amadey | 29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117

Analysis

max time kernel
141s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2023 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe
Size

960KB
MD5

973d6bd3e5ecc2ded165ee0857c4bb4e
SHA1

a64f51bf2fa87ca1649c68f7b8f51580337b1600
SHA256

29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117
SHA512

6de356e61be977a10a340f5e638063c03afb3bf8c55c8bab152b7d27d08c55e762fd0e5c479b2c01acbb643efa303daed0b8a62014dcaa996f3b2a955c4b13d6
SSDEEP

24576:FyvxDwHXpTkyGR3pUo9nBAvYzFQ81v5I+Om9vos1rS53Nw9o:gvdiPE5UOnBAAq8TdHvZ1rk3N

Score

10^/10

amadey redline gena vint discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v3992ac.exetz5561.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3992ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz5561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz5561.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3992ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3992ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3992ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3992ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz5561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz5561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz5561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz5561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3992ac.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1012-210-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-211-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-214-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-217-0x00000000023A0000-0x00000000023B0000-memory.dmp	family_redline
behavioral1/memory/1012-223-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-221-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-218-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-225-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-227-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-229-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-231-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-233-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-235-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-237-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-239-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-241-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-243-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-245-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline
behavioral1/memory/1012-247-0x0000000002440000-0x000000000247E000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legenda.exebuil.exey03Yc45.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	buil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y03Yc45.exe

Executes dropped EXE 12 IoCs

Processes:

zap9950.exezap9596.exezap3993.exetz5561.exev3992ac.exew99nQ79.exexiGnN57.exey03Yc45.exelegenda.exebuil.exelegenda.exelegenda.exe

pid	process
4980	zap9950.exe
4964	zap9596.exe
4288	zap3993.exe
3612	tz5561.exe
3160	v3992ac.exe
1012	w99nQ79.exe
3376	xiGnN57.exe
3768	y03Yc45.exe
2356	legenda.exe
464	buil.exe
3608	legenda.exe
1668	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1904 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1904	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v3992ac.exetz5561.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3992ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3992ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz5561.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exezap9950.exezap9596.exezap3993.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9950.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9596.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap9596.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3993.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3993.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

65 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4428 3160 WerFault.exe v3992ac.exe
980 1012 WerFault.exe w99nQ79.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4792 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

208 PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz5561.exev3992ac.exew99nQ79.exexiGnN57.exe

pid process

3612 tz5561.exe
3612 tz5561.exe
3160 v3992ac.exe
3160 v3992ac.exe
1012 w99nQ79.exe
1012 w99nQ79.exe
3376 xiGnN57.exe
3376 xiGnN57.exe

flow	ioc
65	ip-api.com

pid	pid_target	process	target process
4428	3160	WerFault.exe	v3992ac.exe
980	1012	WerFault.exe	w99nQ79.exe

pid	process
4792	schtasks.exe

pid	process
208	PING.EXE

pid	process
3612	tz5561.exe
3612	tz5561.exe
3160	v3992ac.exe
3160	v3992ac.exe
1012	w99nQ79.exe
1012	w99nQ79.exe
3376	xiGnN57.exe
3376	xiGnN57.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz5561.exev3992ac.exew99nQ79.exexiGnN57.exebuil.exe

description	pid	process
Token: SeDebugPrivilege	3612	tz5561.exe
Token: SeDebugPrivilege	3160	v3992ac.exe
Token: SeDebugPrivilege	1012	w99nQ79.exe
Token: SeDebugPrivilege	3376	xiGnN57.exe
Token: SeDebugPrivilege	464	buil.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exezap9950.exezap9596.exezap3993.exey03Yc45.exelegenda.execmd.exebuil.execmd.exe

