amadey | 5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023

Analysis

max time kernel
111s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2022, 21:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023.exe
Size

272KB
MD5

0c569e87bcb0d34c7c7c8426ab7ae6d7
SHA1

3467ee4c23aaa4c49764d817c221e8a70fd5a4bd
SHA256

5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023
SHA512

14639b276932a926151badd5c88364072d86785fcfdef35e3231e5bba20de2ee83db2e82b5fc55950a24af9a0bf392900a11c34b4b7ebc7f18f7402d505b99cc
SSDEEP

6144:GS4LQoZi6M4ykUJ8EpOklzc1gweQIa+MK5jlVklPH:GS4coZdM4ykzEgpfoaWlU

Score

10^/10

amadey collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

31.41.244.237/jg94cVd30f/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

resource	yara_rule
behavioral2/files/0x000b00000001f020-198.dat	amadey_cred_module
behavioral2/files/0x000b00000001f020-199.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
43	2760	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
5020	gntuud.exe
3900	linda5.exe
4800	ladia.exe
2188	gntuud.exe
3140	gntuud.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gntuud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	linda5.exe

Loads dropped DLL 3 IoCs

pid	Process
4848	rundll32.exe
1372	rundll32.exe
2760	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\linda5.exe"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ladia.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021001\\ladia.exe"	gntuud.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3032	5036	WerFault.exe	80
1136	4800	WerFault.exe	104
3164	2188	WerFault.exe	110
3336	3140	WerFault.exe	114

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
216	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	linda5.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4800	ladia.exe
4800	ladia.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	ladia.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 5020	5036	5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023.exe	81
PID 5036 wrote to memory of 5020	5036	5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023.exe	81
PID 5036 wrote to memory of 5020	5036	5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023.exe	81
PID 5020 wrote to memory of 216	5020	gntuud.exe	87
PID 5020 wrote to memory of 216	5020	gntuud.exe	87
PID 5020 wrote to memory of 216	5020	gntuud.exe	87
PID 5020 wrote to memory of 4732	5020	gntuud.exe	89
PID 5020 wrote to memory of 4732	5020	gntuud.exe	89
PID 5020 wrote to memory of 4732	5020	gntuud.exe	89
PID 4732 wrote to memory of 3328	4732	cmd.exe	91
PID 4732 wrote to memory of 3328	4732	cmd.exe	91
PID 4732 wrote to memory of 3328	4732	cmd.exe	91
PID 4732 wrote to memory of 4260	4732	cmd.exe	92
PID 4732 wrote to memory of 4260	4732	cmd.exe	92
PID 4732 wrote to memory of 4260	4732	cmd.exe	92
PID 4732 wrote to memory of 64	4732	cmd.exe	93
PID 4732 wrote to memory of 64	4732	cmd.exe	93
PID 4732 wrote to memory of 64	4732	cmd.exe	93
PID 4732 wrote to memory of 3056	4732	cmd.exe	94
PID 4732 wrote to memory of 3056	4732	cmd.exe	94
PID 4732 wrote to memory of 3056	4732	cmd.exe	94
PID 4732 wrote to memory of 2164	4732	cmd.exe	95
PID 4732 wrote to memory of 2164	4732	cmd.exe	95
PID 4732 wrote to memory of 2164	4732	cmd.exe	95
PID 4732 wrote to memory of 2484	4732	cmd.exe	96
PID 4732 wrote to memory of 2484	4732	cmd.exe	96
PID 4732 wrote to memory of 2484	4732	cmd.exe	96
PID 5020 wrote to memory of 3900	5020	gntuud.exe	98
PID 5020 wrote to memory of 3900	5020	gntuud.exe	98
PID 5020 wrote to memory of 3900	5020	gntuud.exe	98
PID 3900 wrote to memory of 3976	3900	linda5.exe	99
PID 3900 wrote to memory of 3976	3900	linda5.exe	99
PID 3900 wrote to memory of 3976	3900	linda5.exe	99
PID 3976 wrote to memory of 4848	3976	control.exe	101
PID 3976 wrote to memory of 4848	3976	control.exe	101
PID 3976 wrote to memory of 4848	3976	control.exe	101
PID 5020 wrote to memory of 4800	5020	gntuud.exe	104
PID 5020 wrote to memory of 4800	5020	gntuud.exe	104
PID 5020 wrote to memory of 4800	5020	gntuud.exe	104
PID 4848 wrote to memory of 1892	4848	rundll32.exe	105
PID 4848 wrote to memory of 1892	4848	rundll32.exe	105
PID 1892 wrote to memory of 1372	1892	RunDll32.exe	106
PID 1892 wrote to memory of 1372	1892	RunDll32.exe	106
PID 1892 wrote to memory of 1372	1892	RunDll32.exe	106
PID 5020 wrote to memory of 2760	5020	gntuud.exe	113
PID 5020 wrote to memory of 2760	5020	gntuud.exe	113
PID 5020 wrote to memory of 2760	5020	gntuud.exe	113

