amadey | cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe
Size

1.0MB
MD5

9758bdd830fc1aea92d4228da220be0b
SHA1

06467734d162bdb2e1dcd6155022d1bb509cb771
SHA256

cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8
SHA512

179b8d432ac5bdc3c9d37e60ef87782c3bfc35cc91076e0c58f1a3eb6a155dd657c6a12e544c8022abb3c6eb7a13923b9bcb7b8f0634726443179316ef46b03a
SSDEEP

24576:ry3o2aqxVnpMdZFq2mT6Zbmb3q/Wf6b9ci1pbispepP:e5xol3mT6ZAwWybKijWspe

Score

10^/10

amadey lumma redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz3535.exev4990ho.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3535.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v4990ho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4990ho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4990ho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4990ho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4990ho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4990ho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz3535.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3708-213-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-214-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-216-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-218-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-220-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-222-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-224-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-226-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-228-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-230-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-232-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-234-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-236-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-238-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-240-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-242-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-244-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/3708-246-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y98jx15.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	y98jx15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap2542.exezap2017.exezap9605.exetz3535.exev4990ho.exew54Ja57.exexgmvy60.exey98jx15.exelegenda.exeLummas.exelegenda.exe

pid	process
1556	zap2542.exe
1308	zap2017.exe
3908	zap9605.exe
2748	tz3535.exe
948	v4990ho.exe
3708	w54Ja57.exe
2952	xgmvy60.exe
4932	y98jx15.exe
1344	legenda.exe
1536	Lummas.exe
4784	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4500 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4500	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz3535.exev4990ho.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3535.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4990ho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4990ho.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap2017.exezap9605.execbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exezap2542.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap2017.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap9605.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2542.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2542.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2017.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Lummas.exe

description pid process target process

PID 1536 set thread context of 2060 1536 Lummas.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4244 948 WerFault.exe v4990ho.exe
4284 3708 WerFault.exe w54Ja57.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

212 schtasks.exe

description	pid	process	target process
PID 1536 set thread context of 2060	1536	Lummas.exe	AddInProcess32.exe

pid	pid_target	process	target process
4244	948	WerFault.exe	v4990ho.exe
4284	3708	WerFault.exe	w54Ja57.exe

pid	process
212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

tz3535.exev4990ho.exew54Ja57.exexgmvy60.exeLummas.exe

pid	process
2748	tz3535.exe
2748	tz3535.exe
948	v4990ho.exe
948	v4990ho.exe
3708	w54Ja57.exe
3708	w54Ja57.exe
2952	xgmvy60.exe
2952	xgmvy60.exe
1536	Lummas.exe
1536	Lummas.exe
1536	Lummas.exe
1536	Lummas.exe
1536	Lummas.exe
1536	Lummas.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz3535.exev4990ho.exew54Ja57.exexgmvy60.exeLummas.exe

description	pid	process
Token: SeDebugPrivilege	2748	tz3535.exe
Token: SeDebugPrivilege	948	v4990ho.exe
Token: SeDebugPrivilege	3708	w54Ja57.exe
Token: SeDebugPrivilege	2952	xgmvy60.exe
Token: SeDebugPrivilege	1536	Lummas.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exezap2542.exezap2017.exezap9605.exey98jx15.exelegenda.execmd.exeLummas.exe

