amadey | 64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af

Analysis

max time kernel
107s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2022, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af.exe
Size

278KB
MD5

946f67d81f0a0eb16319e583de94a4af
SHA1

83d9bf21f17fcd2aa0b0a133ffed35825fedc9b7
SHA256

64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af
SHA512

7d89622cfdf1c1967d9631438746bae51769eb47adbd71225d04aba600fb50982983addaea83479f2ae944f038db45a3b082002b98b33be2b9e9938496abc651
SSDEEP

3072:QqiELFlaIw5gtRXQrzFFGaYPn2ek2E0h4plXeCh2GYNWbsuQg+auDpiN3aRf/ln:L3LFltLS9FDSnuphpNNJQg+aMgKn

Score

10^/10

amadey collection persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.61

62.204.41.79/U7vfDb3kg/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e10-182.dat	amadey_cred_module
behavioral1/files/0x0006000000022e10-183.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
51	2340	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
4540	gntuud.exe
3136	linda5.exe
3784	clim.exe
4644	gntuud.exe
2616	gntuud.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gntuud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	linda5.exe

Loads dropped DLL 3 IoCs

pid	Process
4188	rundll32.exe
1944	rundll32.exe
2340	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000051051\\linda5.exe"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clim.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000052051\\clim.exe"	gntuud.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3784 set thread context of 3108	3784	clim.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2740	4284	WerFault.exe	80
3300	4644	WerFault.exe	103
4452	2616	WerFault.exe	107

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4380	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	linda5.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3784	clim.exe
3784	clim.exe
2340	rundll32.exe
2340	rundll32.exe
2340	rundll32.exe
2340	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3784	clim.exe
Token: SeDebugPrivilege	3108	AppLaunch.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4540	4284	64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af.exe	81
PID 4284 wrote to memory of 4540	4284	64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af.exe	81
PID 4284 wrote to memory of 4540	4284	64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af.exe	81
PID 4540 wrote to memory of 4380	4540	gntuud.exe	84
PID 4540 wrote to memory of 4380	4540	gntuud.exe	84
PID 4540 wrote to memory of 4380	4540	gntuud.exe	84
PID 4540 wrote to memory of 3136	4540	gntuud.exe	86
PID 4540 wrote to memory of 3136	4540	gntuud.exe	86
PID 4540 wrote to memory of 3136	4540	gntuud.exe	86
PID 4540 wrote to memory of 3784	4540	gntuud.exe	87
PID 4540 wrote to memory of 3784	4540	gntuud.exe	87
PID 4540 wrote to memory of 3784	4540	gntuud.exe	87
PID 3136 wrote to memory of 344	3136	linda5.exe	88
PID 3136 wrote to memory of 344	3136	linda5.exe	88
PID 3136 wrote to memory of 344	3136	linda5.exe	88
PID 344 wrote to memory of 4188	344	control.exe	90
PID 344 wrote to memory of 4188	344	control.exe	90
PID 344 wrote to memory of 4188	344	control.exe	90
PID 4188 wrote to memory of 4940	4188	rundll32.exe	95
PID 4188 wrote to memory of 4940	4188	rundll32.exe	95
PID 4940 wrote to memory of 1944	4940	RunDll32.exe	96
PID 4940 wrote to memory of 1944	4940	RunDll32.exe	96
PID 4940 wrote to memory of 1944	4940	RunDll32.exe	96
PID 3784 wrote to memory of 1404	3784	clim.exe	100
PID 3784 wrote to memory of 1404	3784	clim.exe	100
PID 3784 wrote to memory of 1404	3784	clim.exe	100
PID 3784 wrote to memory of 3108	3784	clim.exe	101
PID 3784 wrote to memory of 3108	3784	clim.exe	101
PID 3784 wrote to memory of 3108	3784	clim.exe	101
PID 3784 wrote to memory of 3108	3784	clim.exe	101
PID 3784 wrote to memory of 3108	3784	clim.exe	101
PID 3784 wrote to memory of 3108	3784	clim.exe	101
PID 3784 wrote to memory of 3108	3784	clim.exe	101
PID 3784 wrote to memory of 3108	3784	clim.exe	101
PID 4540 wrote to memory of 2340	4540	gntuud.exe	106
PID 4540 wrote to memory of 2340	4540	gntuud.exe	106
PID 4540 wrote to memory of 2340	4540	gntuud.exe	106

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af.exe
"C:\Users\Admin\AppData\Local\Temp\64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4380
- - C:\Users\Admin\AppData\Local\Temp\1000051051\linda5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000051051\linda5.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\KP0E.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:344
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\KP0E.cpl",
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4188
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\KP0E.cpl",
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\KP0E.cpl",
        7⤵
        Loads dropped DLL
        
