amadey | bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe
Size

1.0MB
MD5

45dadd790053b8143ceda48b2893b9b2
SHA1

cb62041b3034f78e54913c17fd2142cc4e564869
SHA256

bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49
SHA512

acecb9e3011e67c4798672ecdc1693b64d6582a9762cc2704f67e7a42fe540c4f474b93cbd89ccca3ec230e28a0b4f78bb1a18af0341843f8016879449ab6de5
SSDEEP

24576:eyCWfkBMTrDBgJGNxdo9HOMwAZr3Fus4/biCOS:tCWjr2JgCZMp/biV

Score

10^/10

amadey lumma redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz9120.exev5054sB.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz9120.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9120.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5054sB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5054sB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5054sB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz9120.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz9120.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz9120.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5054sB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5054sB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5054sB.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3688-210-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-211-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-213-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-215-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-218-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-221-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-227-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-229-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-225-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-231-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-233-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-235-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-237-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-239-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-241-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-243-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-245-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3688-247-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y04Uo65.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y04Uo65.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 12 IoCs

Processes:

zap1931.exezap3715.exezap7103.exetz9120.exev5054sB.exew17ug44.exexSAJv55.exey04Uo65.exelegenda.exeLummas.exelegenda.exelegenda.exe

pid	process
3436	zap1931.exe
1540	zap3715.exe
3264	zap7103.exe
4112	tz9120.exe
4120	v5054sB.exe
3688	w17ug44.exe
4152	xSAJv55.exe
3300	y04Uo65.exe
1856	legenda.exe
2748	Lummas.exe
3264	legenda.exe
4284	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4344 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4344	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz9120.exev5054sB.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5054sB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5054sB.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap3715.exezap7103.exebf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exezap1931.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3715.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7103.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7103.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1931.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Lummas.exe

description pid process target process

PID 2748 set thread context of 1980 2748 Lummas.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3708 4120 WerFault.exe v5054sB.exe
1876 3688 WerFault.exe w17ug44.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4512 schtasks.exe

description	pid	process	target process
PID 2748 set thread context of 1980	2748	Lummas.exe	AddInProcess32.exe

pid	pid_target	process	target process
3708	4120	WerFault.exe	v5054sB.exe
1876	3688	WerFault.exe	w17ug44.exe

pid	process
4512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

tz9120.exev5054sB.exew17ug44.exexSAJv55.exeLummas.exe

pid	process
4112	tz9120.exe
4112	tz9120.exe
4120	v5054sB.exe
4120	v5054sB.exe
3688	w17ug44.exe
3688	w17ug44.exe
4152	xSAJv55.exe
4152	xSAJv55.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe
2748	Lummas.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz9120.exev5054sB.exew17ug44.exexSAJv55.exeLummas.exe

description	pid	process
Token: SeDebugPrivilege	4112	tz9120.exe
Token: SeDebugPrivilege	4120	v5054sB.exe
Token: SeDebugPrivilege	3688	w17ug44.exe
Token: SeDebugPrivilege	4152	xSAJv55.exe
Token: SeDebugPrivilege	2748	Lummas.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exezap1931.exezap3715.exezap7103.exey04Uo65.exelegenda.execmd.exeLummas.exe

