amadey | fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25

Analysis

max time kernel
141s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe
Size

1.0MB
MD5

fde6f1aeb47e1d9117e67858be43adbc
SHA1

45682b5a867f9db4af567673b944f5694e7a8f13
SHA256

fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25
SHA512

dde24882bf7861af0d3af004b8b0f637b3d2e02846be2afb463910174be5c9146e02f90839326670d58d6d2efc02e5f5eb736329b5a8e68e8c151366f9a73363
SSDEEP

24576:yyTECxGdlelBATINc5iE34lCMhajetEaPsL60WJ/:ZI2GbezGs44lYymksLBa

Score

10^/10

amadey redline @redlinevipchat cloud (tg: @fatherofcarders)boris ngan003 store discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

store

193.233.20.32:4125

Attributes

auth_value
e34e5836de4e256271ab56c648765bcd

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

@REDLINEVIPCHAT Cloud (TG: @FATHEROFCARDERS)

151.80.89.234:19388

Attributes

auth_value
56af49c3278d982f9a41ef2abb7c4d09

Extracted

Family

redline

Botnet

ngan003

199.115.193.116:11300

Attributes

auth_value
b500a5cf0cb429e32a81c6ddcd8d4545

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz4086.exev9503Yy.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v9503Yy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4086.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v9503Yy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v9503Yy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v9503Yy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v9503Yy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v9503Yy.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4780-209-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-210-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-212-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-216-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-214-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-218-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-220-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-222-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-224-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-226-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-229-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-233-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-235-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-237-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-239-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-241-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-243-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-245-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4780-1127-0x0000000004D10000-0x0000000004D20000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y93Fi44.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	y93Fi44.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 14 IoCs

Processes:

zap6345.exezap8322.exezap3610.exetz4086.exev9503Yy.exew27gZ40.exexYsoz84.exey93Fi44.exelegenda.exe1millRDX.exeSprawl.exeSprawl.exelegenda.exelegenda.exe

pid	process
4984	zap6345.exe
3356	zap8322.exe
4268	zap3610.exe
432	tz4086.exe
1740	v9503Yy.exe
4780	w27gZ40.exe
1552	xYsoz84.exe
1584	y93Fi44.exe
2020	legenda.exe
3900	1millRDX.exe
412	Sprawl.exe
2916	Sprawl.exe
3728	legenda.exe
3132	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3500 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3500	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz4086.exev9503Yy.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4086.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v9503Yy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v9503Yy.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8322.exezap3610.exefe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exezap6345.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8322.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8322.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3610.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6345.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6345.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Sprawl.exe

description pid process target process

PID 412 set thread context of 2916 412 Sprawl.exe Sprawl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4884 1740 WerFault.exe v9503Yy.exe
4956 4780 WerFault.exe w27gZ40.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3036 schtasks.exe

description	pid	process	target process
PID 412 set thread context of 2916	412	Sprawl.exe	Sprawl.exe

pid	pid_target	process	target process
4884	1740	WerFault.exe	v9503Yy.exe
4956	4780	WerFault.exe	w27gZ40.exe

pid	process
3036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

tz4086.exev9503Yy.exew27gZ40.exexYsoz84.exe1millRDX.exeSprawl.exe

pid	process
432	tz4086.exe
432	tz4086.exe
1740	v9503Yy.exe
1740	v9503Yy.exe
4780	w27gZ40.exe
4780	w27gZ40.exe
1552	xYsoz84.exe
1552	xYsoz84.exe
3900	1millRDX.exe
3900	1millRDX.exe
2916	Sprawl.exe
2916	Sprawl.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tz4086.exev9503Yy.exew27gZ40.exexYsoz84.exe1millRDX.exeSprawl.exe

description	pid	process
Token: SeDebugPrivilege	432	tz4086.exe
Token: SeDebugPrivilege	1740	v9503Yy.exe
Token: SeDebugPrivilege	4780	w27gZ40.exe
Token: SeDebugPrivilege	1552	xYsoz84.exe
Token: SeDebugPrivilege	3900	1millRDX.exe
Token: SeDebugPrivilege	2916	Sprawl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exezap6345.exezap8322.exezap3610.exey93Fi44.exelegenda.execmd.exeSprawl.exe

