amadey | c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5

Analysis

max time kernel
159s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5.exe
Size

1.5MB
MD5

836ebd50cda51a2e7b80798716053331
SHA1

14dba1de905513f545b2eb07139e27d86f830b16
SHA256

c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5
SHA512

3c8a2d0fe385e2a8ede8ae98f6203cef4cb0ac6cdfdc67ed4673d0dfde496ea22755d1bd4151617bfa35b46f8ce54ac84b93b6683be406553390b5d7317f1d51
SSDEEP

24576:RyZxmfaoM1ttaH7RLvJRE1TyyHiz21YK6eaEwgq/s3kIjeC0eu:E/mCoUt4H7xJREZH+0YK6eaEAE3Hjec

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

22653380.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation 22653380.exe
Executes dropped EXE 7 IoCs

Processes:

za114052.exeza693011.exeza622102.exe22653380.exe1.exeu76324744.exew25zk21.exe

pid process

3872 za114052.exe
2668 za693011.exe
2824 za622102.exe
1844 22653380.exe
60 1.exe
4824 u76324744.exe
4668 w25zk21.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	22653380.exe

pid	process
3872	za114052.exe
2668	za693011.exe
2824	za622102.exe
1844	22653380.exe
60	1.exe
4824	u76324744.exe
4668	w25zk21.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za622102.exec1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5.exeza114052.exeza693011.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za622102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za622102.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za114052.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za114052.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za693011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za693011.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1160 4824 WerFault.exe u76324744.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

60 1.exe
60 1.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

22653380.exeu76324744.exe1.exe

description pid process

Token: SeDebugPrivilege 1844 22653380.exe
Token: SeDebugPrivilege 4824 u76324744.exe
Token: SeDebugPrivilege 60 1.exe

pid	pid_target	process	target process
1160	4824	WerFault.exe	u76324744.exe

pid	process
60	1.exe
60	1.exe

description	pid	process
Token: SeDebugPrivilege	1844	22653380.exe
Token: SeDebugPrivilege	4824	u76324744.exe
Token: SeDebugPrivilege	60	1.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5.exeza114052.exeza693011.exeza622102.exe22653380.exe

description	pid	process	target process
PID 1896 wrote to memory of 3872	1896	c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5.exe	za114052.exe
PID 1896 wrote to memory of 3872	1896	c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5.exe	za114052.exe
PID 1896 wrote to memory of 3872	1896	c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5.exe	za114052.exe
PID 3872 wrote to memory of 2668	3872	za114052.exe	za693011.exe
PID 3872 wrote to memory of 2668	3872	za114052.exe	za693011.exe
PID 3872 wrote to memory of 2668	3872	za114052.exe	za693011.exe
PID 2668 wrote to memory of 2824	2668	za693011.exe	za622102.exe
PID 2668 wrote to memory of 2824	2668	za693011.exe	za622102.exe
PID 2668 wrote to memory of 2824	2668	za693011.exe	za622102.exe
PID 2824 wrote to memory of 1844	2824	za622102.exe	22653380.exe
PID 2824 wrote to memory of 1844	2824	za622102.exe	22653380.exe
PID 2824 wrote to memory of 1844	2824	za622102.exe	22653380.exe
PID 1844 wrote to memory of 60	1844	22653380.exe	1.exe
PID 1844 wrote to memory of 60	1844	22653380.exe	1.exe
PID 2824 wrote to memory of 4824	2824	za622102.exe	u76324744.exe
PID 2824 wrote to memory of 4824	2824	za622102.exe	u76324744.exe
PID 2824 wrote to memory of 4824	2824	za622102.exe	u76324744.exe
PID 2668 wrote to memory of 4668	2668	za693011.exe	w25zk21.exe
PID 2668 wrote to memory of 4668	2668	za693011.exe	w25zk21.exe
PID 2668 wrote to memory of 4668	2668	za693011.exe	w25zk21.exe

