amadey | f991e808ed44c731fea1758fd6a275ec4e3ee66a5a691dbf1f9414a5faa144a1

Resubmissions

03/08/2023, 11:48

230803-nypxjaec4z 10

03/08/2023, 11:20

230803-nfec3seb8x 10

Analysis

max time kernel
157s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2023, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

497KB
MD5

f06f0f0288cdc3abca062037eed25964
SHA1

0b13302622c80b36385bedce93b999081ed20d87
SHA256

f991e808ed44c731fea1758fd6a275ec4e3ee66a5a691dbf1f9414a5faa144a1
SHA512

d40993a93ad0a92570a80f96d33d55f8a44157a5a0a8bf83f1044394c5eface950c5be763b331e50dbc121890b70ab2bc72ca29096601d1c2952f242c8c44394
SSDEEP

12288:OnDOS1B4EjNHiBWOB3o5GzxUiuJZHOifD:ODOojNHi0Mo5GzCTJM

Score

10^/10

amadey smokeloader pub5 backdoor trojan

Malware Config

Extracted

Family

amadey

Version

3.83

45.9.74.80/0bjdn2Z/index.php

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

smokeloader

Version

2022

http://greenbi.net/tmp/

http://speakdyn.com/tmp/

http://pik96.ru/tmp/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 5 IoCs

pid	Process
4908	cb5946c8.exe
3888	newplayer.exe
2220	oneetx.exe
3856	oneetx.exe
3976	oneetx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3308	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4908	cb5946c8.exe
4908	cb5946c8.exe
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
684	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4908	cb5946c8.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found
Token: SeShutdownPrivilege	684	Process not Found
Token: SeCreatePagefilePrivilege	684	Process not Found

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3888	newplayer.exe
684	Process not Found
684	Process not Found

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 4908	2236	tmp.exe	86
PID 2236 wrote to memory of 4908	2236	tmp.exe	86
PID 2236 wrote to memory of 4908	2236	tmp.exe	86
PID 2236 wrote to memory of 3888	2236	tmp.exe	87
PID 2236 wrote to memory of 3888	2236	tmp.exe	87
PID 2236 wrote to memory of 3888	2236	tmp.exe	87
PID 3888 wrote to memory of 2220	3888	newplayer.exe	88
PID 3888 wrote to memory of 2220	3888	newplayer.exe	88
PID 3888 wrote to memory of 2220	3888	newplayer.exe	88
PID 2220 wrote to memory of 3308	2220	oneetx.exe	89
PID 2220 wrote to memory of 3308	2220	oneetx.exe	89
PID 2220 wrote to memory of 3308	2220	oneetx.exe	89
PID 2220 wrote to memory of 3588	2220	oneetx.exe	91
PID 2220 wrote to memory of 3588	2220	oneetx.exe	91
PID 2220 wrote to memory of 3588	2220	oneetx.exe	91
PID 3588 wrote to memory of 4304	3588	cmd.exe	93
PID 3588 wrote to memory of 4304	3588	cmd.exe	93
PID 3588 wrote to memory of 4304	3588	cmd.exe	93
PID 3588 wrote to memory of 2224	3588	cmd.exe	94
PID 3588 wrote to memory of 2224	3588	cmd.exe	94
PID 3588 wrote to memory of 2224	3588	cmd.exe	94
PID 3588 wrote to memory of 2272	3588	cmd.exe	95
PID 3588 wrote to memory of 2272	3588	cmd.exe	95
PID 3588 wrote to memory of 2272	3588	cmd.exe	95
PID 3588 wrote to memory of 4576	3588	cmd.exe	96
PID 3588 wrote to memory of 4576	3588	cmd.exe	96
PID 3588 wrote to memory of 4576	3588	cmd.exe	96
PID 3588 wrote to memory of 3076	3588	cmd.exe	97
PID 3588 wrote to memory of 3076	3588	cmd.exe	97
PID 3588 wrote to memory of 3076	3588	cmd.exe	97
PID 3588 wrote to memory of 3788	3588	cmd.exe	98
PID 3588 wrote to memory of 3788	3588	cmd.exe	98
PID 3588 wrote to memory of 3788	3588	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\cb5946c8.exe
  "C:\Users\Admin\AppData\Local\Temp\cb5946c8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\newplayer.exe
  "C:\Users\Admin\AppData\Local\Temp\newplayer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2224
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        5⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        5⤵
        