description	pid	process	target process
PID 4996 wrote to memory of 4984	4996	fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe	zap6345.exe
PID 4996 wrote to memory of 4984	4996	fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe	zap6345.exe
PID 4996 wrote to memory of 4984	4996	fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe	zap6345.exe
PID 4984 wrote to memory of 3356	4984	zap6345.exe	zap8322.exe
PID 4984 wrote to memory of 3356	4984	zap6345.exe	zap8322.exe
PID 4984 wrote to memory of 3356	4984	zap6345.exe	zap8322.exe
PID 3356 wrote to memory of 4268	3356	zap8322.exe	zap3610.exe
PID 3356 wrote to memory of 4268	3356	zap8322.exe	zap3610.exe
PID 3356 wrote to memory of 4268	3356	zap8322.exe	zap3610.exe
PID 4268 wrote to memory of 432	4268	zap3610.exe	tz4086.exe
PID 4268 wrote to memory of 432	4268	zap3610.exe	tz4086.exe
PID 4268 wrote to memory of 1740	4268	zap3610.exe	v9503Yy.exe
PID 4268 wrote to memory of 1740	4268	zap3610.exe	v9503Yy.exe
PID 4268 wrote to memory of 1740	4268	zap3610.exe	v9503Yy.exe
PID 3356 wrote to memory of 4780	3356	zap8322.exe	w27gZ40.exe
PID 3356 wrote to memory of 4780	3356	zap8322.exe	w27gZ40.exe
PID 3356 wrote to memory of 4780	3356	zap8322.exe	w27gZ40.exe
PID 4984 wrote to memory of 1552	4984	zap6345.exe	xYsoz84.exe
PID 4984 wrote to memory of 1552	4984	zap6345.exe	xYsoz84.exe
PID 4984 wrote to memory of 1552	4984	zap6345.exe	xYsoz84.exe
PID 4996 wrote to memory of 1584	4996	fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe	y93Fi44.exe
PID 4996 wrote to memory of 1584	4996	fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe	y93Fi44.exe
PID 4996 wrote to memory of 1584	4996	fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe	y93Fi44.exe
PID 1584 wrote to memory of 2020	1584	y93Fi44.exe	legenda.exe
PID 1584 wrote to memory of 2020	1584	y93Fi44.exe	legenda.exe
PID 1584 wrote to memory of 2020	1584	y93Fi44.exe	legenda.exe
PID 2020 wrote to memory of 3036	2020	legenda.exe	schtasks.exe
PID 2020 wrote to memory of 3036	2020	legenda.exe	schtasks.exe
PID 2020 wrote to memory of 3036	2020	legenda.exe	schtasks.exe
PID 2020 wrote to memory of 1416	2020	legenda.exe	cmd.exe
PID 2020 wrote to memory of 1416	2020	legenda.exe	cmd.exe
PID 2020 wrote to memory of 1416	2020	legenda.exe	cmd.exe
PID 1416 wrote to memory of 1300	1416	cmd.exe	cmd.exe
PID 1416 wrote to memory of 1300	1416	cmd.exe	cmd.exe
PID 1416 wrote to memory of 1300	1416	cmd.exe	cmd.exe
PID 1416 wrote to memory of 4308	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 4308	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 4308	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 2688	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 2688	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 2688	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 2684	1416	cmd.exe	cmd.exe
PID 1416 wrote to memory of 2684	1416	cmd.exe	cmd.exe
PID 1416 wrote to memory of 2684	1416	cmd.exe	cmd.exe
PID 1416 wrote to memory of 3472	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 3472	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 3472	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 3332	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 3332	1416	cmd.exe	cacls.exe
PID 1416 wrote to memory of 3332	1416	cmd.exe	cacls.exe
PID 2020 wrote to memory of 3900	2020	legenda.exe	1millRDX.exe
PID 2020 wrote to memory of 3900	2020	legenda.exe	1millRDX.exe
PID 2020 wrote to memory of 3900	2020	legenda.exe	1millRDX.exe
PID 2020 wrote to memory of 412	2020	legenda.exe	Sprawl.exe
PID 2020 wrote to memory of 412	2020	legenda.exe	Sprawl.exe
PID 2020 wrote to memory of 412	2020	legenda.exe	Sprawl.exe
PID 412 wrote to memory of 2916	412	Sprawl.exe	Sprawl.exe
PID 412 wrote to memory of 2916	412	Sprawl.exe	Sprawl.exe
PID 412 wrote to memory of 2916	412	Sprawl.exe	Sprawl.exe
PID 412 wrote to memory of 2916	412	Sprawl.exe	Sprawl.exe
PID 412 wrote to memory of 2916	412	Sprawl.exe	Sprawl.exe
PID 412 wrote to memory of 2916	412	Sprawl.exe	Sprawl.exe
PID 412 wrote to memory of 2916	412	Sprawl.exe	Sprawl.exe
PID 412 wrote to memory of 2916	412	Sprawl.exe	Sprawl.exe

