote to memory of 1876	3932	za860981.exe	u88986647.exe
PID 2572 wrote to memory of 228	2572	za894027.exe	w59Qd10.exe
PID 2572 wrote to memory of 228	2572	za894027.exe	w59Qd10.exe
PID 2572 wrote to memory of 228	2572	za894027.exe	w59Qd10.exe

C:\Users\Admin\AppData\Local\Temp\15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265.exe
"C:\Users\Admin\AppData\Local\Temp\15a4b67f70e0165ebd58ddceeb3c169cc7139ee2c29562cb376e53833a61b265.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za141904.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za141904.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za894027.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za894027.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za860981.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za860981.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26502123.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26502123.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u88986647.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u88986647.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1264
6⤵
- Program crash
PID:1696

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w59Qd10.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w59Qd10.exe
4⤵
- Executes dropped EXE
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1876 -ip 1876
1⤵
PID:876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za141904.exe
Filesize
1.3MB

MD5
682a4479ebcb2e497ea75613cdcfdbb5

SHA1
c111f8a534820a3a93d62c4eb211859854700fee

SHA256
10c4506a7cfc3665b62593023693f4388db78bb208e6f3a0bf04c6c657812e75

SHA512
f5a2b9501283eaae7fb2a2f9d4f38921f724a28aa110d79c2f733f58c2a68abc8f2ac38edd419c4ce2527dcd4c9add0a3e772e84b5763f460343ba3764c283d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za141904.exe
Filesize
1.3MB

MD5
682a4479ebcb2e497ea75613cdcfdbb5

SHA1
c111f8a534820a3a93d62c4eb211859854700fee

SHA256
10c4506a7cfc3665b62593023693f4388db78bb208e6f3a0bf04c6c657812e75

SHA512
f5a2b9501283eaae7fb2a2f9d4f38921f724a28aa110d79c2f733f58c2a68abc8f2ac38edd419c4ce2527dcd4c9add0a3e772e84b5763f460343ba3764c283d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za894027.exe
Filesize
862KB

MD5
27039d1c0025bc0d698b014d42222104

SHA1
a5a8a29a1c610a9c04ac64c745d8b65cc41698cb

SHA256
5c4df67c74c99e0609c5c0266380fe8468f6200a21c381030e7793bf914d64cc

SHA512
56276f410693b154b48b36006f084375379589980f4bacce42e0db8d7458d120c08207c4cfcc1c0ea36b2ad463e178739aa7b94ff07788805ed00c1bf0d76b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za894027.exe
Filesize
862KB

MD5
27039d1c0025bc0d698b014d42222104

SHA1
a5a8a29a1c610a9c04ac64c745d8b65cc41698cb

SHA256
5c4df67c74c99e0609c5c0266380fe8468f6200a21c381030e7793bf914d64cc

SHA512
56276f410693b154b48b36006f084375379589980f4bacce42e0db8d7458d120c08207c4cfcc1c0ea36b2ad463e178739aa7b94ff07788805ed00c1bf0d76b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w59Qd10.exe
Filesize
229KB

MD5
a8e946087b554b1e307eb60f5bb77bb6

SHA1
9ba33d6ba618a5358a24e245a904c949880e9c63

SHA256
40110c97ec8b9645c267ba23a483427062e1aaa03e2b48345d4c80ce8e58dd6b

SHA512
2a35ae46989feea083ca4457259acf4dbbdd1da49bd07bbf6ee63ac62a8bf4f75cbafce9fd4c4be99c905ec07ef734add24cdf4d806e0a74805a663bd00f8090

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w59Qd10.exe
Filesize
229KB

MD5
a8e946087b554b1e307eb60f5bb77bb6

SHA1
9ba33d6ba618a5358a24e245a904c949880e9c63

SHA256
40110c97ec8b9645c267ba23a483427062e1aaa03e2b48345d4c80ce8e58dd6b

SHA512
2a35ae46989feea083ca4457259acf4dbbdd1da49bd07bbf6ee63ac62a8bf4f75cbafce9fd4c4be99c905ec07ef734add24cdf4d806e0a74805a663bd00f8090

