amadey | 4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48

Analysis

max time kernel
138s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe
Size

1.0MB
MD5

1cbea0a9fa6ebf22b51e43f512443c2d
SHA1

8203104eba330ce465e127c5e683b06392fda3fd
SHA256

4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48
SHA512

d97156efb68eed64032b6ef34e623c554ac5c19558277d4209805950d285356e3f8badc4e5d47a1eca6f04dfd36245c8cc1f96b0ebf6aca5dd9db1274260598c
SSDEEP

12288:8Mr6y90gpXZ9u1OnjifOTHtJNwq9XUmK9bTuxfO929wgovZGQjayMbLR6O8jqYM:Gyv9ZE1OnjifctZ9XmbTY294ZaDWbLd

Score

10^/10

amadey aurora redline bolt down discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

bolt

193.233.20.31:4125

Attributes

auth_value
29540c7bf0277243e2faf6601e15a754

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz9645.exev8202eH.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz9645.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz9645.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9645.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v8202eH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8202eH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8202eH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8202eH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz9645.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8202eH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9645.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8202eH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz9645.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3112-207-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-210-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-208-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-212-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-214-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-216-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-218-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-220-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-222-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-224-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-226-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-228-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-230-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-232-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-234-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-236-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-238-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-240-0x0000000002710000-0x000000000274E000-memory.dmp	family_redline
behavioral1/memory/3112-434-0x0000000004F70000-0x0000000004F80000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y14Us67.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y14Us67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 12 IoCs

Processes:

zap3408.exezap3889.exezap3551.exetz9645.exev8202eH.exew41Zw60.exexLfVl23.exey14Us67.exelegenda.exe1.exelegenda.exelegenda.exe

pid	process
1768	zap3408.exe
1508	zap3889.exe
1088	zap3551.exe
312	tz9645.exe
2704	v8202eH.exe
3112	w41Zw60.exe
648	xLfVl23.exe
3016	y14Us67.exe
1124	legenda.exe
4296	1.exe
1964	legenda.exe
2540	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3448 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3448	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v8202eH.exetz9645.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8202eH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9645.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8202eH.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap3408.exezap3889.exezap3551.exe4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3408.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap3408.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3889.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3889.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3551.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3551.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1568 2704 WerFault.exe v8202eH.exe
2120 3112 WerFault.exe w41Zw60.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3332 schtasks.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4956 systeminfo.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz9645.exev8202eH.exew41Zw60.exexLfVl23.exe

pid process

312 tz9645.exe
312 tz9645.exe
2704 v8202eH.exe
2704 v8202eH.exe
3112 w41Zw60.exe
3112 w41Zw60.exe
648 xLfVl23.exe
648 xLfVl23.exe

pid	pid_target	process	target process
1568	2704	WerFault.exe	v8202eH.exe
2120	3112	WerFault.exe	w41Zw60.exe