C:\Users\Admin\AppData\Local\Temp\fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe
"C:\Users\Admin\AppData\Local\Temp\fe1dcf7fdad74ff5ebd30485523d108d484794e90c29956d43b3a33d9ce34e25.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6345.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6345.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8322.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8322.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3356

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3610.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3610.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4086.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4086.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503Yy.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503Yy.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1088
6⤵
- Program crash
PID:4884

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w27gZ40.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w27gZ40.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1476
5⤵
- Program crash
PID:4956

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xYsoz84.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xYsoz84.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y93Fi44.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y93Fi44.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1300

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4308

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2684

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:3472

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\1000161001\1millRDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000161001\1millRDX.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
"C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1740 -ip 1740
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4780 -ip 4780
1⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sprawl.exe.log
Filesize
1KB

MD5
a3c82409506a33dec1856104ca55cbfd

SHA1
2e2ba4e4227590f8821002831c5410f7f45fe812

SHA256
780a0d4410f5f9798cb573bcd774561d1439987a39b1368d3c890226928cd203

SHA512
9621cfd3dab86d964a2bea6b3788fc19a895307962dcc41428741b8a86291f114df722e9017f755f63d53d09b5111e68f05aa505d9c9deae6c4378a87cdfa69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000161001\1millRDX.exe
Filesize
175KB

MD5
f197d1eb5c9a1f9e586e2438529067b6

SHA1
143d53443170406749b1a56eab31cfd532105677

SHA256
3a65f720bc48f5ea51dd7c073961f71332cf864ec6ae1e3469a1a284dfaabdd8

SHA512
d20a7f47d033257751134687f0e0da3864864e0adb6575115e827c22d5b0a5f454023607dd5b0b37f1133715e3fae20e1bd60dca8d596d9763b4def339d5f4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000161001\1millRDX.exe
Filesize
175KB

MD5
f197d1eb5c9a1f9e586e2438529067b6

SHA1
143d53443170406749b1a56eab31cfd532105677

SHA256
3a65f720bc48f5ea51dd7c073961f71332cf864ec6ae1e3469a1a284dfaabdd8

SHA512
d20a7f47d033257751134687f0e0da3864864e0adb6575115e827c22d5b0a5f454023607dd5b0b37f1133715e3fae20e1bd60dca8d596d9763b4def339d5f4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000161001\1millRDX.exe
Filesize
175KB

MD5
f197d1eb5c9a1f9e586e2438529067b6

SHA1
143d53443170406749b1a56eab31cfd532105677

SHA256
3a65f720bc48f5ea51dd7c073961f71332cf864ec6ae1e3469a1a284dfaabdd8

SHA512
d20a7f47d033257751134687f0e0da3864864e0adb6575115e827c22d5b0a5f454023607dd5b0b37f1133715e3fae20e1bd60dca8d596d9763b4def339d5f4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y93Fi44.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y93Fi44.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6345.exe
Filesize
853KB

MD5
664174b59111160f59cae97e66c5c58e

SHA1
62df982dbd0e906198cb2fcb919045ba9f938f78

SHA256
3b7f4da024d3b1a725b09c86161f54dd486cd4a55d91af5f895d9af7a17d2579

SHA512
eb20a764006640a03bf82ad53b7c3495496786f444a5e4c57143a75f2d8246a3099618ea5059d3c3e1f26a4d1679d61bfb2f1eaa9fb5c036a7d718f992c415a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6345.exe
Filesize
853KB

