amadey | 4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653

Analysis

max time kernel
143s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe
Size

1.0MB
MD5

5bec04040be18b1c880558675c487e10
SHA1

e0ed29ecae9153498d937220d56846fdb387bcdc
SHA256

4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653
SHA512

8857eb5d468ad1722ab9be5dc36bc7ad7e31830bed5c2d9e3f8705a258ea14920352eeb9f4de8cd78a8fd367ff6dbe8016a76000e422e2674b13a7982e66850d
SSDEEP

24576:syrI5O5jlqkDtUiQWq0vRwqPaS2oWGWsbf+UOT:b2EZUp6R9D2oXSUO

Score

10^/10

amadey redline boris ngan003 store discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

store

193.233.20.32:4125

Attributes

auth_value
e34e5836de4e256271ab56c648765bcd

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

ngan003

199.115.193.116:11300

Attributes

auth_value
b500a5cf0cb429e32a81c6ddcd8d4545

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v0894Nu.exetz2831.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0894Nu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0894Nu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0894Nu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0894Nu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0894Nu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0894Nu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2831.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1400-212-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-213-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-216-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-218-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-220-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-222-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-224-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-226-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-228-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-230-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-232-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-234-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-236-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-238-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-240-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-242-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-244-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline
behavioral1/memory/1400-246-0x0000000004BF0000-0x0000000004C2F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y83nn46.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y83nn46.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 12 IoCs

Processes:

zap8479.exezap3485.exezap7343.exetz2831.exev0894Nu.exew77TJ92.exexBqwU97.exey83nn46.exelegenda.exeSprawl.exeSprawl.exelegenda.exe

pid	process
2172	zap8479.exe
2940	zap3485.exe
4696	zap7343.exe
4632	tz2831.exe
1152	v0894Nu.exe
1400	w77TJ92.exe
3412	xBqwU97.exe
2820	y83nn46.exe
3212	legenda.exe
4748	Sprawl.exe
1952	Sprawl.exe
3784	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4224 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4224	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v0894Nu.exetz2831.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0894Nu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0894Nu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2831.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8479.exezap3485.exezap7343.exe4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8479.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3485.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3485.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7343.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8479.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Sprawl.exe

description pid process target process

PID 4748 set thread context of 1952 4748 Sprawl.exe Sprawl.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4084 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4800 1152 WerFault.exe v0894Nu.exe
4888 1400 WerFault.exe w77TJ92.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4808 schtasks.exe

description	pid	process	target process
PID 4748 set thread context of 1952	4748	Sprawl.exe	Sprawl.exe

pid	process
4084	sc.exe

pid	pid_target	process	target process
4800	1152	WerFault.exe	v0894Nu.exe
4888	1400	WerFault.exe	w77TJ92.exe

pid	process
4808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz2831.exev0894Nu.exew77TJ92.exexBqwU97.exeSprawl.exe

pid	process
4632	tz2831.exe
4632	tz2831.exe
1152	v0894Nu.exe
1152	v0894Nu.exe
1400	w77TJ92.exe
1400	w77TJ92.exe
3412	xBqwU97.exe
3412	xBqwU97.exe
1952	Sprawl.exe
1952	Sprawl.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz2831.exev0894Nu.exew77TJ92.exexBqwU97.exeSprawl.exe

description	pid	process
Token: SeDebugPrivilege	4632	tz2831.exe
Token: SeDebugPrivilege	1152	v0894Nu.exe
Token: SeDebugPrivilege	1400	w77TJ92.exe
Token: SeDebugPrivilege	3412	xBqwU97.exe
Token: SeDebugPrivilege	1952	Sprawl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exezap8479.exezap3485.exezap7343.exey83nn46.exelegenda.execmd.exeSprawl.exe

