amadey | 1ce34eb3e4f496807e4fc1b26909664c47bf47918645aee30725f2e02409d519

Analysis

max time kernel
161s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics.exe
Size

1.7MB
MD5

33afe0d9831bf1b5c5f68486a6b78b70
SHA1

b8072fe876bbb198eaa3585b23f893d01aa333b8
SHA256

1ce34eb3e4f496807e4fc1b26909664c47bf47918645aee30725f2e02409d519
SHA512

c8b5c03666bb47649a006aa9aa04fce75a59bf5a41650d58893eff7e1b99d82a8c08172c8079054c3a9edbd221e691aa97f2276cc0d1d1fa4de6c24d7be5fb64
SSDEEP

49152:MyymmE0wLtAeK7aL5maghzJlLbZMa+K6:M94tAHC5/6lLNHH

Score

10^/10

amadey healer dropper evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/memory/2848-2166-0x0000000000560000-0x000000000056A000-memory.dmp	healer
behavioral1/files/0x0003000000000735-2171.dat	healer
behavioral1/memory/5452-2183-0x0000000000A80000-0x0000000000A8A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a48536905.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c03133251.exe

Executes dropped EXE 9 IoCs

pid	Process
5000	iv140670.exe
2304	TI634819.exe
492	gd512424.exe
5068	jU902903.exe
2848	a48536905.exe
5452	1.exe
5448	b61318478.exe
5436	c03133251.exe
4036	oneetx.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	jU902903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	iv140670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	TI634819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gd512424.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
716	5448	WerFault.exe	106

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5452	1.exe
5452	1.exe
5452	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	a48536905.exe
Token: SeDebugPrivilege	5448	b61318478.exe
Token: SeDebugPrivilege	5452	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5436	c03133251.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 5000	4068	33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics.exe	92
PID 4068 wrote to memory of 5000	4068	33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics.exe	92
PID 4068 wrote to memory of 5000	4068	33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics.exe	92
PID 5000 wrote to memory of 2304	5000	iv140670.exe	93
PID 5000 wrote to memory of 2304	5000	iv140670.exe	93
PID 5000 wrote to memory of 2304	5000	iv140670.exe	93
PID 2304 wrote to memory of 492	2304	TI634819.exe	94
PID 2304 wrote to memory of 492	2304	TI634819.exe	94
PID 2304 wrote to memory of 492	2304	TI634819.exe	94
PID 492 wrote to memory of 5068	492	gd512424.exe	95
PID 492 wrote to memory of 5068	492	gd512424.exe	95
PID 492 wrote to memory of 5068	492	gd512424.exe	95
PID 5068 wrote to memory of 2848	5068	jU902903.exe	96
PID 5068 wrote to memory of 2848	5068	jU902903.exe	96
PID 5068 wrote to memory of 2848	5068	jU902903.exe	96
PID 2848 wrote to memory of 5452	2848	a48536905.exe	105
PID 2848 wrote to memory of 5452	2848	a48536905.exe	105
PID 5068 wrote to memory of 5448	5068	jU902903.exe	106
PID 5068 wrote to memory of 5448	5068	jU902903.exe	106
PID 5068 wrote to memory of 5448	5068	jU902903.exe	106
PID 492 wrote to memory of 5436	492	gd512424.exe	110
PID 492 wrote to memory of 5436	492	gd512424.exe	110
PID 492 wrote to memory of 5436	492	gd512424.exe	110
PID 5436 wrote to memory of 4036	5436	c03133251.exe	111
PID 5436 wrote to memory of 4036	5436	c03133251.exe	111
PID 5436 wrote to memory of 4036	5436	c03133251.exe	111

C:\Users\Admin\AppData\Local\Temp\33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv140670.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv140670.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TI634819.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TI634819.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gd512424.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gd512424.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:492
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jU902903.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jU902903.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48536905.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48536905.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5452
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b61318478.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b61318478.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 1260
        7⤵
        Program crash
        
        PID:716
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c03133251.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c03133251.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5436
      - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        6⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        7⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        8⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        8⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        8⤵
        
        PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d11260793.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d11260793.exe
      4⤵
      PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5448 -ip 5448
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv140670.exe

Filesize
1.4MB

MD5
26ffb52098ca91ff899327526b10cd9f

SHA1
145a65ccb6ffa7c9c010a8babca132e905b10c20

SHA256
73d846782405f0f6037941c7b86bf2122b1ab9ba2fcf60415a43712a1a075eaf

SHA512
13b7d9e5e32d119b8e4a16a5875c6f9871468d447ffa945fbaae2f26299dd69b55ab9ca8571c38fe9a47aa2a9fa4e7d2a4501070f3a50e6695eb16da43569ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TI634819.exe

