amadey | 17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Size

1.8MB
MD5

4cf346373d331ff441b71ae12c4420ff
SHA1

e4d53520a0b925b9122cba1f9f7cac6661ac014c
SHA256

17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa
SHA512

d82d681438a1df724b3b698d12049f0b4b11c829ec94de15bbf7c68a1b456675b4a5e2fa0f25a67d8daf6da28310df508f88b3cc0906fe02eb43a0c36dcb7a09
SSDEEP

49152:9fRIz2Mkd2gce9Umg7kce1AmWp6/9V/eIxe2Lj4zVUw5xJS:1R6vkd2synNbm4k9V/eMeIwP5xJ

Score

10^/10

amadey gcleaner stealc fed3aa stok discovery evasion loader persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fe486d5dfc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f6369c294c.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fe486d5dfc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fe486d5dfc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f6369c294c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f6369c294c.exe

Executes dropped EXE 5 IoCs

pid	Process
2868	axplong.exe
2912	roblox.exe
2952	fe486d5dfc.exe
1688	stub.exe
1976	f6369c294c.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	fe486d5dfc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	f6369c294c.exe

Loads dropped DLL 10 IoCs

pid	Process
2208	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
2208	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
2868	axplong.exe
2868	axplong.exe
2868	axplong.exe
2912	roblox.exe
1688	stub.exe
2868	axplong.exe
2868	axplong.exe
1976	f6369c294c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\fe486d5dfc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006272001\\fe486d5dfc.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\f6369c294c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006273001\\f6369c294c.exe"	axplong.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2208	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
2868	axplong.exe
2952	fe486d5dfc.exe
1976	f6369c294c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe486d5dfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6369c294c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2208	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
2868	axplong.exe
2952	fe486d5dfc.exe
1976	f6369c294c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2208	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2868	2208	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe	30
PID 2208 wrote to memory of 2868	2208	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe	30
PID 2208 wrote to memory of 2868	2208	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe	30
PID 2208 wrote to memory of 2868	2208	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe	30
PID 2868 wrote to memory of 2912	2868	axplong.exe	32
PID 2868 wrote to memory of 2912	2868	axplong.exe	32
PID 2868 wrote to memory of 2912	2868	axplong.exe	32
PID 2868 wrote to memory of 2912	2868	axplong.exe	32
PID 2868 wrote to memory of 2952	2868	axplong.exe	34
PID 2868 wrote to memory of 2952	2868	axplong.exe	34
PID 2868 wrote to memory of 2952	2868	axplong.exe	34
PID 2868 wrote to memory of 2952	2868	axplong.exe	34
PID 2912 wrote to memory of 1688	2912	roblox.exe	35
PID 2912 wrote to memory of 1688	2912	roblox.exe	35
PID 2912 wrote to memory of 1688	2912	roblox.exe	35
PID 2868 wrote to memory of 1976	2868	axplong.exe	36
PID 2868 wrote to memory of 1976	2868	axplong.exe	36
PID 2868 wrote to memory of 1976	2868	axplong.exe	36
PID 2868 wrote to memory of 1976	2868	axplong.exe	36

C:\Users\Admin\AppData\Local\Temp\17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
"C:\Users\Admin\AppData\Local\Temp\17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe
    "C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2912_133785293963648000\stub.exe
      C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1688
- - C:\Users\Admin\AppData\Local\Temp\1006272001\fe486d5dfc.exe
    "C:\Users\Admin\AppData\Local\Temp\1006272001\fe486d5dfc.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\1006273001\f6369c294c.exe
    "C:\Users\Admin\AppData\Local\Temp\1006273001\f6369c294c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe

Filesize
10.7MB

MD5
6898eace70e2da82f257bc78cb081b2f

SHA1
5ac5ed21436d8b4c59c0b62836d531844c571d6d

SHA256
bcdd8b7c9ec736765d4596332c0fec1334b035d4456df1ec25b569f9b6431a23

SHA512
ca719707417a095fe092837e870aefc7e8874ef351e27b5b41e40f46a9e2f6cb2ba915858bc3c99a14c2f1288c71c7ddd9c2adee6588d6b43cd3ba276e1585d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006272001\fe486d5dfc.exe

Filesize
1.7MB

MD5
91c87d6521355c02422acb98aea28b43

SHA1
71f5a66b2d645b355e675ce458f302b192da214b

SHA256
f7df3bbf114ddb67167ed7b1bbea2ce1a575b0cba8d5b54a21a59b662dfd5139

SHA512
dea14418513777047d89268e316fa71a2f17f3cdd7d912688302ee332b4a15343ee4a0bf515beb308b58ea742b905b5e29f57531fcf8da1d3d83708ce8cab1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006273001\f6369c294c.exe

Filesize
1.9MB

MD5
0a2e0cf36cb5586fb3ecff4872b27b9d

SHA1
b8ab43272fbbad21c1985ee536ecd5ccbdc0a761

SHA256
417e7e396fbadbf07bf6952dbd3c0b6b496bc18871047645879db777552552b1

SHA512
54f788a088be98537649567c9c9c1c13fb148502900862832b91438a4e0ea1cfab5d8c465834059556f2799d83390ef2bc07efa6c3a63b225484528c2e85eedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
4cf346373d331ff441b71ae12c4420ff