C:\Users\Admin\AppData\Local\Temp\c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5.exe
"C:\Users\Admin\AppData\Local\Temp\c1b498cfa1d995397e728559093534c36c1777b3288502409b68752d3b0b0ab5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za114052.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za114052.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za693011.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za693011.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za622102.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za622102.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\22653380.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\22653380.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u76324744.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u76324744.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1256
        6⤵
        Program crash
        
        PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w25zk21.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w25zk21.exe
      4⤵
      Executes dropped EXE
      PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4824 -ip 4824
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za114052.exe

Filesize
1.3MB

MD5
c6ae66ba58ffe2991239db402e7554e6

SHA1
49de9f66fefb10574f13df5610b8b6e9af2d46f7

SHA256
921dd1c033fb397a45c3df01912a4834a7349cddbb0725ebef2510c2eaaf5476

SHA512
abdc6077df35e128b994622196df491062b2a431fde0c962fd0bf98e42ec380e8f4c18e66e3d6f4eb6488784258f07e02044942297c94ce393cd48edb9b5373e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za114052.exe

Filesize
1.3MB

MD5
c6ae66ba58ffe2991239db402e7554e6

SHA1
49de9f66fefb10574f13df5610b8b6e9af2d46f7

SHA256
921dd1c033fb397a45c3df01912a4834a7349cddbb0725ebef2510c2eaaf5476

SHA512
abdc6077df35e128b994622196df491062b2a431fde0c962fd0bf98e42ec380e8f4c18e66e3d6f4eb6488784258f07e02044942297c94ce393cd48edb9b5373e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za693011.exe

Filesize
882KB

MD5
74c9adc9671d32343e8148e73aee3b68

SHA1
da9ef9e14ed3ae774cb2002f7fb9a070c50a86d3

SHA256
2abf4c1b237a89cda0cbd91cac56ecaeb5b7f355e9335d7386cda281a01f4653

SHA512
0b18b07772f36461f1e6dbf2e3e7179d278b8a0c38176133fcd1c1620504045abcb59f07e85196f48a5151c847e76c1ae9a9bcb97d9c237670a5f20758dda9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za693011.exe

Filesize
882KB

MD5
74c9adc9671d32343e8148e73aee3b68

SHA1
da9ef9e14ed3ae774cb2002f7fb9a070c50a86d3

SHA256
2abf4c1b237a89cda0cbd91cac56ecaeb5b7f355e9335d7386cda281a01f4653

SHA512
0b18b07772f36461f1e6dbf2e3e7179d278b8a0c38176133fcd1c1620504045abcb59f07e85196f48a5151c847e76c1ae9a9bcb97d9c237670a5f20758dda9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w25zk21.exe

Filesize
229KB

MD5
4b803df7b39ff5e60d3d9a864fe53ee1

SHA1
71aba672fb548dc755f91a81aeb6190dea1d2eb9

SHA256
b2f93f6f1d56e6bdbf25c437390a5c686e47c441cb02c201829c2e3db710ff1a

SHA512
1f9758fcb802ccaab9bbf66e4b6941d334b2ebd4249183c65d0361a17da1c58ac3abfb8271ce3cb651b3bd88abb14cf5b13014e90efa80cf32194d2f28b17561

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w25zk21.exe

Filesize
229KB

MD5
4b803df7b39ff5e60d3d9a864fe53ee1

SHA1
71aba672fb548dc755f91a81aeb6190dea1d2eb9

SHA256
b2f93f6f1d56e6bdbf25c437390a5c686e47c441cb02c201829c2e3db710ff1a

SHA512
1f9758fcb802ccaab9bbf66e4b6941d334b2ebd4249183c65d0361a17da1c58ac3abfb8271ce3cb651b3bd88abb14cf5b13014e90efa80cf32194d2f28b17561

