amadey | d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130

Analysis

max time kernel
107s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe
Size

1.0MB
MD5

5d8b8c415dd1bbca33711a5b6d5d8744
SHA1

7491f732aa77e1b06122ef6ba59d81ada4791705
SHA256

d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130
SHA512

265068f5cd59314c2e74a86465c6fd87b0b7376ae96672c6fdc7fa8581a3d60e0906470c18915847962ff24e5621b56ed0dfae3bb6b857bff495e8acf115f9e2
SSDEEP

24576:qy+cEcg8Ub+5l1ZzXY/PZAbcfnrVgcbSjxbf3u:x+Ugvevo/+b2nhgccxT

Score

10^/10

amadey lumma redline boris netu ngan003 discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

ngan003

199.115.193.116:11300

Attributes

auth_value
b500a5cf0cb429e32a81c6ddcd8d4545

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz8895.exev0476pF.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8895.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8895.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8895.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8895.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0476pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8895.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8895.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0476pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0476pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0476pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0476pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0476pF.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/8-210-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-211-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-217-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-221-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-214-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-223-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-225-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-227-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-229-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-231-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-233-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-235-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-237-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-239-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-241-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-243-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-245-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline
behavioral1/memory/8-247-0x0000000004DE0000-0x0000000004E1F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y65Yz45.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y65Yz45.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 13 IoCs

Processes:

zap2950.exezap9040.exezap6722.exetz8895.exev0476pF.exew46Xg32.exexqQAa57.exey65Yz45.exelegenda.exeSprawl.exeLummas.exeSprawl.exelegenda.exe

pid	process
3428	zap2950.exe
4368	zap9040.exe
1352	zap6722.exe
784	tz8895.exe
336	v0476pF.exe
8	w46Xg32.exe
4100	xqQAa57.exe
408	y65Yz45.exe
4412	legenda.exe
3488	Sprawl.exe
2700	Lummas.exe
2176	Sprawl.exe
4800	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4172 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4172	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz8895.exev0476pF.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8895.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0476pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0476pF.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap2950.exezap9040.exezap6722.exed606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2950.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap9040.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap6722.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2950.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

Sprawl.exeLummas.exe

description	pid	process	target process
PID 3488 set thread context of 2176	3488	Sprawl.exe	Sprawl.exe
PID 2700 set thread context of 3864	2700	Lummas.exe	jsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4828 336 WerFault.exe v0476pF.exe
4196 8 WerFault.exe w46Xg32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5116 schtasks.exe

pid	pid_target	process	target process
4828	336	WerFault.exe	v0476pF.exe
4196	8	WerFault.exe	w46Xg32.exe

pid	process
5116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

tz8895.exev0476pF.exew46Xg32.exexqQAa57.exeLummas.exeSprawl.exe

pid	process
784	tz8895.exe
784	tz8895.exe
336	v0476pF.exe
336	v0476pF.exe
8	w46Xg32.exe
8	w46Xg32.exe
4100	xqQAa57.exe
4100	xqQAa57.exe
2700	Lummas.exe
2700	Lummas.exe
2700	Lummas.exe
2700	Lummas.exe
2700	Lummas.exe
2700	Lummas.exe
2176	Sprawl.exe
2176	Sprawl.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tz8895.exev0476pF.exew46Xg32.exexqQAa57.exeLummas.exeSprawl.exe

description	pid	process
Token: SeDebugPrivilege	784	tz8895.exe
Token: SeDebugPrivilege	336	v0476pF.exe
Token: SeDebugPrivilege	8	w46Xg32.exe
Token: SeDebugPrivilege	4100	xqQAa57.exe
Token: SeDebugPrivilege	2700	Lummas.exe
Token: SeDebugPrivilege	2176	Sprawl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exezap2950.exezap9040.exezap6722.exey65Yz45.exelegenda.execmd.exeSprawl.exeLummas.exe