description	pid	process	target process
PID 1644 wrote to memory of 2172	1644	4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe	zap8479.exe
PID 1644 wrote to memory of 2172	1644	4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe	zap8479.exe
PID 1644 wrote to memory of 2172	1644	4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe	zap8479.exe
PID 2172 wrote to memory of 2940	2172	zap8479.exe	zap3485.exe
PID 2172 wrote to memory of 2940	2172	zap8479.exe	zap3485.exe
PID 2172 wrote to memory of 2940	2172	zap8479.exe	zap3485.exe
PID 2940 wrote to memory of 4696	2940	zap3485.exe	zap7343.exe
PID 2940 wrote to memory of 4696	2940	zap3485.exe	zap7343.exe
PID 2940 wrote to memory of 4696	2940	zap3485.exe	zap7343.exe
PID 4696 wrote to memory of 4632	4696	zap7343.exe	tz2831.exe
PID 4696 wrote to memory of 4632	4696	zap7343.exe	tz2831.exe
PID 4696 wrote to memory of 1152	4696	zap7343.exe	v0894Nu.exe
PID 4696 wrote to memory of 1152	4696	zap7343.exe	v0894Nu.exe
PID 4696 wrote to memory of 1152	4696	zap7343.exe	v0894Nu.exe
PID 2940 wrote to memory of 1400	2940	zap3485.exe	w77TJ92.exe
PID 2940 wrote to memory of 1400	2940	zap3485.exe	w77TJ92.exe
PID 2940 wrote to memory of 1400	2940	zap3485.exe	w77TJ92.exe
PID 2172 wrote to memory of 3412	2172	zap8479.exe	xBqwU97.exe
PID 2172 wrote to memory of 3412	2172	zap8479.exe	xBqwU97.exe
PID 2172 wrote to memory of 3412	2172	zap8479.exe	xBqwU97.exe
PID 1644 wrote to memory of 2820	1644	4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe	y83nn46.exe
PID 1644 wrote to memory of 2820	1644	4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe	y83nn46.exe
PID 1644 wrote to memory of 2820	1644	4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe	y83nn46.exe
PID 2820 wrote to memory of 3212	2820	y83nn46.exe	legenda.exe
PID 2820 wrote to memory of 3212	2820	y83nn46.exe	legenda.exe
PID 2820 wrote to memory of 3212	2820	y83nn46.exe	legenda.exe
PID 3212 wrote to memory of 4808	3212	legenda.exe	schtasks.exe
PID 3212 wrote to memory of 4808	3212	legenda.exe	schtasks.exe
PID 3212 wrote to memory of 4808	3212	legenda.exe	schtasks.exe
PID 3212 wrote to memory of 4896	3212	legenda.exe	cmd.exe
PID 3212 wrote to memory of 4896	3212	legenda.exe	cmd.exe
PID 3212 wrote to memory of 4896	3212	legenda.exe	cmd.exe
PID 4896 wrote to memory of 1932	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 1932	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 1932	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 3028	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 3028	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 3028	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 844	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 844	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 844	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 4716	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 4716	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 4716	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 3752	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 3752	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 3752	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 380	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 380	4896	cmd.exe	cacls.exe
PID 4896 wrote to memory of 380	4896	cmd.exe	cacls.exe
PID 3212 wrote to memory of 4748	3212	legenda.exe	Sprawl.exe
PID 3212 wrote to memory of 4748	3212	legenda.exe	Sprawl.exe
PID 3212 wrote to memory of 4748	3212	legenda.exe	Sprawl.exe
PID 4748 wrote to memory of 1952	4748	Sprawl.exe	Sprawl.exe
PID 4748 wrote to memory of 1952	4748	Sprawl.exe	Sprawl.exe
PID 4748 wrote to memory of 1952	4748	Sprawl.exe	Sprawl.exe
PID 4748 wrote to memory of 1952	4748	Sprawl.exe	Sprawl.exe
PID 4748 wrote to memory of 1952	4748	Sprawl.exe	Sprawl.exe
PID 4748 wrote to memory of 1952	4748	Sprawl.exe	Sprawl.exe
PID 4748 wrote to memory of 1952	4748	Sprawl.exe	Sprawl.exe
PID 4748 wrote to memory of 1952	4748	Sprawl.exe	Sprawl.exe
PID 3212 wrote to memory of 4224	3212	legenda.exe	rundll32.exe
PID 3212 wrote to memory of 4224	3212	legenda.exe	rundll32.exe
PID 3212 wrote to memory of 4224	3212	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe
"C:\Users\Admin\AppData\Local\Temp\4940c7970eb8d9689fc93c6e6aa16b860a9f01e7275d8ff93b3df97004cb9653.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8479.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8479.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3485.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3485.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7343.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7343.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2831.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2831.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0894Nu.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0894Nu.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1080
6⤵
- Program crash
PID:4800