pid	process
3332	schtasks.exe

pid	process
4956	systeminfo.exe

pid	process
312	tz9645.exe
312	tz9645.exe
2704	v8202eH.exe
2704	v8202eH.exe
3112	w41Zw60.exe
3112	w41Zw60.exe
648	xLfVl23.exe
648	xLfVl23.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz9645.exev8202eH.exew41Zw60.exexLfVl23.exeWMIC.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	312	tz9645.exe
Token: SeDebugPrivilege	2704	v8202eH.exe
Token: SeDebugPrivilege	3112	w41Zw60.exe
Token: SeDebugPrivilege	648	xLfVl23.exe
Token: SeIncreaseQuotaPrivilege	4632	WMIC.exe
Token: SeSecurityPrivilege	4632	WMIC.exe
Token: SeTakeOwnershipPrivilege	4632	WMIC.exe
Token: SeLoadDriverPrivilege	4632	WMIC.exe
Token: SeSystemProfilePrivilege	4632	WMIC.exe
Token: SeSystemtimePrivilege	4632	WMIC.exe
Token: SeProfSingleProcessPrivilege	4632	WMIC.exe
Token: SeIncBasePriorityPrivilege	4632	WMIC.exe
Token: SeCreatePagefilePrivilege	4632	WMIC.exe
Token: SeBackupPrivilege	4632	WMIC.exe
Token: SeRestorePrivilege	4632	WMIC.exe
Token: SeShutdownPrivilege	4632	WMIC.exe
Token: SeDebugPrivilege	4632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4632	WMIC.exe
Token: SeRemoteShutdownPrivilege	4632	WMIC.exe
Token: SeUndockPrivilege	4632	WMIC.exe
Token: SeManageVolumePrivilege	4632	WMIC.exe
Token: 33	4632	WMIC.exe
Token: 34	4632	WMIC.exe
Token: 35	4632	WMIC.exe
Token: 36	4632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4632	WMIC.exe
Token: SeSecurityPrivilege	4632	WMIC.exe
Token: SeTakeOwnershipPrivilege	4632	WMIC.exe
Token: SeLoadDriverPrivilege	4632	WMIC.exe
Token: SeSystemProfilePrivilege	4632	WMIC.exe
Token: SeSystemtimePrivilege	4632	WMIC.exe
Token: SeProfSingleProcessPrivilege	4632	WMIC.exe
Token: SeIncBasePriorityPrivilege	4632	WMIC.exe
Token: SeCreatePagefilePrivilege	4632	WMIC.exe
Token: SeBackupPrivilege	4632	WMIC.exe
Token: SeRestorePrivilege	4632	WMIC.exe
Token: SeShutdownPrivilege	4632	WMIC.exe
Token: SeDebugPrivilege	4632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4632	WMIC.exe
Token: SeRemoteShutdownPrivilege	4632	WMIC.exe
Token: SeUndockPrivilege	4632	WMIC.exe
Token: SeManageVolumePrivilege	4632	WMIC.exe
Token: 33	4632	WMIC.exe
Token: 34	4632	WMIC.exe
Token: 35	4632	WMIC.exe
Token: 36	4632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2000	wmic.exe
Token: SeSecurityPrivilege	2000	wmic.exe
Token: SeTakeOwnershipPrivilege	2000	wmic.exe
Token: SeLoadDriverPrivilege	2000	wmic.exe
Token: SeSystemProfilePrivilege	2000	wmic.exe
Token: SeSystemtimePrivilege	2000	wmic.exe
Token: SeProfSingleProcessPrivilege	2000	wmic.exe
Token: SeIncBasePriorityPrivilege	2000	wmic.exe
Token: SeCreatePagefilePrivilege	2000	wmic.exe
Token: SeBackupPrivilege	2000	wmic.exe
Token: SeRestorePrivilege	2000	wmic.exe
Token: SeShutdownPrivilege	2000	wmic.exe
Token: SeDebugPrivilege	2000	wmic.exe
Token: SeSystemEnvironmentPrivilege	2000	wmic.exe
Token: SeRemoteShutdownPrivilege	2000	wmic.exe
Token: SeUndockPrivilege	2000	wmic.exe
Token: SeManageVolumePrivilege	2000	wmic.exe
Token: 33	2000	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exezap3408.exezap3889.exezap3551.exey14Us67.exelegenda.execmd.exe1.execmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 1768	1996	4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe	zap3408.exe
PID 1996 wrote to memory of 1768	1996	4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe	zap3408.exe
PID 1996 wrote to memory of 1768	1996	4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe	zap3408.exe
PID 1768 wrote to memory of 1508	1768	zap3408.exe	zap3889.exe
PID 1768 wrote to memory of 1508	1768	zap3408.exe	zap3889.exe
PID 1768 wrote to memory of 1508	1768	zap3408.exe	zap3889.exe
PID 1508 wrote to memory of 1088	1508	zap3889.exe	zap3551.exe
PID 1508 wrote to memory of 1088	1508	zap3889.exe	zap3551.exe
PID 1508 wrote to memory of 1088	1508	zap3889.exe	zap3551.exe
PID 1088 wrote to memory of 312	1088	zap3551.exe	tz9645.exe
PID 1088 wrote to memory of 312	1088	zap3551.exe	tz9645.exe
