amadey | 90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

Analysis

max time kernel
116s
max time network
129s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18/12/2022, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

273KB
MD5

67d588981512c4db6508225a1d7b1644
SHA1

baaa04249099b2faede5550e4410a82651f64d46
SHA256

90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334
SHA512

fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b
SSDEEP

6144:329dkLiUR5PW5BRGhSPLETPNCxZWT4x6hng3CDNLU0V6:329i28e5fVPLELzT4whgS54O

Score

10^/10

amadey collection persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

31.41.244.237/jg94cVd30f/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 5 IoCs

resource	yara_rule
behavioral1/files/0x00060000000142d7-95.dat	amadey_cred_module
behavioral1/files/0x00060000000142d7-102.dat	amadey_cred_module
behavioral1/files/0x00060000000142d7-101.dat	amadey_cred_module
behavioral1/files/0x00060000000142d7-100.dat	amadey_cred_module
behavioral1/files/0x00060000000142d7-99.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	1584	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1420	gntuud.exe
1752	linda5.exe
1608	gntuud.exe
336	gntuud.exe

Loads dropped DLL 8 IoCs

pid	Process
1640	file.exe
1640	file.exe
1420	gntuud.exe
908	msiexec.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\linda5.exe"	gntuud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1420	1640	file.exe	28
PID 1640 wrote to memory of 1420	1640	file.exe	28
PID 1640 wrote to memory of 1420	1640	file.exe	28
PID 1640 wrote to memory of 1420	1640	file.exe	28
PID 1420 wrote to memory of 788	1420	gntuud.exe	29
PID 1420 wrote to memory of 788	1420	gntuud.exe	29
PID 1420 wrote to memory of 788	1420	gntuud.exe	29
PID 1420 wrote to memory of 788	1420	gntuud.exe	29
PID 1420 wrote to memory of 472	1420	gntuud.exe	31
PID 1420 wrote to memory of 472	1420	gntuud.exe	31
PID 1420 wrote to memory of 472	1420	gntuud.exe	31
PID 1420 wrote to memory of 472	1420	gntuud.exe	31
PID 472 wrote to memory of 1680	472	cmd.exe	33
PID 472 wrote to memory of 1680	472	cmd.exe	33
PID 472 wrote to memory of 1680	472	cmd.exe	33
PID 472 wrote to memory of 1680	472	cmd.exe	33
PID 472 wrote to memory of 336	472	cmd.exe	34
PID 472 wrote to memory of 336	472	cmd.exe	34
PID 472 wrote to memory of 336	472	cmd.exe	34
PID 472 wrote to memory of 336	472	cmd.exe	34
PID 472 wrote to memory of 668	472	cmd.exe	35
PID 472 wrote to memory of 668	472	cmd.exe	35
PID 472 wrote to memory of 668	472	cmd.exe	35
PID 472 wrote to memory of 668	472	cmd.exe	35
PID 472 wrote to memory of 1244	472	cmd.exe	36
PID 472 wrote to memory of 1244	472	cmd.exe	36
PID 472 wrote to memory of 1244	472	cmd.exe	36
PID 472 wrote to memory of 1244	472	cmd.exe	36
PID 472 wrote to memory of 540	472	cmd.exe	37
PID 472 wrote to memory of 540	472	cmd.exe	37
PID 472 wrote to memory of 540	472	cmd.exe	37
PID 472 wrote to memory of 540	472	cmd.exe	37
PID 472 wrote to memory of 876	472	cmd.exe	38
PID 472 wrote to memory of 876	472	cmd.exe	38
PID 472 wrote to memory of 876	472	cmd.exe	38
PID 472 wrote to memory of 876	472	cmd.exe	38
PID 1420 wrote to memory of 1752	1420	gntuud.exe	41
PID 1420 wrote to memory of 1752	1420	gntuud.exe	41
PID 1420 wrote to memory of 1752	1420	gntuud.exe	41
PID 1420 wrote to memory of 1752	1420	gntuud.exe	41
PID 1752 wrote to memory of 908	1752	linda5.exe	42
PID 1752 wrote to memory of 908	1752	linda5.exe	42
PID 1752 wrote to memory of 908	1752	linda5.exe	42
PID 1752 wrote to memory of 908	1752	linda5.exe	42
PID 1752 wrote to memory of 908	1752	linda5.exe	42
PID 1752 wrote to memory of 908	1752	linda5.exe	42
PID 1752 wrote to memory of 908	1752	linda5.exe	42
PID 2016 wrote to memory of 1608	2016	taskeng.exe	44
PID 2016 wrote to memory of 1608	2016	taskeng.exe	44
PID 2016 wrote to memory of 1608	2016	taskeng.exe	44
PID 2016 wrote to memory of 1608	2016	taskeng.exe	44
PID 1420 wrote to memory of 1584	1420	gntuud.exe	45
PID 1420 wrote to memory of 1584	1420	gntuud.exe	45
PID 1420 wrote to memory of 1584	1420	gntuud.exe	45
PID 1420 wrote to memory of 1584	1420	gntuud.exe	45
PID 1420 wrote to memory of 1584	1420	gntuud.exe	45
PID 1420 wrote to memory of 1584	1420	gntuud.exe	45
PID 1420 wrote to memory of 1584	1420	gntuud.exe	45
PID 2016 wrote to memory of 336	2016	taskeng.exe	46
PID 2016 wrote to memory of 336	2016	taskeng.exe	46
PID 2016 wrote to memory of 336	2016	taskeng.exe	46
PID 2016 wrote to memory of 336	2016	taskeng.exe	46