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w77TJ92.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w77TJ92.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1332
5⤵
- Program crash
PID:4888

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xBqwU97.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xBqwU97.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y83nn46.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y83nn46.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1932

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3028

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4716

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:3752

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
"C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1152 -ip 1152
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1400 -ip 1400
1⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3784

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sprawl.exe.log
Filesize
1KB

MD5
a3c82409506a33dec1856104ca55cbfd

SHA1
2e2ba4e4227590f8821002831c5410f7f45fe812

SHA256
780a0d4410f5f9798cb573bcd774561d1439987a39b1368d3c890226928cd203

SHA512
9621cfd3dab86d964a2bea6b3788fc19a895307962dcc41428741b8a86291f114df722e9017f755f63d53d09b5111e68f05aa505d9c9deae6c4378a87cdfa69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y83nn46.exe
Filesize
235KB

MD5
1a27a1334fcd005735dd931771480d03

SHA1
c2917f76ddbb71273e63fa6cec1c43aa8ccba7d1

SHA256
c26e7d045c6c30600ad80dc366d06aa98e4e2cb769850750fe7fc340f7bd6ae7

SHA512
c98d9360e3395cf0f724d6ec2a6e2ce899fec87098447c6589b3402739134ebf5d138174562c68a5ab48d4b0687dd96ee4f34686b87fe7ca0193cc6ee088911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y83nn46.exe
Filesize
235KB

MD5
1a27a1334fcd005735dd931771480d03

SHA1
c2917f76ddbb71273e63fa6cec1c43aa8ccba7d1

SHA256
c26e7d045c6c30600ad80dc366d06aa98e4e2cb769850750fe7fc340f7bd6ae7

SHA512
c98d9360e3395cf0f724d6ec2a6e2ce899fec87098447c6589b3402739134ebf5d138174562c68a5ab48d4b0687dd96ee4f34686b87fe7ca0193cc6ee088911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8479.exe
Filesize
855KB

MD5
473f66e9e82f178818cb3ed4c8f509bc

SHA1
5d2a7dbd6728657fa3d5d95fef3cdd8224cd56e7

SHA256
c09c65496b3be4ee485ce68984e231892f2bcf1354ce2e2f1ac2a68b71292b4e

SHA512
bc13fa54a6cf72d9b5c407e30bd23fa35c853579961b3b599a1232b87e08ce937b99add8e62cad0b8f6050f0b1e3cc443996fea05685e3a44b2f49e0bf83e109

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8479.exe
Filesize
855KB

MD5
473f66e9e82f178818cb3ed4c8f509bc

SHA1
5d2a7dbd6728657fa3d5d95fef3cdd8224cd56e7

SHA256
c09c65496b3be4ee485ce68984e231892f2bcf1354ce2e2f1ac2a68b71292b4e

SHA512
bc13fa54a6cf72d9b5c407e30bd23fa35c853579961b3b599a1232b87e08ce937b99add8e62cad0b8f6050f0b1e3cc443996fea05685e3a44b2f49e0bf83e109

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xBqwU97.exe
Filesize
175KB

MD5
1b0fbe7babd514615de67a8d143c1bc0

SHA1
29eaffff3c6caadac09060efeaf950b99671cbb3

SHA256
69ff605a9079972e70aebf288e1a8eba8428fedb3a461e4aa4dc3ff0bfd8705d

SHA512
394d4bd1035c646d6b712c97cf43087ad3b33e86204f54233ebe871ec65302459fc2b3d0afe4201051cb6e9a457dd6ab8cf22ac05316af70e0895c56a9a571a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xBqwU97.exe
Filesize
175KB

MD5
1b0fbe7babd514615de67a8d143c1bc0

SHA1
29eaffff3c6caadac09060efeaf950b99671cbb3

SHA256
69ff605a9079972e70aebf288e1a8eba8428fedb3a461e4aa4dc3ff0bfd8705d

SHA512
394d4bd1035c646d6b712c97cf43087ad3b33e86204f54233ebe871ec65302459fc2b3d0afe4201051cb6e9a457dd6ab8cf22ac05316af70e0895c56a9a571a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3485.exe
Filesize
713KB