PID 1088 wrote to memory of 2704	1088	zap3551.exe	v8202eH.exe
PID 1088 wrote to memory of 2704	1088	zap3551.exe	v8202eH.exe
PID 1088 wrote to memory of 2704	1088	zap3551.exe	v8202eH.exe
PID 1508 wrote to memory of 3112	1508	zap3889.exe	w41Zw60.exe
PID 1508 wrote to memory of 3112	1508	zap3889.exe	w41Zw60.exe
PID 1508 wrote to memory of 3112	1508	zap3889.exe	w41Zw60.exe
PID 1768 wrote to memory of 648	1768	zap3408.exe	xLfVl23.exe
PID 1768 wrote to memory of 648	1768	zap3408.exe	xLfVl23.exe
PID 1768 wrote to memory of 648	1768	zap3408.exe	xLfVl23.exe
PID 1996 wrote to memory of 3016	1996	4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe	y14Us67.exe
PID 1996 wrote to memory of 3016	1996	4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe	y14Us67.exe
PID 1996 wrote to memory of 3016	1996	4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe	y14Us67.exe
PID 3016 wrote to memory of 1124	3016	y14Us67.exe	legenda.exe
PID 3016 wrote to memory of 1124	3016	y14Us67.exe	legenda.exe
PID 3016 wrote to memory of 1124	3016	y14Us67.exe	legenda.exe
PID 1124 wrote to memory of 3332	1124	legenda.exe	schtasks.exe
PID 1124 wrote to memory of 3332	1124	legenda.exe	schtasks.exe
PID 1124 wrote to memory of 3332	1124	legenda.exe	schtasks.exe
PID 1124 wrote to memory of 2712	1124	legenda.exe	cmd.exe
PID 1124 wrote to memory of 2712	1124	legenda.exe	cmd.exe
PID 1124 wrote to memory of 2712	1124	legenda.exe	cmd.exe
PID 2712 wrote to memory of 3820	2712	cmd.exe	cmd.exe
PID 2712 wrote to memory of 3820	2712	cmd.exe	cmd.exe
PID 2712 wrote to memory of 3820	2712	cmd.exe	cmd.exe
PID 2712 wrote to memory of 2012	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2012	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2012	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2328	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2328	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2328	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2220	2712	cmd.exe	cmd.exe
PID 2712 wrote to memory of 2220	2712	cmd.exe	cmd.exe
PID 2712 wrote to memory of 2220	2712	cmd.exe	cmd.exe
PID 2712 wrote to memory of 2640	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2640	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2640	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2740	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2740	2712	cmd.exe	cacls.exe
PID 2712 wrote to memory of 2740	2712	cmd.exe	cacls.exe
PID 1124 wrote to memory of 4296	1124	legenda.exe	1.exe
PID 1124 wrote to memory of 4296	1124	legenda.exe	1.exe
PID 1124 wrote to memory of 4296	1124	legenda.exe	1.exe
PID 4296 wrote to memory of 4188	4296	1.exe	cmd.exe
PID 4296 wrote to memory of 4188	4296	1.exe	cmd.exe
PID 4296 wrote to memory of 4188	4296	1.exe	cmd.exe
PID 4188 wrote to memory of 4632	4188	cmd.exe	WMIC.exe
PID 4188 wrote to memory of 4632	4188	cmd.exe	WMIC.exe
PID 4188 wrote to memory of 4632	4188	cmd.exe	WMIC.exe
PID 4296 wrote to memory of 2000	4296	1.exe	wmic.exe
PID 4296 wrote to memory of 2000	4296	1.exe	wmic.exe
PID 4296 wrote to memory of 2000	4296	1.exe	wmic.exe
PID 4296 wrote to memory of 3112	4296	1.exe	cmd.exe
PID 4296 wrote to memory of 3112	4296	1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe
"C:\Users\Admin\AppData\Local\Temp\4cf30e686ebf453c1222ca0e1ad69f5f970229fbb4f23ccf2f8ecb8b6eb26a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3408.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3408.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3889.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3889.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3551.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3551.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9645.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9645.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8202eH.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8202eH.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1036
6⤵
- Program crash
PID:1568

