amadey | 626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e

Analysis

max time kernel
105s
max time network
122s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-03-2023 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe
Size

1.0MB
MD5

28e484a67d5c2417f5f4eee194b60077
SHA1

fad4bdde48d3c3a8cc188dc68908c2c21698a7ba
SHA256

626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e
SHA512

2045835b1a82f1461782ab0dc1006beed0fcac045b6b0b1b57574b5b8eda921c6f0dcf515262f18e29edc76f97808e951f68f83d2b0e1291db3cbc659fd33740
SSDEEP

24576:oyc60IrUOO0OnMhj1lrbHVAwV5Gn2cTwGUML1vc0l:vcVcUOAnEXHJG2kwrcvc0

Score

10^/10

amadey lumma redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v2541qv.exetz4804.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v2541qv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4804.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4804.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4804.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v2541qv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v2541qv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v2541qv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v2541qv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4804.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4804.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4752-196-0x00000000046B0000-0x00000000046F6000-memory.dmp	family_redline
behavioral1/memory/4752-197-0x00000000048D0000-0x0000000004914000-memory.dmp	family_redline
behavioral1/memory/4752-199-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-198-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-201-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-203-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-205-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-207-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-209-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-211-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-213-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-215-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-217-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-219-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-221-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-223-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-225-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-227-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-229-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-232-0x00000000048D0000-0x000000000490F000-memory.dmp	family_redline
behavioral1/memory/4752-1118-0x00000000072E0000-0x00000000072F0000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

zap2341.exezap4804.exezap9286.exetz4804.exev2541qv.exew34Aa52.exexLqYe36.exey48Qd57.exelegenda.exeLummas.exelegenda.exe

pid	process
3940	zap2341.exe
728	zap4804.exe
3608	zap9286.exe
3612	tz4804.exe
3908	v2541qv.exe
4752	w34Aa52.exe
3800	xLqYe36.exe
4100	y48Qd57.exe
4388	legenda.exe
5004	Lummas.exe
4316	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2188 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2188	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz4804.exev2541qv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4804.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v2541qv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v2541qv.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap4804.exezap9286.exe626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exezap2341.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4804.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4804.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9286.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap9286.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2341.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2341.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Lummas.exe

description pid process target process

PID 5004 set thread context of 556 5004 Lummas.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4428 schtasks.exe

description	pid	process	target process
PID 5004 set thread context of 556	5004	Lummas.exe	AddInProcess32.exe

pid	process
4428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

tz4804.exev2541qv.exew34Aa52.exexLqYe36.exeLummas.exe

pid	process
3612	tz4804.exe
3612	tz4804.exe
3908	v2541qv.exe
3908	v2541qv.exe
4752	w34Aa52.exe
4752	w34Aa52.exe
3800	xLqYe36.exe
3800	xLqYe36.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe
5004	Lummas.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz4804.exev2541qv.exew34Aa52.exexLqYe36.exeLummas.exe

description	pid	process
Token: SeDebugPrivilege	3612	tz4804.exe
Token: SeDebugPrivilege	3908	v2541qv.exe
Token: SeDebugPrivilege	4752	w34Aa52.exe
Token: SeDebugPrivilege	3800	xLqYe36.exe
Token: SeDebugPrivilege	5004	Lummas.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exezap2341.exezap4804.exezap9286.exey48Qd57.exelegenda.execmd.exeLummas.exe