SHA1
e4d53520a0b925b9122cba1f9f7cac6661ac014c

SHA256
17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa

SHA512
d82d681438a1df724b3b698d12049f0b4b11c829ec94de15bbf7c68a1b456675b4a5e2fa0f25a67d8daf6da28310df508f88b3cc0906fe02eb43a0c36dcb7a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2912_133785293963648000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2912_133785293963648000\stub.exe

Filesize
16.1MB

MD5
d09a400f60c7a298e884f90539e9c72f

SHA1
41582ba130bef907e24f87534e7a0fdd37025101

SHA256
700962aa295e2fa207ff522e2f5ca051a2929eb6f252d42c9cb0a56a4f084bfe

SHA512
d8ba2859bb2ea109c1ca33cb924e40bf61db79aefb59324101d9f47a08835d86834790d3bc6bad4151a561ef82265b32d5111bc80f95dce769c5eb4da5116cc9

Download Submit
\Users\Admin\AppData\Local\Temp\7BD2rFeff8RN0FS\Y-Cleaner.exe

Filesize
1.4MB

MD5
a8cf5621811f7fac55cfe8cb3fa6b9f6

SHA1
121356839e8138a03141f5f5856936a85bd2a474

SHA256
614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

SHA512
4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

Download Submit
memory/1688-124-0x000000013FEB0000-0x0000000140F19000-memory.dmp

Filesize
16.4MB

Download
memory/1976-180-0x0000000000400000-0x0000000000C7D000-memory.dmp

Filesize
8.5MB

Download
memory/1976-168-0x0000000000400000-0x0000000000C7D000-memory.dmp

Filesize
8.5MB

Download
memory/1976-187-0x0000000000400000-0x0000000000C7D000-memory.dmp

Filesize
8.5MB

Download
memory/1976-120-0x0000000000400000-0x0000000000C7D000-memory.dmp

Filesize
8.5MB

Download
memory/1976-198-0x0000000000400000-0x0000000000C7D000-memory.dmp

Filesize
8.5MB

Download
memory/1976-140-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1976-143-0x0000000000400000-0x0000000000C7D000-memory.dmp

Filesize
8.5MB

Download
memory/2208-0-0x0000000000280000-0x0000000000754000-memory.dmp

Filesize
4.8MB

Download
memory/2208-4-0x0000000000280000-0x0000000000754000-memory.dmp

Filesize
4.8MB

Download
memory/2208-6-0x0000000000280000-0x0000000000754000-memory.dmp

Filesize
4.8MB

Download
memory/2208-20-0x0000000000280000-0x0000000000754000-memory.dmp

Filesize
4.8MB

Download
memory/2208-3-0x0000000000280000-0x0000000000754000-memory.dmp

Filesize
4.8MB

Download
memory/2208-13-0x0000000000280000-0x0000000000754000-memory.dmp

Filesize
4.8MB

Download
memory/2208-2-0x0000000000281000-0x00000000002AF000-memory.dmp

Filesize
184KB

Download
memory/2208-1-0x00000000777D0000-0x00000000777D2000-memory.dmp

Filesize
8KB

Download
memory/2868-26-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-177-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-207-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-119-0x0000000006570000-0x0000000006DED000-memory.dmp

Filesize
8.5MB

Download
memory/2868-123-0x0000000006570000-0x0000000006DED000-memory.dmp

Filesize
8.5MB

Download
memory/2868-206-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-72-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-67-0x0000000006570000-0x0000000006C03000-memory.dmp

Filesize
6.6MB

Download
memory/2868-132-0x0000000006570000-0x0000000006C03000-memory.dmp

Filesize
6.6MB

Download
memory/2868-133-0x0000000006570000-0x0000000006C03000-memory.dmp

Filesize
6.6MB

Download
memory/2868-205-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-135-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-66-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-167-0x0000000006570000-0x0000000006DED000-memory.dmp

Filesize
8.5MB

Download
memory/2868-40-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-52-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-204-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-68-0x0000000006570000-0x0000000006C03000-memory.dmp

Filesize
6.6MB

Download
memory/2868-35-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-24-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-184-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-23-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-191-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-22-0x0000000000841000-0x000000000086F000-memory.dmp

Filesize
184KB

Download
memory/2868-21-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-199-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-200-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-201-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-202-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2868-203-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2912-174-0x000000013F920000-0x00000001403F2000-memory.dmp

Filesize
10.8MB

Download
memory/2912-134-0x000000013F920000-0x00000001403F2000-memory.dmp

Filesize
10.8MB

Download
memory/2952-122-0x0000000000390000-0x0000000000A23000-memory.dmp

Filesize
6.6MB

Download
memory/2952-69-0x0000000000390000-0x0000000000A23000-memory.dmp

Filesize
6.6MB

Download