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w41Zw60.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w41Zw60.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1560
5⤵
- Program crash
PID:2120

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLfVl23.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLfVl23.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14Us67.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14Us67.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3820

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2220

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:2640

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\1000151001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000151001\1.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
5⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:3112

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:32

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
cmd "/c " systeminfo
5⤵
PID:312

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
6⤵
- Gathers system information
PID:4956

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2704 -ip 2704
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3112 -ip 3112
1⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:2540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000151001\1.exe

Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000151001\1.exe

Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000151001\1.exe

Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14Us67.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14Us67.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3408.exe

Filesize
842KB

MD5
23e3904c9e4f8d235553a8799c8dc23b

SHA1
a6a1053b91ecdcc706064008819e16500a30090d

SHA256
b2b852f660cbde5af46707be56f3bafc3bb0cfc2ad21c9042087663c43bfdd98

SHA512
ebb3ea470b6a9948c54fb6501fd45b770a55d023b7f120503dc8708b6111a66838234f14008b1b767c3d7aead62795bfd60eb0a34f1c36a573a2a06e111c9334

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3408.exe

Filesize
842KB

MD5
23e3904c9e4f8d235553a8799c8dc23b

SHA1
a6a1053b91ecdcc706064008819e16500a30090d

SHA256
b2b852f660cbde5af46707be56f3bafc3bb0cfc2ad21c9042087663c43bfdd98

SHA512
ebb3ea470b6a9948c54fb6501fd45b770a55d023b7f120503dc8708b6111a66838234f14008b1b767c3d7aead62795bfd60eb0a34f1c36a573a2a06e111c9334

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLfVl23.exe

Filesize
175KB

MD5
78efaf7292c2027da40635ca1aae855a

SHA1
686227a48e23b382a06c74f17d9b6f36e76042fd

SHA256
2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

SHA512
19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLfVl23.exe

Filesize
175KB

MD5
78efaf7292c2027da40635ca1aae855a

SHA1
686227a48e23b382a06c74f17d9b6f36e76042fd

SHA256
2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

SHA512
19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3889.exe

Filesize
699KB

MD5
1aad23ad1fa8646f8eb55f9ccfdabd5c

SHA1
f05b40025566a592255fa38f79f63c5c12dc0fcc

SHA256
79a6e69c7b1bc1674bdfebc4095b4a7cd1c003229b682d596dbf2b3b9d23ca16

SHA512
34bd626e1d7ea96c62dec51a547e37fe0c00ed2d37f4ae15c6e462ee586a56f06b99ea5a2b2187a022c371d210085f7744a1178ae6978a6e47e75418b43c39e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3889.exe

Filesize
699KB

MD5
1aad23ad1fa8646f8eb55f9ccfdabd5c

SHA1
f05b40025566a592255fa38f79f63c5c12dc0fcc

SHA256
79a6e69c7b1bc1674bdfebc4095b4a7cd1c003229b682d596dbf2b3b9d23ca16

SHA512
34bd626e1d7ea96c62dec51a547e37fe0c00ed2d37f4ae15c6e462ee586a56f06b99ea5a2b2187a022c371d210085f7744a1178ae6978a6e47e75418b43c39e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w41Zw60.exe

Filesize
358KB

MD5
cf12f575abf67adb2f3011b36cadb270

SHA1
3327fb97b1bf7a61c17efc3c0b5b1700c5233dbe

SHA256
44c43f36694e6c941e50eccd17fe92cc2437feac273f87b7a8f6be9dab0b5510

SHA512
7691359ef9922978b1e97daba6e17bba26b79d66f2612c31f6e3a7d10266b6386a853bff2225486cfcff1c849d2e5387e492feece1a90269742edf6ea5eebb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w41Zw60.exe

Filesize
358KB

MD5
cf12f575abf67adb2f3011b36cadb270

SHA1
3327fb97b1bf7a61c17efc3c0b5b1700c5233dbe

SHA256
44c43f36694e6c941e50eccd17fe92cc2437feac273f87b7a8f6be9dab0b5510

SHA512
7691359ef9922978b1e97daba6e17bba26b79d66f2612c31f6e3a7d10266b6386a853bff2225486cfcff1c849d2e5387e492feece1a90269742edf6ea5eebb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3551.exe