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "gntuud.exe" /P "Admin:N"
      4⤵
      PID:336
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "gntuud.exe" /P "Admin:R" /E
      4⤵
      PID:668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9c69749b54" /P "Admin:N"
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9c69749b54" /P "Admin:R" /E
      4⤵
      PID:876
- - C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /y .\JKXD.TK
      4⤵
      Loads dropped DLL
      PID:908
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:1584

C:\Windows\system32\taskeng.exe
taskeng.exe {AFF1AE73-8908-4E36-881D-F07DED213F13} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
  C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
  C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
  2⤵
  - Executes dropped EXE
  PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe

Filesize
1.6MB

MD5
3a4e11c08616a3ff092252247319fc69

SHA1
5f2c09aee73a06de21712bc3c500cd79bac372ee

SHA256
5a9cbf6ce9beaa771b9c59a76573c1954ebcdf02aa31ecf161081a27302eee4a

SHA512
9c0b098190614c2896d43530551c3853dbfd9d7ad075c00840b046ad1effc87af556bdd1b84f1083da95171d98f787acdb3dd1a998043196bf1e6a36adb8efa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe

Filesize
1.6MB

MD5
3a4e11c08616a3ff092252247319fc69

SHA1
5f2c09aee73a06de21712bc3c500cd79bac372ee

SHA256
5a9cbf6ce9beaa771b9c59a76573c1954ebcdf02aa31ecf161081a27302eee4a

SHA512
9c0b098190614c2896d43530551c3853dbfd9d7ad075c00840b046ad1effc87af556bdd1b84f1083da95171d98f787acdb3dd1a998043196bf1e6a36adb8efa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKXD.TK

Filesize
1.5MB

MD5
91f53769ce7683539c24dbee102808b1

SHA1
4a6e5916446476ec8e8aeab14cd9b8bae252f981

SHA256
3e1a99a3db505aff6d1bd9e7d38016b0b5b8db4170b6e3c8b7876c9f67552ebe

SHA512
e043c23ed30d3c0bf2fccda4ee4a8f5f5c58535b072c3f030e64e8bec851e3ce47b5af2cee5e3e33cc364bb80ca84e33cbfa47c49cd337920369734a0ec772a7

Download Submit
C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll

Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe

Filesize
1.6MB

MD5
3a4e11c08616a3ff092252247319fc69

SHA1
5f2c09aee73a06de21712bc3c500cd79bac372ee

SHA256
5a9cbf6ce9beaa771b9c59a76573c1954ebcdf02aa31ecf161081a27302eee4a

SHA512
9c0b098190614c2896d43530551c3853dbfd9d7ad075c00840b046ad1effc87af556bdd1b84f1083da95171d98f787acdb3dd1a998043196bf1e6a36adb8efa0

Download Submit
\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
\Users\Admin\AppData\Local\Temp\JKXd.TK

Filesize
1.5MB

MD5
91f53769ce7683539c24dbee102808b1

SHA1
4a6e5916446476ec8e8aeab14cd9b8bae252f981

SHA256
3e1a99a3db505aff6d1bd9e7d38016b0b5b8db4170b6e3c8b7876c9f67552ebe

SHA512
e043c23ed30d3c0bf2fccda4ee4a8f5f5c58535b072c3f030e64e8bec851e3ce47b5af2cee5e3e33cc364bb80ca84e33cbfa47c49cd337920369734a0ec772a7

Download Submit
\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll

Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll

Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll

Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll

Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
memory/336-113-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/336-112-0x00000000002A8000-0x00000000002C7000-memory.dmp

Filesize
124KB

Download
memory/336-110-0x00000000002A8000-0x00000000002C7000-memory.dmp

Filesize
124KB

Download
memory/908-107-0x0000000002860000-0x000000000295B000-memory.dmp

Filesize
1004KB

Download
memory/908-103-0x0000000000430000-0x0000000000501000-memory.dmp

Filesize
836KB

Download
memory/908-85-0x0000000001F80000-0x00000000020FB000-memory.dmp

Filesize
1.5MB

Download
memory/908-86-0x0000000002660000-0x000000000275D000-memory.dmp

Filesize
1012KB

Download
memory/908-87-0x0000000002860000-0x000000000295B000-memory.dmp

Filesize
1004KB

Download
memory/908-104-0x0000000002960000-0x0000000002A1B000-memory.dmp

Filesize
748KB

Download
memory/908-105-0x0000000002960000-0x0000000002A1B000-memory.dmp

Filesize
748KB

Download
memory/1420-89-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1420-74-0x0000000000648000-0x0000000000668000-memory.dmp

Filesize
128KB

Download
memory/1420-88-0x0000000000648000-0x0000000000668000-memory.dmp

Filesize
128KB

Download
memory/1420-63-0x0000000000648000-0x0000000000668000-memory.dmp

Filesize
128KB

Download
memory/1420-75-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1608-98-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1608-97-0x00000000005E8000-0x0000000000607000-memory.dmp

Filesize
124KB

Download
memory/1608-92-0x00000000005E8000-0x0000000000607000-memory.dmp

Filesize
124KB

Download
memory/1640-60-0x0000000000598000-0x00000000005B7000-memory.dmp

Filesize
124KB

Download
memory/1640-54-0x0000000000598000-0x00000000005B7000-memory.dmp

Filesize
124KB

Download
memory/1640-61-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1640-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1640-62-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download