amadey | 3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe
Size

1008KB
MD5

e5e55a8118a4372ce0b49bfde5573b78
SHA1

3395e08ad643c702fd51b9ff8ada6f3a3286d1dc
SHA256

3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2
SHA512

ebfb08524d69502aba37f985c6661fc6e6318e3608e554522260512ece7ba880d76c99a8c56d0a71f309e3782d078f0354c51c6f5751ec2e7e68a013bee8d14c
SSDEEP

12288:2Mrsy90PsdxaX2VhlbpAsIlMl+NxsG6Efv2PN94XPmDLbuWl9zLJOX2oAv4Tllyw:Gymkg2hXA1Ml+NGG6EfYMwLhLJ4vr

Score

10^/10

amadey redline anh123 boris lida discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lida

193.233.20.32:4125

Attributes

auth_value
24052aa2e9b85984a98d80cf08623e8d

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

Anh123

199.115.193.116:11300

Attributes

auth_value
db990971ec3911c24ea05eeccc2e1f60

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v5884Jr.exetz0831.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5884Jr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5884Jr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz0831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz0831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz0831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz0831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5884Jr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz0831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz0831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5884Jr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5884Jr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5884Jr.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3492-210-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-209-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-212-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-214-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-216-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-220-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-224-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-226-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-228-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-230-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-232-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-234-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-236-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-238-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-240-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-242-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-244-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline
behavioral1/memory/3492-246-0x00000000071B0000-0x00000000071EF000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y44hl43.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	y44hl43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 13 IoCs

Processes:

zap4720.exezap0522.exezap8317.exetz0831.exev5884Jr.exew61bc33.exexqCIv54.exey44hl43.exelegenda.exeNasalized.exeNasalized.exeNasalized.exelegenda.exe

pid	process
1932	zap4720.exe
696	zap0522.exe
3100	zap8317.exe
4972	tz0831.exe
1816	v5884Jr.exe
3492	w61bc33.exe
1184	xqCIv54.exe
4088	y44hl43.exe
4448	legenda.exe
4712	Nasalized.exe
5024	Nasalized.exe
3892	Nasalized.exe
5048	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4252 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4252	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz0831.exev5884Jr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz0831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5884Jr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5884Jr.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exezap4720.exezap0522.exezap8317.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4720.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap0522.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8317.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Nasalized.exe

description pid process target process

PID 4712 set thread context of 3892 4712 Nasalized.exe Nasalized.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4152 1816 WerFault.exe v5884Jr.exe
4684 3492 WerFault.exe w61bc33.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4276 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz0831.exev5884Jr.exew61bc33.exexqCIv54.exe

pid process

4972 tz0831.exe
4972 tz0831.exe
1816 v5884Jr.exe
1816 v5884Jr.exe
3492 w61bc33.exe
3492 w61bc33.exe
1184 xqCIv54.exe
1184 xqCIv54.exe

description	pid	process	target process
PID 4712 set thread context of 3892	4712	Nasalized.exe	Nasalized.exe

pid	pid_target	process	target process
4152	1816	WerFault.exe	v5884Jr.exe
4684	3492	WerFault.exe	w61bc33.exe

pid	process
4276	schtasks.exe

pid	process
4972	tz0831.exe
4972	tz0831.exe
1816	v5884Jr.exe
1816	v5884Jr.exe
3492	w61bc33.exe
3492	w61bc33.exe
1184	xqCIv54.exe
1184	xqCIv54.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz0831.exev5884Jr.exew61bc33.exexqCIv54.exe

description	pid	process
Token: SeDebugPrivilege	4972	tz0831.exe
Token: SeDebugPrivilege	1816	v5884Jr.exe
Token: SeDebugPrivilege	3492	w61bc33.exe
Token: SeDebugPrivilege	1184	xqCIv54.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exezap4720.exezap0522.exezap8317.exey44hl43.exelegenda.execmd.exeNasalized.exe