description	pid	process	target process
PID 2236 wrote to memory of 4980	2236	29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe	zap9950.exe
PID 2236 wrote to memory of 4980	2236	29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe	zap9950.exe
PID 2236 wrote to memory of 4980	2236	29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe	zap9950.exe
PID 4980 wrote to memory of 4964	4980	zap9950.exe	zap9596.exe
PID 4980 wrote to memory of 4964	4980	zap9950.exe	zap9596.exe
PID 4980 wrote to memory of 4964	4980	zap9950.exe	zap9596.exe
PID 4964 wrote to memory of 4288	4964	zap9596.exe	zap3993.exe
PID 4964 wrote to memory of 4288	4964	zap9596.exe	zap3993.exe
PID 4964 wrote to memory of 4288	4964	zap9596.exe	zap3993.exe
PID 4288 wrote to memory of 3612	4288	zap3993.exe	tz5561.exe
PID 4288 wrote to memory of 3612	4288	zap3993.exe	tz5561.exe
PID 4288 wrote to memory of 3160	4288	zap3993.exe	v3992ac.exe
PID 4288 wrote to memory of 3160	4288	zap3993.exe	v3992ac.exe
PID 4288 wrote to memory of 3160	4288	zap3993.exe	v3992ac.exe
PID 4964 wrote to memory of 1012	4964	zap9596.exe	w99nQ79.exe
PID 4964 wrote to memory of 1012	4964	zap9596.exe	w99nQ79.exe
PID 4964 wrote to memory of 1012	4964	zap9596.exe	w99nQ79.exe
PID 4980 wrote to memory of 3376	4980	zap9950.exe	xiGnN57.exe
PID 4980 wrote to memory of 3376	4980	zap9950.exe	xiGnN57.exe
PID 4980 wrote to memory of 3376	4980	zap9950.exe	xiGnN57.exe
PID 2236 wrote to memory of 3768	2236	29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe	y03Yc45.exe
PID 2236 wrote to memory of 3768	2236	29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe	y03Yc45.exe
PID 2236 wrote to memory of 3768	2236	29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe	y03Yc45.exe
PID 3768 wrote to memory of 2356	3768	y03Yc45.exe	legenda.exe
PID 3768 wrote to memory of 2356	3768	y03Yc45.exe	legenda.exe
PID 3768 wrote to memory of 2356	3768	y03Yc45.exe	legenda.exe
PID 2356 wrote to memory of 4792	2356	legenda.exe	schtasks.exe
PID 2356 wrote to memory of 4792	2356	legenda.exe	schtasks.exe
PID 2356 wrote to memory of 4792	2356	legenda.exe	schtasks.exe
PID 2356 wrote to memory of 2664	2356	legenda.exe	cmd.exe
PID 2356 wrote to memory of 2664	2356	legenda.exe	cmd.exe
PID 2356 wrote to memory of 2664	2356	legenda.exe	cmd.exe
PID 2664 wrote to memory of 4696	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 4696	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 4696	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 2364	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 2364	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 2364	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 1072	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 1072	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 1072	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 4928	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 4928	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 4928	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 4528	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 4528	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 4528	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 1968	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 1968	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 1968	2664	cmd.exe	cacls.exe
PID 2356 wrote to memory of 464	2356	legenda.exe	buil.exe
PID 2356 wrote to memory of 464	2356	legenda.exe	buil.exe
PID 464 wrote to memory of 2100	464	buil.exe	cmd.exe
PID 464 wrote to memory of 2100	464	buil.exe	cmd.exe
PID 2100 wrote to memory of 224	2100	cmd.exe	chcp.com
PID 2100 wrote to memory of 224	2100	cmd.exe	chcp.com
PID 2100 wrote to memory of 208	2100	cmd.exe	PING.EXE
PID 2100 wrote to memory of 208	2100	cmd.exe	PING.EXE
PID 2356 wrote to memory of 1904	2356	legenda.exe	rundll32.exe
PID 2356 wrote to memory of 1904	2356	legenda.exe	rundll32.exe
PID 2356 wrote to memory of 1904	2356	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe
"C:\Users\Admin\AppData\Local\Temp\29522d1ce57a8d854452100a8ac5772a90ee0a46772b7a077f94ec2672976117.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9950.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9950.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9596.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9596.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3993.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3993.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5561.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5561.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3992ac.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3992ac.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1084
6⤵
- Program crash
PID:4428

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99nQ79.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99nQ79.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 2040
5⤵
- Program crash
PID:980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xiGnN57.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xiGnN57.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y03Yc45.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y03Yc45.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4696

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:2364

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4928

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4528

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe
"C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:224

C:\Windows\system32\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:208

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3160 -ip 3160
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1012 -ip 1012
1⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe
Filesize
32KB

MD5
495ce8bc963f4b0d156e4b7e5ed97ed4

SHA1
2a2f72bbb5f111e0c8dd9038ea213dca3783e266

SHA256
66e254d86a825aaba511f1d0b75ceb4520fa38d518b305a770a03fdb17dc1243

SHA512
5ad2ea5696ffecf3318c5c2233da79fc0b849ac92a1550adda04f915196f831292f39058f38fd636b5615d93bbe6eedb489b0ef96bd7199c8a6ab1605e13e244

