amadey | 986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921

Analysis

max time kernel
126s
max time network
126s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25-03-2023 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe
Size

1.0MB
MD5

b3126c7a4375ba77b0bc0e2983131388
SHA1

d6dd669d6a6299b4b9c3fd7aa3c50ff782172fcb
SHA256

986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921
SHA512

538f13a8ff24705dc9e3baee95a46c648003840ec18097890777309a508a950cf3785f890d5c1930c30a3219685309ff3e7e0c6c7fa4ded9fde5be3c0bf02ff6
SSDEEP

24576:fybCaxyyP7VaLoNAxIZz8FgcTpWrYESFUzkZR:qbvxhHNy2IFgc1clSWAZ

Score

10^/10

amadey redline boris ngan003 store discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

store

193.233.20.32:4125

Attributes

auth_value
e34e5836de4e256271ab56c648765bcd

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

ngan003

199.115.193.116:11300

Attributes

auth_value
b500a5cf0cb429e32a81c6ddcd8d4545

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz0113.exev4115hf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz0113.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz0113.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4115hf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4115hf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4115hf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz0113.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz0113.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4115hf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4115hf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz0113.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2856-199-0x00000000070E0000-0x0000000007126000-memory.dmp	family_redline
behavioral1/memory/2856-201-0x0000000007680000-0x00000000076C4000-memory.dmp	family_redline
behavioral1/memory/2856-205-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-206-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-208-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-210-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-212-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-214-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-216-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-218-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-220-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-222-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-224-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-226-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-228-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-230-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-232-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-234-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-236-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline
behavioral1/memory/2856-238-0x0000000007680000-0x00000000076BF000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

zap2538.exezap3007.exezap8365.exetz0113.exev4115hf.exew67GB09.exexTEAb51.exey23eu91.exelegenda.exeSprawl.exeSprawl.exelegenda.exelegenda.exe

pid	process
2584	zap2538.exe
4132	zap3007.exe
4492	zap8365.exe
4848	tz0113.exe
1864	v4115hf.exe
2856	w67GB09.exe
3956	xTEAb51.exe
4640	y23eu91.exe
4344	legenda.exe
4900	Sprawl.exe
664	Sprawl.exe
5048	legenda.exe
1532	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1688 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1688	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz0113.exev4115hf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz0113.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4115hf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4115hf.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8365.exe986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exezap2538.exezap3007.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8365.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8365.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2538.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3007.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Sprawl.exe

description pid process target process

PID 4900 set thread context of 664 4900 Sprawl.exe Sprawl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1488 schtasks.exe

description	pid	process	target process
PID 4900 set thread context of 664	4900	Sprawl.exe	Sprawl.exe

pid	process
1488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz0113.exev4115hf.exew67GB09.exexTEAb51.exeSprawl.exe

pid	process
4848	tz0113.exe
4848	tz0113.exe
1864	v4115hf.exe
1864	v4115hf.exe
2856	w67GB09.exe
2856	w67GB09.exe
3956	xTEAb51.exe
3956	xTEAb51.exe
664	Sprawl.exe
664	Sprawl.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz0113.exev4115hf.exew67GB09.exexTEAb51.exeSprawl.exe

description	pid	process
Token: SeDebugPrivilege	4848	tz0113.exe
Token: SeDebugPrivilege	1864	v4115hf.exe
Token: SeDebugPrivilege	2856	w67GB09.exe
Token: SeDebugPrivilege	3956	xTEAb51.exe
Token: SeDebugPrivilege	664	Sprawl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exezap2538.exezap3007.exezap8365.exey23eu91.exelegenda.execmd.exeSprawl.exe