        PID:1944
- - C:\Users\Admin\AppData\Local\Temp\1000052051\clim.exe
    "C:\Users\Admin\AppData\Local\Temp\1000052051\clim.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1404
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3108
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:2340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 904
  2⤵
  - Program crash
  PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4284 -ip 4284
1⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
1⤵
- Executes dropped EXE
PID:4644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 320
  2⤵
  - Program crash
  PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4644 -ip 4644
1⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
1⤵
- Executes dropped EXE
PID:2616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 312
  2⤵
  - Program crash
  PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2616 -ip 2616
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000051051\linda5.exe

Filesize
1.6MB

MD5
aceecfbe0cb56693861c476989911353

SHA1
69b345f1cb419d733ee523a2d56ae159c7bb68cd

SHA256
9db9183eee5cecbe151e9bb77cfc066cd278dd682c4d541871c9720a7473e928

SHA512
5c9513b719c6324a28accb711feda34b387cd6a675059be1801448786dbbc69ddf3794c77e270320438b9c241d6b0e089d6836ef2ea4c2ff424319e1a9f33009

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000051051\linda5.exe

Filesize
1.6MB

MD5
aceecfbe0cb56693861c476989911353

SHA1
69b345f1cb419d733ee523a2d56ae159c7bb68cd

SHA256
9db9183eee5cecbe151e9bb77cfc066cd278dd682c4d541871c9720a7473e928

SHA512
5c9513b719c6324a28accb711feda34b387cd6a675059be1801448786dbbc69ddf3794c77e270320438b9c241d6b0e089d6836ef2ea4c2ff424319e1a9f33009

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000052051\clim.exe

Filesize
923KB

MD5
e3dd3606cec2635e2c938d145e2e7fcd

SHA1
1c3d8912a745080c164f24e075e95554d2761e54

SHA256
518261f1fa66ad1a7336a7e499391a02c7239fe665adac002c67d2633e2f8676

SHA512
a084b1514299f6030dd2276dc06477b54df5f39245e6cbdccc19185d95bd7974229b82f2022442a25b4191fe959f4a770495050d9b95e2d2b52c6352b226be3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000052051\clim.exe

Filesize
923KB

MD5
e3dd3606cec2635e2c938d145e2e7fcd

SHA1
1c3d8912a745080c164f24e075e95554d2761e54

SHA256
518261f1fa66ad1a7336a7e499391a02c7239fe665adac002c67d2633e2f8676

SHA512
a084b1514299f6030dd2276dc06477b54df5f39245e6cbdccc19185d95bd7974229b82f2022442a25b4191fe959f4a770495050d9b95e2d2b52c6352b226be3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
278KB

MD5
946f67d81f0a0eb16319e583de94a4af

SHA1
83d9bf21f17fcd2aa0b0a133ffed35825fedc9b7

SHA256
64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af

SHA512
7d89622cfdf1c1967d9631438746bae51769eb47adbd71225d04aba600fb50982983addaea83479f2ae944f038db45a3b082002b98b33be2b9e9938496abc651

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
278KB

MD5
946f67d81f0a0eb16319e583de94a4af

SHA1
83d9bf21f17fcd2aa0b0a133ffed35825fedc9b7

SHA256
64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af

SHA512
7d89622cfdf1c1967d9631438746bae51769eb47adbd71225d04aba600fb50982983addaea83479f2ae944f038db45a3b082002b98b33be2b9e9938496abc651

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
278KB

MD5
946f67d81f0a0eb16319e583de94a4af

SHA1
83d9bf21f17fcd2aa0b0a133ffed35825fedc9b7

SHA256
64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af

SHA512
7d89622cfdf1c1967d9631438746bae51769eb47adbd71225d04aba600fb50982983addaea83479f2ae944f038db45a3b082002b98b33be2b9e9938496abc651

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
278KB

MD5
946f67d81f0a0eb16319e583de94a4af

SHA1
83d9bf21f17fcd2aa0b0a133ffed35825fedc9b7

SHA256
64255385483ede4acab5d8fd9c9a89c23f26d4969602936dcd835b5e52ae01af

SHA512
7d89622cfdf1c1967d9631438746bae51769eb47adbd71225d04aba600fb50982983addaea83479f2ae944f038db45a3b082002b98b33be2b9e9938496abc651

