amadey | d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570

Analysis

max time kernel
217s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570.exe
Size

1.4MB
MD5

a61f133c0c9fe94516235c5cb4e038db
SHA1

32ce7bc32bdd1bb4bc1f75ce3ab42158231e880d
SHA256

d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570
SHA512

2534e119eebc6c1a0f9c7ae8c4cbe98fa8ed229ef06c89bbc66a75c6128001cbb373a0f9c0a17cd3cf8adde46eea9fc4c8751946c10fc2b56f95590ed2611f33
SSDEEP

24576:hyXkzJqLK1eeAn/ItAm39JQo/5amF/QQK6siO20nPUSQcXpSberS:UoqG1wnQtBbj5dRQ76xO29apSbA

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

54209683.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	54209683.exe

Executes dropped EXE 7 IoCs

Processes:

za443922.exeza485037.exeza604504.exe54209683.exe1.exeu86994054.exew11MY31.exe

pid process

4324 za443922.exe
2876 za485037.exe
4972 za604504.exe
2836 54209683.exe
3300 1.exe
1312 u86994054.exe
4520 w11MY31.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1.exe

pid	process
4324	za443922.exe
2876	za485037.exe
4972	za604504.exe
2836	54209683.exe
3300	1.exe
1312	u86994054.exe
4520	w11MY31.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za485037.exeza604504.exed132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570.exeza443922.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za485037.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za485037.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za604504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za604504.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za443922.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za443922.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1392 1312 WerFault.exe u86994054.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

3300 1.exe
3300 1.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

54209683.exeu86994054.exe1.exe

description pid process

Token: SeDebugPrivilege 2836 54209683.exe
Token: SeDebugPrivilege 1312 u86994054.exe
Token: SeDebugPrivilege 3300 1.exe

pid	pid_target	process	target process
1392	1312	WerFault.exe	u86994054.exe

pid	process
3300	1.exe
3300	1.exe

description	pid	process
Token: SeDebugPrivilege	2836	54209683.exe
Token: SeDebugPrivilege	1312	u86994054.exe
Token: SeDebugPrivilege	3300	1.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570.exeza443922.exeza485037.exeza604504.exe54209683.exe

description	pid	process	target process
PID 1488 wrote to memory of 4324	1488	d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570.exe	za443922.exe
PID 1488 wrote to memory of 4324	1488	d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570.exe	za443922.exe
PID 1488 wrote to memory of 4324	1488	d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570.exe	za443922.exe
PID 4324 wrote to memory of 2876	4324	za443922.exe	za485037.exe
PID 4324 wrote to memory of 2876	4324	za443922.exe	za485037.exe
PID 4324 wrote to memory of 2876	4324	za443922.exe	za485037.exe
PID 2876 wrote to memory of 4972	2876	za485037.exe	za604504.exe
PID 2876 wrote to memory of 4972	2876	za485037.exe	za604504.exe
PID 2876 wrote to memory of 4972	2876	za485037.exe	za604504.exe
PID 4972 wrote to memory of 2836	4972	za604504.exe	54209683.exe
PID 4972 wrote to memory of 2836	4972	za604504.exe	54209683.exe
PID 4972 wrote to memory of 2836	4972	za604504.exe	54209683.exe
PID 2836 wrote to memory of 3300	2836	54209683.exe	1.exe
PID 2836 wrote to memory of 3300	2836	54209683.exe	1.exe
PID 4972 wrote to memory of 1312	4972	za604504.exe	u86994054.exe
PID 4972 wrote to memory of 1312	4972	za604504.exe	u86994054.exe
PID 4972 wrote to memory of 1312	4972	za604504.exe	u86994054.exe
PID 2876 wrote to memory of 4520	2876	za485037.exe	w11MY31.exe
PID 2876 wrote to memory of 4520	2876	za485037.exe	w11MY31.exe
PID 2876 wrote to memory of 4520	2876	za485037.exe	w11MY31.exe

