amadey | bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338

Analysis

max time kernel
144s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe
Size

1.0MB
MD5

235e0a32ca4682f650b6b5e2e675fb86
SHA1

30789088f4ddde9d2815b8e0173749fe70e584c6
SHA256

bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338
SHA512

abb8c2e4d300e4fa0a9177917d39fe673f0df23bd8ebe7bbe1e25d1eebf897e5ca62d3cb1e4f030b6ca56ecdce2c294353431491d4a37c9b087fb3479ef9a241
SSDEEP

24576:Ryd/kiKt9PIbh5SRCwe+LwfIWWGBKl81I:Ed/kiKHPI15SUXgwfIWWGwl81

Score

10^/10

amadey aurora redline fort sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

fort

193.233.20.33:4125

Attributes

auth_value
5ea5673154a804d8c80f565f7276f720

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

66.42.108.195:40499

Attributes

auth_value
f93019ca42e7f9440be3a7ee1ebc636d

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz7785.exev5611Lu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7785.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5611Lu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5611Lu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5611Lu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5611Lu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5611Lu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5611Lu.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3348-209-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-210-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-212-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-214-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-216-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-218-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-220-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-222-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-224-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-226-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-228-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-230-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-232-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-234-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-238-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-241-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-244-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline
behavioral1/memory/3348-246-0x0000000007270000-0x00000000072AE000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y24lD91.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	y24lD91.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 13 IoCs

Processes:

zap3299.exezap7299.exezap1084.exetz7785.exev5611Lu.exew76Jb45.exexdHPf26.exey24lD91.exelegenda.exe123ds.exe2023.exelegenda.exelegenda.exe

pid	process
4772	zap3299.exe
4436	zap7299.exe
2756	zap1084.exe
1572	tz7785.exe
2240	v5611Lu.exe
3348	w76Jb45.exe
4176	xdHPf26.exe
3080	y24lD91.exe
2412	legenda.exe
1008	123ds.exe
4636	2023.exe
1932	legenda.exe
1028	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4628 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4628	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz7785.exev5611Lu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7785.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5611Lu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5611Lu.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap7299.exezap1084.exebdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exezap3299.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7299.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1084.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3299.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap3299.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7299.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3776 schtasks.exe

pid	process
3776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz7785.exev5611Lu.exew76Jb45.exexdHPf26.exe123ds.exe

pid	process
1572	tz7785.exe
1572	tz7785.exe
2240	v5611Lu.exe
2240	v5611Lu.exe
3348	w76Jb45.exe
3348	w76Jb45.exe
4176	xdHPf26.exe
4176	xdHPf26.exe
1008	123ds.exe
1008	123ds.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz7785.exev5611Lu.exew76Jb45.exexdHPf26.exe123ds.exe

description	pid	process
Token: SeDebugPrivilege	1572	tz7785.exe
Token: SeDebugPrivilege	2240	v5611Lu.exe
Token: SeDebugPrivilege	3348	w76Jb45.exe
Token: SeDebugPrivilege	4176	xdHPf26.exe
Token: SeDebugPrivilege	1008	123ds.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exezap3299.exezap7299.exezap1084.exey24lD91.exelegenda.execmd.exe