description	pid	process	target process
PID 3608 wrote to memory of 2584	3608	986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe	zap2538.exe
PID 3608 wrote to memory of 2584	3608	986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe	zap2538.exe
PID 3608 wrote to memory of 2584	3608	986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe	zap2538.exe
PID 2584 wrote to memory of 4132	2584	zap2538.exe	zap3007.exe
PID 2584 wrote to memory of 4132	2584	zap2538.exe	zap3007.exe
PID 2584 wrote to memory of 4132	2584	zap2538.exe	zap3007.exe
PID 4132 wrote to memory of 4492	4132	zap3007.exe	zap8365.exe
PID 4132 wrote to memory of 4492	4132	zap3007.exe	zap8365.exe
PID 4132 wrote to memory of 4492	4132	zap3007.exe	zap8365.exe
PID 4492 wrote to memory of 4848	4492	zap8365.exe	tz0113.exe
PID 4492 wrote to memory of 4848	4492	zap8365.exe	tz0113.exe
PID 4492 wrote to memory of 1864	4492	zap8365.exe	v4115hf.exe
PID 4492 wrote to memory of 1864	4492	zap8365.exe	v4115hf.exe
PID 4492 wrote to memory of 1864	4492	zap8365.exe	v4115hf.exe
PID 4132 wrote to memory of 2856	4132	zap3007.exe	w67GB09.exe
PID 4132 wrote to memory of 2856	4132	zap3007.exe	w67GB09.exe
PID 4132 wrote to memory of 2856	4132	zap3007.exe	w67GB09.exe
PID 2584 wrote to memory of 3956	2584	zap2538.exe	xTEAb51.exe
PID 2584 wrote to memory of 3956	2584	zap2538.exe	xTEAb51.exe
PID 2584 wrote to memory of 3956	2584	zap2538.exe	xTEAb51.exe
PID 3608 wrote to memory of 4640	3608	986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe	y23eu91.exe
PID 3608 wrote to memory of 4640	3608	986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe	y23eu91.exe
PID 3608 wrote to memory of 4640	3608	986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe	y23eu91.exe
PID 4640 wrote to memory of 4344	4640	y23eu91.exe	legenda.exe
PID 4640 wrote to memory of 4344	4640	y23eu91.exe	legenda.exe
PID 4640 wrote to memory of 4344	4640	y23eu91.exe	legenda.exe
PID 4344 wrote to memory of 1488	4344	legenda.exe	schtasks.exe
PID 4344 wrote to memory of 1488	4344	legenda.exe	schtasks.exe
PID 4344 wrote to memory of 1488	4344	legenda.exe	schtasks.exe
PID 4344 wrote to memory of 704	4344	legenda.exe	cmd.exe
PID 4344 wrote to memory of 704	4344	legenda.exe	cmd.exe
PID 4344 wrote to memory of 704	4344	legenda.exe	cmd.exe
PID 704 wrote to memory of 4956	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 4956	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 4956	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 1712	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 1712	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 1712	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 2652	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 2652	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 2652	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 3212	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 3212	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 3212	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 2648	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 2648	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 2648	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 4936	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 4936	704	cmd.exe	cacls.exe
PID 704 wrote to memory of 4936	704	cmd.exe	cacls.exe
PID 4344 wrote to memory of 4900	4344	legenda.exe	Sprawl.exe
PID 4344 wrote to memory of 4900	4344	legenda.exe	Sprawl.exe
PID 4344 wrote to memory of 4900	4344	legenda.exe	Sprawl.exe
PID 4900 wrote to memory of 664	4900	Sprawl.exe	Sprawl.exe
PID 4900 wrote to memory of 664	4900	Sprawl.exe	Sprawl.exe
PID 4900 wrote to memory of 664	4900	Sprawl.exe	Sprawl.exe
PID 4900 wrote to memory of 664	4900	Sprawl.exe	Sprawl.exe
PID 4900 wrote to memory of 664	4900	Sprawl.exe	Sprawl.exe
PID 4900 wrote to memory of 664	4900	Sprawl.exe	Sprawl.exe
PID 4900 wrote to memory of 664	4900	Sprawl.exe	Sprawl.exe
PID 4900 wrote to memory of 664	4900	Sprawl.exe	Sprawl.exe
PID 4344 wrote to memory of 1688	4344	legenda.exe	rundll32.exe
PID 4344 wrote to memory of 1688	4344	legenda.exe	rundll32.exe
PID 4344 wrote to memory of 1688	4344	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe
"C:\Users\Admin\AppData\Local\Temp\986c92b3624b6db1be57e933674ac44e1b127816c768ef6d41c79a227108d921.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3608

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2538.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2538.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3007.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3007.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4132

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8365.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8365.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4492

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0113.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0113.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4115hf.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4115hf.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w67GB09.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w67GB09.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xTEAb51.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xTEAb51.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y23eu91.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y23eu91.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4956

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1712

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3212

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:2648

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
"C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1688

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sprawl.exe.log
Filesize
1KB

MD5
8268d0ebb3b023f56d9a27f3933f124f

SHA1
def43e831ca0fcbc1df8a1e11a41fe3ea1734f3b

SHA256
2fdfee92c5ce81220a0b66cf0ec1411c923d48ae89232406c237e1bc5204392d

SHA512
c61c2f8df84e4bbcb6f871befd4dde44188cf106c4af91a56b33a45692b83d1c52a953477f14f4239726b66ecab66842e910c2996631137355a4aba4ea793c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y23eu91.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y23eu91.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2538.exe
Filesize
853KB

MD5
c4773d7cfdaae3a98585cbeca4c24501

SHA1
c28b26872dc21a48251e579923ae9573e4a3f986

SHA256
7b8c60d9642a3c60e58d72704a49bb84a8d8e2a3423ca410d2c3d037552fec1d

SHA512
8ce39cd177d287e2295ec8012ac047eb2d8aa5fee495ea3c3d2485834a8713fc6e1aa54125b33b7f34c084953d1fc7483c2d873e8fbaba267aa940362ce17362