description	pid	process	target process
PID 3052 wrote to memory of 3428	3052	d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe	zap2950.exe
PID 3052 wrote to memory of 3428	3052	d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe	zap2950.exe
PID 3052 wrote to memory of 3428	3052	d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe	zap2950.exe
PID 3428 wrote to memory of 4368	3428	zap2950.exe	zap9040.exe
PID 3428 wrote to memory of 4368	3428	zap2950.exe	zap9040.exe
PID 3428 wrote to memory of 4368	3428	zap2950.exe	zap9040.exe
PID 4368 wrote to memory of 1352	4368	zap9040.exe	zap6722.exe
PID 4368 wrote to memory of 1352	4368	zap9040.exe	zap6722.exe
PID 4368 wrote to memory of 1352	4368	zap9040.exe	zap6722.exe
PID 1352 wrote to memory of 784	1352	zap6722.exe	tz8895.exe
PID 1352 wrote to memory of 784	1352	zap6722.exe	tz8895.exe
PID 1352 wrote to memory of 336	1352	zap6722.exe	v0476pF.exe
PID 1352 wrote to memory of 336	1352	zap6722.exe	v0476pF.exe
PID 1352 wrote to memory of 336	1352	zap6722.exe	v0476pF.exe
PID 4368 wrote to memory of 8	4368	zap9040.exe	w46Xg32.exe
PID 4368 wrote to memory of 8	4368	zap9040.exe	w46Xg32.exe
PID 4368 wrote to memory of 8	4368	zap9040.exe	w46Xg32.exe
PID 3428 wrote to memory of 4100	3428	zap2950.exe	xqQAa57.exe
PID 3428 wrote to memory of 4100	3428	zap2950.exe	xqQAa57.exe
PID 3428 wrote to memory of 4100	3428	zap2950.exe	xqQAa57.exe
PID 3052 wrote to memory of 408	3052	d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe	y65Yz45.exe
PID 3052 wrote to memory of 408	3052	d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe	y65Yz45.exe
PID 3052 wrote to memory of 408	3052	d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe	y65Yz45.exe
PID 408 wrote to memory of 4412	408	y65Yz45.exe	legenda.exe
PID 408 wrote to memory of 4412	408	y65Yz45.exe	legenda.exe
PID 408 wrote to memory of 4412	408	y65Yz45.exe	legenda.exe
PID 4412 wrote to memory of 5116	4412	legenda.exe	schtasks.exe
PID 4412 wrote to memory of 5116	4412	legenda.exe	schtasks.exe
PID 4412 wrote to memory of 5116	4412	legenda.exe	schtasks.exe
PID 4412 wrote to memory of 3756	4412	legenda.exe	cmd.exe
PID 4412 wrote to memory of 3756	4412	legenda.exe	cmd.exe
PID 4412 wrote to memory of 3756	4412	legenda.exe	cmd.exe
PID 3756 wrote to memory of 4104	3756	cmd.exe	cmd.exe
PID 3756 wrote to memory of 4104	3756	cmd.exe	cmd.exe
PID 3756 wrote to memory of 4104	3756	cmd.exe	cmd.exe
PID 3756 wrote to memory of 4500	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 4500	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 4500	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 2388	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 2388	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 2388	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 1596	3756	cmd.exe	cmd.exe
PID 3756 wrote to memory of 1596	3756	cmd.exe	cmd.exe
PID 3756 wrote to memory of 1596	3756	cmd.exe	cmd.exe
PID 3756 wrote to memory of 3352	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 3352	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 3352	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 5108	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 5108	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 5108	3756	cmd.exe	cacls.exe
PID 4412 wrote to memory of 3488	4412	legenda.exe	Sprawl.exe
PID 4412 wrote to memory of 3488	4412	legenda.exe	Sprawl.exe
PID 4412 wrote to memory of 3488	4412	legenda.exe	Sprawl.exe
PID 3488 wrote to memory of 2176	3488	Sprawl.exe	Sprawl.exe
PID 3488 wrote to memory of 2176	3488	Sprawl.exe	Sprawl.exe
PID 3488 wrote to memory of 2176	3488	Sprawl.exe	Sprawl.exe
PID 4412 wrote to memory of 2700	4412	legenda.exe	Lummas.exe
PID 4412 wrote to memory of 2700	4412	legenda.exe	Lummas.exe
PID 3488 wrote to memory of 2176	3488	Sprawl.exe	Sprawl.exe
PID 3488 wrote to memory of 2176	3488	Sprawl.exe	Sprawl.exe
PID 3488 wrote to memory of 2176	3488	Sprawl.exe	Sprawl.exe
PID 3488 wrote to memory of 2176	3488	Sprawl.exe	Sprawl.exe
PID 3488 wrote to memory of 2176	3488	Sprawl.exe	Sprawl.exe
PID 2700 wrote to memory of 3332	2700	Lummas.exe	WsatConfig.exe

C:\Users\Admin\AppData\Local\Temp\d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe
"C:\Users\Admin\AppData\Local\Temp\d606519e0e1a734a77b5ffb0d2a8897aadb01e309439dc1ace4c434bbe0eb130.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2950.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2950.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9040.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9040.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6722.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6722.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8895.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8895.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0476pF.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0476pF.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1056
6⤵
- Program crash
PID:4828