description	pid	process	target process
PID 632 wrote to memory of 4772	632	bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe	zap3299.exe
PID 632 wrote to memory of 4772	632	bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe	zap3299.exe
PID 632 wrote to memory of 4772	632	bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe	zap3299.exe
PID 4772 wrote to memory of 4436	4772	zap3299.exe	zap7299.exe
PID 4772 wrote to memory of 4436	4772	zap3299.exe	zap7299.exe
PID 4772 wrote to memory of 4436	4772	zap3299.exe	zap7299.exe
PID 4436 wrote to memory of 2756	4436	zap7299.exe	zap1084.exe
PID 4436 wrote to memory of 2756	4436	zap7299.exe	zap1084.exe
PID 4436 wrote to memory of 2756	4436	zap7299.exe	zap1084.exe
PID 2756 wrote to memory of 1572	2756	zap1084.exe	tz7785.exe
PID 2756 wrote to memory of 1572	2756	zap1084.exe	tz7785.exe
PID 2756 wrote to memory of 2240	2756	zap1084.exe	v5611Lu.exe
PID 2756 wrote to memory of 2240	2756	zap1084.exe	v5611Lu.exe
PID 2756 wrote to memory of 2240	2756	zap1084.exe	v5611Lu.exe
PID 4436 wrote to memory of 3348	4436	zap7299.exe	w76Jb45.exe
PID 4436 wrote to memory of 3348	4436	zap7299.exe	w76Jb45.exe
PID 4436 wrote to memory of 3348	4436	zap7299.exe	w76Jb45.exe
PID 4772 wrote to memory of 4176	4772	zap3299.exe	xdHPf26.exe
PID 4772 wrote to memory of 4176	4772	zap3299.exe	xdHPf26.exe
PID 4772 wrote to memory of 4176	4772	zap3299.exe	xdHPf26.exe
PID 632 wrote to memory of 3080	632	bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe	y24lD91.exe
PID 632 wrote to memory of 3080	632	bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe	y24lD91.exe
PID 632 wrote to memory of 3080	632	bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe	y24lD91.exe
PID 3080 wrote to memory of 2412	3080	y24lD91.exe	legenda.exe
PID 3080 wrote to memory of 2412	3080	y24lD91.exe	legenda.exe
PID 3080 wrote to memory of 2412	3080	y24lD91.exe	legenda.exe
PID 2412 wrote to memory of 3776	2412	legenda.exe	schtasks.exe
PID 2412 wrote to memory of 3776	2412	legenda.exe	schtasks.exe
PID 2412 wrote to memory of 3776	2412	legenda.exe	schtasks.exe
PID 2412 wrote to memory of 3428	2412	legenda.exe	cmd.exe
PID 2412 wrote to memory of 3428	2412	legenda.exe	cmd.exe
PID 2412 wrote to memory of 3428	2412	legenda.exe	cmd.exe
PID 3428 wrote to memory of 4440	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 4440	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 4440	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 460	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 460	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 460	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 1552	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 1552	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 1552	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 4592	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 4592	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 4592	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 2416	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 2416	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 2416	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 3940	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 3940	3428	cmd.exe	cacls.exe
PID 3428 wrote to memory of 3940	3428	cmd.exe	cacls.exe
PID 2412 wrote to memory of 1008	2412	legenda.exe	123ds.exe
PID 2412 wrote to memory of 1008	2412	legenda.exe	123ds.exe
PID 2412 wrote to memory of 1008	2412	legenda.exe	123ds.exe
PID 2412 wrote to memory of 4636	2412	legenda.exe	2023.exe
PID 2412 wrote to memory of 4636	2412	legenda.exe	2023.exe
PID 2412 wrote to memory of 4636	2412	legenda.exe	2023.exe
PID 2412 wrote to memory of 4628	2412	legenda.exe	rundll32.exe
PID 2412 wrote to memory of 4628	2412	legenda.exe	rundll32.exe
PID 2412 wrote to memory of 4628	2412	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe
"C:\Users\Admin\AppData\Local\Temp\bdf734d2e8bbb42c6c2d53be3f7868890e096e0401684570627b5da9007cd338.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3299.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3299.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7299.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7299.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1084.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1084.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7785.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7785.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5611Lu.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5611Lu.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76Jb45.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76Jb45.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xdHPf26.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xdHPf26.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24lD91.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24lD91.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4440

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:460

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4592

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:2416

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\1000175001\123ds.exe
"C:\Users\Admin\AppData\Local\Temp\1000175001\123ds.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Admin\AppData\Roaming\1000177000\2023.exe
"C:\Users\Admin\AppData\Roaming\1000177000\2023.exe"
4⤵
- Executes dropped EXE
PID:4636

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4628

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000175001\123ds.exe
Filesize
175KB

MD5
20b01b94fec9143a2adf624945aa41c3

SHA1
3e3690bb58b1a42cea254a0eb039019c7ebbbf3f

SHA256
97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9

SHA512
52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000175001\123ds.exe
Filesize
175KB

MD5
20b01b94fec9143a2adf624945aa41c3

SHA1
3e3690bb58b1a42cea254a0eb039019c7ebbbf3f

SHA256
97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9

SHA512
52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000175001\123ds.exe
Filesize
175KB

MD5
20b01b94fec9143a2adf624945aa41c3

SHA1
3e3690bb58b1a42cea254a0eb039019c7ebbbf3f

SHA256
97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9

SHA512
52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24lD91.exe
Filesize
236KB