MD5
4180ef30eb27c93a372b9e6a9be38d39

SHA1
63d5a9d0044f659e5de5c6685241a657d9c7cdac

SHA256
2356a823459a84f6a28b26eb8a410d6658d07a1f08dbe767b801e8fa974bc600

SHA512
cea453facc2aa2b731e0d7da73c332af0607bf513a23cc35a1c34a41fb0ec906ce3b7bce3195fd36bcff29dfbafb705efafed972eed7f48e6202fbed4223693e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3485.exe
Filesize
713KB

MD5
4180ef30eb27c93a372b9e6a9be38d39

SHA1
63d5a9d0044f659e5de5c6685241a657d9c7cdac

SHA256
2356a823459a84f6a28b26eb8a410d6658d07a1f08dbe767b801e8fa974bc600

SHA512
cea453facc2aa2b731e0d7da73c332af0607bf513a23cc35a1c34a41fb0ec906ce3b7bce3195fd36bcff29dfbafb705efafed972eed7f48e6202fbed4223693e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w77TJ92.exe
Filesize
383KB

MD5
55351cec4fe4e041a5d268bc00903818

SHA1
e79633e3499d2acc926d236f9af73b63c0edfa2a

SHA256
839cf1a6596040b3c3f7017bedcc83ddced5011717e20bb8c9790b440c551d1d

SHA512
3699b93b634f24b073d4604d1bc8a972b9e5e1c438f7faa0d911b45eab2ac44744ab5457c87779149b0db70ac86f16af4222736dac9d3db2ab8544c27df13dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w77TJ92.exe
Filesize
383KB

MD5
55351cec4fe4e041a5d268bc00903818

SHA1
e79633e3499d2acc926d236f9af73b63c0edfa2a

SHA256
839cf1a6596040b3c3f7017bedcc83ddced5011717e20bb8c9790b440c551d1d

SHA512
3699b93b634f24b073d4604d1bc8a972b9e5e1c438f7faa0d911b45eab2ac44744ab5457c87779149b0db70ac86f16af4222736dac9d3db2ab8544c27df13dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7343.exe
Filesize
353KB

MD5
6842768b6bbfb58225ace853f2b18b1b

SHA1
7596c8f72e5a860a28f66156923117413db46604

SHA256
2537d6c1a379a4098db6973c676e377b2a4a759a365b5c2b1384dc22ff7806ce

SHA512
5538bd7d203f160c6b830cc49f01ae0349037fb0a253d80373192d42424815602f6e88d34b28c5d1d6f0640b9d5e06f093aed264f31832afd3c4de3704898911

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7343.exe
Filesize
353KB

MD5
6842768b6bbfb58225ace853f2b18b1b

SHA1
7596c8f72e5a860a28f66156923117413db46604

SHA256
2537d6c1a379a4098db6973c676e377b2a4a759a365b5c2b1384dc22ff7806ce

SHA512
5538bd7d203f160c6b830cc49f01ae0349037fb0a253d80373192d42424815602f6e88d34b28c5d1d6f0640b9d5e06f093aed264f31832afd3c4de3704898911

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2831.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2831.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0894Nu.exe
Filesize
325KB

MD5
6a457d853cb6d3fe9ffe12192727aed2

SHA1
be16a2880966003be75fa60a92a9a214bbd3f950

SHA256
bf92f81cb78f4c660139ed34b946718101625759837e8288f8be33ba9887d6ed

SHA512
e73500ee1e85f60a350cd97e9e9eb3eb14fa58ebffc831ceef94106c1c9073efd77579e3390e6abdff0da6f67b5689fdfbf9fa2a6a56c6bcf80ce4aa2f5c9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0894Nu.exe
Filesize
325KB

MD5
6a457d853cb6d3fe9ffe12192727aed2

SHA1
be16a2880966003be75fa60a92a9a214bbd3f950

SHA256
bf92f81cb78f4c660139ed34b946718101625759837e8288f8be33ba9887d6ed

SHA512
e73500ee1e85f60a350cd97e9e9eb3eb14fa58ebffc831ceef94106c1c9073efd77579e3390e6abdff0da6f67b5689fdfbf9fa2a6a56c6bcf80ce4aa2f5c9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1a27a1334fcd005735dd931771480d03