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w46Xg32.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w46Xg32.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1352
5⤵
- Program crash
PID:4196

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqQAa57.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqQAa57.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y65Yz45.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y65Yz45.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:5116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4104

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4500

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1596

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:3352

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
"C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3488

C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
5⤵
PID:3332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
5⤵
PID:4260

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
5⤵
PID:1068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
5⤵
PID:3864

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 336 -ip 336
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8 -ip 8
1⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sprawl.exe.log
Filesize
1KB

MD5
a3c82409506a33dec1856104ca55cbfd

SHA1
2e2ba4e4227590f8821002831c5410f7f45fe812

SHA256
780a0d4410f5f9798cb573bcd774561d1439987a39b1368d3c890226928cd203

SHA512
9621cfd3dab86d964a2bea6b3788fc19a895307962dcc41428741b8a86291f114df722e9017f755f63d53d09b5111e68f05aa505d9c9deae6c4378a87cdfa69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y65Yz45.exe
Filesize
235KB

MD5
e8970e2a21079832e72f6296469b6b1a

SHA1
47d2108254931ea5f10dbbff021dfc3ef5207216

SHA256
7950e5f100ba06b7110165a43cd8d882e6efc4292c9ea194e13f8ba75322221d

SHA512
604105bfcb32b3b7a46651ff472289779a2b690cf231d80e957c2bb11973a3134ad6ed69c12aa707a648c15ad6659ea1b891c1c3721f0bcedfdc17dd4c9bc1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y65Yz45.exe
Filesize
235KB

MD5
e8970e2a21079832e72f6296469b6b1a

SHA1
47d2108254931ea5f10dbbff021dfc3ef5207216

SHA256
7950e5f100ba06b7110165a43cd8d882e6efc4292c9ea194e13f8ba75322221d

SHA512
604105bfcb32b3b7a46651ff472289779a2b690cf231d80e957c2bb11973a3134ad6ed69c12aa707a648c15ad6659ea1b891c1c3721f0bcedfdc17dd4c9bc1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2950.exe
Filesize
854KB

MD5
8dba3764f821c5d32a9e2122085c62bd

SHA1
a7a56c5fa5c3b63ee5e46d381e7b8d195fff7588

SHA256
e806357cfa7d662b55453de6bf4930d5b56fe3a29b26627db9ea746e0868189a

SHA512
d28d20fe9503cdd770295a01541244b4cdfb09ab227f9bd3480c99d0f37e244117c0916eb91d60ceac26f48ed4505950d06a40319fd80d917ded7cf84bcbec83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2950.exe
Filesize
854KB

MD5
8dba3764f821c5d32a9e2122085c62bd

SHA1
a7a56c5fa5c3b63ee5e46d381e7b8d195fff7588

SHA256
e806357cfa7d662b55453de6bf4930d5b56fe3a29b26627db9ea746e0868189a

SHA512
d28d20fe9503cdd770295a01541244b4cdfb09ab227f9bd3480c99d0f37e244117c0916eb91d60ceac26f48ed4505950d06a40319fd80d917ded7cf84bcbec83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqQAa57.exe
Filesize
175KB

MD5
ca98ce069ca1acb2376e10c6b6a010c8

SHA1
db8e8a0f9f8a6d095ca1302b36cdd1da1e679bc6

SHA256
6fc6d7af2516b14c0ba43dcf527bc16b4b640351781adce5f04fdae3f04bef29

SHA512
9a5f40e5d1f1278fe05a390846fa0e7c6a815df15b065575cad28e53b239c0fd485cf52eafcb92b5936416ebbb788b7f4fa2b5e997a37e6e0e0b0a3cd79187a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqQAa57.exe
Filesize
175KB

MD5
ca98ce069ca1acb2376e10c6b6a010c8

SHA1
db8e8a0f9f8a6d095ca1302b36cdd1da1e679bc6

SHA256
6fc6d7af2516b14c0ba43dcf527bc16b4b640351781adce5f04fdae3f04bef29

SHA512
9a5f40e5d1f1278fe05a390846fa0e7c6a815df15b065575cad28e53b239c0fd485cf52eafcb92b5936416ebbb788b7f4fa2b5e997a37e6e0e0b0a3cd79187a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9040.exe
Filesize
712KB

MD5
c0c9623cf93a51e8521eeac27dec5dd1

SHA1
e7088e2093ed0eb46c1582c353187423de5d5520

SHA256
2cf6f8aa350eee2c1229f889d10160140e0a361ccfba91adfeaa0f057cdc79c9

SHA512
54585de3d8c554e35c7ff4d371275107770f51e2296dc11619c6b6922972b83af2e176846de0a3106eb7fd76501334ce7ad7f874a4736002da77de001c9042c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9040.exe
Filesize
712KB