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za622102.exe

Filesize
700KB

MD5
273edd288075b5586dd7d2526cc731dd

SHA1
8c46f2769ab8ef1780169b1bd11cea6ba0adb5b6

SHA256
9ff673b0aa053bc4728ae72065b16ff3a1a8eb68804839662be3961a69ead6c6

SHA512
a2a0c8a598288d126a96bc300c83292910e97fc3be81ab9efee04c6e4bc68af525053f484284eedeee38ef24ac5559d2e2feb71618932f3d25b7041d3e57bbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za622102.exe

Filesize
700KB

MD5
273edd288075b5586dd7d2526cc731dd

SHA1
8c46f2769ab8ef1780169b1bd11cea6ba0adb5b6

SHA256
9ff673b0aa053bc4728ae72065b16ff3a1a8eb68804839662be3961a69ead6c6

SHA512
a2a0c8a598288d126a96bc300c83292910e97fc3be81ab9efee04c6e4bc68af525053f484284eedeee38ef24ac5559d2e2feb71618932f3d25b7041d3e57bbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\22653380.exe

Filesize
300KB

MD5
f97b67f9cf960af058fa680f7c7d7f47

SHA1
7c526a35e2aba0b83bc726d371c3b8b8a621df61

SHA256
e4b6254d0030427cbe61bad3147237c662fe4808fab4d93ea971cb13ff52196d

SHA512
f78196056db6db6eeeab86607b6555344d51ef32451dfbc36fa4ca83fa4d7cf20cb48ecf5a4859a10f0d11832ccfca2e5891f41b791fd4cab6cc82dd05c57e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\22653380.exe

Filesize
300KB

MD5
f97b67f9cf960af058fa680f7c7d7f47

SHA1
7c526a35e2aba0b83bc726d371c3b8b8a621df61

SHA256
e4b6254d0030427cbe61bad3147237c662fe4808fab4d93ea971cb13ff52196d

SHA512
f78196056db6db6eeeab86607b6555344d51ef32451dfbc36fa4ca83fa4d7cf20cb48ecf5a4859a10f0d11832ccfca2e5891f41b791fd4cab6cc82dd05c57e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u76324744.exe

Filesize
479KB

MD5
fb592526edf2daec25a50ec0c4a3e556

SHA1
270dbe093c6da559c32a1f9f2c1fe8e8f3952c8a

SHA256
853ad1b57ee9f777275f7dc7f28de734b3e4b4ff57172cb8f051da94de4bec7f

SHA512
9b8c176f68af8a7146099c9d238a150dde392f29f7c054bb46b015a08c41827a74f33985da300b9e78c3d5206edb048d0e2d0a6cf06dc72c3e4e38853aca0df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u76324744.exe

Filesize
479KB

MD5
fb592526edf2daec25a50ec0c4a3e556

SHA1
270dbe093c6da559c32a1f9f2c1fe8e8f3952c8a

SHA256
853ad1b57ee9f777275f7dc7f28de734b3e4b4ff57172cb8f051da94de4bec7f

SHA512
9b8c176f68af8a7146099c9d238a150dde392f29f7c054bb46b015a08c41827a74f33985da300b9e78c3d5206edb048d0e2d0a6cf06dc72c3e4e38853aca0df4

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/60-2754-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/1844-171-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-203-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-173-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-175-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-177-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-179-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-181-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-183-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-185-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-187-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-189-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-191-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-195-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-193-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-197-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-199-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-201-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-207-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-209-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-211-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-205-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-213-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-215-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-217-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-219-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-169-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-221-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-225-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-229-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-227-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-231-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-223-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-2296-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1844-2298-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1844-168-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/1844-167-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1844-166-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1844-165-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1844-164-0x0000000004BB0000-0x0000000005154000-memory.dmp

Filesize
5.6MB

Download
memory/1844-161-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1844-162-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1844-163-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/4824-2350-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4824-2348-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4824-4447-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4824-4448-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/4824-4450-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4824-4451-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4824-4452-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4824-4454-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4824-2344-0x00000000008F0000-0x000000000093C000-memory.dmp

Filesize
304KB

Download
memory/4824-2346-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download