amadey | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe
Size

845KB
MD5

48567c75c4c768747990b660f8c98486
SHA1

c5d74fb54ab54eb6097414ab1a4c3f80481dfdbc
SHA256

b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5
SHA512

352575ff5f4c3d71905472f5fa1821bd89c0a74f2f66eec4a8529a05ff8155e24fb095fff87c9b425a855f94bd2e29178faa2a8b1bbf4d45c5dce2601f147cb2
SSDEEP

24576:wyTGPDzqeWDz0usMLfZU1nloJ6e6uVQgEb:3SP/9+z0usCq1nmLFE

Score

10^/10

amadey healer redline fb0fb8 mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6317664.exe	healer
behavioral12/memory/4484-35-0x0000000000390000-0x000000000039A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q6317664.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6317664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6317664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6317664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6317664.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q6317664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6317664.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5081066.exe	family_redline
behavioral12/memory/3092-52-0x0000000000140000-0x0000000000170000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

r3534172.exeexplonde.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	r3534172.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 11 IoCs

Processes:

z0767174.exez7195821.exez9272765.exez0303318.exeq6317664.exer3534172.exeexplonde.exes5081066.exeexplonde.exeexplonde.exeexplonde.exe

pid	process
1980	z0767174.exe
2928	z7195821.exe
1432	z9272765.exe
4828	z0303318.exe
4484	q6317664.exe
1600	r3534172.exe
3592	explonde.exe
3092	s5081066.exe
3084	explonde.exe
4544	explonde.exe
468	explonde.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

q6317664.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q6317664.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6317664.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exez0767174.exez7195821.exez9272765.exez0303318.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0767174.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7195821.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9272765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0303318.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3668 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1892 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

q6317664.exe

pid process

4484 q6317664.exe
4484 q6317664.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

q6317664.exe

description pid process

Token: SeDebugPrivilege 4484 q6317664.exe

pid	process
3668	sc.exe

pid	process
1892	schtasks.exe

pid	process
4484	q6317664.exe
4484	q6317664.exe

description	pid	process
Token: SeDebugPrivilege	4484	q6317664.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exez0767174.exez7195821.exez9272765.exez0303318.exer3534172.exeexplonde.execmd.exe

description	pid	process	target process
PID 3328 wrote to memory of 1980	3328	b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe	z0767174.exe
PID 3328 wrote to memory of 1980	3328	b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe	z0767174.exe
PID 3328 wrote to memory of 1980	3328	b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe	z0767174.exe
PID 1980 wrote to memory of 2928	1980	z0767174.exe	z7195821.exe
PID 1980 wrote to memory of 2928	1980	z0767174.exe	z7195821.exe
PID 1980 wrote to memory of 2928	1980	z0767174.exe	z7195821.exe
PID 2928 wrote to memory of 1432	2928	z7195821.exe	z9272765.exe
PID 2928 wrote to memory of 1432	2928	z7195821.exe	z9272765.exe
PID 2928 wrote to memory of 1432	2928	z7195821.exe	z9272765.exe
PID 1432 wrote to memory of 4828	1432	z9272765.exe	z0303318.exe
PID 1432 wrote to memory of 4828	1432	z9272765.exe	z0303318.exe
PID 1432 wrote to memory of 4828	1432	z9272765.exe	z0303318.exe
PID 4828 wrote to memory of 4484	4828	z0303318.exe	q6317664.exe
PID 4828 wrote to memory of 4484	4828	z0303318.exe	q6317664.exe
PID 4828 wrote to memory of 1600	4828	z0303318.exe	r3534172.exe
PID 4828 wrote to memory of 1600	4828	z0303318.exe	r3534172.exe
PID 4828 wrote to memory of 1600	4828	z0303318.exe	r3534172.exe
PID 1600 wrote to memory of 3592	1600	r3534172.exe	explonde.exe
PID 1600 wrote to memory of 3592	1600	r3534172.exe	explonde.exe
PID 1600 wrote to memory of 3592	1600	r3534172.exe	explonde.exe
PID 1432 wrote to memory of 3092	1432	z9272765.exe	s5081066.exe
PID 1432 wrote to memory of 3092	1432	z9272765.exe	s5081066.exe
PID 1432 wrote to memory of 3092	1432	z9272765.exe	s5081066.exe
PID 3592 wrote to memory of 1892	3592	explonde.exe	schtasks.exe
PID 3592 wrote to memory of 1892	3592	explonde.exe	schtasks.exe
PID 3592 wrote to memory of 1892	3592	explonde.exe	schtasks.exe
PID 3592 wrote to memory of 5112	3592	explonde.exe	cmd.exe
PID 3592 wrote to memory of 5112	3592	explonde.exe	cmd.exe
PID 3592 wrote to memory of 5112	3592	explonde.exe	cmd.exe
PID 5112 wrote to memory of 960	5112	cmd.exe	cmd.exe
PID 5112 wrote to memory of 960	5112	cmd.exe	cmd.exe
PID 5112 wrote to memory of 960	5112	cmd.exe	cmd.exe
PID 5112 wrote to memory of 4804	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 4804	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 4804	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 1760	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 1760	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 1760	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 3988	5112	cmd.exe	cmd.exe
PID 5112 wrote to memory of 3988	5112	cmd.exe	cmd.exe
PID 5112 wrote to memory of 3988	5112	cmd.exe	cmd.exe
PID 5112 wrote to memory of 4532	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 4532	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 4532	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 448	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 448	5112	cmd.exe	cacls.exe
PID 5112 wrote to memory of 448	5112	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe
"C:\Users\Admin\AppData\Local\Temp\b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0767174.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0767174.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7195821.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7195821.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9272765.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9272765.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0303318.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0303318.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6317664.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6317664.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3534172.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3534172.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
8⤵
- Creates scheduled task(s)
PID:1892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
8⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
9⤵
PID:960