MD5
c0c9623cf93a51e8521eeac27dec5dd1

SHA1
e7088e2093ed0eb46c1582c353187423de5d5520

SHA256
2cf6f8aa350eee2c1229f889d10160140e0a361ccfba91adfeaa0f057cdc79c9

SHA512
54585de3d8c554e35c7ff4d371275107770f51e2296dc11619c6b6922972b83af2e176846de0a3106eb7fd76501334ce7ad7f874a4736002da77de001c9042c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w46Xg32.exe
Filesize
383KB

MD5
ef64e1de721636845578e6076d7a2996

SHA1
2826f8436d2ddfc9619057f073cc42909b88d5bc

SHA256
93b1c3b0076daae0e9644ebfccf199388b1922745d22f239d6c7fddfa7f6e7fa

SHA512
7864e65de7d8e0cd80397ce0b59ad9733ea1e8bb89fb0190db9bda225fcffe277b3aac750ff1218a3887330999e8ca76aaa6543cbd6a40d7c64baaaabaf1e4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w46Xg32.exe
Filesize
383KB

MD5
ef64e1de721636845578e6076d7a2996

SHA1
2826f8436d2ddfc9619057f073cc42909b88d5bc

SHA256
93b1c3b0076daae0e9644ebfccf199388b1922745d22f239d6c7fddfa7f6e7fa

SHA512
7864e65de7d8e0cd80397ce0b59ad9733ea1e8bb89fb0190db9bda225fcffe277b3aac750ff1218a3887330999e8ca76aaa6543cbd6a40d7c64baaaabaf1e4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6722.exe
Filesize
352KB

MD5
fde5441211ab5c428c12bcf944ffbd0f

SHA1
fae6107a0cfdcd8b4ccdc591720b748288736ac9

SHA256
b20bff8aa74e6d04ca149a07326dae2c4c8f463fe7f24c23b61cca454cc0dad0

SHA512
44def1d9f4a890c24224aecced13ef141e4ccf75a2aac4a51c18db045ec370237306aaf186684702fdec852f9c6212d94c7117a6af1b1c58ed0960fccf3ba11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6722.exe
Filesize
352KB

MD5
fde5441211ab5c428c12bcf944ffbd0f

SHA1
fae6107a0cfdcd8b4ccdc591720b748288736ac9

SHA256
b20bff8aa74e6d04ca149a07326dae2c4c8f463fe7f24c23b61cca454cc0dad0

SHA512
44def1d9f4a890c24224aecced13ef141e4ccf75a2aac4a51c18db045ec370237306aaf186684702fdec852f9c6212d94c7117a6af1b1c58ed0960fccf3ba11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8895.exe
Filesize
11KB

MD5
784824e2fee0a9f4042d47322c39316c

SHA1
502af8b8b8570847860c7beebb93df0caffe5f5c

SHA256
efc1de07c5570c007190ec75e53ad7835e84ca1579575dd1a85135f86ffb9f94

SHA512
0eba57bb6ec53f49b077472896fe85e68ddebfe54c1e676bdb34c79aac71483ef3bb58ad0f09bab431ae275d93310ed71fe22c673d42aeabc93447674efa5db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8895.exe
Filesize
11KB

MD5
784824e2fee0a9f4042d47322c39316c

SHA1
502af8b8b8570847860c7beebb93df0caffe5f5c

SHA256
efc1de07c5570c007190ec75e53ad7835e84ca1579575dd1a85135f86ffb9f94

SHA512
0eba57bb6ec53f49b077472896fe85e68ddebfe54c1e676bdb34c79aac71483ef3bb58ad0f09bab431ae275d93310ed71fe22c673d42aeabc93447674efa5db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0476pF.exe
Filesize
325KB

MD5
36e7e9a842e916b72e08d85323129db6

SHA1
8c7d079f8ae6ee07ab181651d206df3f1ecc1e9e

SHA256
c42ae72da72b7a0cd5f6fb2b1d8ec7ef46b373a40aa198d20d1d41fe9d1520d7

SHA512
4b4fd769972524ed96065d0d75f5636a96c7d7df7f29e4b78cbc7d528037572510d2c9c8eb57fbf356138958f0ef42916d4a08b152eb4c3fce1fbc9b55d296cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0476pF.exe
Filesize
325KB