        PID:3788

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:3856

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb5946c8.exe

Filesize
288KB

MD5
d35bb0807817a206e1c5ae04f1ffd126

SHA1
4c0e8530e2a03207d83e265e83c0b80b77909069

SHA256
4326cdc00eaa0dec92978fb6c14d5a49e08e63905b2f99df8a5c11253a2a6197

SHA512
a3446457306b50da210498447f4410aae6037b88206983da287e43a9f447b76d1909bdf7e16763f7a415a2dbe54fd98353181a6b3d1b5f9796111491d80ebf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb5946c8.exe

Filesize
288KB

MD5
d35bb0807817a206e1c5ae04f1ffd126

SHA1
4c0e8530e2a03207d83e265e83c0b80b77909069

SHA256
4326cdc00eaa0dec92978fb6c14d5a49e08e63905b2f99df8a5c11253a2a6197

SHA512
a3446457306b50da210498447f4410aae6037b88206983da287e43a9f447b76d1909bdf7e16763f7a415a2dbe54fd98353181a6b3d1b5f9796111491d80ebf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb5946c8.exe

Filesize
288KB

MD5
d35bb0807817a206e1c5ae04f1ffd126

SHA1
4c0e8530e2a03207d83e265e83c0b80b77909069

SHA256
4326cdc00eaa0dec92978fb6c14d5a49e08e63905b2f99df8a5c11253a2a6197

SHA512
a3446457306b50da210498447f4410aae6037b88206983da287e43a9f447b76d1909bdf7e16763f7a415a2dbe54fd98353181a6b3d1b5f9796111491d80ebf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\newplayer.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\newplayer.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\newplayer.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
memory/684-222-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-215-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-301-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-300-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-167-0x0000000003370000-0x0000000003386000-memory.dmp

Filesize
88KB

Download
memory/684-298-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-292-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-175-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-176-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-177-0x0000000008DF0000-0x0000000008E00000-memory.dmp

Filesize
64KB

Download
memory/684-178-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-179-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-180-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-182-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-184-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-186-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-181-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-187-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-188-0x0000000008DF0000-0x0000000008E00000-memory.dmp

Filesize
64KB

Download
memory/684-190-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-191-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-189-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-193-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-197-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-196-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-195-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-199-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-200-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-198-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-201-0x0000000008DF0000-0x0000000008E00000-memory.dmp

Filesize
64KB

Download
memory/684-202-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-205-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-204-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-206-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-208-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-209-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-291-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-211-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-212-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-213-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/684-214-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-234-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-216-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-217-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-218-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-220-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-289-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-223-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-224-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/684-225-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-226-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-227-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/684-287-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-276-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-228-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-230-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-236-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-237-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/684-238-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-239-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-241-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-240-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-242-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-243-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-245-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-244-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-246-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-247-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-248-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-250-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-249-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/684-251-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-252-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-253-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-254-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-256-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-259-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-258-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-260-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/684-261-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-262-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-263-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/684-264-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-266-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-268-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-267-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-270-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-272-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-273-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-274-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/684-275-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-277-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-278-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-232-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-279-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-280-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/684-284-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2236-133-0x00000000004E0000-0x0000000000562000-memory.dmp

Filesize
520KB

Download
memory/2236-134-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/2236-152-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4908-163-0x0000000002670000-0x0000000002685000-memory.dmp

Filesize
84KB

Download
memory/4908-171-0x0000000002670000-0x0000000002685000-memory.dmp

Filesize
84KB

Download
memory/4908-168-0x0000000000400000-0x0000000002437000-memory.dmp

Filesize
32.2MB

Download
memory/4908-165-0x0000000000400000-0x0000000002437000-memory.dmp

Filesize
32.2MB

Download
memory/4908-164-0x0000000002550000-0x0000000002559000-memory.dmp

Filesize
36KB

Download