description	pid	process	target process
PID 4316 wrote to memory of 1556	4316	cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe	zap2542.exe
PID 4316 wrote to memory of 1556	4316	cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe	zap2542.exe
PID 4316 wrote to memory of 1556	4316	cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe	zap2542.exe
PID 1556 wrote to memory of 1308	1556	zap2542.exe	zap2017.exe
PID 1556 wrote to memory of 1308	1556	zap2542.exe	zap2017.exe
PID 1556 wrote to memory of 1308	1556	zap2542.exe	zap2017.exe
PID 1308 wrote to memory of 3908	1308	zap2017.exe	zap9605.exe
PID 1308 wrote to memory of 3908	1308	zap2017.exe	zap9605.exe
PID 1308 wrote to memory of 3908	1308	zap2017.exe	zap9605.exe
PID 3908 wrote to memory of 2748	3908	zap9605.exe	tz3535.exe
PID 3908 wrote to memory of 2748	3908	zap9605.exe	tz3535.exe
PID 3908 wrote to memory of 948	3908	zap9605.exe	v4990ho.exe
PID 3908 wrote to memory of 948	3908	zap9605.exe	v4990ho.exe
PID 3908 wrote to memory of 948	3908	zap9605.exe	v4990ho.exe
PID 1308 wrote to memory of 3708	1308	zap2017.exe	w54Ja57.exe
PID 1308 wrote to memory of 3708	1308	zap2017.exe	w54Ja57.exe
PID 1308 wrote to memory of 3708	1308	zap2017.exe	w54Ja57.exe
PID 1556 wrote to memory of 2952	1556	zap2542.exe	xgmvy60.exe
PID 1556 wrote to memory of 2952	1556	zap2542.exe	xgmvy60.exe
PID 1556 wrote to memory of 2952	1556	zap2542.exe	xgmvy60.exe
PID 4316 wrote to memory of 4932	4316	cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe	y98jx15.exe
PID 4316 wrote to memory of 4932	4316	cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe	y98jx15.exe
PID 4316 wrote to memory of 4932	4316	cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe	y98jx15.exe
PID 4932 wrote to memory of 1344	4932	y98jx15.exe	legenda.exe
PID 4932 wrote to memory of 1344	4932	y98jx15.exe	legenda.exe
PID 4932 wrote to memory of 1344	4932	y98jx15.exe	legenda.exe
PID 1344 wrote to memory of 212	1344	legenda.exe	schtasks.exe
PID 1344 wrote to memory of 212	1344	legenda.exe	schtasks.exe
PID 1344 wrote to memory of 212	1344	legenda.exe	schtasks.exe
PID 1344 wrote to memory of 4764	1344	legenda.exe	cmd.exe
PID 1344 wrote to memory of 4764	1344	legenda.exe	cmd.exe
PID 1344 wrote to memory of 4764	1344	legenda.exe	cmd.exe
PID 4764 wrote to memory of 2820	4764	cmd.exe	cmd.exe
PID 4764 wrote to memory of 2820	4764	cmd.exe	cmd.exe
PID 4764 wrote to memory of 2820	4764	cmd.exe	cmd.exe
PID 4764 wrote to memory of 3156	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 3156	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 3156	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 3904	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 3904	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 3904	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 4460	4764	cmd.exe	cmd.exe
PID 4764 wrote to memory of 4460	4764	cmd.exe	cmd.exe
PID 4764 wrote to memory of 4460	4764	cmd.exe	cmd.exe
PID 4764 wrote to memory of 4360	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 4360	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 4360	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 3576	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 3576	4764	cmd.exe	cacls.exe
PID 4764 wrote to memory of 3576	4764	cmd.exe	cacls.exe
PID 1344 wrote to memory of 1536	1344	legenda.exe	Lummas.exe
PID 1344 wrote to memory of 1536	1344	legenda.exe	Lummas.exe
PID 1536 wrote to memory of 1144	1536	Lummas.exe	WsatConfig.exe
PID 1536 wrote to memory of 1144	1536	Lummas.exe	WsatConfig.exe
PID 1536 wrote to memory of 1420	1536	Lummas.exe	Microsoft.Workflow.Compiler.exe
PID 1536 wrote to memory of 1420	1536	Lummas.exe	Microsoft.Workflow.Compiler.exe
PID 1536 wrote to memory of 2300	1536	Lummas.exe	aspnet_state.exe
PID 1536 wrote to memory of 2300	1536	Lummas.exe	aspnet_state.exe
PID 1536 wrote to memory of 2060	1536	Lummas.exe	AddInProcess32.exe
PID 1536 wrote to memory of 2060	1536	Lummas.exe	AddInProcess32.exe
PID 1536 wrote to memory of 2060	1536	Lummas.exe	AddInProcess32.exe
PID 1536 wrote to memory of 2060	1536	Lummas.exe	AddInProcess32.exe
PID 1536 wrote to memory of 2060	1536	Lummas.exe	AddInProcess32.exe
PID 1536 wrote to memory of 2060	1536	Lummas.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe
"C:\Users\Admin\AppData\Local\Temp\cbc20896ba4f6a36d6a3776a33bca2e1c6ebef5c825fb9c5e0786e221f66dfa8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2542.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2542.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2017.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2017.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9605.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9605.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3535.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3535.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4990ho.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4990ho.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1088
6⤵
- Program crash
PID:4244