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe
Filesize
32KB

MD5
495ce8bc963f4b0d156e4b7e5ed97ed4

SHA1
2a2f72bbb5f111e0c8dd9038ea213dca3783e266

SHA256
66e254d86a825aaba511f1d0b75ceb4520fa38d518b305a770a03fdb17dc1243

SHA512
5ad2ea5696ffecf3318c5c2233da79fc0b849ac92a1550adda04f915196f831292f39058f38fd636b5615d93bbe6eedb489b0ef96bd7199c8a6ab1605e13e244

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe
Filesize
32KB

MD5
495ce8bc963f4b0d156e4b7e5ed97ed4

SHA1
2a2f72bbb5f111e0c8dd9038ea213dca3783e266

SHA256
66e254d86a825aaba511f1d0b75ceb4520fa38d518b305a770a03fdb17dc1243

SHA512
5ad2ea5696ffecf3318c5c2233da79fc0b849ac92a1550adda04f915196f831292f39058f38fd636b5615d93bbe6eedb489b0ef96bd7199c8a6ab1605e13e244

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y03Yc45.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y03Yc45.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9950.exe
Filesize
776KB

MD5
29ebbd6f75b7f3a2c0227aa30ec530c7

SHA1
0c3526f8605703e61ec1bc54a3df2ddb594d2971

SHA256
2ff453b9c1dc1bf6f090ac34d343a65811190116ebf955d018e708f71d80c437

SHA512
b35da2a8f43e59f616c5f79e2465ba999f389f447a573219e44e96ec8b8bf755736c3d5ab1d50cbfdf01006d874d64040700d55d31011e602cb819d27c860ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9950.exe
Filesize
776KB

MD5
29ebbd6f75b7f3a2c0227aa30ec530c7

SHA1
0c3526f8605703e61ec1bc54a3df2ddb594d2971

SHA256
2ff453b9c1dc1bf6f090ac34d343a65811190116ebf955d018e708f71d80c437

SHA512
b35da2a8f43e59f616c5f79e2465ba999f389f447a573219e44e96ec8b8bf755736c3d5ab1d50cbfdf01006d874d64040700d55d31011e602cb819d27c860ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xiGnN57.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xiGnN57.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9596.exe
Filesize
634KB

MD5
a40877d49263e47ca31b576aaa38ce42

SHA1
a1be4e3761124400cf73ce32998bb76ef0e5878f

SHA256
18a80cc71f7fb49bd1c1816e92a98a38028f3ec26fe9442defbe25d89ea34498

SHA512
7943e945bd9b34dbb45b276bcb3dbcdeac52a26951c2f17b08fd40b92a36086b30e308debe81bb37a224740763475afbf91e251049ef7a7405183623438369f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9596.exe
Filesize
634KB

MD5
a40877d49263e47ca31b576aaa38ce42

SHA1
a1be4e3761124400cf73ce32998bb76ef0e5878f

SHA256
18a80cc71f7fb49bd1c1816e92a98a38028f3ec26fe9442defbe25d89ea34498

SHA512
7943e945bd9b34dbb45b276bcb3dbcdeac52a26951c2f17b08fd40b92a36086b30e308debe81bb37a224740763475afbf91e251049ef7a7405183623438369f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99nQ79.exe
Filesize
288KB

MD5
5da2368dbce45a781b79db60845b21b3

SHA1
1c79b07c450dbf714e824677f082e3e1b01577c0

SHA256
ebe02b22ef66c54299e1ec17f5dadbd95bc93287b487e8206d5a7219a75e14bf

SHA512
3c92d35e221d7db5a26f1087e4a0cba198039b0358206c16ca74d95432abe21a9acdcfef5b401c33e014b6ff3664f2b0478e738e3be4d9f69d3b26d819bf284e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99nQ79.exe
Filesize
288KB

MD5
5da2368dbce45a781b79db60845b21b3

SHA1
1c79b07c450dbf714e824677f082e3e1b01577c0

SHA256
ebe02b22ef66c54299e1ec17f5dadbd95bc93287b487e8206d5a7219a75e14bf

SHA512
3c92d35e221d7db5a26f1087e4a0cba198039b0358206c16ca74d95432abe21a9acdcfef5b401c33e014b6ff3664f2b0478e738e3be4d9f69d3b26d819bf284e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3993.exe
Filesize
314KB

MD5
238187c5ef93f131e246da0f4162e7f3

SHA1
de6285b25d00cf48d3240e0c845ff48e1b743712

SHA256
922be56ab07521894ef74c89740d49e37bf9c606dcae700d9eb253399a324bf9

SHA512
c4585081650ce89452761d8d09a380b488dfb0f89b11a38c026abcb5dfe525bf68104ca79787e9e42b7d271689bc485621b861cbceacfc5e777779f6f82d94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3993.exe
Filesize
314KB