description	pid	process	target process
PID 2400 wrote to memory of 1932	2400	3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe	zap4720.exe
PID 2400 wrote to memory of 1932	2400	3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe	zap4720.exe
PID 2400 wrote to memory of 1932	2400	3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe	zap4720.exe
PID 1932 wrote to memory of 696	1932	zap4720.exe	zap0522.exe
PID 1932 wrote to memory of 696	1932	zap4720.exe	zap0522.exe
PID 1932 wrote to memory of 696	1932	zap4720.exe	zap0522.exe
PID 696 wrote to memory of 3100	696	zap0522.exe	zap8317.exe
PID 696 wrote to memory of 3100	696	zap0522.exe	zap8317.exe
PID 696 wrote to memory of 3100	696	zap0522.exe	zap8317.exe
PID 3100 wrote to memory of 4972	3100	zap8317.exe	tz0831.exe
PID 3100 wrote to memory of 4972	3100	zap8317.exe	tz0831.exe
PID 3100 wrote to memory of 1816	3100	zap8317.exe	v5884Jr.exe
PID 3100 wrote to memory of 1816	3100	zap8317.exe	v5884Jr.exe
PID 3100 wrote to memory of 1816	3100	zap8317.exe	v5884Jr.exe
PID 696 wrote to memory of 3492	696	zap0522.exe	w61bc33.exe
PID 696 wrote to memory of 3492	696	zap0522.exe	w61bc33.exe
PID 696 wrote to memory of 3492	696	zap0522.exe	w61bc33.exe
PID 1932 wrote to memory of 1184	1932	zap4720.exe	xqCIv54.exe
PID 1932 wrote to memory of 1184	1932	zap4720.exe	xqCIv54.exe
PID 1932 wrote to memory of 1184	1932	zap4720.exe	xqCIv54.exe
PID 2400 wrote to memory of 4088	2400	3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe	y44hl43.exe
PID 2400 wrote to memory of 4088	2400	3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe	y44hl43.exe
PID 2400 wrote to memory of 4088	2400	3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe	y44hl43.exe
PID 4088 wrote to memory of 4448	4088	y44hl43.exe	legenda.exe
PID 4088 wrote to memory of 4448	4088	y44hl43.exe	legenda.exe
PID 4088 wrote to memory of 4448	4088	y44hl43.exe	legenda.exe
PID 4448 wrote to memory of 4276	4448	legenda.exe	schtasks.exe
PID 4448 wrote to memory of 4276	4448	legenda.exe	schtasks.exe
PID 4448 wrote to memory of 4276	4448	legenda.exe	schtasks.exe
PID 4448 wrote to memory of 2664	4448	legenda.exe	cmd.exe
PID 4448 wrote to memory of 2664	4448	legenda.exe	cmd.exe
PID 4448 wrote to memory of 2664	4448	legenda.exe	cmd.exe
PID 2664 wrote to memory of 4948	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 4948	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 4948	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 4636	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 4636	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 4636	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 3724	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 3724	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 3724	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 3912	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 3912	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 3912	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 4432	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 4432	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 4432	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 3444	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 3444	2664	cmd.exe	cacls.exe
PID 2664 wrote to memory of 3444	2664	cmd.exe	cacls.exe
PID 4448 wrote to memory of 4712	4448	legenda.exe	Nasalized.exe
PID 4448 wrote to memory of 4712	4448	legenda.exe	Nasalized.exe
PID 4448 wrote to memory of 4712	4448	legenda.exe	Nasalized.exe
PID 4712 wrote to memory of 5024	4712	Nasalized.exe	Nasalized.exe
PID 4712 wrote to memory of 5024	4712	Nasalized.exe	Nasalized.exe
PID 4712 wrote to memory of 5024	4712	Nasalized.exe	Nasalized.exe
PID 4712 wrote to memory of 5024	4712	Nasalized.exe	Nasalized.exe
PID 4712 wrote to memory of 3892	4712	Nasalized.exe	Nasalized.exe
PID 4712 wrote to memory of 3892	4712	Nasalized.exe	Nasalized.exe
PID 4712 wrote to memory of 3892	4712	Nasalized.exe	Nasalized.exe
PID 4712 wrote to memory of 3892	4712	Nasalized.exe	Nasalized.exe
PID 4712 wrote to memory of 3892	4712	Nasalized.exe	Nasalized.exe
PID 4712 wrote to memory of 3892	4712	Nasalized.exe	Nasalized.exe
PID 4712 wrote to memory of 3892	4712	Nasalized.exe	Nasalized.exe

C:\Users\Admin\AppData\Local\Temp\3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe
"C:\Users\Admin\AppData\Local\Temp\3d4e73538fe0af0540e167674d16d9bf83256c224fc4890b02ffc952db5b2de2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4720.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4720.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0522.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0522.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:696

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8317.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8317.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0831.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0831.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5884Jr.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5884Jr.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1036
6⤵
- Program crash
PID:4152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61bc33.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61bc33.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1832
5⤵
- Program crash
PID:4684

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqCIv54.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqCIv54.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44hl43.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44hl43.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4948

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4636

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3912

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4432

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe
"C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4712

C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe
C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe
5⤵
- Executes dropped EXE
PID:5024

C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe
C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe
5⤵
- Executes dropped EXE
PID:3892

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1816 -ip 1816
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3492 -ip 3492
1⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nasalized.exe.log
Filesize
1KB

MD5
99f88b99e0d77c5607bb7826596c5340

SHA1
4d2902c0c3a8c134139e9e85f4ca557750c7b21a

SHA256
baa2292d20266e157ecc8340d1c201b82dcce67629a1c95ec27fea646624c56d

SHA512
ff3ee0ad2a99c952f3fb709f9c3159138d66abb16f022e8f62f717c2edf621f43967fc3d7418b3bdd78b1399567fcc899c1e38aaf44abf97032d2c696b928a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe
Filesize
898KB