description	pid	process	target process
PID 1648 wrote to memory of 3436	1648	bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe	zap1931.exe
PID 1648 wrote to memory of 3436	1648	bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe	zap1931.exe
PID 1648 wrote to memory of 3436	1648	bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe	zap1931.exe
PID 3436 wrote to memory of 1540	3436	zap1931.exe	zap3715.exe
PID 3436 wrote to memory of 1540	3436	zap1931.exe	zap3715.exe
PID 3436 wrote to memory of 1540	3436	zap1931.exe	zap3715.exe
PID 1540 wrote to memory of 3264	1540	zap3715.exe	zap7103.exe
PID 1540 wrote to memory of 3264	1540	zap3715.exe	zap7103.exe
PID 1540 wrote to memory of 3264	1540	zap3715.exe	zap7103.exe
PID 3264 wrote to memory of 4112	3264	zap7103.exe	tz9120.exe
PID 3264 wrote to memory of 4112	3264	zap7103.exe	tz9120.exe
PID 3264 wrote to memory of 4120	3264	zap7103.exe	v5054sB.exe
PID 3264 wrote to memory of 4120	3264	zap7103.exe	v5054sB.exe
PID 3264 wrote to memory of 4120	3264	zap7103.exe	v5054sB.exe
PID 1540 wrote to memory of 3688	1540	zap3715.exe	w17ug44.exe
PID 1540 wrote to memory of 3688	1540	zap3715.exe	w17ug44.exe
PID 1540 wrote to memory of 3688	1540	zap3715.exe	w17ug44.exe
PID 3436 wrote to memory of 4152	3436	zap1931.exe	xSAJv55.exe
PID 3436 wrote to memory of 4152	3436	zap1931.exe	xSAJv55.exe
PID 3436 wrote to memory of 4152	3436	zap1931.exe	xSAJv55.exe
PID 1648 wrote to memory of 3300	1648	bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe	y04Uo65.exe
PID 1648 wrote to memory of 3300	1648	bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe	y04Uo65.exe
PID 1648 wrote to memory of 3300	1648	bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe	y04Uo65.exe
PID 3300 wrote to memory of 1856	3300	y04Uo65.exe	legenda.exe
PID 3300 wrote to memory of 1856	3300	y04Uo65.exe	legenda.exe
PID 3300 wrote to memory of 1856	3300	y04Uo65.exe	legenda.exe
PID 1856 wrote to memory of 4512	1856	legenda.exe	schtasks.exe
PID 1856 wrote to memory of 4512	1856	legenda.exe	schtasks.exe
PID 1856 wrote to memory of 4512	1856	legenda.exe	schtasks.exe
PID 1856 wrote to memory of 4472	1856	legenda.exe	cmd.exe
PID 1856 wrote to memory of 4472	1856	legenda.exe	cmd.exe
PID 1856 wrote to memory of 4472	1856	legenda.exe	cmd.exe
PID 4472 wrote to memory of 3196	4472	cmd.exe	cmd.exe
PID 4472 wrote to memory of 3196	4472	cmd.exe	cmd.exe
PID 4472 wrote to memory of 3196	4472	cmd.exe	cmd.exe
PID 4472 wrote to memory of 4000	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 4000	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 4000	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 1988	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 1988	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 1988	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 4164	4472	cmd.exe	cmd.exe
PID 4472 wrote to memory of 4164	4472	cmd.exe	cmd.exe
PID 4472 wrote to memory of 4164	4472	cmd.exe	cmd.exe
PID 4472 wrote to memory of 4044	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 4044	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 4044	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 5080	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 5080	4472	cmd.exe	cacls.exe
PID 4472 wrote to memory of 5080	4472	cmd.exe	cacls.exe
PID 1856 wrote to memory of 2748	1856	legenda.exe	Lummas.exe
PID 1856 wrote to memory of 2748	1856	legenda.exe	Lummas.exe
PID 2748 wrote to memory of 4036	2748	Lummas.exe	SMSvcHost.exe
PID 2748 wrote to memory of 4036	2748	Lummas.exe	SMSvcHost.exe
PID 2748 wrote to memory of 1408	2748	Lummas.exe	ilasm.exe
PID 2748 wrote to memory of 1408	2748	Lummas.exe	ilasm.exe
PID 2748 wrote to memory of 4536	2748	Lummas.exe	mscorsvw.exe
PID 2748 wrote to memory of 4536	2748	Lummas.exe	mscorsvw.exe
PID 2748 wrote to memory of 1332	2748	Lummas.exe	Microsoft.Workflow.Compiler.exe
PID 2748 wrote to memory of 1332	2748	Lummas.exe	Microsoft.Workflow.Compiler.exe
PID 2748 wrote to memory of 1512	2748	Lummas.exe	MSBuild.exe
PID 2748 wrote to memory of 1512	2748	Lummas.exe	MSBuild.exe
PID 2748 wrote to memory of 4160	2748	Lummas.exe	InstallUtil.exe
PID 2748 wrote to memory of 4160	2748	Lummas.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe
"C:\Users\Admin\AppData\Local\Temp\bf34db1e56f5930b2e6df42aa6da66eec07710475b11b9fdbbe0fabdc6622f49.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1931.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1931.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3715.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3715.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7103.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7103.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9120.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9120.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5054sB.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5054sB.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1108
6⤵
- Program crash
PID:3708

