amadey | 9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df

Analysis

max time kernel
148s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe
Size

1002KB
MD5

93560db785293d9bf75ce9001f7e1534
SHA1

989a467b5370e7d0e7a1fba13a580c6d3e9b393c
SHA256

9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df
SHA512

c37d34b3fad149a209c376e5be7885aac6d36adfea8c19cce05a9917f85f9499e453fa2a52bd2f25d5d4d26251fafadc09f47d05c78b965a0f9a4edde80d37a7
SSDEEP

24576:Ly4CdQqhEQIOBpMgBrUnBWcv1am2mdf8LnOkzxqXBNxBKWn:+RIUMgBYzTFc8XB9

Score

10^/10

amadey redline gena rocket vint discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

Rocket

95.217.188.21:7283

Attributes

auth_value
0095203c91b01efccf3842dc176e53f2

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz7123.exev9318jo.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7123.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v9318jo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7123.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7123.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7123.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v9318jo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v9318jo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v9318jo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v9318jo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v9318jo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7123.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7123.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4796-209-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-210-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-212-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-214-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-216-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-218-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-220-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-224-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-222-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-226-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-228-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-230-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-232-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-234-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-236-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-238-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-240-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-242-0x0000000004E80000-0x0000000004EBE000-memory.dmp	family_redline
behavioral1/memory/4796-262-0x0000000004FC0000-0x0000000004FD0000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legenda.exey98FF92.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y98FF92.exe

Executes dropped EXE 11 IoCs

Processes:

zap1256.exezap6412.exezap1289.exetz7123.exev9318jo.exew01rk74.exexfrfA54.exey98FF92.exelegenda.exeAlCapone99.exelegenda.exe

pid	process
2352	zap1256.exe
1504	zap6412.exe
2844	zap1289.exe
1196	tz7123.exe
1096	v9318jo.exe
4796	w01rk74.exe
2908	xfrfA54.exe
2336	y98FF92.exe
1516	legenda.exe
4236	AlCapone99.exe
1412	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2156 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2156	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz7123.exev9318jo.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7123.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v9318jo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v9318jo.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exezap1256.exezap6412.exezap1289.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1256.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6412.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap6412.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1289.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1289.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

AlCapone99.exe

description pid process target process

PID 4236 set thread context of 2672 4236 AlCapone99.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3140 1096 WerFault.exe v9318jo.exe
448 4796 WerFault.exe w01rk74.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2428 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

tz7123.exev9318jo.exew01rk74.exexfrfA54.exeAppLaunch.exe

pid process

1196 tz7123.exe
1196 tz7123.exe
1096 v9318jo.exe
1096 v9318jo.exe
4796 w01rk74.exe
4796 w01rk74.exe
2908 xfrfA54.exe
2908 xfrfA54.exe
2672 AppLaunch.exe

description	pid	process	target process
PID 4236 set thread context of 2672	4236	AlCapone99.exe	AppLaunch.exe

pid	pid_target	process	target process
3140	1096	WerFault.exe	v9318jo.exe
448	4796	WerFault.exe	w01rk74.exe

pid	process
2428	schtasks.exe

pid	process
1196	tz7123.exe
1196	tz7123.exe
1096	v9318jo.exe
1096	v9318jo.exe
4796	w01rk74.exe
4796	w01rk74.exe
2908	xfrfA54.exe
2908	xfrfA54.exe
2672	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz7123.exev9318jo.exew01rk74.exexfrfA54.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1196	tz7123.exe
Token: SeDebugPrivilege	1096	v9318jo.exe
Token: SeDebugPrivilege	4796	w01rk74.exe
Token: SeDebugPrivilege	2908	xfrfA54.exe
Token: SeDebugPrivilege	2672	AppLaunch.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exezap1256.exezap6412.exezap1289.exey98FF92.exelegenda.execmd.exeAlCapone99.exe