MD5
664174b59111160f59cae97e66c5c58e

SHA1
62df982dbd0e906198cb2fcb919045ba9f938f78

SHA256
3b7f4da024d3b1a725b09c86161f54dd486cd4a55d91af5f895d9af7a17d2579

SHA512
eb20a764006640a03bf82ad53b7c3495496786f444a5e4c57143a75f2d8246a3099618ea5059d3c3e1f26a4d1679d61bfb2f1eaa9fb5c036a7d718f992c415a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xYsoz84.exe
Filesize
175KB

MD5
b783667d0c585c46827e232ccffe3d3d

SHA1
4db4604de14d2fb90545025b4dbdbe1bfdf6d3ca

SHA256
d41b7f7d025174a4a44684a50d88f634e6e5ac54338e61043cc330ecdb1a4435

SHA512
c24d8d45253f8c7daf2cebe4c80eb0fca527791ae69832a15243ef963ddeb0ab390ffc9b94fdd1812ba1bd16a68a6d3546d217da71a2f826cf6dca43af1c547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xYsoz84.exe
Filesize
175KB

MD5
b783667d0c585c46827e232ccffe3d3d

SHA1
4db4604de14d2fb90545025b4dbdbe1bfdf6d3ca

SHA256
d41b7f7d025174a4a44684a50d88f634e6e5ac54338e61043cc330ecdb1a4435

SHA512
c24d8d45253f8c7daf2cebe4c80eb0fca527791ae69832a15243ef963ddeb0ab390ffc9b94fdd1812ba1bd16a68a6d3546d217da71a2f826cf6dca43af1c547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8322.exe
Filesize
711KB

MD5
6d629528128dc4164412c6f16eb18f32

SHA1
2bfa56464a5055b8478c48da131d41b44e2d0025

SHA256
32c400b41b97625c1fe39cb81eec5d0dae0f21cb1e8e1a7d26b20116ae4cd45e

SHA512
5cc82b5704a85f32975f90392e0205c028fe6cd06aa5a5eec83fab6c1065546ff160e10e15ed54802ddcd216c34b8426565f7fa5bccc81017866209f18fed57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8322.exe
Filesize
711KB

MD5
6d629528128dc4164412c6f16eb18f32

SHA1
2bfa56464a5055b8478c48da131d41b44e2d0025

SHA256
32c400b41b97625c1fe39cb81eec5d0dae0f21cb1e8e1a7d26b20116ae4cd45e

SHA512
5cc82b5704a85f32975f90392e0205c028fe6cd06aa5a5eec83fab6c1065546ff160e10e15ed54802ddcd216c34b8426565f7fa5bccc81017866209f18fed57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w27gZ40.exe
Filesize
383KB

MD5
6f7a5846481b5b3520ef0999a2424e8d

SHA1
5f01d3c63ed1a493ac6b93452de3bb7d585eb6c1

SHA256
172db547ab60f94c7519c2a986c96100acd3436db278186ad87426c94ca950cf

SHA512
21fdd073d5eefd6051978b64b30367009c1f976451e319f6e3835f5c3bcdb29353854186ae826147eea4d90be8483288c36483ca5b1a5083f804ba3622c9dd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w27gZ40.exe
Filesize
383KB

MD5
6f7a5846481b5b3520ef0999a2424e8d

SHA1
5f01d3c63ed1a493ac6b93452de3bb7d585eb6c1

SHA256
172db547ab60f94c7519c2a986c96100acd3436db278186ad87426c94ca950cf

SHA512
21fdd073d5eefd6051978b64b30367009c1f976451e319f6e3835f5c3bcdb29353854186ae826147eea4d90be8483288c36483ca5b1a5083f804ba3622c9dd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3610.exe
Filesize
352KB