description	pid	process	target process
PID 3720 wrote to memory of 3940	3720	626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe	zap2341.exe
PID 3720 wrote to memory of 3940	3720	626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe	zap2341.exe
PID 3720 wrote to memory of 3940	3720	626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe	zap2341.exe
PID 3940 wrote to memory of 728	3940	zap2341.exe	zap4804.exe
PID 3940 wrote to memory of 728	3940	zap2341.exe	zap4804.exe
PID 3940 wrote to memory of 728	3940	zap2341.exe	zap4804.exe
PID 728 wrote to memory of 3608	728	zap4804.exe	zap9286.exe
PID 728 wrote to memory of 3608	728	zap4804.exe	zap9286.exe
PID 728 wrote to memory of 3608	728	zap4804.exe	zap9286.exe
PID 3608 wrote to memory of 3612	3608	zap9286.exe	tz4804.exe
PID 3608 wrote to memory of 3612	3608	zap9286.exe	tz4804.exe
PID 3608 wrote to memory of 3908	3608	zap9286.exe	v2541qv.exe
PID 3608 wrote to memory of 3908	3608	zap9286.exe	v2541qv.exe
PID 3608 wrote to memory of 3908	3608	zap9286.exe	v2541qv.exe
PID 728 wrote to memory of 4752	728	zap4804.exe	w34Aa52.exe
PID 728 wrote to memory of 4752	728	zap4804.exe	w34Aa52.exe
PID 728 wrote to memory of 4752	728	zap4804.exe	w34Aa52.exe
PID 3940 wrote to memory of 3800	3940	zap2341.exe	xLqYe36.exe
PID 3940 wrote to memory of 3800	3940	zap2341.exe	xLqYe36.exe
PID 3940 wrote to memory of 3800	3940	zap2341.exe	xLqYe36.exe
PID 3720 wrote to memory of 4100	3720	626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe	y48Qd57.exe
PID 3720 wrote to memory of 4100	3720	626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe	y48Qd57.exe
PID 3720 wrote to memory of 4100	3720	626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe	y48Qd57.exe
PID 4100 wrote to memory of 4388	4100	y48Qd57.exe	legenda.exe
PID 4100 wrote to memory of 4388	4100	y48Qd57.exe	legenda.exe
PID 4100 wrote to memory of 4388	4100	y48Qd57.exe	legenda.exe
PID 4388 wrote to memory of 4428	4388	legenda.exe	schtasks.exe
PID 4388 wrote to memory of 4428	4388	legenda.exe	schtasks.exe
PID 4388 wrote to memory of 4428	4388	legenda.exe	schtasks.exe
PID 4388 wrote to memory of 4348	4388	legenda.exe	cmd.exe
PID 4388 wrote to memory of 4348	4388	legenda.exe	cmd.exe
PID 4388 wrote to memory of 4348	4388	legenda.exe	cmd.exe
PID 4348 wrote to memory of 3404	4348	cmd.exe	cmd.exe
PID 4348 wrote to memory of 3404	4348	cmd.exe	cmd.exe
PID 4348 wrote to memory of 3404	4348	cmd.exe	cmd.exe
PID 4348 wrote to memory of 3460	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 3460	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 3460	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 3388	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 3388	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 3388	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 3964	4348	cmd.exe	cmd.exe
PID 4348 wrote to memory of 3964	4348	cmd.exe	cmd.exe
PID 4348 wrote to memory of 3964	4348	cmd.exe	cmd.exe
PID 4348 wrote to memory of 5032	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 5032	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 5032	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 3172	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 3172	4348	cmd.exe	cacls.exe
PID 4348 wrote to memory of 3172	4348	cmd.exe	cacls.exe
PID 4388 wrote to memory of 5004	4388	legenda.exe	Lummas.exe
PID 4388 wrote to memory of 5004	4388	legenda.exe	Lummas.exe
PID 5004 wrote to memory of 4892	5004	Lummas.exe	ngen.exe
PID 5004 wrote to memory of 4892	5004	Lummas.exe	ngen.exe
PID 5004 wrote to memory of 4964	5004	Lummas.exe	DataSvcUtil.exe
PID 5004 wrote to memory of 4964	5004	Lummas.exe	DataSvcUtil.exe
PID 5004 wrote to memory of 4984	5004	Lummas.exe	InstallUtil.exe
PID 5004 wrote to memory of 4984	5004	Lummas.exe	InstallUtil.exe
PID 5004 wrote to memory of 4992	5004	Lummas.exe	RegAsm.exe
PID 5004 wrote to memory of 4992	5004	Lummas.exe	RegAsm.exe
PID 5004 wrote to memory of 4948	5004	Lummas.exe	cvtres.exe
PID 5004 wrote to memory of 4948	5004	Lummas.exe	cvtres.exe
PID 5004 wrote to memory of 804	5004	Lummas.exe	ilasm.exe
PID 5004 wrote to memory of 804	5004	Lummas.exe	ilasm.exe