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
9⤵
PID:4804

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
9⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
9⤵
PID:3988

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
9⤵
PID:4532

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
9⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5081066.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5081066.exe
5⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3668

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0767174.exe
Filesize
739KB

MD5
1f1478a97885ee2786ea0dabfe4cd0f6

SHA1
ba07d4d4972718f40e7028b6ba5a3206cbec8f0a

SHA256
bb7fd4e73d69bd091eec4adcf7195b67c4967bf26a9f6e49d23cc1f8f1cb86ff

SHA512
d1850999c2342ed2353fb6eb0d590c085bee4892d51446c4db50b15df868ff0b90c6d5dfb259b4588aed51729bdfdc2fcc26957cd5ee56c66fc463fe06da78de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7195821.exe
Filesize
573KB

MD5
3cef8d01010e36c8ec99cf64df9c99c5

SHA1
9f707037219996936d8eb6f3b83f24d0ddd10bf9

SHA256
aeb7cc95a992ac4900bc0425baed7d55a5cba9715b62a832a719d622cc626382

SHA512
4feb44bbe29309c4cbe8129fa8fc439afed3db7fcd7307afa4be4931e170ca2f895ffca043d43353f026413094a12981ee8928bed71acbb93583e53c015cf933

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9272765.exe
Filesize
390KB

MD5
7560beb7322bd2692df3a03011caa912

SHA1
2dbc1f17d7b4235a8ece2bf86f641b3294aab8ec

SHA256
c9e9bef07fa4c791811556b72c9203cad57565f08289fde336f946c7e352d733

SHA512
d03372522b7193d76ea12d763554ba9d2d2cfbbff1fbbdea2fdf6fa85774b2e1242a1c5c0572618ee8c595cff5394fa884e214b5da9669a8622eb0219e6e68ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5081066.exe
Filesize
175KB

MD5
b9223d0c0d016a1b71628bac899b8c85

SHA1
1fcf1ca92a29ab20d60dc32c87814307dea3030c

SHA256
f5d965417ff0d03022452485374cbf1383d9e363456379c1176ff875b77b6efe

SHA512
e6bb7297988b57275f3962dcd920c9242caa6feb0d9fcd9f720f407710be0e033d131491aaa7f8fa5ca9efb88d7d183b784c9004c3a961f25d4373c38e61f5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0303318.exe
Filesize
234KB

MD5
5157199d2abd9f40948702814b18cdac

SHA1
c1d9db02998d50e0088b405b5a8c975bee7a1f07

SHA256
e2a8dd69ea92189cb06a62fdc7299a5d82bdbd44a6bb542adce3051123ff3e61

SHA512
03da39aececfccf87a09092db50a2187e76208fc47c95fc8cee420fec674aa0c9aa3cbd6ac0553d8bd2b004a77fdf519ee198a708f60914d7ccb05c5a98c5359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6317664.exe
Filesize
11KB

MD5
5134903f08843187dc208206f5e99368

SHA1
66a6002cd55b2a568938c5e6d4bc0f3c7fd16055

SHA256
f844b8f8aaf79e351fd89933625e8d0cb139de2c25f30cccbb42eb75ed496615

SHA512
24fdb5c79b79cb39e7792dc8aa9368cbb23d881b391a19bcff185f5d44748f26a5c3ab7264dc5f387052512b2c897fb0a8c17f0a7867a3f6963ab6814d4a9599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3534172.exe
Filesize
220KB

MD5
6ab82d832ff9bd75e6981da2371c51c2

SHA1
ba7cc8f447c7d0685ff59b6994413f02dfc0a588

SHA256
96dbe3d3af00eb9ff975f8240661f0e9d89fe00cf60e3cc35f52c43eaa12e795

SHA512
c51bf70c508e46a51425c44a89136752790e8cc5c0022e3f94d488d473fc75d17ab624a9be7eaa4734b0e3fe6f76b403e98a47b2f5aa14a3013f2edff40f8183

Download Submit
memory/3092-52-0x0000000000140000-0x0000000000170000-memory.dmp

Filesize
192KB

Download
memory/3092-53-0x0000000002430000-0x0000000002436000-memory.dmp

Filesize
24KB

Download
memory/3092-54-0x0000000005190000-0x00000000057A8000-memory.dmp

Filesize
6.1MB

Download
memory/3092-55-0x0000000004C80000-0x0000000004D8A000-memory.dmp

Filesize
1.0MB

Download
memory/3092-56-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/3092-57-0x0000000004A10000-0x0000000004A4C000-memory.dmp

Filesize
240KB

Download
memory/3092-58-0x0000000004B70000-0x0000000004BBC000-memory.dmp

Filesize
304KB

Download
memory/4484-35-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download