description	pid	process	target process
PID 864 wrote to memory of 2352	864	9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe	zap1256.exe
PID 864 wrote to memory of 2352	864	9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe	zap1256.exe
PID 864 wrote to memory of 2352	864	9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe	zap1256.exe
PID 2352 wrote to memory of 1504	2352	zap1256.exe	zap6412.exe
PID 2352 wrote to memory of 1504	2352	zap1256.exe	zap6412.exe
PID 2352 wrote to memory of 1504	2352	zap1256.exe	zap6412.exe
PID 1504 wrote to memory of 2844	1504	zap6412.exe	zap1289.exe
PID 1504 wrote to memory of 2844	1504	zap6412.exe	zap1289.exe
PID 1504 wrote to memory of 2844	1504	zap6412.exe	zap1289.exe
PID 2844 wrote to memory of 1196	2844	zap1289.exe	tz7123.exe
PID 2844 wrote to memory of 1196	2844	zap1289.exe	tz7123.exe
PID 2844 wrote to memory of 1096	2844	zap1289.exe	v9318jo.exe
PID 2844 wrote to memory of 1096	2844	zap1289.exe	v9318jo.exe
PID 2844 wrote to memory of 1096	2844	zap1289.exe	v9318jo.exe
PID 1504 wrote to memory of 4796	1504	zap6412.exe	w01rk74.exe
PID 1504 wrote to memory of 4796	1504	zap6412.exe	w01rk74.exe
PID 1504 wrote to memory of 4796	1504	zap6412.exe	w01rk74.exe
PID 2352 wrote to memory of 2908	2352	zap1256.exe	xfrfA54.exe
PID 2352 wrote to memory of 2908	2352	zap1256.exe	xfrfA54.exe
PID 2352 wrote to memory of 2908	2352	zap1256.exe	xfrfA54.exe
PID 864 wrote to memory of 2336	864	9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe	y98FF92.exe
PID 864 wrote to memory of 2336	864	9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe	y98FF92.exe
PID 864 wrote to memory of 2336	864	9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe	y98FF92.exe
PID 2336 wrote to memory of 1516	2336	y98FF92.exe	legenda.exe
PID 2336 wrote to memory of 1516	2336	y98FF92.exe	legenda.exe
PID 2336 wrote to memory of 1516	2336	y98FF92.exe	legenda.exe
PID 1516 wrote to memory of 2428	1516	legenda.exe	schtasks.exe
PID 1516 wrote to memory of 2428	1516	legenda.exe	schtasks.exe
PID 1516 wrote to memory of 2428	1516	legenda.exe	schtasks.exe
PID 1516 wrote to memory of 2308	1516	legenda.exe	cmd.exe
PID 1516 wrote to memory of 2308	1516	legenda.exe	cmd.exe
PID 1516 wrote to memory of 2308	1516	legenda.exe	cmd.exe
PID 2308 wrote to memory of 2116	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 2116	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 2116	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 32	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 32	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 32	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 3660	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 3660	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 3660	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 1240	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 1240	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 1240	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 3896	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 3896	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 3896	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 3684	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 3684	2308	cmd.exe	cacls.exe
PID 2308 wrote to memory of 3684	2308	cmd.exe	cacls.exe
PID 1516 wrote to memory of 4236	1516	legenda.exe	AlCapone99.exe
PID 1516 wrote to memory of 4236	1516	legenda.exe	AlCapone99.exe
PID 1516 wrote to memory of 4236	1516	legenda.exe	AlCapone99.exe
PID 4236 wrote to memory of 2672	4236	AlCapone99.exe	AppLaunch.exe
PID 4236 wrote to memory of 2672	4236	AlCapone99.exe	AppLaunch.exe
PID 4236 wrote to memory of 2672	4236	AlCapone99.exe	AppLaunch.exe
PID 4236 wrote to memory of 2672	4236	AlCapone99.exe	AppLaunch.exe
PID 4236 wrote to memory of 2672	4236	AlCapone99.exe	AppLaunch.exe
PID 1516 wrote to memory of 2156	1516	legenda.exe	rundll32.exe
PID 1516 wrote to memory of 2156	1516	legenda.exe	rundll32.exe
PID 1516 wrote to memory of 2156	1516	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe
"C:\Users\Admin\AppData\Local\Temp\9d5bf606cb76adbc185218a6d470650546b826a842f41a81c4f573256e4411df.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1256.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1256.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6412.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6412.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1289.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1289.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7123.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7123.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9318jo.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9318jo.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1076
6⤵
- Program crash
PID:3140

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01rk74.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01rk74.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1352
5⤵
- Program crash
PID:448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xfrfA54.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xfrfA54.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98FF92.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98FF92.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:2428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2116

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:32

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1240

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:3896

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\1000079001\AlCapone99.exe
"C:\Users\Admin\AppData\Local\Temp\1000079001\AlCapone99.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1096 -ip 1096
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4796 -ip 4796
1⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000079001\AlCapone99.exe
Filesize
261KB

MD5
3db6d94b8df4916aa7cb0d67f2bba3f6

SHA1
b27b508ce16462268b6a96a727007755fe62c8a1

SHA256
15b31a3a4ab58991a4e7c7e2cc49fdec1002ea907effb2402b949263dcf0a0bd

SHA512
47495567ab11743ec6e16ca61f86904a27383c6feb6c6d45015215679549a7137ca007164bc8ed9e5aa6a26006433327600679c4803ebb98d4c980e92dd0c1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\AlCapone99.exe
Filesize
261KB

