amadey | ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce

Analysis

max time kernel
240s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce.exe
Size

1.5MB
MD5

67f75a10acdf8b5e273cfb455e03b685
SHA1

213c42996089d15beac09995e90cf8371ddd8eaa
SHA256

ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce
SHA512

b9277d568069913c5f7eb50e95aad213255ad06a2eb26a92c916c5bd7559486f61abdd325842d523b80b5eece4fcab0b0cfe469d6f524d434d6354e7829d86ef
SSDEEP

24576:1y5RCeg71V1aK+g8tnMSzAdEbkG6u7cCImQFo/e7e+/9JIDR1q1ZQlEXGhR:Q5RCLRVN+htMScdukG2CImoo/eqXR1+d

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

31576021.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	31576021.exe

Executes dropped EXE 7 IoCs

Processes:

za002477.exeza149668.exeza831203.exe31576021.exe1.exeu65132683.exew65Ht48.exe

pid process

3960 za002477.exe
4320 za149668.exe
1100 za831203.exe
4436 31576021.exe
4260 1.exe
4840 u65132683.exe
1424 w65Ht48.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1.exe

pid	process
3960	za002477.exe
4320	za149668.exe
1100	za831203.exe
4436	31576021.exe
4260	1.exe
4840	u65132683.exe
1424	w65Ht48.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za149668.exeza831203.execa4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce.exeza002477.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za149668.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za149668.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za831203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za831203.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za002477.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za002477.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2308 4840 WerFault.exe u65132683.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

4260 1.exe
4260 1.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

31576021.exe1.exeu65132683.exe

description pid process

Token: SeDebugPrivilege 4436 31576021.exe
Token: SeDebugPrivilege 4260 1.exe
Token: SeDebugPrivilege 4840 u65132683.exe

pid	pid_target	process	target process
2308	4840	WerFault.exe	u65132683.exe

pid	process
4260	1.exe
4260	1.exe

description	pid	process
Token: SeDebugPrivilege	4436	31576021.exe
Token: SeDebugPrivilege	4260	1.exe
Token: SeDebugPrivilege	4840	u65132683.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce.exeza002477.exeza149668.exeza831203.exe31576021.exe

description	pid	process	target process
PID 1116 wrote to memory of 3960	1116	ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce.exe	za002477.exe
PID 1116 wrote to memory of 3960	1116	ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce.exe	za002477.exe
PID 1116 wrote to memory of 3960	1116	ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce.exe	za002477.exe
PID 3960 wrote to memory of 4320	3960	za002477.exe	za149668.exe
PID 3960 wrote to memory of 4320	3960	za002477.exe	za149668.exe
PID 3960 wrote to memory of 4320	3960	za002477.exe	za149668.exe
PID 4320 wrote to memory of 1100	4320	za149668.exe	za831203.exe
PID 4320 wrote to memory of 1100	4320	za149668.exe	za831203.exe
PID 4320 wrote to memory of 1100	4320	za149668.exe	za831203.exe
PID 1100 wrote to memory of 4436	1100	za831203.exe	31576021.exe
PID 1100 wrote to memory of 4436	1100	za831203.exe	31576021.exe
PID 1100 wrote to memory of 4436	1100	za831203.exe	31576021.exe
PID 4436 wrote to memory of 4260	4436	31576021.exe	1.exe
PID 4436 wrote to memory of 4260	4436	31576021.exe	1.exe
PID 1100 wrote to memory of 4840	1100	za831203.exe	u65132683.exe
PID 1100 wrote to memory of 4840	1100	za831203.exe	u65132683.exe
PID 1100 wrote to memory of 4840	1100	za831203.exe	u65132683.exe
PID 4320 wrote to memory of 1424	4320	za149668.exe	w65Ht48.exe
PID 4320 wrote to memory of 1424	4320	za149668.exe	w65Ht48.exe
PID 4320 wrote to memory of 1424	4320	za149668.exe	w65Ht48.exe