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w54Ja57.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w54Ja57.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1968
5⤵
- Program crash
PID:4284

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xgmvy60.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xgmvy60.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98jx15.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98jx15.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2820

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3156

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4460

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4360

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
5⤵
PID:1144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
5⤵
PID:1420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
5⤵
PID:2300

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
5⤵
PID:2060

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 948 -ip 948
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3708 -ip 3708
1⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98jx15.exe
Filesize
235KB

MD5
93d8763d1d0f8930479a70cfd4d052d0

SHA1
9d57c62b658c5ab7ba239db77f18e016c1f34fe5

SHA256
27a7697489e610d95733c7b47e02df2c0322d9aaae2b657d7cc43bc35e856d11

SHA512
3abc9e694e70d7866845d24157a5606415648509abd68e37c03ccaad394e8f5ec63bd5fc6904d2f758b8017c0040fd7e2b1c7d0027ac2d29ea024abaa09dc5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98jx15.exe
Filesize
235KB

MD5
93d8763d1d0f8930479a70cfd4d052d0

SHA1
9d57c62b658c5ab7ba239db77f18e016c1f34fe5

SHA256
27a7697489e610d95733c7b47e02df2c0322d9aaae2b657d7cc43bc35e856d11

SHA512
3abc9e694e70d7866845d24157a5606415648509abd68e37c03ccaad394e8f5ec63bd5fc6904d2f758b8017c0040fd7e2b1c7d0027ac2d29ea024abaa09dc5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2542.exe
Filesize
854KB

MD5
b0ee182b4b7b4c56abd9ddd55608d15e

SHA1
1c4d3886219a46b681743105163665fe6c6ec96f

SHA256
5d4c9e2e664d576c7d5814c270e5e7b427a13c66608a5449db075452a404b95d

SHA512
014ae951bd171ab67fc21b2446f3bbe8aa31f32086d1a014d2626c828d9c28e01eab5e606c29af3d17074c585cee7dc6d90ede54ca28fd0129b91363cfd366ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2542.exe
Filesize
854KB

MD5
b0ee182b4b7b4c56abd9ddd55608d15e

SHA1
1c4d3886219a46b681743105163665fe6c6ec96f

SHA256
5d4c9e2e664d576c7d5814c270e5e7b427a13c66608a5449db075452a404b95d

SHA512
014ae951bd171ab67fc21b2446f3bbe8aa31f32086d1a014d2626c828d9c28e01eab5e606c29af3d17074c585cee7dc6d90ede54ca28fd0129b91363cfd366ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xgmvy60.exe
Filesize
175KB

MD5
3d68575418a7fdc62fb090538e3342da

SHA1
21f5d1ce1b81415113dc38c4ba0144b9261060d4

SHA256
c20f569195d9ce1119bf79a207aefbf87e29d1d7ebccbba7ade9f47b163a9071

SHA512
1b22b74fc127456a16579fcf63c6eeaa2df0f5ad488bca825441ac040c9e215506463034075b472dc1c2998a40860639ebc26e6a1c617b68cf80d3e01a3153a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xgmvy60.exe
Filesize
175KB

MD5
3d68575418a7fdc62fb090538e3342da

SHA1
21f5d1ce1b81415113dc38c4ba0144b9261060d4

SHA256
c20f569195d9ce1119bf79a207aefbf87e29d1d7ebccbba7ade9f47b163a9071

SHA512
1b22b74fc127456a16579fcf63c6eeaa2df0f5ad488bca825441ac040c9e215506463034075b472dc1c2998a40860639ebc26e6a1c617b68cf80d3e01a3153a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2017.exe
Filesize
712KB

MD5
98079812cf97100ff9f3ae789571256b

SHA1
fa4f972f9774fc7ccebf2f6e939891933a65b242

SHA256
c7b9fb2f1d24b0e952fd86c0ef675faff1ae8b055b2636a11fe379bc8143a627

SHA512
f4272828ae49eac23902dbac8d4439a8f3e1311164cb38a5f4014a0045cb66fc717ca7a06aaedbfb51ba49e00ce350a002f25cd1c194742d3833beceb8e14eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2017.exe
Filesize
712KB