MD5
3db6d94b8df4916aa7cb0d67f2bba3f6

SHA1
b27b508ce16462268b6a96a727007755fe62c8a1

SHA256
15b31a3a4ab58991a4e7c7e2cc49fdec1002ea907effb2402b949263dcf0a0bd

SHA512
47495567ab11743ec6e16ca61f86904a27383c6feb6c6d45015215679549a7137ca007164bc8ed9e5aa6a26006433327600679c4803ebb98d4c980e92dd0c1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\AlCapone99.exe
Filesize
261KB

MD5
3db6d94b8df4916aa7cb0d67f2bba3f6

SHA1
b27b508ce16462268b6a96a727007755fe62c8a1

SHA256
15b31a3a4ab58991a4e7c7e2cc49fdec1002ea907effb2402b949263dcf0a0bd

SHA512
47495567ab11743ec6e16ca61f86904a27383c6feb6c6d45015215679549a7137ca007164bc8ed9e5aa6a26006433327600679c4803ebb98d4c980e92dd0c1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98FF92.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98FF92.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1256.exe
Filesize
818KB

MD5
70b6598970b61da3604f830733c515f1

SHA1
f4d148f18864e5a129015e2452a99a0dc96eb901

SHA256
4dd6e41cdb8b4235a5a6700e880113f0d765932881672a2adf57fa80f50ce7ce

SHA512
cc4e693d5a74feed3be57b70c117ebda1cee354ff16fa758c448224be6725cfdf76a9eb896f4a7b1691e7e7ff4b85a7da62504db88e7580a5eac5626a01c2a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1256.exe
Filesize
818KB

MD5
70b6598970b61da3604f830733c515f1

SHA1
f4d148f18864e5a129015e2452a99a0dc96eb901

SHA256
4dd6e41cdb8b4235a5a6700e880113f0d765932881672a2adf57fa80f50ce7ce

SHA512
cc4e693d5a74feed3be57b70c117ebda1cee354ff16fa758c448224be6725cfdf76a9eb896f4a7b1691e7e7ff4b85a7da62504db88e7580a5eac5626a01c2a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xfrfA54.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xfrfA54.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6412.exe
Filesize
676KB

MD5
13320735339fa7d797f7a16afbf03d28

SHA1
f9ae59c78d33d1c473854f1cddefe0a0c0086b11

SHA256
c5e69ec701088ba5b8523919323885199a7c0afde35a59c9411205911c4b0905

SHA512
89b3641b6d9860f3498ba0964ff50da161aad19e721f309680c8085cb6330f94b0eec8c104328fa2b5186780038cc71c5506429aaf7f32c04c0f99d2419a37d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6412.exe
Filesize
676KB

MD5
13320735339fa7d797f7a16afbf03d28

SHA1
f9ae59c78d33d1c473854f1cddefe0a0c0086b11

SHA256
c5e69ec701088ba5b8523919323885199a7c0afde35a59c9411205911c4b0905

SHA512
89b3641b6d9860f3498ba0964ff50da161aad19e721f309680c8085cb6330f94b0eec8c104328fa2b5186780038cc71c5506429aaf7f32c04c0f99d2419a37d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01rk74.exe
Filesize
349KB

MD5
8634c932c1657487780d8b2b72c00538

SHA1
b5d44ef5bd8e8287af6214a1ee5284118eb02854

SHA256
a459a294675637f16d35815f71474a5443d267621c349c3fc9924e7e2daceeca

SHA512
a2c53e6db709b825cf5d86f9893279418c87b43e0eb151aeefd8b15934ffc92bb811727784060ce1afc8cdb6fd7171297c206f539b8f4da2e7b0a431adb2388a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01rk74.exe
Filesize
349KB

MD5
8634c932c1657487780d8b2b72c00538

SHA1
b5d44ef5bd8e8287af6214a1ee5284118eb02854

SHA256
a459a294675637f16d35815f71474a5443d267621c349c3fc9924e7e2daceeca

SHA512
a2c53e6db709b825cf5d86f9893279418c87b43e0eb151aeefd8b15934ffc92bb811727784060ce1afc8cdb6fd7171297c206f539b8f4da2e7b0a431adb2388a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1289.exe
Filesize
334KB