Filesize
1.3MB

MD5
08a9319732cbe8f346adaa4a63e2a1ac

SHA1
1b91af8d81e2ebc9ca33845045664b896f9a10dc

SHA256
f2c2ecdae01e8006e6e0383ce5c1ac2209ba685c707234ec7df7dad21d048a73

SHA512
5504b4fecacfa787e0344c043bf0f9b9fd0623d17f5e51d42d967175742d8d9b891e5fc5454b14e625337dd24f98da2b62641f81a4ae16d82f6ce51ba212b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d11260793.exe

Filesize
582KB

MD5
0344cb53a5ae4ffedd1d30dbd2ef607d

SHA1
5516bd1b8f75b1852f2175f3fcafb51b0fdb4bc2

SHA256
f3dc7f949de8c06da3f521ba5d69d2dc699ac9b3301685ac5339575479bf03df

SHA512
5e73ca977348e0fc0bafd0b1b39913ad32f0e2440bd19a83f8ab9d0d7cd4c8ac8fe9f0b1830e72deeaa57eb04e05860d2ad8e1f21ea1c79e2d735633ae0c8395

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gd512424.exe

Filesize
851KB

MD5
6ff87fbd3728e8890f734aed576a66af

SHA1
5396eeb01bd18cc8a5a25a6fcc2bfa51d53e3c66

SHA256
8fb9265e46e24ed76f9e0c5845fb1fca104be9f786e476e0ca4823167a0af28f

SHA512
0b4ee56ef372056b6621af50d906c286ee9e8eefcb038c8b9eb58b9babbc1144e322588811e9aeb598634528c415a103b3024325eca3d8aeef746aac7134ca78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c03133251.exe

Filesize
205KB

MD5
90709cf5c75ac704c978e83d4676b329

SHA1
124c7f7dc9b85521d0447bb47d70454a87526710

SHA256
04cc1ef2da0804c42bad3b00e63b351810059df4be950954391bfd5d88afb0b0

SHA512
68b0a87a2ddc38c4c8bbe800d8b29e035e2c33280d5384d7889c9acd5a981c067211a8b16d335bfb9488497ce927f4fd20ff3dba1de830805693e8a237f59f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jU902903.exe

Filesize
679KB

MD5
874d5940cf48af52f3bd32b94c1b99af

SHA1
f76adb4d98c08cb7fe4b016cc264bb61666052cf

SHA256
8d38c6963c22ec8357c4c9dc7ddd2f9dd792e4ada150a79aff6389902174b326

SHA512
0efc5e9e56ad211e76764ee33054d1089192efc3ac3eb3e723e996b337d86e0639b2874abc84f8f774b7ef89eca300351cfb3a998105f3548af234796e24a15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48536905.exe

Filesize
301KB

MD5
77330d32b268aae7e9a54c98213557ec

SHA1
284b239010c180e9f9ee865949f4a485a46b47d0

SHA256
6bc20f2235597b07cf888e388ba76aaa84eaa2b7612638db84ad47c6eec3e96c

SHA512
ea24b95c5eeb234bb88c06448d0a0992fbfc5833dfdd030c26084eee97d1f44d4b858f2a1e40c7450243d13bf6f97ea1c375c99d1d8a1357159544c713ca8ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b61318478.exe

Filesize
521KB

MD5
dd55ac91c7100607fb7c1a214d0654b6

SHA1
9fa81d7c258ee01275708c6603ce48f4560ecb51

SHA256
44e8dbc157ae86062136f07cfe4918c902df651ed40ef835c85fb0ee57dc233f

SHA512
59a07b85897abdcdc8baba2a2ab90df3a0554938c3fb27a9c0baccf6e7a956d00cd820f00f7a4b03cd6e209670b1e92477d09f4129e5248c765f04d0645dffdb

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/2848-79-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-65-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-37-0x00000000049F0000-0x0000000004A46000-memory.dmp

Filesize
344KB

Download
memory/2848-39-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-47-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-101-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-99-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-97-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-95-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-93-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-89-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-87-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-85-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-83-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-81-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-35-0x0000000002500000-0x0000000002558000-memory.dmp

Filesize
352KB

Download
memory/2848-77-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-73-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-71-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-69-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-67-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-36-0x0000000004BB0000-0x0000000005154000-memory.dmp

Filesize
5.6MB

Download
memory/2848-63-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-61-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-57-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-55-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-51-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-49-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-45-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-43-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-41-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-91-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-75-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-59-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-53-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-38-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2848-2166-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/5448-4312-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/5452-2183-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/5964-4334-0x0000000004E90000-0x0000000004EF8000-memory.dmp

Filesize
416KB

Download
memory/5964-4335-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download