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17ug44.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17ug44.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 1724
5⤵
- Program crash
PID:1876

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSAJv55.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSAJv55.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y04Uo65.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y04Uo65.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3196

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4000

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4164

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4044

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
5⤵
PID:4036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
5⤵
PID:1408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
5⤵
PID:4536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
5⤵
PID:1332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
5⤵
PID:1512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
5⤵
PID:4160

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
5⤵
PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
5⤵
PID:1980

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4120 -ip 4120
1⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3688 -ip 3688
1⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y04Uo65.exe
Filesize
235KB

MD5
1e024000ab315f7184a38e4832aca3ef

SHA1
21398478dd1a84712872283e5dbfcc517e953db3

SHA256
527412520be3cbff58ff690b6283d1c4aa575ee99f2e50ca6cc4fa1a7e31974a

SHA512
92fb2bf5fc7ebc1ecb1bbf234e049c9cb0e8291bf6e647ab8c434aa7e69ac815efbc1a0d9c8278fe451621182b5cd7cfff36b7eb3a365ac0d162dfe39950b0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y04Uo65.exe
Filesize
235KB

MD5
1e024000ab315f7184a38e4832aca3ef

SHA1
21398478dd1a84712872283e5dbfcc517e953db3

SHA256
527412520be3cbff58ff690b6283d1c4aa575ee99f2e50ca6cc4fa1a7e31974a

SHA512
92fb2bf5fc7ebc1ecb1bbf234e049c9cb0e8291bf6e647ab8c434aa7e69ac815efbc1a0d9c8278fe451621182b5cd7cfff36b7eb3a365ac0d162dfe39950b0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1931.exe
Filesize
854KB

MD5
326b4b76ad2eed84320be43740976daa

SHA1
25554a3f39e84105a4e44e21125ca5c0ecf68422

SHA256
b05c435dd7b2b3287991632e1ab0ca12f8f9d016bf14580964eaec936fa7c2ac

SHA512
22acadd917c7c70b56a157c9e160dbaea8106765794322fad3f90c1eea57a64f3b275045d7c719d522c66eabf737a8592842e9def50674b4d1c11b2d06f08f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1931.exe
Filesize
854KB

MD5
326b4b76ad2eed84320be43740976daa

SHA1
25554a3f39e84105a4e44e21125ca5c0ecf68422

SHA256
b05c435dd7b2b3287991632e1ab0ca12f8f9d016bf14580964eaec936fa7c2ac

SHA512
22acadd917c7c70b56a157c9e160dbaea8106765794322fad3f90c1eea57a64f3b275045d7c719d522c66eabf737a8592842e9def50674b4d1c11b2d06f08f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSAJv55.exe
Filesize
175KB

MD5
2db27a55e2d9b2c6ca1c6b206af97fdd

SHA1
011a129161913e3df400f6f501c55c1fbe758ddb

SHA256
1e1ea7095844148a1570b727a746cea8f215787bb1296ca58fc2964e81eb0f42

SHA512
430b41fce61c490cdff28daf6ec8cc36583cf0a900e27e23ed04b4fb39f4d1134aa0ccbd47ad2b59e2563b68349cea1503fd331ae2c148134b7c1e0387bebe11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSAJv55.exe
Filesize
175KB

MD5
2db27a55e2d9b2c6ca1c6b206af97fdd

SHA1
011a129161913e3df400f6f501c55c1fbe758ddb

SHA256
1e1ea7095844148a1570b727a746cea8f215787bb1296ca58fc2964e81eb0f42

SHA512
430b41fce61c490cdff28daf6ec8cc36583cf0a900e27e23ed04b4fb39f4d1134aa0ccbd47ad2b59e2563b68349cea1503fd331ae2c148134b7c1e0387bebe11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3715.exe
Filesize
712KB

