amadey | 4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409

Analysis

max time kernel
144s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe
Size

962KB
MD5

d835544a2cbc53a194fcd786f16279cb
SHA1

b23a20ee61cf720b305c886af9487e48d55c1671
SHA256

4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409
SHA512

094d9c88dead8bd5f089b21895bd0f9bd2bc14b13395c80fca8ec62fd29738030518f5725090e67e64e26f89dc203cd92e5e342407b078ad2bc90ea5761e2d22
SSDEEP

12288:/Mrny90i5EhgQe4nT07xMOtBJp2OvlvX2pLadwuCNKFlpcja8NddKPTGzoKfL/98:oyx5Q6MOtXHdQNolmhVf1/98

Score

10^/10

amadey redline 14 gena vint discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

45.12.253.144:40145

Attributes

auth_value
6528d0f243ad9e530a68f2a487521a80

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz2109.exev0357ms.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2109.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2109.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2109.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0357ms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0357ms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0357ms.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2109.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2109.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0357ms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0357ms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2109.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0357ms.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/852-210-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-211-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-213-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-215-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-217-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-219-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-224-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-226-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-228-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-230-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-232-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-234-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-236-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-238-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-240-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-242-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-244-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline
behavioral1/memory/852-246-0x0000000004970000-0x00000000049AE000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y62Ac89.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y62Ac89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 12 IoCs

Processes:

zap4374.exezap0951.exezap7645.exetz2109.exev0357ms.exew33Ln13.exexeESW10.exey62Ac89.exelegenda.exeworld.exelegenda.exelegenda.exe

pid	process
2536	zap4374.exe
2128	zap0951.exe
3704	zap7645.exe
2096	tz2109.exe
2988	v0357ms.exe
852	w33Ln13.exe
2608	xeESW10.exe
1520	y62Ac89.exe
3168	legenda.exe
4064	world.exe
4880	legenda.exe
2240	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4768 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4768	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz2109.exev0357ms.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2109.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0357ms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0357ms.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap7645.exe4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exezap4374.exezap0951.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7645.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7645.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4374.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4374.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap0951.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1036 2988 WerFault.exe v0357ms.exe
736 852 WerFault.exe w33Ln13.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4712 schtasks.exe

pid	pid_target	process	target process
1036	2988	WerFault.exe	v0357ms.exe
736	852	WerFault.exe	w33Ln13.exe

pid	process
4712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz2109.exev0357ms.exew33Ln13.exexeESW10.exeworld.exe

pid	process
2096	tz2109.exe
2096	tz2109.exe
2988	v0357ms.exe
2988	v0357ms.exe
852	w33Ln13.exe
852	w33Ln13.exe
2608	xeESW10.exe
2608	xeESW10.exe
4064	world.exe
4064	world.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz2109.exev0357ms.exew33Ln13.exexeESW10.exeworld.exe

description	pid	process
Token: SeDebugPrivilege	2096	tz2109.exe
Token: SeDebugPrivilege	2988	v0357ms.exe
Token: SeDebugPrivilege	852	w33Ln13.exe
Token: SeDebugPrivilege	2608	xeESW10.exe
Token: SeDebugPrivilege	4064	world.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exezap4374.exezap0951.exezap7645.exey62Ac89.exelegenda.execmd.exe