MD5
238187c5ef93f131e246da0f4162e7f3

SHA1
de6285b25d00cf48d3240e0c845ff48e1b743712

SHA256
922be56ab07521894ef74c89740d49e37bf9c606dcae700d9eb253399a324bf9

SHA512
c4585081650ce89452761d8d09a380b488dfb0f89b11a38c026abcb5dfe525bf68104ca79787e9e42b7d271689bc485621b861cbceacfc5e777779f6f82d94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5561.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5561.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3992ac.exe
Filesize
230KB

MD5
dfb5e307f3eada8a0f7f4efd44faa19d

SHA1
e2e6e8b9abc8fc5c84ba278db5b0fb48ed5e2d4f

SHA256
ea34510993a3149feb9dac9cc65c6e05b6b670926d62cb525a6a5c4c844a6efc

SHA512
598a767031ec4132fcb539d3309f7f4b8abccbc581bb11c088f7cd76c8ec140f30860b5fd0cd0f3f21502adea8a69299d6d7d8dde9774a8a034e7ee000c337b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3992ac.exe
Filesize
230KB

MD5
dfb5e307f3eada8a0f7f4efd44faa19d

SHA1
e2e6e8b9abc8fc5c84ba278db5b0fb48ed5e2d4f

SHA256
ea34510993a3149feb9dac9cc65c6e05b6b670926d62cb525a6a5c4c844a6efc

SHA512
598a767031ec4132fcb539d3309f7f4b8abccbc581bb11c088f7cd76c8ec140f30860b5fd0cd0f3f21502adea8a69299d6d7d8dde9774a8a034e7ee000c337b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/464-1175-0x0000010D1CD60000-0x0000010D1CDB0000-memory.dmp

Filesize
320KB

Download
memory/464-1176-0x0000010D01DC0000-0x0000010D01DD0000-memory.dmp

Filesize
64KB

Download
memory/464-1174-0x0000010D01A50000-0x0000010D01A5E000-memory.dmp

Filesize
56KB

Download
memory/1012-1130-0x00000000065D0000-0x0000000006646000-memory.dmp

Filesize
472KB

Download
memory/1012-1122-0x00000000058B0000-0x00000000058C2000-memory.dmp

Filesize
72KB

Download
memory/1012-1134-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/1012-1133-0x0000000006880000-0x0000000006DAC000-memory.dmp

Filesize
5.2MB

Download
memory/1012-1132-0x00000000066B0000-0x0000000006872000-memory.dmp

Filesize
1.8MB

Download
memory/1012-1131-0x0000000006650000-0x00000000066A0000-memory.dmp

Filesize
320KB

Download
memory/1012-1129-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/1012-210-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-211-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-213-0x00000000004D0000-0x000000000051B000-memory.dmp

Filesize
300KB

Download
memory/1012-214-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-215-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/1012-217-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/1012-219-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/1012-223-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-221-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-218-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-225-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-227-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-229-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-231-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-233-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-235-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-237-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-239-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-241-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-243-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-245-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-247-0x0000000002440000-0x000000000247E000-memory.dmp

Filesize
248KB

Download
memory/1012-1120-0x00000000050D0000-0x00000000056E8000-memory.dmp

Filesize
6.1MB

Download
memory/1012-1121-0x0000000005770000-0x000000000587A000-memory.dmp

Filesize
1.0MB

Download
memory/1012-1128-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/1012-1123-0x00000000058D0000-0x000000000590C000-memory.dmp

Filesize
240KB

Download
memory/1012-1124-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/1012-1125-0x0000000005BC0000-0x0000000005C52000-memory.dmp

Filesize
584KB

Download
memory/1012-1126-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/3160-187-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-168-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/3160-198-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/3160-200-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3160-205-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3160-204-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/3160-203-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/3160-197-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-195-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-191-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-167-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/3160-193-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-189-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-199-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/3160-179-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-185-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-183-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-181-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-201-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/3160-177-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-175-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-173-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-171-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-170-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/3160-169-0x0000000004A70000-0x0000000005014000-memory.dmp

Filesize
5.6MB

Download
memory/3376-1141-0x0000000005B70000-0x0000000005B80000-memory.dmp

Filesize
64KB

Download
memory/3376-1140-0x0000000000F80000-0x0000000000FB2000-memory.dmp

Filesize
200KB

Download
memory/3612-161-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download