amadey | af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

Analysis

max time kernel
310s
max time network
344s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spicis4.amdy.exe
Size

2.8MB
MD5

26fa97abd73e1517729549b2b27d03a2
SHA1

f74d14de09519cc6a8f77d867bcc20a554fabe89
SHA256

af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc
SHA512

d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a
SSDEEP

49152:6skDShXlT0EeNYaDbp9CN/BRh0MvaBtb6iOPXk3:VXXd0Epanp9IBRPv2tSk

Score

10^/10

amadey collection evasion spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

3.50

77.73.134.68/hfk3vK9/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll	amadey_cred_module

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

spicis4.amdy.exegntuud.exegntuud.exegntuud.exegntuud.exegntuud.exegntuud.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spicis4.amdy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gntuud.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gntuud.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gntuud.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gntuud.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gntuud.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gntuud.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

28 3624 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

gntuud.exegntuud.exegntuud.exegntuud.exegntuud.exegntuud.exe

pid process

2324 gntuud.exe
1924 gntuud.exe
3704 gntuud.exe
4948 gntuud.exe
1252 gntuud.exe
3204 gntuud.exe

flow	pid	process
28	3624	rundll32.exe

pid	process
2324	gntuud.exe
1924	gntuud.exe
3704	gntuud.exe
4948	gntuud.exe
1252	gntuud.exe
3204	gntuud.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

spicis4.amdy.exegntuud.exegntuud.exegntuud.exegntuud.exegntuud.exegntuud.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spicis4.amdy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spicis4.amdy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gntuud.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gntuud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

spicis4.amdy.exegntuud.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	spicis4.amdy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	gntuud.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3624 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3624	rundll32.exe

Themida packer 31 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4408-132-0x0000000000A70000-0x0000000000D3D000-memory.dmp	themida
behavioral2/memory/4408-133-0x0000000000A70000-0x0000000000D3D000-memory.dmp	themida
behavioral2/memory/4408-134-0x0000000000A70000-0x0000000000D3D000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe	themida
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe	themida
behavioral2/memory/4408-138-0x0000000000A70000-0x0000000000D3D000-memory.dmp	themida
behavioral2/memory/2324-139-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/2324-140-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/2324-141-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe	themida
behavioral2/memory/1924-144-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/1924-145-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/1924-146-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/2324-147-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe	themida
behavioral2/memory/3704-152-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/3704-153-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/3704-154-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe	themida
behavioral2/memory/4948-156-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/4948-157-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/4948-158-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/4948-159-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe	themida
behavioral2/memory/1252-161-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/1252-162-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/1252-163-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe	themida
behavioral2/memory/3204-165-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/3204-166-0x0000000000710000-0x00000000009DD000-memory.dmp	themida
behavioral2/memory/3204-167-0x0000000000710000-0x00000000009DD000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

gntuud.exegntuud.exespicis4.amdy.exegntuud.exegntuud.exegntuud.exegntuud.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gntuud.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gntuud.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spicis4.amdy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gntuud.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gntuud.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gntuud.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gntuud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1976 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

3624 rundll32.exe
3624 rundll32.exe
3624 rundll32.exe
3624 rundll32.exe

pid	process
1976	schtasks.exe

pid	process
3624	rundll32.exe
3624	rundll32.exe
3624	rundll32.exe
3624	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

spicis4.amdy.exegntuud.exe

description	pid	process	target process
PID 4408 wrote to memory of 2324	4408	spicis4.amdy.exe	gntuud.exe
PID 4408 wrote to memory of 2324	4408	spicis4.amdy.exe	gntuud.exe
PID 4408 wrote to memory of 2324	4408	spicis4.amdy.exe	gntuud.exe
PID 2324 wrote to memory of 1976	2324	gntuud.exe	schtasks.exe
PID 2324 wrote to memory of 1976	2324	gntuud.exe	schtasks.exe
PID 2324 wrote to memory of 1976	2324	gntuud.exe	schtasks.exe
PID 2324 wrote to memory of 3624	2324	gntuud.exe	rundll32.exe
PID 2324 wrote to memory of 3624	2324	gntuud.exe	rundll32.exe
PID 2324 wrote to memory of 3624	2324	gntuud.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\spicis4.amdy.exe
"C:\Users\Admin\AppData\Local\Temp\spicis4.amdy.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:4408