MD5
6c9bc691d792827f1381e04553451440

SHA1
2a577ab348c35f5671fe431829de84d63eb55315

SHA256
57b355ba48bcfc02a4f4f5e0129c0e9b66a666cb9f3e6683f249bea3226d9c79

SHA512
0231a91d69ba9dd8df27dd5825b37083f67b7738906d5350cb3670bba2dd627c279d322144541c65994e1c31ff0191e0a0ef3c2989139032f9c9759de185c347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24lD91.exe
Filesize
236KB

MD5
6c9bc691d792827f1381e04553451440

SHA1
2a577ab348c35f5671fe431829de84d63eb55315

SHA256
57b355ba48bcfc02a4f4f5e0129c0e9b66a666cb9f3e6683f249bea3226d9c79

SHA512
0231a91d69ba9dd8df27dd5825b37083f67b7738906d5350cb3670bba2dd627c279d322144541c65994e1c31ff0191e0a0ef3c2989139032f9c9759de185c347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3299.exe
Filesize
846KB

MD5
625bfa32e6ccd022fac2af81dcdc3092

SHA1
127fff195f77398b16084dcaf23b4344ec52323c

SHA256
921091cd076b9e35518ba6657494d6f44cbf957c72492140664aedc7a3c25403

SHA512
f3fe0df6ebada3c1074afbfb0055441cc1f8bf5e759b38bba1c6db5436f3edd31d287c66b26b55e89349db736b651f075a620526b7dcffe80da2224eb84afbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3299.exe
Filesize
846KB

MD5
625bfa32e6ccd022fac2af81dcdc3092

SHA1
127fff195f77398b16084dcaf23b4344ec52323c

SHA256
921091cd076b9e35518ba6657494d6f44cbf957c72492140664aedc7a3c25403

SHA512
f3fe0df6ebada3c1074afbfb0055441cc1f8bf5e759b38bba1c6db5436f3edd31d287c66b26b55e89349db736b651f075a620526b7dcffe80da2224eb84afbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xdHPf26.exe
Filesize
175KB

MD5
a3d56141ad1bcfd34af82faf8bfa184a

SHA1
a22a49fcfdd00b38afae226ca50f4a61eb3fe2f4

SHA256
d6fa04dc54ed6e54a2d8de73e50aba6fdf4c47d251e1b886b4c561868b5f5c14

SHA512
8ceb3feed176cd62d680b37384ac7f6eb0aec420310782d919e70c2f834fb4fefc72282b0cabfa86738a23d2979523d4f6a1cada3c92186c3858be906f827399

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xdHPf26.exe
Filesize
175KB

MD5
a3d56141ad1bcfd34af82faf8bfa184a

SHA1
a22a49fcfdd00b38afae226ca50f4a61eb3fe2f4

SHA256
d6fa04dc54ed6e54a2d8de73e50aba6fdf4c47d251e1b886b4c561868b5f5c14

SHA512
8ceb3feed176cd62d680b37384ac7f6eb0aec420310782d919e70c2f834fb4fefc72282b0cabfa86738a23d2979523d4f6a1cada3c92186c3858be906f827399

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7299.exe
Filesize
704KB

MD5
6a83629f2ef3b2bf881dbdcf7474315f

SHA1
16d5611f4d6a8e1f6ee454dc034ea9041e20b0e4

SHA256
ba2d5591894d8342d853d4f62c46667ca6d2d220bde7e12a4f036196f5010e07

SHA512
29ca0ad2e6c794e2a24b661123bb610fdf2b7794ab7404f0cec1b9a31c28a1ac2a78cc9c3f063f3400d36cdfe38fd08130e462fca8a77df4f64ffb4ee54c5f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7299.exe
Filesize
704KB

MD5
6a83629f2ef3b2bf881dbdcf7474315f

SHA1
16d5611f4d6a8e1f6ee454dc034ea9041e20b0e4

SHA256
ba2d5591894d8342d853d4f62c46667ca6d2d220bde7e12a4f036196f5010e07

SHA512
29ca0ad2e6c794e2a24b661123bb610fdf2b7794ab7404f0cec1b9a31c28a1ac2a78cc9c3f063f3400d36cdfe38fd08130e462fca8a77df4f64ffb4ee54c5f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76Jb45.exe
Filesize
379KB