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023.exe
"C:\Users\Admin\AppData\Local\Temp\5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3328
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "gntuud.exe" /P "Admin:N"
      4⤵
      PID:4260
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "gntuud.exe" /P "Admin:R" /E
      4⤵
      PID:64
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9c69749b54" /P "Admin:N"
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9c69749b54" /P "Admin:R" /E
      4⤵
      PID:2484
- - C:\Users\Admin\AppData\Local\Temp\1000020001\linda5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\linda5.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\DNiQ.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DNiQ.CPl",
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DNiQ.CPl",
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\DNiQ.CPl",
        7⤵
        Loads dropped DLL
        
        PID:1372
- - C:\Users\Admin\AppData\Local\Temp\1000021001\ladia.exe
    "C:\Users\Admin\AppData\Local\Temp\1000021001\ladia.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1272
      4⤵
      Program crash
      PID:1136
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:2760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 884
  2⤵
  - Program crash
  PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5036 -ip 5036
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4800 -ip 4800
1⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
1⤵
- Executes dropped EXE
PID:2188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 432
  2⤵
  - Program crash
  PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2188 -ip 2188
1⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
1⤵
- Executes dropped EXE
PID:3140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 416
  2⤵
  - Program crash
  PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3140 -ip 3140
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000020001\linda5.exe

Filesize
1.7MB

MD5
1eeacea8b9aa738477b666c9226b1318

SHA1
6be5369fd5daee09332eb66468a14dbd07e25322

SHA256
bba7d719129244665a3aebd437e4cbb25a3e2129b153e2316b45d72e2fc4fb31

SHA512
41126da021ce9d3ca3592546bc815705113a9670b909e38162297e3c265e4780269ccbd21e94c5fe682d675d0842595b18aec234f3c46ecf04bebd4fda2087b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\linda5.exe

Filesize
1.7MB

MD5
1eeacea8b9aa738477b666c9226b1318

SHA1
6be5369fd5daee09332eb66468a14dbd07e25322

SHA256
bba7d719129244665a3aebd437e4cbb25a3e2129b153e2316b45d72e2fc4fb31

SHA512
41126da021ce9d3ca3592546bc815705113a9670b909e38162297e3c265e4780269ccbd21e94c5fe682d675d0842595b18aec234f3c46ecf04bebd4fda2087b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021001\ladia.exe

Filesize
404KB

MD5
6747e23236494ef0a33899575c078f49

SHA1
a55660a38b76454388d02d719e8b3aa819887030

SHA256
5646ec98ad856716379feaf6005b17904ac7960b1cd22279481bf99254829d23

SHA512
bf67e452bb609fbec2836225d418e888b79e9db8c2bed3f98e160e40ff6c73daab2027a15e7ff5a706f16859883b0825a474cdd2f5b03cb4fcf06f9c242bd5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021001\ladia.exe

Filesize
404KB

MD5
6747e23236494ef0a33899575c078f49

SHA1
a55660a38b76454388d02d719e8b3aa819887030

SHA256
5646ec98ad856716379feaf6005b17904ac7960b1cd22279481bf99254829d23

SHA512
bf67e452bb609fbec2836225d418e888b79e9db8c2bed3f98e160e40ff6c73daab2027a15e7ff5a706f16859883b0825a474cdd2f5b03cb4fcf06f9c242bd5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
272KB

MD5
0c569e87bcb0d34c7c7c8426ab7ae6d7

SHA1
3467ee4c23aaa4c49764d817c221e8a70fd5a4bd

SHA256
5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023

SHA512
14639b276932a926151badd5c88364072d86785fcfdef35e3231e5bba20de2ee83db2e82b5fc55950a24af9a0bf392900a11c34b4b7ebc7f18f7402d505b99cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
272KB

MD5
0c569e87bcb0d34c7c7c8426ab7ae6d7

SHA1
3467ee4c23aaa4c49764d817c221e8a70fd5a4bd

SHA256
5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023

SHA512
14639b276932a926151badd5c88364072d86785fcfdef35e3231e5bba20de2ee83db2e82b5fc55950a24af9a0bf392900a11c34b4b7ebc7f18f7402d505b99cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
272KB

MD5
0c569e87bcb0d34c7c7c8426ab7ae6d7

SHA1
3467ee4c23aaa4c49764d817c221e8a70fd5a4bd

SHA256
5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023

SHA512
14639b276932a926151badd5c88364072d86785fcfdef35e3231e5bba20de2ee83db2e82b5fc55950a24af9a0bf392900a11c34b4b7ebc7f18f7402d505b99cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
272KB

MD5
0c569e87bcb0d34c7c7c8426ab7ae6d7

SHA1
3467ee4c23aaa4c49764d817c221e8a70fd5a4bd

SHA256
5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023

SHA512
14639b276932a926151badd5c88364072d86785fcfdef35e3231e5bba20de2ee83db2e82b5fc55950a24af9a0bf392900a11c34b4b7ebc7f18f7402d505b99cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNiQ.CPl