MD5
98079812cf97100ff9f3ae789571256b

SHA1
fa4f972f9774fc7ccebf2f6e939891933a65b242

SHA256
c7b9fb2f1d24b0e952fd86c0ef675faff1ae8b055b2636a11fe379bc8143a627

SHA512
f4272828ae49eac23902dbac8d4439a8f3e1311164cb38a5f4014a0045cb66fc717ca7a06aaedbfb51ba49e00ce350a002f25cd1c194742d3833beceb8e14eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w54Ja57.exe
Filesize
383KB

MD5
34f2b5cec1fb8ee665f1e906815737cf

SHA1
0192d5dcf509e7a54245c651217e2e148a1839b2

SHA256
88d9de3339f92561758307a04e86cef5ee8cc915326f13920a8f6266a9903537

SHA512
40790bc05d6ab4b5fd6ea2eda1e95a91d884f12741e9febbf08dbae6a7cc174bc0262ca7ea34146836de9cc367559c7d3f30c565d6a0804ddc477f498b58ec14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w54Ja57.exe
Filesize
383KB

MD5
34f2b5cec1fb8ee665f1e906815737cf

SHA1
0192d5dcf509e7a54245c651217e2e148a1839b2

SHA256
88d9de3339f92561758307a04e86cef5ee8cc915326f13920a8f6266a9903537

SHA512
40790bc05d6ab4b5fd6ea2eda1e95a91d884f12741e9febbf08dbae6a7cc174bc0262ca7ea34146836de9cc367559c7d3f30c565d6a0804ddc477f498b58ec14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9605.exe
Filesize
352KB

MD5
50ccbed4e0536331d571fe6877b7e7f7

SHA1
042760e7d7e2a0f26e86bcb59751412798e9bcd9

SHA256
946bf5d4a99fbfd00ecd15bd7527eb5a7129354b1e9cd0129cafffd7cbaf52d1

SHA512
000d452d8f000b60fad38018916d979d8c0db4408e53328579cb1be77a5f59fb0c2a3b3ae3057891b2bdd6a2f9bec3f28ebf39f0c14bc8998a3ece19ec643bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9605.exe
Filesize
352KB

MD5
50ccbed4e0536331d571fe6877b7e7f7

SHA1
042760e7d7e2a0f26e86bcb59751412798e9bcd9

SHA256
946bf5d4a99fbfd00ecd15bd7527eb5a7129354b1e9cd0129cafffd7cbaf52d1

SHA512
000d452d8f000b60fad38018916d979d8c0db4408e53328579cb1be77a5f59fb0c2a3b3ae3057891b2bdd6a2f9bec3f28ebf39f0c14bc8998a3ece19ec643bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3535.exe
Filesize
11KB

MD5
b604b3149b727efa1d0e58752192d1b1

SHA1
a252641a98daf0fa4ab673ce00766062620bacf8

SHA256
704a18785d3c052cb6a5c66c3bf458774edd33caac5755f1fb14c8a17192feb2

SHA512
2266cf3b4f2355cf936e5bda2fdc2d292e616efffac35b631fc253dfec2a59562fe99ae12415029a5151a333e71233822993b5a3c85233a58ee68d0f653e8275

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3535.exe
Filesize
11KB

MD5
b604b3149b727efa1d0e58752192d1b1

SHA1
a252641a98daf0fa4ab673ce00766062620bacf8

SHA256
704a18785d3c052cb6a5c66c3bf458774edd33caac5755f1fb14c8a17192feb2

SHA512
2266cf3b4f2355cf936e5bda2fdc2d292e616efffac35b631fc253dfec2a59562fe99ae12415029a5151a333e71233822993b5a3c85233a58ee68d0f653e8275

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4990ho.exe
Filesize
325KB

MD5
314f991de96d051c54b44c20ef0f486b

SHA1
3f094a9c9616e65ff41b4a7ddb812680ee8f5722

SHA256
b0b60365e1b12f189914a6d1b1f43b807a678a8b9b6a30aa217007b00fa3cb38

SHA512
4c367063313362400a5f14765439d58de8871a2d00cf0af9be2a6fa1130513809c45ad93670f925f2e853ea21ea45bf12038f6fa635cd2b1b1d4caa82125e66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4990ho.exe
Filesize
325KB