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2538.exe
Filesize
853KB

MD5
c4773d7cfdaae3a98585cbeca4c24501

SHA1
c28b26872dc21a48251e579923ae9573e4a3f986

SHA256
7b8c60d9642a3c60e58d72704a49bb84a8d8e2a3423ca410d2c3d037552fec1d

SHA512
8ce39cd177d287e2295ec8012ac047eb2d8aa5fee495ea3c3d2485834a8713fc6e1aa54125b33b7f34c084953d1fc7483c2d873e8fbaba267aa940362ce17362

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xTEAb51.exe
Filesize
175KB

MD5
b783667d0c585c46827e232ccffe3d3d

SHA1
4db4604de14d2fb90545025b4dbdbe1bfdf6d3ca

SHA256
d41b7f7d025174a4a44684a50d88f634e6e5ac54338e61043cc330ecdb1a4435

SHA512
c24d8d45253f8c7daf2cebe4c80eb0fca527791ae69832a15243ef963ddeb0ab390ffc9b94fdd1812ba1bd16a68a6d3546d217da71a2f826cf6dca43af1c547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xTEAb51.exe
Filesize
175KB

MD5
b783667d0c585c46827e232ccffe3d3d

SHA1
4db4604de14d2fb90545025b4dbdbe1bfdf6d3ca

SHA256
d41b7f7d025174a4a44684a50d88f634e6e5ac54338e61043cc330ecdb1a4435

SHA512
c24d8d45253f8c7daf2cebe4c80eb0fca527791ae69832a15243ef963ddeb0ab390ffc9b94fdd1812ba1bd16a68a6d3546d217da71a2f826cf6dca43af1c547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3007.exe
Filesize
711KB

MD5
33bb91f2095fb3d2526cb33675f73916

SHA1
da826511a6abac469fcef0c78f96968aed8f1294

SHA256
85868c475b44504ae63b6e336efa8f1b50d9ee5146fb0ed9e779f95862d7fa63

SHA512
158236f65cb24d8583ad264448ec83245271079f81e122b12cb38bc804c76f4f03d1ba5b206cfbe8422c559ce475be0967d66518f000e9d57983ace1d9282c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3007.exe
Filesize
711KB

MD5
33bb91f2095fb3d2526cb33675f73916

SHA1
da826511a6abac469fcef0c78f96968aed8f1294

SHA256
85868c475b44504ae63b6e336efa8f1b50d9ee5146fb0ed9e779f95862d7fa63

SHA512
158236f65cb24d8583ad264448ec83245271079f81e122b12cb38bc804c76f4f03d1ba5b206cfbe8422c559ce475be0967d66518f000e9d57983ace1d9282c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w67GB09.exe
Filesize
383KB

MD5
5dbd297ac3f6e042cc85f19b4a161561

SHA1
185195163d1e352471b3b51931977935febad3ad

SHA256
2afcb123ae20d27a9592aecf7e44a8bcbcc5cd1307b3c132a77608dd35262ae2

SHA512
251d1d8281b5f876e1f89bc956ff9af11eb6ed985422d1afc1d35ba513fa283bb7dcb9caeda270fe84ff529f21781368aa785631726e9aff1d3666d59e0257b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w67GB09.exe
Filesize
383KB

MD5
5dbd297ac3f6e042cc85f19b4a161561

SHA1
185195163d1e352471b3b51931977935febad3ad

SHA256
2afcb123ae20d27a9592aecf7e44a8bcbcc5cd1307b3c132a77608dd35262ae2

SHA512
251d1d8281b5f876e1f89bc956ff9af11eb6ed985422d1afc1d35ba513fa283bb7dcb9caeda270fe84ff529f21781368aa785631726e9aff1d3666d59e0257b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8365.exe
Filesize
352KB

MD5
e9e22357c95e791ecb69a1290c6afeb0

SHA1
194f06fd42b79362a9b64e17d58ca013a6c7574f

SHA256
d40f362702b624184a8d7e7d45e45c1e88ba5d03a9b6d0b9e6419494ea6b45bf

SHA512
c3db77f12d5fefd437f7ffa8ec2aeca5247a051073a0e91a96dea800837a30b0d0868ad01e365786ac8401b89883dcde933e1d1e19d1acf0c8083e50c6b6a534