C:\Users\Admin\AppData\Local\Temp\d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570.exe
"C:\Users\Admin\AppData\Local\Temp\d132eda8a9978b08693ac6b263813a195fa8900ac0fd6a9929f2ed708a616570.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za443922.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za443922.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za485037.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za485037.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za604504.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za604504.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\54209683.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\54209683.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u86994054.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u86994054.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1268
        6⤵
        Program crash
        
        PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11MY31.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11MY31.exe
      4⤵
      Executes dropped EXE
      PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1312 -ip 1312
1⤵
PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za443922.exe

Filesize
1.3MB

MD5
1f897a56d114fcfc2c98f524e3807a61

SHA1
401478932349697611bbe677fc1057729a3480fa

SHA256
1bc345cd625fc93adcf16a861a343fabb80812c77938c38e6ddfcf3caede0d7c

SHA512
9e47435c802342fd1b2ed0a27db1579bfc9f57140aa0c558eeb98d556205954a94c24396024601268ef2ac166257758ab5eb79c38049d6e78e7891929e565015

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za443922.exe

Filesize
1.3MB

MD5
1f897a56d114fcfc2c98f524e3807a61

SHA1
401478932349697611bbe677fc1057729a3480fa

SHA256
1bc345cd625fc93adcf16a861a343fabb80812c77938c38e6ddfcf3caede0d7c

SHA512
9e47435c802342fd1b2ed0a27db1579bfc9f57140aa0c558eeb98d556205954a94c24396024601268ef2ac166257758ab5eb79c38049d6e78e7891929e565015

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za485037.exe

Filesize
861KB

MD5
2805529cc9b892b548c95800041e5aa6

SHA1
aba5ee84c4bcbc8d35bfaf04e68d2aa0092723f6

SHA256
2b06036e4c4dd3d65ebcdb65964ce81be5c8c0e40b660007c2cf47b9e1324191

SHA512
2e5724aa8f0b291ceea5f38546e17962afb7ff4c5f6082fe4df436f42dcb95f23ce35f5c73a3c74f6ac60ce4e6ab47c02adc089b6f29580478680b3bfe307615

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za485037.exe

Filesize
861KB

MD5
2805529cc9b892b548c95800041e5aa6

SHA1
aba5ee84c4bcbc8d35bfaf04e68d2aa0092723f6

SHA256
2b06036e4c4dd3d65ebcdb65964ce81be5c8c0e40b660007c2cf47b9e1324191

SHA512
2e5724aa8f0b291ceea5f38546e17962afb7ff4c5f6082fe4df436f42dcb95f23ce35f5c73a3c74f6ac60ce4e6ab47c02adc089b6f29580478680b3bfe307615

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11MY31.exe

Filesize
229KB

MD5
b6ede331222064e9782c5978ca931349

SHA1
57ad06203c2dcdf338aa922171fd8a955f4c2b00

SHA256
6aa6259f6d5c80e1230d404575af5ac812776042014ba1596b49d7397a316014

SHA512
709dfcf2e64580a9fc2114e6e82e97ce766d0af7385d3cd85243b390e6eb4b70b260e1023a86d10814c8e7dd724a474e001ced708cba42dfa0047d6e18ca6820

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11MY31.exe

Filesize
229KB

MD5
b6ede331222064e9782c5978ca931349

SHA1
57ad06203c2dcdf338aa922171fd8a955f4c2b00

SHA256
6aa6259f6d5c80e1230d404575af5ac812776042014ba1596b49d7397a316014

SHA512
709dfcf2e64580a9fc2114e6e82e97ce766d0af7385d3cd85243b390e6eb4b70b260e1023a86d10814c8e7dd724a474e001ced708cba42dfa0047d6e18ca6820