MD5
314f991de96d051c54b44c20ef0f486b

SHA1
3f094a9c9616e65ff41b4a7ddb812680ee8f5722

SHA256
b0b60365e1b12f189914a6d1b1f43b807a678a8b9b6a30aa217007b00fa3cb38

SHA512
4c367063313362400a5f14765439d58de8871a2d00cf0af9be2a6fa1130513809c45ad93670f925f2e853ea21ea45bf12038f6fa635cd2b1b1d4caa82125e66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
93d8763d1d0f8930479a70cfd4d052d0

SHA1
9d57c62b658c5ab7ba239db77f18e016c1f34fe5

SHA256
27a7697489e610d95733c7b47e02df2c0322d9aaae2b657d7cc43bc35e856d11

SHA512
3abc9e694e70d7866845d24157a5606415648509abd68e37c03ccaad394e8f5ec63bd5fc6904d2f758b8017c0040fd7e2b1c7d0027ac2d29ea024abaa09dc5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
93d8763d1d0f8930479a70cfd4d052d0

SHA1
9d57c62b658c5ab7ba239db77f18e016c1f34fe5

SHA256
27a7697489e610d95733c7b47e02df2c0322d9aaae2b657d7cc43bc35e856d11

SHA512
3abc9e694e70d7866845d24157a5606415648509abd68e37c03ccaad394e8f5ec63bd5fc6904d2f758b8017c0040fd7e2b1c7d0027ac2d29ea024abaa09dc5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
93d8763d1d0f8930479a70cfd4d052d0

SHA1
9d57c62b658c5ab7ba239db77f18e016c1f34fe5

SHA256
27a7697489e610d95733c7b47e02df2c0322d9aaae2b657d7cc43bc35e856d11

SHA512
3abc9e694e70d7866845d24157a5606415648509abd68e37c03ccaad394e8f5ec63bd5fc6904d2f758b8017c0040fd7e2b1c7d0027ac2d29ea024abaa09dc5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
93d8763d1d0f8930479a70cfd4d052d0

SHA1
9d57c62b658c5ab7ba239db77f18e016c1f34fe5

SHA256
27a7697489e610d95733c7b47e02df2c0322d9aaae2b657d7cc43bc35e856d11

SHA512
3abc9e694e70d7866845d24157a5606415648509abd68e37c03ccaad394e8f5ec63bd5fc6904d2f758b8017c0040fd7e2b1c7d0027ac2d29ea024abaa09dc5b7

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/948-193-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-179-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-191-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-167-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/948-195-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-199-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-197-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/948-202-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/948-201-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/948-203-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/948-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/948-168-0x0000000007190000-0x0000000007734000-memory.dmp

Filesize
5.6MB

Download
memory/948-185-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-187-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-181-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-183-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-189-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-169-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/948-170-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/948-171-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-175-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-173-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/948-172-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/948-177-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/1536-1174-0x000001E08C110000-0x000001E08C2FE000-memory.dmp

Filesize
1.9MB

Download
memory/1536-1175-0x000001E08E040000-0x000001E08E050000-memory.dmp

Filesize
64KB

Download
memory/2060-1181-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2060-1182-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2060-1183-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2748-161-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/2952-1140-0x00000000009F0000-0x0000000000A22000-memory.dmp

Filesize
200KB

Download
memory/2952-1141-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/3708-222-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-1119-0x0000000007820000-0x0000000007E38000-memory.dmp

Filesize
6.1MB

Download
memory/3708-1120-0x0000000007E40000-0x0000000007F4A000-memory.dmp

Filesize
1.0MB

Download
memory/3708-1121-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/3708-1122-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/3708-1123-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3708-1125-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3708-1126-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3708-1127-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3708-1128-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/3708-1129-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/3708-1130-0x0000000008C60000-0x0000000008CD6000-memory.dmp

Filesize
472KB

Download
memory/3708-1131-0x0000000008CF0000-0x0000000008D40000-memory.dmp

Filesize
320KB

Download
memory/3708-1132-0x0000000008FA0000-0x0000000009162000-memory.dmp

Filesize
1.8MB

Download
memory/3708-246-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-244-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-242-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-240-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-238-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-236-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-234-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-232-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-230-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-228-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-226-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-224-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-220-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-218-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-216-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-214-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-213-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/3708-212-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3708-211-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3708-210-0x0000000002F30000-0x0000000002F7B000-memory.dmp

Filesize
300KB

Download
memory/3708-1133-0x0000000009170000-0x000000000969C000-memory.dmp

Filesize
5.2MB

Download
memory/3708-1134-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download