amadey | 2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9

Analysis

max time kernel
116s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe
Size

726KB
MD5

4d68db262c928ea4e8a15cd2511a3920
SHA1

a40de6b6da6196bb6ab395050be1e3fd82d56d21
SHA256

2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9
SHA512

9ebad592121eed923f3e44cf2663e1969f31d5f6ff1ea2ab397bf045a2641c50355eabde7cb19b478af257ec7cf93d3e5c3ae49011a8761ef2a982d786c6f442
SSDEEP

12288:Yy90MBsCoSorpSYIpB/42eKyteKrAF+TBzNm5XPU5oqaJ:YyZarmgTtwgBzKs5oZ

Score

10^/10

amadey healer 9c0adb discovery dropper evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 5 IoCs

resource	yara_rule
behavioral1/memory/4004-2148-0x0000000004C70000-0x0000000004C7A000-memory.dmp	healer
behavioral1/files/0x000a000000023b76-2154.dat	healer
behavioral1/memory/3100-2163-0x0000000000790000-0x000000000079A000-memory.dmp	healer
behavioral1/memory/5324-2168-0x0000000002880000-0x000000000289A000-memory.dmp	healer
behavioral1/memory/5324-2169-0x0000000002A60000-0x0000000002A78000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	b57610576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b57610576.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b57610576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b57610576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b57610576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b57610576.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	a70777152.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	c89609778.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

pid	Process
4768	fE357412.exe
4004	a70777152.exe
3100	1.exe
5324	b57610576.exe
4812	c89609778.exe
4656	oneetx.exe
2436	oneetx.exe
1792	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	b57610576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	b57610576.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fE357412.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6112	5324	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fE357412.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a70777152.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c89609778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b57610576.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3100	1.exe
3100	1.exe
5324	b57610576.exe
5324	b57610576.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4004	a70777152.exe
Token: SeDebugPrivilege	5324	b57610576.exe
Token: SeDebugPrivilege	3100	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4812	c89609778.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 4768	2344	2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe	83
PID 2344 wrote to memory of 4768	2344	2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe	83
PID 2344 wrote to memory of 4768	2344	2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe	83
PID 4768 wrote to memory of 4004	4768	fE357412.exe	84
PID 4768 wrote to memory of 4004	4768	fE357412.exe	84
PID 4768 wrote to memory of 4004	4768	fE357412.exe	84
PID 4004 wrote to memory of 3100	4004	a70777152.exe	88
PID 4004 wrote to memory of 3100	4004	a70777152.exe	88
PID 4768 wrote to memory of 5324	4768	fE357412.exe	89
PID 4768 wrote to memory of 5324	4768	fE357412.exe	89
PID 4768 wrote to memory of 5324	4768	fE357412.exe	89
PID 2344 wrote to memory of 4812	2344	2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe	99
PID 2344 wrote to memory of 4812	2344	2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe	99
PID 2344 wrote to memory of 4812	2344	2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe	99
PID 4812 wrote to memory of 4656	4812	c89609778.exe	100
PID 4812 wrote to memory of 4656	4812	c89609778.exe	100
PID 4812 wrote to memory of 4656	4812	c89609778.exe	100
PID 4656 wrote to memory of 4820	4656	oneetx.exe	101
PID 4656 wrote to memory of 4820	4656	oneetx.exe	101
PID 4656 wrote to memory of 4820	4656	oneetx.exe	101
PID 4656 wrote to memory of 2080	4656	oneetx.exe	103
PID 4656 wrote to memory of 2080	4656	oneetx.exe	103
PID 4656 wrote to memory of 2080	4656	oneetx.exe	103
PID 2080 wrote to memory of 5428	2080	cmd.exe	105
PID 2080 wrote to memory of 5428	2080	cmd.exe	105
PID 2080 wrote to memory of 5428	2080	cmd.exe	105
PID 2080 wrote to memory of 5444	2080	cmd.exe	106
PID 2080 wrote to memory of 5444	2080	cmd.exe	106
PID 2080 wrote to memory of 5444	2080	cmd.exe	106
PID 2080 wrote to memory of 2576	2080	cmd.exe	107
PID 2080 wrote to memory of 2576	2080	cmd.exe	107
PID 2080 wrote to memory of 2576	2080	cmd.exe	107
PID 2080 wrote to memory of 2808	2080	cmd.exe	108
PID 2080 wrote to memory of 2808	2080	cmd.exe	108
PID 2080 wrote to memory of 2808	2080	cmd.exe	108
PID 2080 wrote to memory of 5524	2080	cmd.exe	109
PID 2080 wrote to memory of 5524	2080	cmd.exe	109
PID 2080 wrote to memory of 5524	2080	cmd.exe	109
PID 2080 wrote to memory of 4076	2080	cmd.exe	110
PID 2080 wrote to memory of 4076	2080	cmd.exe	110
PID 2080 wrote to memory of 4076	2080	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe
"C:\Users\Admin\AppData\Local\Temp\2680837ac7ceb96938f7fd9b17a0a7bd91b0fd25af96f4bb111b5464f6cad9a9N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fE357412.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fE357412.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a70777152.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a70777152.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b57610576.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b57610576.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 1084
      4⤵
      Program crash
      PID:6112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c89609778.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c89609778.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5324 -ip 5324
1⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c89609778.exe