Filesize
2.0MB

MD5
ba748bd0187d6215740729c09c7d16e8

SHA1
60276802196a67e63ca7832db2bced79af7a4cee

SHA256
ac11ad2da3db916631ca38d68101622aa375ae5ee7d6847e2e8dbc43cdb5d92b

SHA512
792a6797c4c48bde842d6a769f2ffce0f5e55ccdee135277b6133b633418e2da6fabaafde7edc792ab2d91f79ffe4d870a306f2a7866476feaa9ef64eb29ef75

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNiq.cpl

Filesize
2.0MB

MD5
ba748bd0187d6215740729c09c7d16e8

SHA1
60276802196a67e63ca7832db2bced79af7a4cee

SHA256
ac11ad2da3db916631ca38d68101622aa375ae5ee7d6847e2e8dbc43cdb5d92b

SHA512
792a6797c4c48bde842d6a769f2ffce0f5e55ccdee135277b6133b633418e2da6fabaafde7edc792ab2d91f79ffe4d870a306f2a7866476feaa9ef64eb29ef75

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNiq.cpl

Filesize
2.0MB

MD5
ba748bd0187d6215740729c09c7d16e8

SHA1
60276802196a67e63ca7832db2bced79af7a4cee

SHA256
ac11ad2da3db916631ca38d68101622aa375ae5ee7d6847e2e8dbc43cdb5d92b

SHA512
792a6797c4c48bde842d6a769f2ffce0f5e55ccdee135277b6133b633418e2da6fabaafde7edc792ab2d91f79ffe4d870a306f2a7866476feaa9ef64eb29ef75

Download Submit
C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll

Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll

Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
memory/1372-185-0x0000000003690000-0x0000000003764000-memory.dmp

Filesize
848KB

Download
memory/1372-186-0x0000000003770000-0x000000000382E000-memory.dmp

Filesize
760KB

Download
memory/1372-177-0x0000000003370000-0x0000000003475000-memory.dmp

Filesize
1.0MB

Download
memory/1372-189-0x0000000003580000-0x0000000003682000-memory.dmp

Filesize
1.0MB

Download
memory/1372-178-0x0000000003580000-0x0000000003682000-memory.dmp

Filesize
1.0MB

Download
memory/2188-196-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2188-195-0x00000000006BC000-0x00000000006DB000-memory.dmp

Filesize
124KB

Download
memory/3140-201-0x000000000061C000-0x000000000063B000-memory.dmp

Filesize
124KB

Download
memory/3140-202-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4800-182-0x0000000006440000-0x0000000006602000-memory.dmp

Filesize
1.8MB

Download
memory/4800-193-0x00000000004B8000-0x00000000004E7000-memory.dmp

Filesize
188KB

Download
memory/4800-171-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/4800-172-0x0000000005980000-0x0000000005992000-memory.dmp

Filesize
72KB

Download
memory/4800-173-0x00000000059A0000-0x00000000059DC000-memory.dmp

Filesize
240KB

Download
memory/4800-169-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4800-170-0x00000000051A0000-0x00000000057B8000-memory.dmp

Filesize
6.1MB

Download
memory/4800-192-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4800-163-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/4800-191-0x0000000006D10000-0x0000000006D60000-memory.dmp

Filesize
320KB

Download
memory/4800-180-0x0000000005C90000-0x0000000005D22000-memory.dmp

Filesize
584KB

Download
memory/4800-181-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/4800-190-0x0000000006C90000-0x0000000006D06000-memory.dmp

Filesize
472KB

Download
memory/4800-183-0x0000000006610000-0x0000000006B3C000-memory.dmp

Filesize
5.2MB

Download
memory/4800-184-0x00000000004B8000-0x00000000004E7000-memory.dmp

Filesize
188KB

Download
memory/4800-160-0x00000000004B8000-0x00000000004E7000-memory.dmp

Filesize
188KB

Download
memory/4800-161-0x00000000005E0000-0x000000000062B000-memory.dmp

Filesize
300KB

Download
memory/4848-156-0x0000000003750000-0x0000000003852000-memory.dmp

Filesize
1.0MB

Download
memory/4848-179-0x0000000003750000-0x0000000003852000-memory.dmp

Filesize
1.0MB

Download
memory/4848-164-0x0000000003940000-0x00000000039FE000-memory.dmp

Filesize
760KB

Download
memory/4848-155-0x0000000003540000-0x0000000003645000-memory.dmp

Filesize
1.0MB

Download
memory/4848-162-0x0000000003860000-0x0000000003934000-memory.dmp

Filesize
848KB

Download
memory/5020-146-0x00000000004E8000-0x0000000000507000-memory.dmp

Filesize
124KB

Download
memory/5020-147-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5020-167-0x00000000004E8000-0x0000000000507000-memory.dmp

Filesize
124KB

Download
memory/5020-168-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5036-136-0x00000000021A0000-0x00000000021DE000-memory.dmp

Filesize
248KB

Download
memory/5036-137-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5036-135-0x00000000007C8000-0x00000000007E7000-memory.dmp

Filesize
124KB

Download