C:\Users\Admin\AppData\Local\Temp\626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe
"C:\Users\Admin\AppData\Local\Temp\626fb73c7b46585071fbdbf45f12e0594be2272849499f8414aa02c6a452924e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3720

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2341.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2341.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4804.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4804.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9286.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9286.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3608

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4804.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4804.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2541qv.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2541qv.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w34Aa52.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w34Aa52.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLqYe36.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLqYe36.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y48Qd57.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y48Qd57.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3404

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3460

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3964

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5032

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
5⤵
PID:4892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
5⤵
PID:4964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
5⤵
PID:4984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
5⤵
PID:4992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
5⤵
PID:4948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
5⤵
PID:804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
5⤵
PID:4884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
5⤵
PID:780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
5⤵
PID:792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
5⤵
PID:784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
5⤵
PID:680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
5⤵
PID:4288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
5⤵
PID:4284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
5⤵
PID:3068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
5⤵
PID:4244

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
5⤵
PID:4012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
5⤵
PID:3420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
5⤵
PID:4968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
5⤵
PID:1560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
5⤵
PID:452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
5⤵
PID:556

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2188

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y48Qd57.exe
Filesize
235KB

MD5
810dec92cda616830a0ab33b5530c272

SHA1
39761fd3c683c6f190fc0d2aafe503d873076757

SHA256
f01f230ba33abf10a82ad202ed36c1b8ba2730117c06cb5a41504f09cfa6bd2c

SHA512
6dfc08b477eb144662c47208eabc581f7b68deeaf350cd18d24aac3b0ca5e82c7fca1d1e51a40b0227ee164165d51e7d5b9a1978f34458f6e39062080805097e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y48Qd57.exe
Filesize
235KB

MD5
810dec92cda616830a0ab33b5530c272

SHA1
39761fd3c683c6f190fc0d2aafe503d873076757

SHA256
f01f230ba33abf10a82ad202ed36c1b8ba2730117c06cb5a41504f09cfa6bd2c

SHA512
6dfc08b477eb144662c47208eabc581f7b68deeaf350cd18d24aac3b0ca5e82c7fca1d1e51a40b0227ee164165d51e7d5b9a1978f34458f6e39062080805097e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2341.exe
Filesize
854KB

MD5
ff70a19389d9f577264918361145d805

SHA1
5b39bb2f518bc451c3c148d0fd89b28de3770cf0

SHA256
42be77370851fe3e50f8ef78acf8fe66a3d55e574b7aeaede21c448582c1355d

SHA512
6b5a26f81f6697b7673feee3b57f17a197001b34ec2df63d8394ba2e58d6ece3b020e252cccf96cb2764c089f69161f93e383f6ccd2b3a305278e3894f38fcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2341.exe
Filesize
854KB

MD5
ff70a19389d9f577264918361145d805

SHA1
5b39bb2f518bc451c3c148d0fd89b28de3770cf0

SHA256
42be77370851fe3e50f8ef78acf8fe66a3d55e574b7aeaede21c448582c1355d

SHA512
6b5a26f81f6697b7673feee3b57f17a197001b34ec2df63d8394ba2e58d6ece3b020e252cccf96cb2764c089f69161f93e383f6ccd2b3a305278e3894f38fcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLqYe36.exe
Filesize
175KB