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za860981.exe
Filesize
679KB

MD5
ea9201453c07883b9621fc5c751d01d1

SHA1
5ffb8f96143252dc413959f54bcc1af50f9de273

SHA256
04912cd6a5bd06d63acbf8fe2f65dbf06904db3370e49a25fbc903ea215834dc

SHA512
36bb396021722be252d2387ec203df2d54c3ffa246d13198e773e87f02b13c6af0fcfbf86f834e9b6d3933adcdfb574522f3e6b2cd1b61871e0845534b262ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za860981.exe
Filesize
679KB

MD5
ea9201453c07883b9621fc5c751d01d1

SHA1
5ffb8f96143252dc413959f54bcc1af50f9de273

SHA256
04912cd6a5bd06d63acbf8fe2f65dbf06904db3370e49a25fbc903ea215834dc

SHA512
36bb396021722be252d2387ec203df2d54c3ffa246d13198e773e87f02b13c6af0fcfbf86f834e9b6d3933adcdfb574522f3e6b2cd1b61871e0845534b262ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26502123.exe
Filesize
301KB

MD5
724a81345771aeba63cc25de6f7f0148

SHA1
18b2ec94b7bbccf0209e15b097745e3912e305b0

SHA256
8554f6d501b2b52ca50dc1284f5d53e9052469c228e90aa88a1dbad0a175a26c

SHA512
47e9f24f58b89afc8bf1a7e64e6eb5dc667575f7f6aa3e0d69245ceb0cb8f0f558dfaff7829c02d302c9f0eb54ca85e2dc698faf47c0acdab4eed8e448b58549

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26502123.exe
Filesize
301KB

MD5
724a81345771aeba63cc25de6f7f0148

SHA1
18b2ec94b7bbccf0209e15b097745e3912e305b0

SHA256
8554f6d501b2b52ca50dc1284f5d53e9052469c228e90aa88a1dbad0a175a26c

SHA512
47e9f24f58b89afc8bf1a7e64e6eb5dc667575f7f6aa3e0d69245ceb0cb8f0f558dfaff7829c02d302c9f0eb54ca85e2dc698faf47c0acdab4eed8e448b58549

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u88986647.exe
Filesize
522KB

MD5
d8dd045fea98a330f71121e0387c5ef4

SHA1
11676c34855f4b34466d2f4f4262446767cc8143

SHA256
54403b114f06988d40c8070cacb25bcaa95e045268dae47e9b795710f6bbbd0a

SHA512
b18992dc2f9c0ed6248b470dc9acc917a84f8cd0bd75614d82ace3c0c29acb3ded2eb7e028c27487b2870e95ac4ad5ac2ae9972c1b4a323ea96b5b46b27a87e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u88986647.exe
Filesize
522KB

MD5
d8dd045fea98a330f71121e0387c5ef4

SHA1
11676c34855f4b34466d2f4f4262446767cc8143

SHA256
54403b114f06988d40c8070cacb25bcaa95e045268dae47e9b795710f6bbbd0a

SHA512
b18992dc2f9c0ed6248b470dc9acc917a84f8cd0bd75614d82ace3c0c29acb3ded2eb7e028c27487b2870e95ac4ad5ac2ae9972c1b4a323ea96b5b46b27a87e0

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/220-204-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-220-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-174-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-176-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-178-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-180-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-182-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-184-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-186-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-188-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-190-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-192-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-194-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-196-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-198-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-200-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-202-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-170-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-206-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-208-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-210-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-212-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-214-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-216-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-218-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-172-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-222-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-224-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-226-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-228-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-2293-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/220-2294-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/220-2295-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/220-2299-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/220-166-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-168-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-165-0x0000000004AF0000-0x0000000004B41000-memory.dmp

Filesize
324KB

Download
memory/220-164-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/220-163-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/220-161-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download
memory/220-162-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1876-2390-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1876-2391-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1876-2394-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1876-4446-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1876-4448-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1876-4449-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1876-4450-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1876-4452-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/1876-4453-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1876-2387-0x0000000000830000-0x000000000087C000-memory.dmp

Filesize
304KB

Download
memory/3268-2312-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download