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za604504.exe

Filesize
679KB

MD5
b3ac34006b76bbe493c75a579a0ed118

SHA1
6da5e22d8c30e2e55624f3446f01d64e8f21ff71

SHA256
57d8e4c0884aafeeb8387e17d1414be14da14b33b9bb949fc827dd066f87f213

SHA512
6eb11bd0966ee4267f2ec0aebfd8b2224e78e6ea87d685e2eaea2b66cd6a9b07c1609af1244132fd808628eeb0befd1858fa1834c4a6903654a24ac5cbd6eb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za604504.exe

Filesize
679KB

MD5
b3ac34006b76bbe493c75a579a0ed118

SHA1
6da5e22d8c30e2e55624f3446f01d64e8f21ff71

SHA256
57d8e4c0884aafeeb8387e17d1414be14da14b33b9bb949fc827dd066f87f213

SHA512
6eb11bd0966ee4267f2ec0aebfd8b2224e78e6ea87d685e2eaea2b66cd6a9b07c1609af1244132fd808628eeb0befd1858fa1834c4a6903654a24ac5cbd6eb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\54209683.exe

Filesize
301KB

MD5
4c17c75829b979b7c1df38524a9965d7

SHA1
ece5d6012ae34aae537be2ab15777fd8e1effe0c

SHA256
d08df4c135c2964c85c7aaaf46ee153b17e3c0ecc1e2b385feb29c575f236a36

SHA512
c8b369cda372b8cd559a1b12d5581c7b3426588f9fa35a9e3f5c900567aa319b4ec18993a7e2edf26141623f1eb1bd1e5754cc3c1e9f0812d8c02e6abee32d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\54209683.exe

Filesize
301KB

MD5
4c17c75829b979b7c1df38524a9965d7

SHA1
ece5d6012ae34aae537be2ab15777fd8e1effe0c

SHA256
d08df4c135c2964c85c7aaaf46ee153b17e3c0ecc1e2b385feb29c575f236a36

SHA512
c8b369cda372b8cd559a1b12d5581c7b3426588f9fa35a9e3f5c900567aa319b4ec18993a7e2edf26141623f1eb1bd1e5754cc3c1e9f0812d8c02e6abee32d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u86994054.exe

Filesize
521KB

MD5
41e2f07cc0b0a827ce7a438e3812e299

SHA1
063745e34181bb8e08568d36fdba4a84ce08b2a0

SHA256
c12df918e71404768a8ed7e865069a7d423b2db2eedaf6e258e372bffc6c25f6

SHA512
8e0d40d23757366fa9a662f3012caf0294a5de4df8ac98aeb77be2c5922e1c53a445d34f8b4c68c9d357b36adb34fcc2f8c49c9098f82882801de76de3404da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u86994054.exe

Filesize
521KB

MD5
41e2f07cc0b0a827ce7a438e3812e299

SHA1
063745e34181bb8e08568d36fdba4a84ce08b2a0

SHA256
c12df918e71404768a8ed7e865069a7d423b2db2eedaf6e258e372bffc6c25f6

SHA512
8e0d40d23757366fa9a662f3012caf0294a5de4df8ac98aeb77be2c5922e1c53a445d34f8b4c68c9d357b36adb34fcc2f8c49c9098f82882801de76de3404da0

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/1312-4447-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1312-4440-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1312-2672-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1312-2671-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1312-2309-0x0000000000A00000-0x0000000000A4C000-memory.dmp

Filesize
304KB

Download
memory/1312-4441-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/1312-4444-0x0000000000A00000-0x0000000000A4C000-memory.dmp

Filesize
304KB

Download
memory/1312-4448-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1312-4449-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/2836-172-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-2292-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2836-194-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-198-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-200-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-196-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-202-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-204-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-206-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-208-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-210-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-212-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-214-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-216-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-218-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-222-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-220-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-224-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-226-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-192-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-190-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-188-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-186-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-184-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-182-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-161-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2836-180-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-178-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-176-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-174-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-170-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-168-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-166-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-164-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-163-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/2836-162-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/3300-2307-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download