MD5
d1722eed458e5a163a17d084e4b95b7f

SHA1
5323c4e3ee135c0c7f9e6bf93ab3cce872d5baf6

SHA256
88aa3d8332415ac386f24a031a425f5f8ed57b70d39ef783ee425014c0c69120

SHA512
3f13416e84495576e2e3b02910a6b38da817fa722c30de7e23bd40f87a51896f5f6e8bfdbad874237dc80756bfe05a45c5f114b79350339db5bd0719a80ba3f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLqYe36.exe
Filesize
175KB

MD5
d1722eed458e5a163a17d084e4b95b7f

SHA1
5323c4e3ee135c0c7f9e6bf93ab3cce872d5baf6

SHA256
88aa3d8332415ac386f24a031a425f5f8ed57b70d39ef783ee425014c0c69120

SHA512
3f13416e84495576e2e3b02910a6b38da817fa722c30de7e23bd40f87a51896f5f6e8bfdbad874237dc80756bfe05a45c5f114b79350339db5bd0719a80ba3f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4804.exe
Filesize
712KB

MD5
3fbd9518475b809b92d11f48390e6a6b

SHA1
54d814a1fae523aded544c3299534cfe966174f8

SHA256
8bd24daaffd891e9aa591fc0e7f79035c5ef3395c7f25c8f3d55dd0a95cf19f2

SHA512
11d70df4c69f1653dd2f870e7b67cdf298b1af6bb536e2ae9ab875ff0403e9b403d135ee6e32a1ba2862858d1a503e19681b42882a41b82ac19aad9e5231885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4804.exe
Filesize
712KB

MD5
3fbd9518475b809b92d11f48390e6a6b

SHA1
54d814a1fae523aded544c3299534cfe966174f8

SHA256
8bd24daaffd891e9aa591fc0e7f79035c5ef3395c7f25c8f3d55dd0a95cf19f2

SHA512
11d70df4c69f1653dd2f870e7b67cdf298b1af6bb536e2ae9ab875ff0403e9b403d135ee6e32a1ba2862858d1a503e19681b42882a41b82ac19aad9e5231885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w34Aa52.exe
Filesize
383KB

MD5
4d5a592309602e97cb1cccd71e59e7b0

SHA1
6314b9ffe3c09986e5850253359e9aa5afd9e2c7

SHA256
f08588baeeeeb094b500ff6920bf588d54273c2cfeaecc3917f3ddaaf3aa3566

SHA512
2c02af8dac4bb4b87b487ecd5d5914f04e7a34398a39d03d4a3a838c1f5a1b7c6a295cb9e7bb92a2a937687a17905243b94408e2573a4bb8564afd1278a3c92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w34Aa52.exe
Filesize
383KB

MD5
4d5a592309602e97cb1cccd71e59e7b0

SHA1
6314b9ffe3c09986e5850253359e9aa5afd9e2c7

SHA256
f08588baeeeeb094b500ff6920bf588d54273c2cfeaecc3917f3ddaaf3aa3566

SHA512
2c02af8dac4bb4b87b487ecd5d5914f04e7a34398a39d03d4a3a838c1f5a1b7c6a295cb9e7bb92a2a937687a17905243b94408e2573a4bb8564afd1278a3c92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9286.exe
Filesize
352KB

MD5
88db68f3546f5f5bee8f1e454790d46f

SHA1
3c837a12c6c05a45869337dcad3313bb897cba6c

SHA256
2f74c5fb2ffd5c9dbee6067334cf947146ce302c1ab4a4d9a9b83f1633719cfa

SHA512
dc9ff4239e24a002d1eda8e989376650fdfc581345a44ea9a99f16393cb1f3b3bacfcc6532a6764b9c8b6335cdf9971770615816dd68535ebbcbb7cee4f27526

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9286.exe
Filesize
352KB

MD5
88db68f3546f5f5bee8f1e454790d46f

SHA1
3c837a12c6c05a45869337dcad3313bb897cba6c

SHA256
2f74c5fb2ffd5c9dbee6067334cf947146ce302c1ab4a4d9a9b83f1633719cfa

SHA512
dc9ff4239e24a002d1eda8e989376650fdfc581345a44ea9a99f16393cb1f3b3bacfcc6532a6764b9c8b6335cdf9971770615816dd68535ebbcbb7cee4f27526