MD5
050696205ab67ff3186c2d162d124627

SHA1
0204208c0eb81e14dbaacc774eff7e9a5932f7ed

SHA256
fdc3cda84e198753f8c463167a9f1498f5b5ffc7c594071b9449530cc6d61ebe

SHA512
dc800fb92d524f43678b21b669d67966e659f70f37f00c5b751ab876fc0ab0caa02a4590e8a6e9be80ed2b64c69ec742cb619bdfaa8cc7be8b6b06797c47b49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3715.exe
Filesize
712KB

MD5
050696205ab67ff3186c2d162d124627

SHA1
0204208c0eb81e14dbaacc774eff7e9a5932f7ed

SHA256
fdc3cda84e198753f8c463167a9f1498f5b5ffc7c594071b9449530cc6d61ebe

SHA512
dc800fb92d524f43678b21b669d67966e659f70f37f00c5b751ab876fc0ab0caa02a4590e8a6e9be80ed2b64c69ec742cb619bdfaa8cc7be8b6b06797c47b49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17ug44.exe
Filesize
384KB

MD5
101aa8d57686940a823d4b42c4e0cdd1

SHA1
0589a8d7be91ca3c0d3f24c36502325c477db6c8

SHA256
250d3bc15b7fa23cd56893433d241df940e11705348ad6fa9dac6fa0b5d52afe

SHA512
83560a5d0667c33f2954aee3a4fe2794de0d91225eeaa287e93cf7c84dc782c161c71c34753c3f5841f71ec2fe8592da288254b015434d9cd939bd4e0a1c4ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17ug44.exe
Filesize
384KB

MD5
101aa8d57686940a823d4b42c4e0cdd1

SHA1
0589a8d7be91ca3c0d3f24c36502325c477db6c8

SHA256
250d3bc15b7fa23cd56893433d241df940e11705348ad6fa9dac6fa0b5d52afe

SHA512
83560a5d0667c33f2954aee3a4fe2794de0d91225eeaa287e93cf7c84dc782c161c71c34753c3f5841f71ec2fe8592da288254b015434d9cd939bd4e0a1c4ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7103.exe
Filesize
353KB

MD5
520a452c054b8b21d3e81673ca6ecdcb

SHA1
50fa061e524d7d13fa17debed80eca8c00beb9e5

SHA256
34b6512a0cac2bfc82b61d4f01f540c7e468c63f3c1cb4a60541145125185a7a

SHA512
205de63b7e8db5a73fb2b0cc7cb01ef5d8315bc1a0ba7f39a44a53d6942493e5c0d4c07f7645e0f3de69b07d7ac49b0ce66ab9a9b66b946b0ec3ec361e660fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7103.exe
Filesize
353KB

MD5
520a452c054b8b21d3e81673ca6ecdcb

SHA1
50fa061e524d7d13fa17debed80eca8c00beb9e5

SHA256
34b6512a0cac2bfc82b61d4f01f540c7e468c63f3c1cb4a60541145125185a7a

SHA512
205de63b7e8db5a73fb2b0cc7cb01ef5d8315bc1a0ba7f39a44a53d6942493e5c0d4c07f7645e0f3de69b07d7ac49b0ce66ab9a9b66b946b0ec3ec361e660fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9120.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9120.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5054sB.exe
Filesize
325KB

MD5
73d206d226f22038751197e51c194f97

SHA1
adaea3f0d1122b7d9430114b024eb8c2364f697f

SHA256
7dfe4753440e27919abed79472d14b99c3f52f539d1995e52b70a6e169716222

SHA512
f3d19d7dfd32d65ffd70a79282e5f60b7b44f403354ed071fed348e339a100007880dee1a99308cf00af62911dca80684ff3c735546e9096444ea5e32328f947

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5054sB.exe
Filesize
325KB

MD5
73d206d226f22038751197e51c194f97

SHA1
adaea3f0d1122b7d9430114b024eb8c2364f697f

SHA256
7dfe4753440e27919abed79472d14b99c3f52f539d1995e52b70a6e169716222

SHA512
f3d19d7dfd32d65ffd70a79282e5f60b7b44f403354ed071fed348e339a100007880dee1a99308cf00af62911dca80684ff3c735546e9096444ea5e32328f947

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1e024000ab315f7184a38e4832aca3ef