C:\Users\Admin\AppData\Local\Temp\ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce.exe
"C:\Users\Admin\AppData\Local\Temp\ca4095e22929adf715288129142d3951115649028a04b2a813f98c412e7ad9ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za002477.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za002477.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za149668.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za149668.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za831203.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za831203.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\31576021.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\31576021.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u65132683.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u65132683.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1220
6⤵
- Program crash
PID:2308

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w65Ht48.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w65Ht48.exe
4⤵
- Executes dropped EXE
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4840 -ip 4840
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za002477.exe
Filesize
1.3MB

MD5
d5efd987f05e403ab7e1638d4ff0e44a

SHA1
b0b43fb4957cadf8c8088d220a3d049c0095e941

SHA256
ff0c91c9be9a67630832fa313eeca283631d65128229e3c2ec0357351c888555

SHA512
6058c2177e2dd60f6a5a0061cd7b158e3ffd45a4c4fc560dc5a8d13087183285077240a75c9c8c2def0a5c70769cfbb68392737c20b245bcde1001b0b6ef9369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za002477.exe
Filesize
1.3MB

MD5
d5efd987f05e403ab7e1638d4ff0e44a

SHA1
b0b43fb4957cadf8c8088d220a3d049c0095e941

SHA256
ff0c91c9be9a67630832fa313eeca283631d65128229e3c2ec0357351c888555

SHA512
6058c2177e2dd60f6a5a0061cd7b158e3ffd45a4c4fc560dc5a8d13087183285077240a75c9c8c2def0a5c70769cfbb68392737c20b245bcde1001b0b6ef9369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za149668.exe
Filesize
882KB

MD5
4b24bbbbc3f737947d7cf93d89d14d02

SHA1
08fc28bc501c8ed73a0cda186f1df0c5875519bf

SHA256
bc9dc665bf517af4da02134970e6cc5ddcd8c5a7719aaf7c5242c7acb352bb92

SHA512
4449465356bb80817491de69a718d6c4586e6294c7ec2979a58934a45d70923f4698cbb00b1f3fba2c980e2e324f66b37edda5b08e6d061db00ceef3130527c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za149668.exe
Filesize
882KB

MD5
4b24bbbbc3f737947d7cf93d89d14d02

SHA1
08fc28bc501c8ed73a0cda186f1df0c5875519bf

SHA256
bc9dc665bf517af4da02134970e6cc5ddcd8c5a7719aaf7c5242c7acb352bb92

SHA512
4449465356bb80817491de69a718d6c4586e6294c7ec2979a58934a45d70923f4698cbb00b1f3fba2c980e2e324f66b37edda5b08e6d061db00ceef3130527c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w65Ht48.exe
Filesize
229KB

MD5
6bbad53535e6a4d4ef21ec0b2d329a50

SHA1
2130959d53c1cf13bd4393978d6e5a1ce3ba933f

SHA256
f96e70c10769dabd1d5de5fbaa0bc7d25cd3e3d162d3dace4b7bdcf5f86cb312

SHA512
027281175320a64595e910b25e2d9ecd664442cbfef46add0f5ada7bf43c1b140388dc580be055da901dbb8dd759dd277357732ba1453f0a426c4da16c5718f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w65Ht48.exe
Filesize
229KB

MD5
6bbad53535e6a4d4ef21ec0b2d329a50

SHA1
2130959d53c1cf13bd4393978d6e5a1ce3ba933f

SHA256
f96e70c10769dabd1d5de5fbaa0bc7d25cd3e3d162d3dace4b7bdcf5f86cb312

SHA512
027281175320a64595e910b25e2d9ecd664442cbfef46add0f5ada7bf43c1b140388dc580be055da901dbb8dd759dd277357732ba1453f0a426c4da16c5718f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za831203.exe
Filesize
699KB