C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:3624

C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1924

C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:3704

C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4948

C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1252

C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:3204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
Filesize
2.8MB

MD5
26fa97abd73e1517729549b2b27d03a2

SHA1
f74d14de09519cc6a8f77d867bcc20a554fabe89

SHA256
af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

SHA512
d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
Filesize
2.8MB

MD5
26fa97abd73e1517729549b2b27d03a2

SHA1
f74d14de09519cc6a8f77d867bcc20a554fabe89

SHA256
af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

SHA512
d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
Filesize
2.8MB

MD5
26fa97abd73e1517729549b2b27d03a2

SHA1
f74d14de09519cc6a8f77d867bcc20a554fabe89

SHA256
af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

SHA512
d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
Filesize
2.8MB

MD5
26fa97abd73e1517729549b2b27d03a2

SHA1
f74d14de09519cc6a8f77d867bcc20a554fabe89

SHA256
af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

SHA512
d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
Filesize
2.8MB

MD5
26fa97abd73e1517729549b2b27d03a2

SHA1
f74d14de09519cc6a8f77d867bcc20a554fabe89

SHA256
af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

SHA512
d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
Filesize
2.8MB

MD5
26fa97abd73e1517729549b2b27d03a2

SHA1
f74d14de09519cc6a8f77d867bcc20a554fabe89

SHA256
af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

SHA512
d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
Filesize
2.8MB

MD5
26fa97abd73e1517729549b2b27d03a2

SHA1
f74d14de09519cc6a8f77d867bcc20a554fabe89

SHA256
af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

SHA512
d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

Download Submit
C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll
Filesize
126KB

MD5
45de67357d1bbf74eb306173dba0a950

SHA1
d255f695f2a3f4aacbc8208af65cfc3037ce2c7b

SHA256
8b20dc4b46361e6d7f9a361de99dc67216ddb00cb67b41284b108d8232fc2e92

SHA512
7a79cfa1b50d1f5771c58837376d8d7d105234f38e68645a0d3ef79329d418be54cae22d6f789b503eab40f5482082b51b4d5a7e3dfafd3838844e7342624b23

Download Submit
C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll
Filesize
126KB

MD5
45de67357d1bbf74eb306173dba0a950

SHA1
d255f695f2a3f4aacbc8208af65cfc3037ce2c7b

SHA256
8b20dc4b46361e6d7f9a361de99dc67216ddb00cb67b41284b108d8232fc2e92

SHA512
7a79cfa1b50d1f5771c58837376d8d7d105234f38e68645a0d3ef79329d418be54cae22d6f789b503eab40f5482082b51b4d5a7e3dfafd3838844e7342624b23

Download Submit
memory/1252-162-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/1252-161-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/1252-163-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/1924-144-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/1924-145-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/1924-146-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/1976-142-0x0000000000000000-mapping.dmp

Download
memory/2324-141-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/2324-139-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/2324-147-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/2324-140-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/2324-135-0x0000000000000000-mapping.dmp

Download
memory/3204-167-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/3204-166-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/3204-165-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/3624-148-0x0000000000000000-mapping.dmp

Download
memory/3704-152-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/3704-153-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/3704-154-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/4408-138-0x0000000000A70000-0x0000000000D3D000-memory.dmp

Filesize
2.8MB

Download
memory/4408-134-0x0000000000A70000-0x0000000000D3D000-memory.dmp

Filesize
2.8MB

Download
memory/4408-133-0x0000000000A70000-0x0000000000D3D000-memory.dmp

Filesize
2.8MB

Download
memory/4408-132-0x0000000000A70000-0x0000000000D3D000-memory.dmp

Filesize
2.8MB

Download
memory/4948-159-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/4948-158-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/4948-157-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download
memory/4948-156-0x0000000000710000-0x00000000009DD000-memory.dmp

Filesize
2.8MB

Download