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4804.exe
Filesize
11KB

MD5
b3bdcba2deb24557e8953fa1987a5d1c

SHA1
3fc4b37b5c8be4eb7ab2422f89272a826565df09

SHA256
d0d0ef1c9a6d7289d633263f96ed2884cff533b253cc98940c007cfe3e8698df

SHA512
cd9d4fc331d8e243479c74c5336d280daf7f110eba269a41ab6e2507ebaae5b12460cb98a9e43edfa0da51d43458fc2c7c67de9046bf3aa96417e3f7a302a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4804.exe
Filesize
11KB

MD5
b3bdcba2deb24557e8953fa1987a5d1c

SHA1
3fc4b37b5c8be4eb7ab2422f89272a826565df09

SHA256
d0d0ef1c9a6d7289d633263f96ed2884cff533b253cc98940c007cfe3e8698df

SHA512
cd9d4fc331d8e243479c74c5336d280daf7f110eba269a41ab6e2507ebaae5b12460cb98a9e43edfa0da51d43458fc2c7c67de9046bf3aa96417e3f7a302a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2541qv.exe
Filesize
325KB

MD5
9dab75b6dcf71b73ca38afc559875a94

SHA1
f54f3ae5195042d9c18dcc7fb302c50b33165d2a

SHA256
47e20d3f6448d1e95fb6202b68043f1bc09799459d17bd00b3305efd017a8866

SHA512
e2da06c863549c3e6ef05d4007602d74eb4358125f11a51980290f01b68b3c0f3e1d87aa991c5f004f6f2fa34b903cc190a5873940672bb0b45fdf90888ae25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2541qv.exe
Filesize
325KB

MD5
9dab75b6dcf71b73ca38afc559875a94

SHA1
f54f3ae5195042d9c18dcc7fb302c50b33165d2a

SHA256
47e20d3f6448d1e95fb6202b68043f1bc09799459d17bd00b3305efd017a8866

SHA512
e2da06c863549c3e6ef05d4007602d74eb4358125f11a51980290f01b68b3c0f3e1d87aa991c5f004f6f2fa34b903cc190a5873940672bb0b45fdf90888ae25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
810dec92cda616830a0ab33b5530c272

SHA1
39761fd3c683c6f190fc0d2aafe503d873076757

SHA256
f01f230ba33abf10a82ad202ed36c1b8ba2730117c06cb5a41504f09cfa6bd2c

SHA512
6dfc08b477eb144662c47208eabc581f7b68deeaf350cd18d24aac3b0ca5e82c7fca1d1e51a40b0227ee164165d51e7d5b9a1978f34458f6e39062080805097e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
810dec92cda616830a0ab33b5530c272

SHA1
39761fd3c683c6f190fc0d2aafe503d873076757

SHA256
f01f230ba33abf10a82ad202ed36c1b8ba2730117c06cb5a41504f09cfa6bd2c

SHA512
6dfc08b477eb144662c47208eabc581f7b68deeaf350cd18d24aac3b0ca5e82c7fca1d1e51a40b0227ee164165d51e7d5b9a1978f34458f6e39062080805097e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
810dec92cda616830a0ab33b5530c272

SHA1
39761fd3c683c6f190fc0d2aafe503d873076757

SHA256
f01f230ba33abf10a82ad202ed36c1b8ba2730117c06cb5a41504f09cfa6bd2c

SHA512
6dfc08b477eb144662c47208eabc581f7b68deeaf350cd18d24aac3b0ca5e82c7fca1d1e51a40b0227ee164165d51e7d5b9a1978f34458f6e39062080805097e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
810dec92cda616830a0ab33b5530c272