MD5
36e7e9a842e916b72e08d85323129db6

SHA1
8c7d079f8ae6ee07ab181651d206df3f1ecc1e9e

SHA256
c42ae72da72b7a0cd5f6fb2b1d8ec7ef46b373a40aa198d20d1d41fe9d1520d7

SHA512
4b4fd769972524ed96065d0d75f5636a96c7d7df7f29e4b78cbc7d528037572510d2c9c8eb57fbf356138958f0ef42916d4a08b152eb4c3fce1fbc9b55d296cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
e8970e2a21079832e72f6296469b6b1a

SHA1
47d2108254931ea5f10dbbff021dfc3ef5207216

SHA256
7950e5f100ba06b7110165a43cd8d882e6efc4292c9ea194e13f8ba75322221d

SHA512
604105bfcb32b3b7a46651ff472289779a2b690cf231d80e957c2bb11973a3134ad6ed69c12aa707a648c15ad6659ea1b891c1c3721f0bcedfdc17dd4c9bc1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
e8970e2a21079832e72f6296469b6b1a

SHA1
47d2108254931ea5f10dbbff021dfc3ef5207216

SHA256
7950e5f100ba06b7110165a43cd8d882e6efc4292c9ea194e13f8ba75322221d

SHA512
604105bfcb32b3b7a46651ff472289779a2b690cf231d80e957c2bb11973a3134ad6ed69c12aa707a648c15ad6659ea1b891c1c3721f0bcedfdc17dd4c9bc1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
e8970e2a21079832e72f6296469b6b1a

SHA1
47d2108254931ea5f10dbbff021dfc3ef5207216

SHA256
7950e5f100ba06b7110165a43cd8d882e6efc4292c9ea194e13f8ba75322221d

SHA512
604105bfcb32b3b7a46651ff472289779a2b690cf231d80e957c2bb11973a3134ad6ed69c12aa707a648c15ad6659ea1b891c1c3721f0bcedfdc17dd4c9bc1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
e8970e2a21079832e72f6296469b6b1a

SHA1
47d2108254931ea5f10dbbff021dfc3ef5207216

SHA256
7950e5f100ba06b7110165a43cd8d882e6efc4292c9ea194e13f8ba75322221d

SHA512
604105bfcb32b3b7a46651ff472289779a2b690cf231d80e957c2bb11973a3134ad6ed69c12aa707a648c15ad6659ea1b891c1c3721f0bcedfdc17dd4c9bc1f4

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/8-1132-0x0000000008E90000-0x00000000093BC000-memory.dmp

Filesize
5.2MB

Download
memory/8-231-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-1130-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/8-1131-0x0000000008CC0000-0x0000000008E82000-memory.dmp

Filesize
1.8MB

Download
memory/8-1134-0x000000000A970000-0x000000000A9C0000-memory.dmp

Filesize
320KB

Download
memory/8-1136-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/8-210-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-213-0x0000000002DA0000-0x0000000002DEB000-memory.dmp

Filesize
300KB

Download
memory/8-211-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-215-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/8-217-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-221-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-218-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/8-214-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-219-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/8-223-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-225-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-227-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-229-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-1133-0x000000000A8E0000-0x000000000A956000-memory.dmp

Filesize
472KB

Download
memory/8-233-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-235-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-237-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-239-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-241-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-243-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-245-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-247-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

Filesize
252KB

Download
memory/8-1120-0x0000000007960000-0x0000000007F78000-memory.dmp

Filesize
6.1MB

Download
memory/8-1121-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/8-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/8-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/8-1124-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/8-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/8-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/8-1128-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/8-1129-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/336-194-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-176-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-204-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/336-203-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/336-202-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/336-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/336-199-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/336-198-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/336-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/336-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/336-197-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/336-196-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-192-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-190-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-188-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-186-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-184-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-182-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-168-0x0000000007230000-0x00000000077D4000-memory.dmp

Filesize
5.6MB

Download
memory/336-169-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-180-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-178-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-172-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-170-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/336-174-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/784-161-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/2176-1201-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2176-1210-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/2176-1202-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/2700-1203-0x0000016870A30000-0x0000016870A40000-memory.dmp

Filesize
64KB

Download
memory/2700-1196-0x000001686E390000-0x000001686E57E000-memory.dmp

Filesize
1.9MB

Download
memory/3488-1176-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/3488-1175-0x0000000000770000-0x0000000000856000-memory.dmp

Filesize
920KB

Download
memory/3864-1209-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3864-1211-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3864-1212-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4100-1142-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/4100-1141-0x0000000000EE0000-0x0000000000F12000-memory.dmp

Filesize
200KB

Download