description	pid	process	target process
PID 1328 wrote to memory of 2536	1328	4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe	zap4374.exe
PID 1328 wrote to memory of 2536	1328	4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe	zap4374.exe
PID 1328 wrote to memory of 2536	1328	4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe	zap4374.exe
PID 2536 wrote to memory of 2128	2536	zap4374.exe	zap0951.exe
PID 2536 wrote to memory of 2128	2536	zap4374.exe	zap0951.exe
PID 2536 wrote to memory of 2128	2536	zap4374.exe	zap0951.exe
PID 2128 wrote to memory of 3704	2128	zap0951.exe	zap7645.exe
PID 2128 wrote to memory of 3704	2128	zap0951.exe	zap7645.exe
PID 2128 wrote to memory of 3704	2128	zap0951.exe	zap7645.exe
PID 3704 wrote to memory of 2096	3704	zap7645.exe	tz2109.exe
PID 3704 wrote to memory of 2096	3704	zap7645.exe	tz2109.exe
PID 3704 wrote to memory of 2988	3704	zap7645.exe	v0357ms.exe
PID 3704 wrote to memory of 2988	3704	zap7645.exe	v0357ms.exe
PID 3704 wrote to memory of 2988	3704	zap7645.exe	v0357ms.exe
PID 2128 wrote to memory of 852	2128	zap0951.exe	w33Ln13.exe
PID 2128 wrote to memory of 852	2128	zap0951.exe	w33Ln13.exe
PID 2128 wrote to memory of 852	2128	zap0951.exe	w33Ln13.exe
PID 2536 wrote to memory of 2608	2536	zap4374.exe	xeESW10.exe
PID 2536 wrote to memory of 2608	2536	zap4374.exe	xeESW10.exe
PID 2536 wrote to memory of 2608	2536	zap4374.exe	xeESW10.exe
PID 1328 wrote to memory of 1520	1328	4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe	y62Ac89.exe
PID 1328 wrote to memory of 1520	1328	4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe	y62Ac89.exe
PID 1328 wrote to memory of 1520	1328	4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe	y62Ac89.exe
PID 1520 wrote to memory of 3168	1520	y62Ac89.exe	legenda.exe
PID 1520 wrote to memory of 3168	1520	y62Ac89.exe	legenda.exe
PID 1520 wrote to memory of 3168	1520	y62Ac89.exe	legenda.exe
PID 3168 wrote to memory of 4712	3168	legenda.exe	schtasks.exe
PID 3168 wrote to memory of 4712	3168	legenda.exe	schtasks.exe
PID 3168 wrote to memory of 4712	3168	legenda.exe	schtasks.exe
PID 3168 wrote to memory of 2292	3168	legenda.exe	cmd.exe
PID 3168 wrote to memory of 2292	3168	legenda.exe	cmd.exe
PID 3168 wrote to memory of 2292	3168	legenda.exe	cmd.exe
PID 2292 wrote to memory of 4696	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 4696	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 4696	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 4548	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 4548	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 4548	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 864	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 864	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 864	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 224	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 224	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 224	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 116	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 116	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 116	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 4444	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 4444	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 4444	2292	cmd.exe	cacls.exe
PID 3168 wrote to memory of 4064	3168	legenda.exe	world.exe
PID 3168 wrote to memory of 4064	3168	legenda.exe	world.exe
PID 3168 wrote to memory of 4064	3168	legenda.exe	world.exe
PID 3168 wrote to memory of 4768	3168	legenda.exe	rundll32.exe
PID 3168 wrote to memory of 4768	3168	legenda.exe	rundll32.exe
PID 3168 wrote to memory of 4768	3168	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe
"C:\Users\Admin\AppData\Local\Temp\4fabe31bf2eb6e0539c92966d9bc561cfec9098933379afb1ea8da24adeb9409.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4374.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4374.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0951.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0951.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7645.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7645.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2109.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2109.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0357ms.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0357ms.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1088
6⤵
- Program crash
PID:1036

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w33Ln13.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w33Ln13.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1340
5⤵
- Program crash
PID:736

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xeESW10.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xeESW10.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y62Ac89.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y62Ac89.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4696

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4548

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:224

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
"C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2988 -ip 2988
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 852 -ip 852
1⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y62Ac89.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y62Ac89.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4374.exe
Filesize
778KB

MD5
a20c4f737d9f3c7533b9fc11265e72bb

SHA1
f1bdccdf1984ea6061eb79dea3c6103d57beac8d

SHA256
fd57040ee1c9d7ba5948b3ae5316b2ee09a83d38728d38f13c303ab507a69347

SHA512
8253cb473dc3d4386f2e0f8b5bb769cfa522c881ebc4d98aec21cce6744f013d3cf6261b40ebe7266b422587167eeb27741ed14bdf38c286e3bb791f97e63d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4374.exe
Filesize
778KB

MD5
a20c4f737d9f3c7533b9fc11265e72bb

SHA1
f1bdccdf1984ea6061eb79dea3c6103d57beac8d

SHA256
fd57040ee1c9d7ba5948b3ae5316b2ee09a83d38728d38f13c303ab507a69347

SHA512
8253cb473dc3d4386f2e0f8b5bb769cfa522c881ebc4d98aec21cce6744f013d3cf6261b40ebe7266b422587167eeb27741ed14bdf38c286e3bb791f97e63d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xeESW10.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xeESW10.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0951.exe
Filesize
636KB

MD5
2979908b7c258277e779ec9178cc2e0e

SHA1
9c2095ca262c12061d74abe5e1c726b201ab4d2e

SHA256
dde657ceb0a11184dbe36f74ff9a1898c5b11893a211bfb8648234a407e01693

SHA512
d4f56fedf9ed3adaf5ec83ac1927512d571419906bab02a7de9fc4797bb234b883918212e6b517f576c197d9c0816b5eed00b7d059766027fdf8bd27284c10e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0951.exe
Filesize
636KB

MD5
2979908b7c258277e779ec9178cc2e0e

SHA1
9c2095ca262c12061d74abe5e1c726b201ab4d2e

SHA256
dde657ceb0a11184dbe36f74ff9a1898c5b11893a211bfb8648234a407e01693

SHA512
d4f56fedf9ed3adaf5ec83ac1927512d571419906bab02a7de9fc4797bb234b883918212e6b517f576c197d9c0816b5eed00b7d059766027fdf8bd27284c10e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w33Ln13.exe
Filesize
290KB

