amadey | 1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878d

Analysis

max time kernel
103s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe
Size

577KB
MD5

c61f9c4e1e78582eaf9b7f0f836407b0
SHA1

838c2c4b1f66dd27170bf94935b4847c26ae7d67
SHA256

1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878d
SHA512

72bf61d924e631b9a5a487c5241277b4573ff1fbcb6c93be6bfed023f7b7223857af70f6dd592a6557372fc5eb623fd1765895c31102614422b2baad1d025963
SSDEEP

12288:ry90D4XJnOx3s6euAM6NvEeduLcR0NU3xtKW87D:rysQJnOx3uhduLcFLKWOD

Score

10^/10

amadey healer 9c0adb discovery dropper evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4748-15-0x00000000024D0000-0x00000000024EA000-memory.dmp	healer
behavioral1/memory/4748-19-0x0000000005080000-0x0000000005098000-memory.dmp	healer
behavioral1/memory/4748-48-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-46-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-44-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-42-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-40-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-38-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-36-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-34-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-32-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-30-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-28-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-26-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-24-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-22-0x0000000005080000-0x0000000005093000-memory.dmp	healer
behavioral1/memory/4748-21-0x0000000005080000-0x0000000005093000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	101318249.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	258275243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	258275243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	101318249.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	101318249.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	101318249.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	258275243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	258275243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	258275243.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	101318249.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	101318249.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	308931350.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 6 IoCs

pid	Process
2516	np575217.exe
4748	101318249.exe
1448	258275243.exe
4576	308931350.exe
4784	oneetx.exe
4948	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	258275243.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	101318249.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	101318249.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	np575217.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3140	1448	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	np575217.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	101318249.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	258275243.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	308931350.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4748	101318249.exe
4748	101318249.exe
1448	258275243.exe
1448	258275243.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	101318249.exe
Token: SeDebugPrivilege	1448	258275243.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4576	308931350.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2516	3032	1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe	83
PID 3032 wrote to memory of 2516	3032	1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe	83
PID 3032 wrote to memory of 2516	3032	1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe	83
PID 2516 wrote to memory of 4748	2516	np575217.exe	84
PID 2516 wrote to memory of 4748	2516	np575217.exe	84
PID 2516 wrote to memory of 4748	2516	np575217.exe	84
PID 2516 wrote to memory of 1448	2516	np575217.exe	93
PID 2516 wrote to memory of 1448	2516	np575217.exe	93
PID 2516 wrote to memory of 1448	2516	np575217.exe	93
PID 3032 wrote to memory of 4576	3032	1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe	97
PID 3032 wrote to memory of 4576	3032	1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe	97
PID 3032 wrote to memory of 4576	3032	1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe	97
PID 4576 wrote to memory of 4784	4576	308931350.exe	98
PID 4576 wrote to memory of 4784	4576	308931350.exe	98
PID 4576 wrote to memory of 4784	4576	308931350.exe	98
PID 4784 wrote to memory of 4796	4784	oneetx.exe	99
PID 4784 wrote to memory of 4796	4784	oneetx.exe	99
PID 4784 wrote to memory of 4796	4784	oneetx.exe	99
PID 4784 wrote to memory of 4176	4784	oneetx.exe	101
PID 4784 wrote to memory of 4176	4784	oneetx.exe	101
PID 4784 wrote to memory of 4176	4784	oneetx.exe	101
PID 4176 wrote to memory of 3900	4176	cmd.exe	103
PID 4176 wrote to memory of 3900	4176	cmd.exe	103
PID 4176 wrote to memory of 3900	4176	cmd.exe	103
PID 4176 wrote to memory of 5088	4176	cmd.exe	104
PID 4176 wrote to memory of 5088	4176	cmd.exe	104
PID 4176 wrote to memory of 5088	4176	cmd.exe	104
PID 4176 wrote to memory of 2112	4176	cmd.exe	105
PID 4176 wrote to memory of 2112	4176	cmd.exe	105
PID 4176 wrote to memory of 2112	4176	cmd.exe	105
PID 4176 wrote to memory of 2500	4176	cmd.exe	106
PID 4176 wrote to memory of 2500	4176	cmd.exe	106
PID 4176 wrote to memory of 2500	4176	cmd.exe	106
PID 4176 wrote to memory of 4400	4176	cmd.exe	107
PID 4176 wrote to memory of 4400	4176	cmd.exe	107
PID 4176 wrote to memory of 4400	4176	cmd.exe	107
PID 4176 wrote to memory of 2336	4176	cmd.exe	108
PID 4176 wrote to memory of 2336	4176	cmd.exe	108
PID 4176 wrote to memory of 2336	4176	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe
"C:\Users\Admin\AppData\Local\Temp\1ec211762373a3dd9e667140cf716dd34e0573924d51d0303d3c7139120a878dN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np575217.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np575217.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\101318249.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\101318249.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258275243.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258275243.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1084
      4⤵
      Program crash
      PID:3140
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\308931350.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\308931350.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1448 -ip 1448
1⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\308931350.exe

Filesize
204KB

MD5
1304f384653e08ae497008ff13498608

SHA1
d9a76ed63d74d4217c5027757cb9a7a0d0093080

SHA256
2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

SHA512
4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np575217.exe

Filesize
406KB

MD5
97d774247be3a6ace8a3ad212f7684dd

SHA1
724cb6fdd9843e46ccf4d9e893aae4b12f8ecdef

SHA256
d401484a56aa2a2ab07b9f09a7386099713210003de5c507082f9c04fc39f42b

SHA512
4b636995741b5c5d403fec7e5b312c30bd164cbe4dc8cf3fb0765dbb7a90d3f1e95124045de7376d2464e5068d4f6438127308ab05b3bfebc676215921605ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\101318249.exe

Filesize
175KB

MD5
3d10b67208452d7a91d7bd7066067676

SHA1
e6c3ab7b6da65c8cc7dd95351f118caf3a50248d

SHA256
5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302

SHA512
b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258275243.exe

Filesize
264KB

MD5
a5740bd05f65c03914de992c6f81d9e7

SHA1
b0eb0ff4ae6a0119d3af130793cdff7978b0a36c

SHA256
ebec1eae9ced7dc6145f2e8308c4b720e84ca957ff15b39a5b04598ae2127f47

SHA512
de1b9df3f71ffb60f908f83dfdc87990017a3ad328a6b440ff618a96be6e3dbb61b4e95ea7efb5bee69efb692e2d17053cb0f2191e68cd1e838ffea86a4021a9

Download Submit
memory/1448-87-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/1448-85-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4748-38-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-28-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-20-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-48-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-46-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-44-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-42-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-40-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-19-0x0000000005080000-0x0000000005098000-memory.dmp

Filesize
96KB

Download
memory/4748-36-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-34-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-32-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-30-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-18-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-26-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-24-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-22-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-21-0x0000000005080000-0x0000000005093000-memory.dmp

Filesize
76KB

Download
memory/4748-49-0x000000007422E000-0x000000007422F000-memory.dmp

Filesize
4KB

Download
memory/4748-50-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-52-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-17-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-16-0x0000000004A90000-0x0000000005034000-memory.dmp

Filesize
5.6MB

Download
memory/4748-15-0x00000000024D0000-0x00000000024EA000-memory.dmp

Filesize
104KB

Download
memory/4748-14-0x000000007422E000-0x000000007422F000-memory.dmp

Filesize
4KB

Download