MD5
49184d3234d37e6dcfcb1683a9738161

SHA1
0b7e701dca66a95833270aaf76db8cc10db05954

SHA256
aa5e234a18cc2b21d65bffeb80252fc7d16885a514a52d3c7c9b7b8cb1eff676

SHA512
6abc8aba76191c97d372ea2aff8d100416bd1118d6b9d59b80645cfa1759260e38740f27f0e08dbd1f162aed3c703ca5f672036655d8ba221382c2d589f9deba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76Jb45.exe
Filesize
379KB

MD5
49184d3234d37e6dcfcb1683a9738161

SHA1
0b7e701dca66a95833270aaf76db8cc10db05954

SHA256
aa5e234a18cc2b21d65bffeb80252fc7d16885a514a52d3c7c9b7b8cb1eff676

SHA512
6abc8aba76191c97d372ea2aff8d100416bd1118d6b9d59b80645cfa1759260e38740f27f0e08dbd1f162aed3c703ca5f672036655d8ba221382c2d589f9deba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1084.exe
Filesize
349KB

MD5
6ba5377b5f00f42813193e65a6ecf497

SHA1
457a2c02f3624c4c1e7bcdfc7f340498145eead4

SHA256
1993258fa9e0e5702708dfd861a722237fc27fcc9c386e69d3589dc412240515

SHA512
b9f88b33d89367a80af1a14c56689b6de197c379966c5687f5b2ef6b04fd9cb30b21eb6a46fca90835a9cfdd02bf61d4ad7f2f1c8091bcea231ed277e126c59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1084.exe
Filesize
349KB

MD5
6ba5377b5f00f42813193e65a6ecf497

SHA1
457a2c02f3624c4c1e7bcdfc7f340498145eead4

SHA256
1993258fa9e0e5702708dfd861a722237fc27fcc9c386e69d3589dc412240515

SHA512
b9f88b33d89367a80af1a14c56689b6de197c379966c5687f5b2ef6b04fd9cb30b21eb6a46fca90835a9cfdd02bf61d4ad7f2f1c8091bcea231ed277e126c59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7785.exe
Filesize
12KB

MD5
4ecf3ff73df3eb539eb28b55fd929abb

SHA1
dee98e1d25c1e39592af927080765883f52d07e0

SHA256
9d24845dbcd9355edc93e2f98f9ed46a4452b3e40e0fec9370afa51e1397d53d

SHA512
4a9198b97b97ec058cf776f3a62eaf71e4a1fc5b7d55d8c33663467d471f20f1bd561b5c33799afddbb906de1575e69768f4e14b3f64ab5b02dcc2c278b27c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7785.exe
Filesize
12KB

MD5
4ecf3ff73df3eb539eb28b55fd929abb

SHA1
dee98e1d25c1e39592af927080765883f52d07e0

SHA256
9d24845dbcd9355edc93e2f98f9ed46a4452b3e40e0fec9370afa51e1397d53d

SHA512
4a9198b97b97ec058cf776f3a62eaf71e4a1fc5b7d55d8c33663467d471f20f1bd561b5c33799afddbb906de1575e69768f4e14b3f64ab5b02dcc2c278b27c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5611Lu.exe
Filesize
322KB

MD5
7b183c3dc1d091c8a396e4c85f5e8110

SHA1
f5e46bd178bc150a64d3a5bdccb356687908f266

SHA256
9305ea2440e4837dfeb24bc08a514b4d95d2c0ba7063a26200ea60ba3446b699

SHA512
a473fa6f93ee219f1320e07da9100557665d2e1a2c3f2e7d4b3f570c14a1ad4bc1108188e4e2347ac37cafceb77f5879690b6e8f77519c2d1d9d7a4d49c5884e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5611Lu.exe
Filesize
322KB

MD5
7b183c3dc1d091c8a396e4c85f5e8110

SHA1
f5e46bd178bc150a64d3a5bdccb356687908f266

SHA256
9305ea2440e4837dfeb24bc08a514b4d95d2c0ba7063a26200ea60ba3446b699

SHA512
a473fa6f93ee219f1320e07da9100557665d2e1a2c3f2e7d4b3f570c14a1ad4bc1108188e4e2347ac37cafceb77f5879690b6e8f77519c2d1d9d7a4d49c5884e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
236KB