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8365.exe
Filesize
352KB

MD5
e9e22357c95e791ecb69a1290c6afeb0

SHA1
194f06fd42b79362a9b64e17d58ca013a6c7574f

SHA256
d40f362702b624184a8d7e7d45e45c1e88ba5d03a9b6d0b9e6419494ea6b45bf

SHA512
c3db77f12d5fefd437f7ffa8ec2aeca5247a051073a0e91a96dea800837a30b0d0868ad01e365786ac8401b89883dcde933e1d1e19d1acf0c8083e50c6b6a534

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0113.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0113.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4115hf.exe
Filesize
324KB

MD5
4fe3f4ed2dab1a768954e417ca1bab6e

SHA1
65547c873d77c0a00c90e6f5aa7dabbee98ab0d9

SHA256
f324dbd46f2eb91570b5e270340552724ebf66b73dc36640d5331b68f541c661

SHA512
8aab66c580fc61a56a97a0fc147a88a825b1e58dbcc9220318c2337a38d17eb99dd61093b36c8bc6653c19e013096e7bd9018f8192e5a7466d3b87940fe19b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4115hf.exe
Filesize
324KB

MD5
4fe3f4ed2dab1a768954e417ca1bab6e

SHA1
65547c873d77c0a00c90e6f5aa7dabbee98ab0d9

SHA256
f324dbd46f2eb91570b5e270340552724ebf66b73dc36640d5331b68f541c661

SHA512
8aab66c580fc61a56a97a0fc147a88a825b1e58dbcc9220318c2337a38d17eb99dd61093b36c8bc6653c19e013096e7bd9018f8192e5a7466d3b87940fe19b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/664-1166-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/664-1167-0x0000000002C10000-0x0000000002C5B000-memory.dmp

Filesize
300KB

Download
memory/664-1168-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/664-1170-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1864-181-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-188-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/1864-194-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/1864-192-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1864-191-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/1864-189-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1864-154-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/1864-155-0x0000000002DB0000-0x0000000002DCA000-memory.dmp

Filesize
104KB

Download
memory/1864-156-0x0000000007200000-0x00000000076FE000-memory.dmp

Filesize
5.0MB

Download
memory/1864-157-0x0000000004930000-0x0000000004948000-memory.dmp

Filesize
96KB

Download
memory/1864-158-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-159-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-161-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-163-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-165-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-167-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-169-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-171-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-173-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-193-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/1864-175-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-177-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-179-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-183-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-185-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/1864-186-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/1864-187-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/2856-218-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-234-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-238-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-1111-0x0000000007E10000-0x0000000008416000-memory.dmp

Filesize
6.0MB

Download
memory/2856-1112-0x0000000007860000-0x000000000796A000-memory.dmp

Filesize
1.0MB

Download
memory/2856-1113-0x00000000079A0000-0x00000000079B2000-memory.dmp

Filesize
72KB

Download
memory/2856-1114-0x00000000079C0000-0x00000000079FE000-memory.dmp

Filesize
248KB

Download
memory/2856-1115-0x0000000007B10000-0x0000000007B5B000-memory.dmp

Filesize
300KB

Download
memory/2856-1116-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2856-1118-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2856-1119-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2856-1120-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2856-1121-0x0000000007CA0000-0x0000000007D06000-memory.dmp

Filesize
408KB

Download
memory/2856-1122-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/2856-1123-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/2856-1124-0x0000000008AB0000-0x0000000008B00000-memory.dmp

Filesize
320KB

Download
memory/2856-1125-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2856-1126-0x0000000009EA0000-0x000000000A062000-memory.dmp

Filesize
1.8MB

Download
memory/2856-1127-0x000000000A070000-0x000000000A59C000-memory.dmp

Filesize
5.2MB

Download
memory/2856-202-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2856-232-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-199-0x00000000070E0000-0x0000000007126000-memory.dmp

Filesize
280KB

Download
memory/2856-200-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/2856-236-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-230-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-228-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-226-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-224-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-222-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-220-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-216-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-214-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-201-0x0000000007680000-0x00000000076C4000-memory.dmp

Filesize
272KB

Download
memory/2856-204-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2856-203-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2856-212-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-210-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-208-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-206-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/2856-205-0x0000000007680000-0x00000000076BF000-memory.dmp

Filesize
252KB

Download
memory/3956-1135-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3956-1134-0x0000000004CF0000-0x0000000004D3B000-memory.dmp

Filesize
300KB

Download
memory/3956-1133-0x00000000002B0000-0x00000000002E2000-memory.dmp

Filesize
200KB

Download
memory/4848-148-0x0000000000640000-0x000000000064A000-memory.dmp

Filesize
40KB

Download
memory/4900-1161-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/4900-1160-0x0000000005390000-0x00000000056E0000-memory.dmp

Filesize
3.3MB

Download
memory/4900-1159-0x0000000000970000-0x0000000000A56000-memory.dmp

Filesize
920KB

Download