SHA1
21398478dd1a84712872283e5dbfcc517e953db3

SHA256
527412520be3cbff58ff690b6283d1c4aa575ee99f2e50ca6cc4fa1a7e31974a

SHA512
92fb2bf5fc7ebc1ecb1bbf234e049c9cb0e8291bf6e647ab8c434aa7e69ac815efbc1a0d9c8278fe451621182b5cd7cfff36b7eb3a365ac0d162dfe39950b0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1e024000ab315f7184a38e4832aca3ef

SHA1
21398478dd1a84712872283e5dbfcc517e953db3

SHA256
527412520be3cbff58ff690b6283d1c4aa575ee99f2e50ca6cc4fa1a7e31974a

SHA512
92fb2bf5fc7ebc1ecb1bbf234e049c9cb0e8291bf6e647ab8c434aa7e69ac815efbc1a0d9c8278fe451621182b5cd7cfff36b7eb3a365ac0d162dfe39950b0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1e024000ab315f7184a38e4832aca3ef

SHA1
21398478dd1a84712872283e5dbfcc517e953db3

SHA256
527412520be3cbff58ff690b6283d1c4aa575ee99f2e50ca6cc4fa1a7e31974a

SHA512
92fb2bf5fc7ebc1ecb1bbf234e049c9cb0e8291bf6e647ab8c434aa7e69ac815efbc1a0d9c8278fe451621182b5cd7cfff36b7eb3a365ac0d162dfe39950b0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1e024000ab315f7184a38e4832aca3ef

SHA1
21398478dd1a84712872283e5dbfcc517e953db3

SHA256
527412520be3cbff58ff690b6283d1c4aa575ee99f2e50ca6cc4fa1a7e31974a

SHA512
92fb2bf5fc7ebc1ecb1bbf234e049c9cb0e8291bf6e647ab8c434aa7e69ac815efbc1a0d9c8278fe451621182b5cd7cfff36b7eb3a365ac0d162dfe39950b0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1e024000ab315f7184a38e4832aca3ef

SHA1
21398478dd1a84712872283e5dbfcc517e953db3

SHA256
527412520be3cbff58ff690b6283d1c4aa575ee99f2e50ca6cc4fa1a7e31974a

SHA512
92fb2bf5fc7ebc1ecb1bbf234e049c9cb0e8291bf6e647ab8c434aa7e69ac815efbc1a0d9c8278fe451621182b5cd7cfff36b7eb3a365ac0d162dfe39950b0d6

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1980-1182-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1980-1183-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1980-1185-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2748-1175-0x00000295F9110000-0x00000295F92FE000-memory.dmp

Filesize
1.9MB

Download
memory/2748-1176-0x00000295FCD90000-0x00000295FCDA0000-memory.dmp

Filesize
64KB

Download
memory/3688-1133-0x0000000009FE0000-0x000000000A1A2000-memory.dmp

Filesize
1.8MB

Download
memory/3688-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/3688-1135-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3688-1134-0x000000000A1B0000-0x000000000A6DC000-memory.dmp

Filesize
5.2MB

Download
memory/3688-1132-0x0000000008CF0000-0x0000000008D40000-memory.dmp

Filesize
320KB

Download
memory/3688-210-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-211-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-213-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-215-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-217-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/3688-220-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3688-218-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-222-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3688-221-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-224-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3688-227-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-229-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-225-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-231-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-233-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-235-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-237-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-239-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-241-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-243-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-245-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-247-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3688-1120-0x0000000007960000-0x0000000007F78000-memory.dmp

Filesize
6.1MB

Download
memory/3688-1121-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/3688-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3688-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3688-1124-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3688-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/3688-1131-0x0000000008C60000-0x0000000008CD6000-memory.dmp

Filesize
472KB

Download
memory/3688-1128-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3688-1129-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3688-1130-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4112-161-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/4120-174-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-176-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-190-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4120-199-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4120-198-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4120-188-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4120-197-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4120-196-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-194-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-192-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-203-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4120-202-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4120-172-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-184-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-182-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-180-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-178-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4120-204-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/4120-186-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-170-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-169-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4120-168-0x00000000074C0000-0x0000000007A64000-memory.dmp

Filesize
5.6MB

Download
memory/4152-1142-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/4152-1141-0x0000000000990000-0x00000000009C2000-memory.dmp

Filesize
200KB

Download