MD5
6334a03afdd299cb86572222ed28da5b

SHA1
58e52f35b971e795aac0ecaf8e8c5d40e2d9737b

SHA256
5d2b2a4c11eadf4a94cda31142fb0a952c33d6e0932022b7bb2ad5a54f6ddc04

SHA512
42325a41b4d5540b69481c85d111543c9a4d62da1c39e5108549d8eae80ad8087480d01296e29c6dbfd362258cc292177505da0fd5a8885b3d8b33885079041f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1289.exe
Filesize
334KB

MD5
6334a03afdd299cb86572222ed28da5b

SHA1
58e52f35b971e795aac0ecaf8e8c5d40e2d9737b

SHA256
5d2b2a4c11eadf4a94cda31142fb0a952c33d6e0932022b7bb2ad5a54f6ddc04

SHA512
42325a41b4d5540b69481c85d111543c9a4d62da1c39e5108549d8eae80ad8087480d01296e29c6dbfd362258cc292177505da0fd5a8885b3d8b33885079041f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7123.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7123.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9318jo.exe
Filesize
290KB

MD5
60d340903c81febe2f3112c0e3a6d9e9

SHA1
4263fbcc45d8778ae5b7020ad7c1fcc76f7ddedd

SHA256
fb37d343f17696c0169dbc04ea94eb85dd65024217a8d8ec886c6ba162c9fe87

SHA512
b2d1ba0f435b06d5d06e14bb969615afb841e6d66daac6d2988d9ce8356c66018e8beb6129303c877300cbb63815e1abfac6264bd75ac3e308cbb79149b6eb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9318jo.exe
Filesize
290KB

MD5
60d340903c81febe2f3112c0e3a6d9e9

SHA1
4263fbcc45d8778ae5b7020ad7c1fcc76f7ddedd

SHA256
fb37d343f17696c0169dbc04ea94eb85dd65024217a8d8ec886c6ba162c9fe87

SHA512
b2d1ba0f435b06d5d06e14bb969615afb841e6d66daac6d2988d9ce8356c66018e8beb6129303c877300cbb63815e1abfac6264bd75ac3e308cbb79149b6eb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1096-168-0x0000000002460000-0x000000000248D000-memory.dmp

Filesize
180KB

Download
memory/1096-182-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-194-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-196-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-198-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-199-0x0000000000400000-0x0000000000830000-memory.dmp

Filesize
4.2MB

Download
memory/1096-201-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1096-200-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1096-202-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1096-204-0x0000000000400000-0x0000000000830000-memory.dmp

Filesize
4.2MB

Download
memory/1096-167-0x0000000004E30000-0x00000000053D4000-memory.dmp

Filesize
5.6MB

Download
memory/1096-190-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-188-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-186-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-184-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-192-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-169-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1096-170-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1096-180-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-178-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-176-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-174-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-172-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-171-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1196-161-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download
memory/2672-1179-0x0000000000570000-0x00000000005A2000-memory.dmp

Filesize
200KB

Download
memory/2672-1180-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/2908-1141-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/2908-1140-0x00000000001B0000-0x00000000001E2000-memory.dmp

Filesize
200KB

Download
memory/4796-222-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-264-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4796-265-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4796-260-0x00000000009D0000-0x0000000000A1B000-memory.dmp

Filesize
300KB

Download
memory/4796-1119-0x0000000005680000-0x0000000005C98000-memory.dmp

Filesize
6.1MB

Download
memory/4796-1120-0x0000000005CA0000-0x0000000005DAA000-memory.dmp

Filesize
1.0MB

Download
memory/4796-1121-0x0000000004F70000-0x0000000004F82000-memory.dmp

Filesize
72KB

Download
memory/4796-1122-0x0000000005DB0000-0x0000000005DEC000-memory.dmp

Filesize
240KB

Download
memory/4796-1123-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4796-1124-0x0000000006070000-0x0000000006102000-memory.dmp

Filesize
584KB

Download
memory/4796-1125-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/4796-1126-0x0000000006830000-0x00000000069F2000-memory.dmp

Filesize
1.8MB

Download
memory/4796-1128-0x0000000006A10000-0x0000000006F3C000-memory.dmp

Filesize
5.2MB

Download
memory/4796-1129-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4796-1130-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4796-1131-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4796-1132-0x00000000072C0000-0x0000000007336000-memory.dmp

Filesize
472KB

Download
memory/4796-1133-0x0000000007350000-0x00000000073A0000-memory.dmp

Filesize
320KB

Download
memory/4796-262-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4796-242-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-240-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-238-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-236-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-234-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-232-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-230-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-228-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-226-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-224-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-220-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-218-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-216-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-214-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-212-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-210-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-209-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4796-1135-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download