MD5
6c9bc691d792827f1381e04553451440

SHA1
2a577ab348c35f5671fe431829de84d63eb55315

SHA256
57b355ba48bcfc02a4f4f5e0129c0e9b66a666cb9f3e6683f249bea3226d9c79

SHA512
0231a91d69ba9dd8df27dd5825b37083f67b7738906d5350cb3670bba2dd627c279d322144541c65994e1c31ff0191e0a0ef3c2989139032f9c9759de185c347

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
236KB

MD5
6c9bc691d792827f1381e04553451440

SHA1
2a577ab348c35f5671fe431829de84d63eb55315

SHA256
57b355ba48bcfc02a4f4f5e0129c0e9b66a666cb9f3e6683f249bea3226d9c79

SHA512
0231a91d69ba9dd8df27dd5825b37083f67b7738906d5350cb3670bba2dd627c279d322144541c65994e1c31ff0191e0a0ef3c2989139032f9c9759de185c347

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
236KB

MD5
6c9bc691d792827f1381e04553451440

SHA1
2a577ab348c35f5671fe431829de84d63eb55315

SHA256
57b355ba48bcfc02a4f4f5e0129c0e9b66a666cb9f3e6683f249bea3226d9c79

SHA512
0231a91d69ba9dd8df27dd5825b37083f67b7738906d5350cb3670bba2dd627c279d322144541c65994e1c31ff0191e0a0ef3c2989139032f9c9759de185c347

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
236KB

MD5
6c9bc691d792827f1381e04553451440

SHA1
2a577ab348c35f5671fe431829de84d63eb55315

SHA256
57b355ba48bcfc02a4f4f5e0129c0e9b66a666cb9f3e6683f249bea3226d9c79

SHA512
0231a91d69ba9dd8df27dd5825b37083f67b7738906d5350cb3670bba2dd627c279d322144541c65994e1c31ff0191e0a0ef3c2989139032f9c9759de185c347

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
236KB

MD5
6c9bc691d792827f1381e04553451440

SHA1
2a577ab348c35f5671fe431829de84d63eb55315

SHA256
57b355ba48bcfc02a4f4f5e0129c0e9b66a666cb9f3e6683f249bea3226d9c79

SHA512
0231a91d69ba9dd8df27dd5825b37083f67b7738906d5350cb3670bba2dd627c279d322144541c65994e1c31ff0191e0a0ef3c2989139032f9c9759de185c347

Download Submit
C:\Users\Admin\AppData\Roaming\1000177000\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Roaming\1000177000\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Roaming\1000177000\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1008-1187-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/1008-1192-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/1008-1174-0x0000000000290000-0x00000000002C2000-memory.dmp

Filesize
200KB

Download
memory/1572-161-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2240-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2240-201-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2240-204-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2240-203-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2240-198-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2240-199-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2240-191-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-195-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-197-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-193-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-189-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-187-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-185-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-183-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-181-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-177-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-179-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-173-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-175-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-171-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-170-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/2240-169-0x00000000072D0000-0x0000000007874000-memory.dmp

Filesize
5.6MB

Download
memory/2240-168-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2240-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/3348-226-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-244-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-1119-0x0000000007910000-0x0000000007F28000-memory.dmp

Filesize
6.1MB

Download
memory/3348-1120-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/3348-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3348-1122-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3348-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3348-1125-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3348-1126-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3348-1127-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3348-1128-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/3348-1129-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/3348-1130-0x0000000008B60000-0x0000000008BD6000-memory.dmp

Filesize
472KB

Download
memory/3348-1131-0x0000000008BF0000-0x0000000008C40000-memory.dmp

Filesize
320KB

Download
memory/3348-1132-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3348-1133-0x000000000A150000-0x000000000A312000-memory.dmp

Filesize
1.8MB

Download
memory/3348-1134-0x000000000A320000-0x000000000A84C000-memory.dmp

Filesize
5.2MB

Download
memory/3348-209-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-210-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-246-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-242-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3348-237-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3348-240-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3348-241-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-238-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-235-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/3348-234-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-232-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-230-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-228-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-224-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-222-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-220-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-218-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-216-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-214-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/3348-212-0x0000000007270000-0x00000000072AE000-memory.dmp

Filesize
248KB

Download
memory/4176-1141-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4176-1140-0x00000000001C0000-0x00000000001F2000-memory.dmp

Filesize
200KB

Download