amadey | 80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89

Analysis

max time kernel
288s
max time network
297s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
23-12-2022 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89.exe
Size

410KB
MD5

33bc7cf2d107b85e41d0f2694d1cc1fc
SHA1

705f7a9b207d3a4c531149fae9f44783d4e7d487
SHA256

80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89
SHA512

68567f90881b32c21cffb0a66221b4fe605de083e0c0324f1c79782e6b93dbfd422b4099eb291099c0de917fbd2615a7d4e2547b448cee7a777688b17f931d02
SSDEEP

12288:sohy43jx7ve5qCid/GOnJQJN4I8KQPkRqej9eWGtbUJXJU5MCrjuuhDzvFceyxO2:sKyKjBeIdGOnJQJN4I8KQPkRqej9eWGs

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.60

85.209.135.11/gjend7w/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

7 4676 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

gntuud.exegntuud.exegntuud.exegntuud.exe

pid process

2008 gntuud.exe
1712 gntuud.exe
5008 gntuud.exe
3764 gntuud.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4676 rundll32.exe
4676 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	4676	rundll32.exe

pid	process
2008	gntuud.exe
1712	gntuud.exe
5008	gntuud.exe
3764	gntuud.exe

pid	process
4676	rundll32.exe
4676	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

rundll32.exe

pid process

4676 rundll32.exe
4676 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4084 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exe

pid process

4676 rundll32.exe
4676 rundll32.exe
4676 rundll32.exe
4676 rundll32.exe
4676 rundll32.exe
4676 rundll32.exe
4676 rundll32.exe
4676 rundll32.exe

pid	process
4676	rundll32.exe
4676	rundll32.exe

pid	process
4084	schtasks.exe

pid	process
4676	rundll32.exe
4676	rundll32.exe
4676	rundll32.exe
4676	rundll32.exe
4676	rundll32.exe
4676	rundll32.exe
4676	rundll32.exe
4676	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89.exegntuud.execmd.exe

description	pid	process	target process
PID 3512 wrote to memory of 2008	3512	80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89.exe	gntuud.exe
PID 3512 wrote to memory of 2008	3512	80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89.exe	gntuud.exe
PID 3512 wrote to memory of 2008	3512	80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89.exe	gntuud.exe
PID 2008 wrote to memory of 4084	2008	gntuud.exe	schtasks.exe
PID 2008 wrote to memory of 4084	2008	gntuud.exe	schtasks.exe
PID 2008 wrote to memory of 4084	2008	gntuud.exe	schtasks.exe
PID 2008 wrote to memory of 4336	2008	gntuud.exe	cmd.exe
PID 2008 wrote to memory of 4336	2008	gntuud.exe	cmd.exe
PID 2008 wrote to memory of 4336	2008	gntuud.exe	cmd.exe
PID 4336 wrote to memory of 4900	4336	cmd.exe	cmd.exe
PID 4336 wrote to memory of 4900	4336	cmd.exe	cmd.exe
PID 4336 wrote to memory of 4900	4336	cmd.exe	cmd.exe
PID 4336 wrote to memory of 4484	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 4484	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 4484	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 4588	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 4588	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 4588	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 5048	4336	cmd.exe	cmd.exe
PID 4336 wrote to memory of 5048	4336	cmd.exe	cmd.exe
PID 4336 wrote to memory of 5048	4336	cmd.exe	cmd.exe
PID 4336 wrote to memory of 4056	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 4056	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 4056	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 2916	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 2916	4336	cmd.exe	cacls.exe
PID 4336 wrote to memory of 2916	4336	cmd.exe	cacls.exe
PID 2008 wrote to memory of 4676	2008	gntuud.exe	rundll32.exe
PID 2008 wrote to memory of 4676	2008	gntuud.exe	rundll32.exe
PID 2008 wrote to memory of 4676	2008	gntuud.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89.exe
"C:\Users\Admin\AppData\Local\Temp\80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:4084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\acc0b83959" /P "Admin:N"&&CACLS "..\acc0b83959" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4900

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:N"
4⤵
PID:4484

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:R" /E
4⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:5048

C:\Windows\SysWOW64\cacls.exe
CACLS "..\acc0b83959" /P "Admin:N"
4⤵
PID:4056

C:\Windows\SysWOW64\cacls.exe
CACLS "..\acc0b83959" /P "Admin:R" /E
4⤵
PID:2916

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:4676

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
1⤵
- Executes dropped EXE
PID:3764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
410KB

MD5
33bc7cf2d107b85e41d0f2694d1cc1fc

SHA1
705f7a9b207d3a4c531149fae9f44783d4e7d487

SHA256
80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89

SHA512
68567f90881b32c21cffb0a66221b4fe605de083e0c0324f1c79782e6b93dbfd422b4099eb291099c0de917fbd2615a7d4e2547b448cee7a777688b17f931d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
410KB

MD5
33bc7cf2d107b85e41d0f2694d1cc1fc

SHA1
705f7a9b207d3a4c531149fae9f44783d4e7d487

SHA256
80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89

SHA512
68567f90881b32c21cffb0a66221b4fe605de083e0c0324f1c79782e6b93dbfd422b4099eb291099c0de917fbd2615a7d4e2547b448cee7a777688b17f931d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
410KB