SHA1
c2917f76ddbb71273e63fa6cec1c43aa8ccba7d1

SHA256
c26e7d045c6c30600ad80dc366d06aa98e4e2cb769850750fe7fc340f7bd6ae7

SHA512
c98d9360e3395cf0f724d6ec2a6e2ce899fec87098447c6589b3402739134ebf5d138174562c68a5ab48d4b0687dd96ee4f34686b87fe7ca0193cc6ee088911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1a27a1334fcd005735dd931771480d03

SHA1
c2917f76ddbb71273e63fa6cec1c43aa8ccba7d1

SHA256
c26e7d045c6c30600ad80dc366d06aa98e4e2cb769850750fe7fc340f7bd6ae7

SHA512
c98d9360e3395cf0f724d6ec2a6e2ce899fec87098447c6589b3402739134ebf5d138174562c68a5ab48d4b0687dd96ee4f34686b87fe7ca0193cc6ee088911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1a27a1334fcd005735dd931771480d03

SHA1
c2917f76ddbb71273e63fa6cec1c43aa8ccba7d1

SHA256
c26e7d045c6c30600ad80dc366d06aa98e4e2cb769850750fe7fc340f7bd6ae7

SHA512
c98d9360e3395cf0f724d6ec2a6e2ce899fec87098447c6589b3402739134ebf5d138174562c68a5ab48d4b0687dd96ee4f34686b87fe7ca0193cc6ee088911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1a27a1334fcd005735dd931771480d03

SHA1
c2917f76ddbb71273e63fa6cec1c43aa8ccba7d1

SHA256
c26e7d045c6c30600ad80dc366d06aa98e4e2cb769850750fe7fc340f7bd6ae7

SHA512
c98d9360e3395cf0f724d6ec2a6e2ce899fec87098447c6589b3402739134ebf5d138174562c68a5ab48d4b0687dd96ee4f34686b87fe7ca0193cc6ee088911a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1152-168-0x0000000007230000-0x00000000077D4000-memory.dmp

Filesize
5.6MB

Download
memory/1152-198-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1152-199-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1152-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1152-202-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1152-203-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1152-204-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1152-197-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1152-196-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-194-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-192-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-190-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-188-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-186-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-184-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-182-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-180-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-178-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-176-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-174-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-170-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-172-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-169-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1152-167-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/1400-228-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-1134-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1400-242-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-244-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-246-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-1119-0x0000000007850000-0x0000000007E68000-memory.dmp

Filesize
6.1MB

Download
memory/1400-1120-0x0000000007E70000-0x0000000007F7A000-memory.dmp

Filesize
1.0MB

Download
memory/1400-1121-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/1400-1122-0x0000000007FA0000-0x0000000007FDC000-memory.dmp

Filesize
240KB

Download
memory/1400-1123-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1400-1125-0x0000000008280000-0x00000000082E6000-memory.dmp

Filesize
408KB

Download
memory/1400-1126-0x0000000008950000-0x00000000089E2000-memory.dmp

Filesize
584KB

Download
memory/1400-1127-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1400-1128-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1400-1129-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1400-1130-0x0000000008B40000-0x0000000008D02000-memory.dmp

Filesize
1.8MB

Download
memory/1400-1131-0x0000000008D20000-0x000000000924C000-memory.dmp

Filesize
5.2MB

Download
memory/1400-1132-0x00000000095A0000-0x0000000009616000-memory.dmp

Filesize
472KB

Download
memory/1400-1133-0x0000000009620000-0x0000000009670000-memory.dmp

Filesize
320KB

Download
memory/1400-214-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1400-238-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-236-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-209-0x0000000002C70000-0x0000000002CBB000-memory.dmp

Filesize
300KB

Download
memory/1400-240-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-234-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-232-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-230-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-226-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-224-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-222-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-220-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-218-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-210-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1400-211-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1400-212-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-216-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1400-213-0x0000000004BF0000-0x0000000004C2F000-memory.dmp

Filesize
252KB

Download
memory/1952-1180-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1952-1181-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/1952-1182-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/3412-1141-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/3412-1140-0x0000000000530000-0x0000000000562000-memory.dmp

Filesize
200KB

Download
memory/4632-161-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/4748-1175-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/4748-1174-0x0000000000340000-0x0000000000426000-memory.dmp

Filesize
920KB

Download