MD5
4dadd31b0739b5361bcc62085ef03e59

SHA1
262517946b639497ce3c74a76310f5a42f9e8d3b

SHA256
ea8b0964aad10934519763eb29fdc114b7e3020b5e2a5bf8475ae639958796af

SHA512
28511b40dc4a29c435bf3d286654ab33d7285121220031b74f4315e6e28ea2a1a4355670d4e0658496c37108dd2dafd4386500cb4fd6fb9bab46dd66d7a771ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za831203.exe
Filesize
699KB

MD5
4dadd31b0739b5361bcc62085ef03e59

SHA1
262517946b639497ce3c74a76310f5a42f9e8d3b

SHA256
ea8b0964aad10934519763eb29fdc114b7e3020b5e2a5bf8475ae639958796af

SHA512
28511b40dc4a29c435bf3d286654ab33d7285121220031b74f4315e6e28ea2a1a4355670d4e0658496c37108dd2dafd4386500cb4fd6fb9bab46dd66d7a771ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\31576021.exe
Filesize
300KB

MD5
5982d826f525987db0065a279c4a8330

SHA1
2ffadbd2c1b20ad0d2ee0564fd4928ee88ad80ed

SHA256
7908be381bfe8f6ef65152e91810afa7f6e725f25c1222b420dbf7ed97090eb1

SHA512
25c09c61dab085880cf7a8d661727ecb74b356b6f4154afa112fe835864940715fcb6a419b7ad9740db5782a2bb9d1c430c35773a904d8834d34afe204a324ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\31576021.exe
Filesize
300KB

MD5
5982d826f525987db0065a279c4a8330

SHA1
2ffadbd2c1b20ad0d2ee0564fd4928ee88ad80ed

SHA256
7908be381bfe8f6ef65152e91810afa7f6e725f25c1222b420dbf7ed97090eb1

SHA512
25c09c61dab085880cf7a8d661727ecb74b356b6f4154afa112fe835864940715fcb6a419b7ad9740db5782a2bb9d1c430c35773a904d8834d34afe204a324ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u65132683.exe
Filesize
478KB

MD5
2cac155d5db96ef1392dc7e1b7d18974

SHA1
497e243b52b96d4f98ceb895f0f3c7164630c1c6

SHA256
6fabd49c4678c91ecff9d9883f964124bfe901b1c6437d56d76343b431019ee2

SHA512
1273157719e16ec3cc9d07ab18ced9e860ef0dd0c0afeb7bd9cd2777f9a59be246667fa2a848d14d16d194b539f78d50045e0b72588ed8727915aa8e23268708

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u65132683.exe
Filesize
478KB

MD5
2cac155d5db96ef1392dc7e1b7d18974

SHA1
497e243b52b96d4f98ceb895f0f3c7164630c1c6

SHA256
6fabd49c4678c91ecff9d9883f964124bfe901b1c6437d56d76343b431019ee2

SHA512
1273157719e16ec3cc9d07ab18ced9e860ef0dd0c0afeb7bd9cd2777f9a59be246667fa2a848d14d16d194b539f78d50045e0b72588ed8727915aa8e23268708

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/4260-2306-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download
memory/4436-167-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4436-222-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-178-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-180-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-176-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-182-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-184-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-186-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-188-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-190-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-192-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-194-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-196-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-198-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-200-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-202-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-204-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-206-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-208-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-210-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-212-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-214-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-216-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-218-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-220-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-174-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-224-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-226-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-228-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-2294-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4436-172-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-168-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-171-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4436-169-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4436-165-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-163-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4436-161-0x00000000049B0000-0x0000000004F54000-memory.dmp

Filesize
5.6MB

Download
memory/4436-162-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

Filesize
324KB

Download
memory/4840-2509-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4840-2512-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4840-4445-0x0000000000A50000-0x0000000000A9C000-memory.dmp

Filesize
304KB

Download
memory/4840-4446-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4840-4449-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/4840-4450-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4840-4451-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4840-4452-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4840-4455-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4840-2510-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4840-2312-0x0000000000A50000-0x0000000000A9C000-memory.dmp

Filesize
304KB

Download