Filesize
205KB

MD5
cc47c40fded7e8c0052b4c05296becff

SHA1
b96a51f669c756d9a4fc350a02cf86c86e53e841

SHA256
d1338a08774985fbda0cab0bab0a6c3f0bfc49382d10e3153ed9e893ed5b499e

SHA512
04f58145e05b59003374bb5a92246f02738f1a014b65ab8d811a19ae016013d42e0b4b3347f0de635504ae388446b3f0f4efe294a5a9182746e6e0cdc67a73ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fE357412.exe

Filesize
554KB

MD5
ec35816fd5c348ea6c69d336010c0b4c

SHA1
31c1aec33115091f0f425132468241cedc29fab9

SHA256
b92253bde4b1b13c4d45ad1bcfe7a2631856092efa3b3c6dc9e79b3e71664669

SHA512
158a6f5e1fa17e1974efaeb6b53a0e54ac9bbc17d5716696705cd6d05d0059546f0e7d66957ebe80a46aa1968f56a55e4239186d2bd9f9b98ea50601ecd8d6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a70777152.exe

Filesize
303KB

MD5
339004f2db550eaecd16596664327dfc

SHA1
23efdb1263a40a7d1105d1c1a1e98e1849a62b76

SHA256
1b0d49f0e65bdc4b6821364ab22a19c54f34d1562fa2ca8ad8e29d93d4a3557d

SHA512
a366e41620aa129b11e3b143a2b46e6ca62856755695df7528ed67713d3a640ce587d8de0855449bf97af57f53d215ee59a25e956d8ccebdcc97e897468fa0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b57610576.exe

Filesize
391KB

MD5
8b415a139fac18f05949f65faf997cec

SHA1
e6f201007f1d258c9ba203b0017d964d48c184c6

SHA256
2c5524fb1f9383f0f387f9822329fc660bf2797322d34ce8a73e336da451ff39

SHA512
f897b0fa7f048d11bccfd35fc290520cd739cda5fcb77aa7341a2e0d24382651287185237eb317c0c655b4d3fdf2f65f3458d574d01332f6da7bad354a6af93f

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/3100-2163-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download
memory/4004-14-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/4004-15-0x0000000002610000-0x0000000002668000-memory.dmp

Filesize
352KB

Download
memory/4004-16-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/4004-17-0x0000000004C90000-0x0000000005234000-memory.dmp

Filesize
5.6MB

Download
memory/4004-18-0x0000000004B40000-0x0000000004B96000-memory.dmp

Filesize
344KB

Download
memory/4004-38-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-40-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-22-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-82-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-238-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/4004-80-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-78-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-76-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-74-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-72-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-68-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-66-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-64-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-62-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-60-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-58-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-56-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-52-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-50-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-48-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-46-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-44-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-42-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-36-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-34-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-32-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-30-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-28-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-26-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-24-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-19-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-70-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-54-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-20-0x0000000004B40000-0x0000000004B91000-memory.dmp

Filesize
324KB

Download
memory/4004-2148-0x0000000004C70000-0x0000000004C7A000-memory.dmp

Filesize
40KB

Download
memory/4004-2150-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/4004-2162-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/5324-2168-0x0000000002880000-0x000000000289A000-memory.dmp

Filesize
104KB

Download
memory/5324-2169-0x0000000002A60000-0x0000000002A78000-memory.dmp

Filesize
96KB

Download