Filesize
346KB

MD5
c6918e9b27e224a8a4aba46885bf684c

SHA1
b31b5802a9cb6edffb25ad50031bb65cd65111fc

SHA256
13fb487fba716ea29e41641aeee2ab4fb7ea55cc0f59d197a2c790046961f124

SHA512
2fc2243991cae71a84c2a5a9d040bd4e7514ed6a3246aaddabe7903d4a8c12859653ae3fa375aec40e7da9657bb2b78589e06e5fb33388f9d4f289e5e8a63782

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3551.exe

Filesize
346KB

MD5
c6918e9b27e224a8a4aba46885bf684c

SHA1
b31b5802a9cb6edffb25ad50031bb65cd65111fc

SHA256
13fb487fba716ea29e41641aeee2ab4fb7ea55cc0f59d197a2c790046961f124

SHA512
2fc2243991cae71a84c2a5a9d040bd4e7514ed6a3246aaddabe7903d4a8c12859653ae3fa375aec40e7da9657bb2b78589e06e5fb33388f9d4f289e5e8a63782

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9645.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9645.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8202eH.exe

Filesize
300KB

MD5
be7b93d8ff5fc1c8b7483f76879704f1

SHA1
cb8939726b871c3a6acf02ea6730ac5cc645975e

SHA256
ecb19660ea7b18afaf1a1115cd9f4a622399bbbb64ac50ab3f498553f3450675

SHA512
7191ec3d81cfecb79ce937f9f9bc740b737c75253e2083723d7af5c09071ce559af00485caa54aecadf3b786d391c754ce5fbe1de65e02d52d35d83839e7bf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8202eH.exe

Filesize
300KB

MD5
be7b93d8ff5fc1c8b7483f76879704f1

SHA1
cb8939726b871c3a6acf02ea6730ac5cc645975e

SHA256
ecb19660ea7b18afaf1a1115cd9f4a622399bbbb64ac50ab3f498553f3450675

SHA512
7191ec3d81cfecb79ce937f9f9bc740b737c75253e2083723d7af5c09071ce559af00485caa54aecadf3b786d391c754ce5fbe1de65e02d52d35d83839e7bf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/312-161-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/648-1139-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/648-1138-0x00000000006A0000-0x00000000006D2000-memory.dmp

Filesize
200KB

Download
memory/2704-196-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-178-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-198-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-199-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2704-200-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/2704-202-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2704-182-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-194-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-192-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-180-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-190-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-184-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-176-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-174-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-172-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-171-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-170-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/2704-169-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/2704-168-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/2704-167-0x00000000009A0000-0x00000000009CD000-memory.dmp

Filesize
180KB

Download
memory/2704-188-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2704-186-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/3112-220-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-240-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-433-0x00000000023D0000-0x000000000241B000-memory.dmp

Filesize
300KB

Download
memory/3112-434-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3112-436-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3112-438-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3112-1117-0x0000000005530000-0x0000000005B48000-memory.dmp

Filesize
6.1MB

Download
memory/3112-1118-0x0000000005B50000-0x0000000005C5A000-memory.dmp

Filesize
1.0MB

Download
memory/3112-1119-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3112-1120-0x0000000002940000-0x000000000297C000-memory.dmp

Filesize
240KB

Download
memory/3112-1121-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3112-1122-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/3112-1123-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/3112-1124-0x00000000065D0000-0x0000000006646000-memory.dmp

Filesize
472KB

Download
memory/3112-1125-0x0000000006650000-0x00000000066A0000-memory.dmp

Filesize
320KB

Download
memory/3112-1126-0x00000000066C0000-0x0000000006882000-memory.dmp

Filesize
1.8MB

Download
memory/3112-1127-0x0000000006890000-0x0000000006DBC000-memory.dmp

Filesize
5.2MB

Download
memory/3112-1130-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3112-1129-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3112-238-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-236-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-234-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-232-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-230-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-228-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-226-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-224-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-222-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-218-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-216-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-214-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-212-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-208-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-210-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-207-0x0000000002710000-0x000000000274E000-memory.dmp

Filesize
248KB

Download
memory/3112-1131-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3112-1133-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download