MD5
33bc7cf2d107b85e41d0f2694d1cc1fc

SHA1
705f7a9b207d3a4c531149fae9f44783d4e7d487

SHA256
80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89

SHA512
68567f90881b32c21cffb0a66221b4fe605de083e0c0324f1c79782e6b93dbfd422b4099eb291099c0de917fbd2615a7d4e2547b448cee7a777688b17f931d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
410KB

MD5
33bc7cf2d107b85e41d0f2694d1cc1fc

SHA1
705f7a9b207d3a4c531149fae9f44783d4e7d487

SHA256
80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89

SHA512
68567f90881b32c21cffb0a66221b4fe605de083e0c0324f1c79782e6b93dbfd422b4099eb291099c0de917fbd2615a7d4e2547b448cee7a777688b17f931d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
410KB

MD5
33bc7cf2d107b85e41d0f2694d1cc1fc

SHA1
705f7a9b207d3a4c531149fae9f44783d4e7d487

SHA256
80463ba4b64344c53e914a4df794bcb8da82ff50067baa5d2c98d38a765b1d89

SHA512
68567f90881b32c21cffb0a66221b4fe605de083e0c0324f1c79782e6b93dbfd422b4099eb291099c0de917fbd2615a7d4e2547b448cee7a777688b17f931d02

Download Submit
C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Filesize
7.3MB

MD5
e3024c1667894acf4391a3ec838777d2

SHA1
d0cb9012aa2a6029f1b558fed17a12553919f4b1

SHA256
0be3489d010af16e7447e2dcca3ce3fd6165c70a86bf4327201c60d7749d6cbf

SHA512
15e6c0a429adf5ac1afe44ef9450461e5a4b56168166655acfdc29184c7f31b1ec14866c4808940ecc80ddf5704d3dfd8e9161511ac99be3f08f6e9c81bd7af7

Download Submit
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Filesize
7.3MB

MD5
e3024c1667894acf4391a3ec838777d2

SHA1
d0cb9012aa2a6029f1b558fed17a12553919f4b1

SHA256
0be3489d010af16e7447e2dcca3ce3fd6165c70a86bf4327201c60d7749d6cbf

SHA512
15e6c0a429adf5ac1afe44ef9450461e5a4b56168166655acfdc29184c7f31b1ec14866c4808940ecc80ddf5704d3dfd8e9161511ac99be3f08f6e9c81bd7af7

Download Submit
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Filesize
7.3MB

MD5
e3024c1667894acf4391a3ec838777d2

SHA1
d0cb9012aa2a6029f1b558fed17a12553919f4b1

SHA256
0be3489d010af16e7447e2dcca3ce3fd6165c70a86bf4327201c60d7749d6cbf

SHA512
15e6c0a429adf5ac1afe44ef9450461e5a4b56168166655acfdc29184c7f31b1ec14866c4808940ecc80ddf5704d3dfd8e9161511ac99be3f08f6e9c81bd7af7

Download Submit
memory/1712-438-0x0000000002440000-0x0000000002484000-memory.dmp

Filesize
272KB

Download
memory/2008-181-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-164-0x0000000000000000-mapping.dmp

Download
memory/2008-185-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-184-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-177-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-169-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-182-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-180-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-179-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-178-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-176-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-228-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/2008-166-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-167-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-170-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-317-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/2008-174-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-175-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-172-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2008-171-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2916-303-0x0000000000000000-mapping.dmp

Download
memory/3512-139-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-137-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-149-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-150-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-151-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-152-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-154-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-155-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-153-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-156-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-157-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-158-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-159-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-160-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-161-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-162-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-163-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-147-0x0000000002D50000-0x0000000002D94000-memory.dmp

Filesize
272KB

Download
memory/3512-146-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-145-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-144-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-143-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-142-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-141-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-140-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-168-0x0000000002D50000-0x0000000002D94000-memory.dmp

Filesize
272KB

Download
memory/3512-117-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-138-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-136-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-148-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-135-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-134-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-133-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-132-0x0000000002D50000-0x0000000002D94000-memory.dmp

Filesize
272KB

Download
memory/3512-131-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-130-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-129-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-128-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-118-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-119-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-127-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-120-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-121-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-122-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-123-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-124-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-126-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-125-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-289-0x0000000000000000-mapping.dmp

Download
memory/4084-214-0x0000000000000000-mapping.dmp

Download
memory/4336-217-0x0000000000000000-mapping.dmp

Download
memory/4484-243-0x0000000000000000-mapping.dmp

Download
memory/4588-260-0x0000000000000000-mapping.dmp

Download
memory/4676-318-0x0000000000000000-mapping.dmp

Download
memory/4676-366-0x00000000047D0000-0x0000000005365000-memory.dmp

Filesize
11.6MB

Download
memory/4900-233-0x0000000000000000-mapping.dmp

Download
memory/5008-472-0x0000000000E50000-0x0000000000E94000-memory.dmp

Filesize
272KB

Download
memory/5048-280-0x0000000000000000-mapping.dmp

Download