MD5
b162b5b1a5ae2e2819e6a0e6d6ccda17

SHA1
6b2915cef44b4c8e9a79b692b286f734531dd940

SHA256
a510def381a57f186cd9fa2687dd780f1b13bf683d1648049b552fff5f5e13b4

SHA512
6fdba01b4864413ef68a7162b09db8cf67c9bd31ca3c913a96f7d6624651e66cfbcd3f20f9d6911fa6ef8a3a92fd9c1d919b434268ab979883e77f1d2e8758be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3610.exe
Filesize
352KB

MD5
b162b5b1a5ae2e2819e6a0e6d6ccda17

SHA1
6b2915cef44b4c8e9a79b692b286f734531dd940

SHA256
a510def381a57f186cd9fa2687dd780f1b13bf683d1648049b552fff5f5e13b4

SHA512
6fdba01b4864413ef68a7162b09db8cf67c9bd31ca3c913a96f7d6624651e66cfbcd3f20f9d6911fa6ef8a3a92fd9c1d919b434268ab979883e77f1d2e8758be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4086.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4086.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503Yy.exe
Filesize
324KB

MD5
26c1ed0509fb8db10b094f047a6da593

SHA1
55cba152f634d2ebc9692e56227caaec77cbec78

SHA256
e4f44360211640fe9aec5196567d2565af36c74ffe5a3bb9cee22db3bfea0b0b

SHA512
d36364cc16d7d77456b5a03bac15acbef8fb075d90a3696838f868a709eabe9d2bf52a381f969f9c31e9b549d97f63bb5614ced9c69a057cd745cca994b42fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503Yy.exe
Filesize
324KB

MD5
26c1ed0509fb8db10b094f047a6da593

SHA1
55cba152f634d2ebc9692e56227caaec77cbec78

SHA256
e4f44360211640fe9aec5196567d2565af36c74ffe5a3bb9cee22db3bfea0b0b

SHA512
d36364cc16d7d77456b5a03bac15acbef8fb075d90a3696838f868a709eabe9d2bf52a381f969f9c31e9b549d97f63bb5614ced9c69a057cd745cca994b42fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/412-1195-0x00000000004C0000-0x00000000005A6000-memory.dmp

Filesize
920KB

Download
memory/412-1196-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/432-161-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/1552-1141-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/1552-1140-0x0000000000420000-0x0000000000452000-memory.dmp

Filesize
200KB

Download
memory/1740-191-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-177-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-167-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/1740-168-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-169-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-171-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-173-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-175-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-202-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1740-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1740-199-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-180-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1740-178-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/1740-203-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1740-182-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1740-184-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1740-181-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-185-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-197-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-195-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-187-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-189-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1740-193-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2916-1201-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2916-1202-0x0000000005C00000-0x0000000005C10000-memory.dmp

Filesize
64KB

Download
memory/2916-1204-0x0000000005C00000-0x0000000005C10000-memory.dmp

Filesize
64KB

Download
memory/3900-1174-0x00000000007B0000-0x00000000007E2000-memory.dmp

Filesize
200KB

Download
memory/3900-1175-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/4780-241-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-1118-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/4780-1129-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4780-1130-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4780-1131-0x0000000008DC0000-0x0000000008F82000-memory.dmp

Filesize
1.8MB

Download
memory/4780-1132-0x0000000008FB0000-0x00000000094DC000-memory.dmp

Filesize
5.2MB

Download
memory/4780-1133-0x0000000009600000-0x0000000009676000-memory.dmp

Filesize
472KB

Download
memory/4780-1134-0x00000000096A0000-0x00000000096F0000-memory.dmp

Filesize
320KB

Download
memory/4780-210-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-209-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-208-0x0000000002C80000-0x0000000002CCB000-memory.dmp

Filesize
300KB

Download
memory/4780-1127-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4780-1126-0x0000000008B80000-0x0000000008C12000-memory.dmp

Filesize
584KB

Download
memory/4780-1125-0x0000000002C80000-0x0000000002CCB000-memory.dmp

Filesize
300KB

Download
memory/4780-1124-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/4780-1122-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4780-1121-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4780-1120-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4780-1119-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4780-1128-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4780-245-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-243-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-212-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-239-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-237-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-235-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-230-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4780-233-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-232-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4780-229-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-228-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4780-226-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-224-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-222-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-220-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-218-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-214-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4780-216-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download