Download Submit
C:\Users\Admin\AppData\Local\Temp\KP0E.cpl

Filesize
1.6MB

MD5
2e4ce512efadb8b3cda385c85a791d72

SHA1
94f2f845d9b877e9b690f37eeaadef3d635405ae

SHA256
f13e32d625504d3f364fd1f8ba6d4580fdebfc602826ace5b780876d36015cc0

SHA512
b81b4414c259800b3de4b0b33ef63ba179d168a5690a922ee48e8a87169d9f9eae5e1b33a0a1bc74a68adddcf68bfd027f7ec17375567f089fdc4d6e269cf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KP0E.cpl

Filesize
1.6MB

MD5
2e4ce512efadb8b3cda385c85a791d72

SHA1
94f2f845d9b877e9b690f37eeaadef3d635405ae

SHA256
f13e32d625504d3f364fd1f8ba6d4580fdebfc602826ace5b780876d36015cc0

SHA512
b81b4414c259800b3de4b0b33ef63ba179d168a5690a922ee48e8a87169d9f9eae5e1b33a0a1bc74a68adddcf68bfd027f7ec17375567f089fdc4d6e269cf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KP0E.cpl

Filesize
1.6MB

MD5
2e4ce512efadb8b3cda385c85a791d72

SHA1
94f2f845d9b877e9b690f37eeaadef3d635405ae

SHA256
f13e32d625504d3f364fd1f8ba6d4580fdebfc602826ace5b780876d36015cc0

SHA512
b81b4414c259800b3de4b0b33ef63ba179d168a5690a922ee48e8a87169d9f9eae5e1b33a0a1bc74a68adddcf68bfd027f7ec17375567f089fdc4d6e269cf33f

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
af364df1b3d1011a1e53cc43a0f47931

SHA1
40a1afe04bb41b40c0369ac5d4707fc74583d2a3

SHA256
3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2

SHA512
e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
af364df1b3d1011a1e53cc43a0f47931

SHA1
40a1afe04bb41b40c0369ac5d4707fc74583d2a3

SHA256
3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2

SHA512
e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

Download Submit
memory/1944-167-0x0000000003160000-0x000000000323E000-memory.dmp

Filesize
888KB

Download
memory/1944-168-0x0000000003240000-0x000000000330A000-memory.dmp

Filesize
808KB

Download
memory/1944-166-0x0000000002A50000-0x0000000002BE4000-memory.dmp

Filesize
1.6MB

Download
memory/1944-169-0x0000000003240000-0x000000000330A000-memory.dmp

Filesize
808KB

Download
memory/2616-185-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/2616-186-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3108-173-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3108-177-0x000000000A510000-0x000000000A576000-memory.dmp

Filesize
408KB

Download
memory/3108-176-0x00000000077A0000-0x00000000077AA000-memory.dmp

Filesize
40KB

Download
memory/3108-175-0x0000000007830000-0x00000000078C2000-memory.dmp

Filesize
584KB

Download
memory/3108-174-0x0000000007D40000-0x00000000082E4000-memory.dmp

Filesize
5.6MB

Download
memory/3784-149-0x0000000000080000-0x000000000016C000-memory.dmp

Filesize
944KB

Download
memory/4188-154-0x0000000002510000-0x00000000026A4000-memory.dmp

Filesize
1.6MB

Download
memory/4188-165-0x0000000070830000-0x00000000709CD000-memory.dmp

Filesize
1.6MB

Download
memory/4188-155-0x0000000070830000-0x00000000709CD000-memory.dmp

Filesize
1.6MB

Download
memory/4188-160-0x0000000000660000-0x000000000072A000-memory.dmp

Filesize
808KB

Download
memory/4188-159-0x0000000000660000-0x000000000072A000-memory.dmp

Filesize
808KB

Download
memory/4188-158-0x0000000002C20000-0x0000000002CFE000-memory.dmp

Filesize
888KB

Download
memory/4284-133-0x0000000002060000-0x000000000209C000-memory.dmp

Filesize
240KB

Download
memory/4284-134-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4284-138-0x00000000004ED000-0x000000000050B000-memory.dmp

Filesize
120KB

Download
memory/4284-132-0x00000000004ED000-0x000000000050B000-memory.dmp

Filesize
120KB

Download
memory/4284-139-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4540-157-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4540-141-0x00000000006BC000-0x00000000006DA000-memory.dmp

Filesize
120KB

Download
memory/4540-142-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4540-156-0x00000000006BC000-0x00000000006DA000-memory.dmp

Filesize
120KB

Download
memory/4644-180-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4644-179-0x00000000006C0000-0x00000000006DE000-memory.dmp

Filesize
120KB

Download