MD5
4c42520a02966a874eb4fbdc0a74e208

SHA1
8c17320204683ca1dcf81c0a031a6e6c0d679d84

SHA256
0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d

SHA512
c9891c1a8428ba8ece0880c725a8fbbc0a77573f3460c35eeb7385c6993712fd35143b9662599d09f25af36f30ff856b32ae085161b1baa431aa428ecd5ea512

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe
Filesize
898KB

MD5
4c42520a02966a874eb4fbdc0a74e208

SHA1
8c17320204683ca1dcf81c0a031a6e6c0d679d84

SHA256
0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d

SHA512
c9891c1a8428ba8ece0880c725a8fbbc0a77573f3460c35eeb7385c6993712fd35143b9662599d09f25af36f30ff856b32ae085161b1baa431aa428ecd5ea512

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe
Filesize
898KB

MD5
4c42520a02966a874eb4fbdc0a74e208

SHA1
8c17320204683ca1dcf81c0a031a6e6c0d679d84

SHA256
0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d

SHA512
c9891c1a8428ba8ece0880c725a8fbbc0a77573f3460c35eeb7385c6993712fd35143b9662599d09f25af36f30ff856b32ae085161b1baa431aa428ecd5ea512

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe
Filesize
898KB

MD5
4c42520a02966a874eb4fbdc0a74e208

SHA1
8c17320204683ca1dcf81c0a031a6e6c0d679d84

SHA256
0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d

SHA512
c9891c1a8428ba8ece0880c725a8fbbc0a77573f3460c35eeb7385c6993712fd35143b9662599d09f25af36f30ff856b32ae085161b1baa431aa428ecd5ea512

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000155001\Nasalized.exe
Filesize
898KB

MD5
4c42520a02966a874eb4fbdc0a74e208

SHA1
8c17320204683ca1dcf81c0a031a6e6c0d679d84

SHA256
0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d

SHA512
c9891c1a8428ba8ece0880c725a8fbbc0a77573f3460c35eeb7385c6993712fd35143b9662599d09f25af36f30ff856b32ae085161b1baa431aa428ecd5ea512

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44hl43.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44hl43.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4720.exe
Filesize
830KB

MD5
fe2035934c36204bcf1caa2968e4a92e

SHA1
788fa969f01c73684eef9d56e4534015eb1644a7

SHA256
4f9e923990103e0f48c783d1a4819045de57843495934114c3d948464037e73d

SHA512
fc000837f6753834142234e61b9c3815d6f65eda754350341467ac30c4e876ac37181f86e7b86a368ac7c07b44ca1e333d66ab84b18bee37f54ad0b8faace381

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4720.exe
Filesize
830KB

MD5
fe2035934c36204bcf1caa2968e4a92e

SHA1
788fa969f01c73684eef9d56e4534015eb1644a7

SHA256
4f9e923990103e0f48c783d1a4819045de57843495934114c3d948464037e73d

SHA512
fc000837f6753834142234e61b9c3815d6f65eda754350341467ac30c4e876ac37181f86e7b86a368ac7c07b44ca1e333d66ab84b18bee37f54ad0b8faace381

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqCIv54.exe
Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqCIv54.exe
Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0522.exe
Filesize
688KB

MD5
8239ba0b88761c0be332e3282520669d

SHA1
3b7c72cee1c065b3958e66fac9ff919cf0c7e235

SHA256
e4114fd6e690f8276cd8fc881f6afe33581e56573862308e48baf38f49c1e772

SHA512
b914f49a0606a15b61c074df99eeeac8c46f41c9d2b0cefd39ccf962a7049183476bcc83cb3967c07ed4d5e75e2e89e5fdada256663de88dfdb88f9c5616d5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0522.exe
Filesize
688KB

MD5
8239ba0b88761c0be332e3282520669d

SHA1
3b7c72cee1c065b3958e66fac9ff919cf0c7e235

SHA256
e4114fd6e690f8276cd8fc881f6afe33581e56573862308e48baf38f49c1e772

SHA512
b914f49a0606a15b61c074df99eeeac8c46f41c9d2b0cefd39ccf962a7049183476bcc83cb3967c07ed4d5e75e2e89e5fdada256663de88dfdb88f9c5616d5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61bc33.exe
Filesize
357KB

MD5
71eeed7c557f2316845de7a61cf71a36

SHA1
fe00e952b8dfb23bf815869f32ffc3e83ab7fd2d

SHA256
b2caa3d0bb39d6dd397f5ae33cb0cbd7a89b812cca835dc940fe0c4c1e215f0e

SHA512
cf6fff164536d872a83f15ab1f2e2efd25520d60a6ebd63d03f1ca6ae497f94634f28919c20d6241b5b2eab357daeae0a95a3c825c91a06868557f758fbc93d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61bc33.exe
Filesize
357KB