SHA1
39761fd3c683c6f190fc0d2aafe503d873076757

SHA256
f01f230ba33abf10a82ad202ed36c1b8ba2730117c06cb5a41504f09cfa6bd2c

SHA512
6dfc08b477eb144662c47208eabc581f7b68deeaf350cd18d24aac3b0ca5e82c7fca1d1e51a40b0227ee164165d51e7d5b9a1978f34458f6e39062080805097e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/556-1163-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/556-1164-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/556-1165-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3612-147-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download
memory/3800-1130-0x00000000007A0000-0x00000000007D2000-memory.dmp

Filesize
200KB

Download
memory/3800-1131-0x00000000051E0000-0x000000000522B000-memory.dmp

Filesize
300KB

Download
memory/3800-1132-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/3908-165-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-161-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-187-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-188-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/3908-190-0x0000000004680000-0x0000000004690000-memory.dmp

Filesize
64KB

Download
memory/3908-191-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/3908-175-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-173-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-171-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-169-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-167-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-177-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-163-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-185-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-160-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-159-0x0000000004680000-0x0000000004690000-memory.dmp

Filesize
64KB

Download
memory/3908-158-0x0000000004680000-0x0000000004690000-memory.dmp

Filesize
64KB

Download
memory/3908-157-0x0000000004680000-0x0000000004690000-memory.dmp

Filesize
64KB

Download
memory/3908-156-0x0000000002D60000-0x0000000002D8D000-memory.dmp

Filesize
180KB

Download
memory/3908-155-0x0000000004B50000-0x0000000004B68000-memory.dmp

Filesize
96KB

Download
memory/3908-154-0x0000000007140000-0x000000000763E000-memory.dmp

Filesize
5.0MB

Download
memory/3908-153-0x00000000047B0000-0x00000000047CA000-memory.dmp

Filesize
104KB

Download
memory/3908-183-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-181-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3908-179-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4752-213-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-227-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-234-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4752-237-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4752-239-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4752-1108-0x00000000077F0000-0x0000000007DF6000-memory.dmp

Filesize
6.0MB

Download
memory/4752-1109-0x0000000007E00000-0x0000000007F0A000-memory.dmp

Filesize
1.0MB

Download
memory/4752-1110-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/4752-1111-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4752-1112-0x0000000007280000-0x00000000072BE000-memory.dmp

Filesize
248KB

Download
memory/4752-1113-0x0000000008010000-0x000000000805B000-memory.dmp

Filesize
300KB

Download
memory/4752-1115-0x0000000008170000-0x00000000081D6000-memory.dmp

Filesize
408KB

Download
memory/4752-1116-0x0000000008710000-0x00000000087A2000-memory.dmp

Filesize
584KB

Download
memory/4752-1117-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4752-1118-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4752-1119-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4752-1120-0x0000000008920000-0x0000000008996000-memory.dmp

Filesize
472KB

Download
memory/4752-1121-0x00000000089A0000-0x00000000089F0000-memory.dmp

Filesize
320KB

Download
memory/4752-1122-0x0000000008B10000-0x0000000008CD2000-memory.dmp

Filesize
1.8MB

Download
memory/4752-231-0x0000000002C80000-0x0000000002CCB000-memory.dmp

Filesize
300KB

Download
memory/4752-229-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-232-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-225-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-223-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-221-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-219-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-217-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-215-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-211-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-209-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-1123-0x0000000008CE0000-0x000000000920C000-memory.dmp

Filesize
5.2MB

Download
memory/4752-1126-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4752-196-0x00000000046B0000-0x00000000046F6000-memory.dmp

Filesize
280KB

Download
memory/4752-197-0x00000000048D0000-0x0000000004914000-memory.dmp

Filesize
272KB

Download
memory/4752-207-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-205-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-203-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-201-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-198-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/4752-199-0x00000000048D0000-0x000000000490F000-memory.dmp

Filesize
252KB

Download
memory/5004-1157-0x0000018760410000-0x00000187605AE000-memory.dmp

Filesize
1.6MB

Download
memory/5004-1156-0x0000018745BE0000-0x0000018745DCE000-memory.dmp

Filesize
1.9MB

Download