MD5
45861deb739a903d3f432935d5b82c1c

SHA1
37b044fac689629fe06c308c214c712c4870d862

SHA256
87d04e0fcbaaee6ff67b6637ad1b5ca17f03f9c442957e1ecaa1a550c5214966

SHA512
ab72ab9ee741593a9c37b269c3b9ff64d65e02408281a6d852ec8a6eb291278a61849638721eb013b0fe89133f85547871c6d606800418eea5bad6f171aaa79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w33Ln13.exe
Filesize
290KB

MD5
45861deb739a903d3f432935d5b82c1c

SHA1
37b044fac689629fe06c308c214c712c4870d862

SHA256
87d04e0fcbaaee6ff67b6637ad1b5ca17f03f9c442957e1ecaa1a550c5214966

SHA512
ab72ab9ee741593a9c37b269c3b9ff64d65e02408281a6d852ec8a6eb291278a61849638721eb013b0fe89133f85547871c6d606800418eea5bad6f171aaa79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7645.exe
Filesize
315KB

MD5
77cbd51c0e256346ffb826bc58f754dd

SHA1
d79d631bbc87b5cb5d086c314247d3db77201751

SHA256
ad52171deb82297835187ab2d132ad6bfb73c4675aafa84ebb09b24536510c83

SHA512
657bbd18886184853fd863994b09781f3b41058c4735040054c7f77ae77185ef9f9eb42bc3b607ac41f85c260cc7e1b6204a9a2f53c4287f277a5b45b1a132ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7645.exe
Filesize
315KB

MD5
77cbd51c0e256346ffb826bc58f754dd

SHA1
d79d631bbc87b5cb5d086c314247d3db77201751

SHA256
ad52171deb82297835187ab2d132ad6bfb73c4675aafa84ebb09b24536510c83

SHA512
657bbd18886184853fd863994b09781f3b41058c4735040054c7f77ae77185ef9f9eb42bc3b607ac41f85c260cc7e1b6204a9a2f53c4287f277a5b45b1a132ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2109.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2109.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0357ms.exe
Filesize
232KB

MD5
f90edbc89b9ab15e9614d55ce6360f9b

SHA1
703253d5782b85aeda593732acfbf2e391c894c2

SHA256
4dc2589012c14da8c142cff48857e73e2376702fec0a1ac97e3c27ef3febac63

SHA512
e941ec415a9d01efc2dc3a82b7043761cfd6162e1c8187e67370f9d5c3c7f674613f8e85bc78195bec5397ff5ba8d2bf6e6cf568d8562b6bbf6d9f9f45742cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0357ms.exe
Filesize
232KB

MD5
f90edbc89b9ab15e9614d55ce6360f9b

SHA1
703253d5782b85aeda593732acfbf2e391c894c2

SHA256
4dc2589012c14da8c142cff48857e73e2376702fec0a1ac97e3c27ef3febac63

SHA512
e941ec415a9d01efc2dc3a82b7043761cfd6162e1c8187e67370f9d5c3c7f674613f8e85bc78195bec5397ff5ba8d2bf6e6cf568d8562b6bbf6d9f9f45742cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/852-1130-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/852-1121-0x00000000059F0000-0x0000000005A02000-memory.dmp

Filesize
72KB

Download
memory/852-1135-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/852-1133-0x0000000006D90000-0x0000000006DE0000-memory.dmp

Filesize
320KB

Download
memory/852-1132-0x0000000006D10000-0x0000000006D86000-memory.dmp

Filesize
472KB

Download
memory/852-1131-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/852-1129-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/852-1128-0x00000000066A0000-0x0000000006BCC000-memory.dmp

Filesize
5.2MB

Download
memory/852-1127-0x00000000064C0000-0x0000000006682000-memory.dmp

Filesize
1.8MB

Download
memory/852-1125-0x00000000063C0000-0x0000000006452000-memory.dmp

Filesize
584KB

Download
memory/852-210-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-211-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-213-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-215-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-217-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-220-0x0000000000610000-0x000000000065B000-memory.dmp

Filesize
300KB

Download
memory/852-219-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-221-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/852-224-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-223-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/852-226-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-228-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-230-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-232-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-234-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-236-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-238-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-240-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-242-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-244-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-246-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/852-1119-0x0000000005210000-0x0000000005828000-memory.dmp

Filesize
6.1MB

Download
memory/852-1120-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/852-1124-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/852-1122-0x0000000005A10000-0x0000000005A4C000-memory.dmp

Filesize
240KB

Download
memory/852-1123-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/2096-161-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/2608-1140-0x0000000000F30000-0x0000000000F62000-memory.dmp

Filesize
200KB

Download
memory/2608-1141-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/2988-185-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-181-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-191-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-202-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2988-201-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2988-200-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2988-199-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-189-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-187-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-205-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2988-195-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-197-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-183-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-203-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2988-179-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-177-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-175-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-173-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-172-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-193-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/2988-167-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/2988-169-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2988-170-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2988-171-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2988-168-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/4064-1175-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4064-1174-0x00000000002F0000-0x000000000034A000-memory.dmp

Filesize
360KB

Download