MD5
71eeed7c557f2316845de7a61cf71a36

SHA1
fe00e952b8dfb23bf815869f32ffc3e83ab7fd2d

SHA256
b2caa3d0bb39d6dd397f5ae33cb0cbd7a89b812cca835dc940fe0c4c1e215f0e

SHA512
cf6fff164536d872a83f15ab1f2e2efd25520d60a6ebd63d03f1ca6ae497f94634f28919c20d6241b5b2eab357daeae0a95a3c825c91a06868557f758fbc93d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8317.exe
Filesize
340KB

MD5
5808a593d66b8ef07d9d58e45b6116a6

SHA1
15710b5b2f86f8a48ae564c2ca6907cc2fc6c885

SHA256
38205d72b554df54738d8e5669dd6bbb2272affc4496b8d3efc17c68c1e0e675

SHA512
d0ca67134316e68e4713af8b77bc31f92b04d7d735f0038f5db9fb0793ec392e0f1ae8ef59a18a97af272518709015f0e25612fc58468c71323c76ec8cfcd3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8317.exe
Filesize
340KB

MD5
5808a593d66b8ef07d9d58e45b6116a6

SHA1
15710b5b2f86f8a48ae564c2ca6907cc2fc6c885

SHA256
38205d72b554df54738d8e5669dd6bbb2272affc4496b8d3efc17c68c1e0e675

SHA512
d0ca67134316e68e4713af8b77bc31f92b04d7d735f0038f5db9fb0793ec392e0f1ae8ef59a18a97af272518709015f0e25612fc58468c71323c76ec8cfcd3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0831.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0831.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5884Jr.exe
Filesize
298KB

MD5
3899c765415501eedc1f5f43f07ae247

SHA1
100e396f1f32700c4438510fad61b7105d0bdefe

SHA256
e25eb7103c5d40a1d5d814f9a65aecdc94c57d50053baf092d40ccd195b36f7b

SHA512
9fe597b7df02817290cc5f066203e91682a15aeac8c94aac25760268b32daa6ad130f0be7f3fa5923e3ec62f0c8c02a2172a6878e72594a368c82f0f2f07afcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5884Jr.exe
Filesize
298KB

MD5
3899c765415501eedc1f5f43f07ae247

SHA1
100e396f1f32700c4438510fad61b7105d0bdefe

SHA256
e25eb7103c5d40a1d5d814f9a65aecdc94c57d50053baf092d40ccd195b36f7b

SHA512
9fe597b7df02817290cc5f066203e91682a15aeac8c94aac25760268b32daa6ad130f0be7f3fa5923e3ec62f0c8c02a2172a6878e72594a368c82f0f2f07afcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1184-1142-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1184-1141-0x0000000000670000-0x00000000006A2000-memory.dmp

Filesize
200KB

Download
memory/1816-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/1816-199-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/1816-201-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1816-202-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1816-204-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/1816-197-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-195-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-193-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-191-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-189-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-187-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-185-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-183-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-181-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-179-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-177-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-175-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-173-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-172-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1816-171-0x0000000007380000-0x0000000007924000-memory.dmp

Filesize
5.6MB

Download
memory/1816-170-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1816-169-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1816-168-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/3492-226-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-232-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-244-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-246-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-1119-0x0000000007960000-0x0000000007F78000-memory.dmp

Filesize
6.1MB

Download
memory/3492-1120-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/3492-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3492-1122-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3492-1123-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3492-1125-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3492-1126-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3492-1127-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3492-1128-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/3492-1129-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/3492-1130-0x0000000008C80000-0x0000000008CF6000-memory.dmp

Filesize
472KB

Download
memory/3492-1131-0x0000000008D00000-0x0000000008D50000-memory.dmp

Filesize
320KB

Download
memory/3492-1132-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3492-240-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-238-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-236-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-234-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-242-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-230-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-228-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-222-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3492-224-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-220-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-1133-0x000000000A040000-0x000000000A202000-memory.dmp

Filesize
1.8MB

Download
memory/3492-1134-0x000000000A210000-0x000000000A73C000-memory.dmp

Filesize
5.2MB

Download
memory/3492-210-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-209-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-221-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3492-219-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3492-212-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-217-0x0000000002CA0000-0x0000000002CEB000-memory.dmp

Filesize
300KB

Download
memory/3492-214-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3492-216-0x00000000071B0000-0x00000000071EF000-memory.dmp

Filesize
252KB

Download
memory/3892-1184-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/3892-1183-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/3892-1182-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4712-1176-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/4712-1175-0x0000000000D10000-0x0000000000DF6000-memory.dmp

Filesize
920KB

Download
memory/4972-161-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download