amadey | 21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2

Analysis

max time kernel
127s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-03-2023 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe
Size

1.0MB
MD5

4e081263d6507cb94eafb307b10c5121
SHA1

87532a37eab79c7f20778f5b4e19b22f9b0f54eb
SHA256

21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2
SHA512

8bc3802b7bbd6348bd4c5127c5ec2edf7769e6fab139fd3d5795beb49cb3d413966dfb048d6381bce9491d27b37d2c04e9bba70915df413ad76de216aad2a136
SSDEEP

24576:Py/9Ot60XvhjTvLeb6tBkqt+oZc64OMo20uDeym:a/Ut60X9TvSek2hVtMow5

Score

10^/10

amadey lumma redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz9558.exev4217RI.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz9558.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz9558.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4217RI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4217RI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4217RI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz9558.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9558.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9558.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4217RI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4217RI.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4660-200-0x0000000004A50000-0x0000000004A96000-memory.dmp	family_redline
behavioral1/memory/4660-201-0x0000000007120000-0x0000000007164000-memory.dmp	family_redline
behavioral1/memory/4660-202-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-203-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-205-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-209-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-212-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-214-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-216-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-218-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-220-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-222-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-224-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-226-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-228-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-230-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-232-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-234-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-236-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline
behavioral1/memory/4660-238-0x0000000007120000-0x000000000715F000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

zap2864.exezap0122.exezap7113.exetz9558.exev4217RI.exew83FC49.exexFRvg94.exey51CX98.exelegenda.exeLummas.exelegenda.exelegenda.exe

pid	process
3776	zap2864.exe
3652	zap0122.exe
4172	zap7113.exe
2136	tz9558.exe
4184	v4217RI.exe
4660	w83FC49.exe
1732	xFRvg94.exe
4072	y51CX98.exe
784	legenda.exe
5028	Lummas.exe
4316	legenda.exe
1528	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1136 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1136	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz9558.exev4217RI.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9558.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4217RI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4217RI.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap7113.exe21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exezap2864.exezap0122.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7113.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2864.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap0122.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Lummas.exe

description pid process target process

PID 5028 set thread context of 916 5028 Lummas.exe jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4004 schtasks.exe

description	pid	process	target process
PID 5028 set thread context of 916	5028	Lummas.exe	jsc.exe

pid	process
4004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

tz9558.exev4217RI.exew83FC49.exexFRvg94.exeLummas.exe

pid	process
2136	tz9558.exe
2136	tz9558.exe
4184	v4217RI.exe
4184	v4217RI.exe
4660	w83FC49.exe
4660	w83FC49.exe
1732	xFRvg94.exe
1732	xFRvg94.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe
5028	Lummas.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz9558.exev4217RI.exew83FC49.exexFRvg94.exeLummas.exe

description	pid	process
Token: SeDebugPrivilege	2136	tz9558.exe
Token: SeDebugPrivilege	4184	v4217RI.exe
Token: SeDebugPrivilege	4660	w83FC49.exe
Token: SeDebugPrivilege	1732	xFRvg94.exe
Token: SeDebugPrivilege	5028	Lummas.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exezap2864.exezap0122.exezap7113.exey51CX98.exelegenda.execmd.exeLummas.exe

description	pid	process	target process
PID 3044 wrote to memory of 3776	3044	21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe	zap2864.exe
PID 3044 wrote to memory of 3776	3044	21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe	zap2864.exe
PID 3044 wrote to memory of 3776	3044	21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe	zap2864.exe
PID 3776 wrote to memory of 3652	3776	zap2864.exe	zap0122.exe
PID 3776 wrote to memory of 3652	3776	zap2864.exe	zap0122.exe
PID 3776 wrote to memory of 3652	3776	zap2864.exe	zap0122.exe
PID 3652 wrote to memory of 4172	3652	zap0122.exe	zap7113.exe
PID 3652 wrote to memory of 4172	3652	zap0122.exe	zap7113.exe
PID 3652 wrote to memory of 4172	3652	zap0122.exe	zap7113.exe
PID 4172 wrote to memory of 2136	4172	zap7113.exe	tz9558.exe
PID 4172 wrote to memory of 2136	4172	zap7113.exe	tz9558.exe
PID 4172 wrote to memory of 4184	4172	zap7113.exe	v4217RI.exe
PID 4172 wrote to memory of 4184	4172	zap7113.exe	v4217RI.exe
PID 4172 wrote to memory of 4184	4172	zap7113.exe	v4217RI.exe
PID 3652 wrote to memory of 4660	3652	zap0122.exe	w83FC49.exe
PID 3652 wrote to memory of 4660	3652	zap0122.exe	w83FC49.exe
PID 3652 wrote to memory of 4660	3652	zap0122.exe	w83FC49.exe
PID 3776 wrote to memory of 1732	3776	zap2864.exe	xFRvg94.exe
PID 3776 wrote to memory of 1732	3776	zap2864.exe	xFRvg94.exe
PID 3776 wrote to memory of 1732	3776	zap2864.exe	xFRvg94.exe
PID 3044 wrote to memory of 4072	3044	21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe	y51CX98.exe
PID 3044 wrote to memory of 4072	3044	21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe	y51CX98.exe
PID 3044 wrote to memory of 4072	3044	21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe	y51CX98.exe
PID 4072 wrote to memory of 784	4072	y51CX98.exe	legenda.exe
PID 4072 wrote to memory of 784	4072	y51CX98.exe	legenda.exe
PID 4072 wrote to memory of 784	4072	y51CX98.exe	legenda.exe
PID 784 wrote to memory of 4004	784	legenda.exe	schtasks.exe
PID 784 wrote to memory of 4004	784	legenda.exe	schtasks.exe
PID 784 wrote to memory of 4004	784	legenda.exe	schtasks.exe
PID 784 wrote to memory of 3108	784	legenda.exe	cmd.exe
PID 784 wrote to memory of 3108	784	legenda.exe	cmd.exe
PID 784 wrote to memory of 3108	784	legenda.exe	cmd.exe
PID 3108 wrote to memory of 4368	3108	cmd.exe	cmd.exe
PID 3108 wrote to memory of 4368	3108	cmd.exe	cmd.exe
PID 3108 wrote to memory of 4368	3108	cmd.exe	cmd.exe
PID 3108 wrote to memory of 4916	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 4916	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 4916	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 4908	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 4908	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 4908	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 4256	3108	cmd.exe	cmd.exe
PID 3108 wrote to memory of 4256	3108	cmd.exe	cmd.exe
PID 3108 wrote to memory of 4256	3108	cmd.exe	cmd.exe
PID 3108 wrote to memory of 5052	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 5052	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 5052	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 4904	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 4904	3108	cmd.exe	cacls.exe
PID 3108 wrote to memory of 4904	3108	cmd.exe	cacls.exe
PID 784 wrote to memory of 5028	784	legenda.exe	Lummas.exe
PID 784 wrote to memory of 5028	784	legenda.exe	Lummas.exe
PID 5028 wrote to memory of 5108	5028	Lummas.exe	ComSvcConfig.exe
PID 5028 wrote to memory of 5108	5028	Lummas.exe	ComSvcConfig.exe
PID 5028 wrote to memory of 5100	5028	Lummas.exe	WsatConfig.exe
PID 5028 wrote to memory of 5100	5028	Lummas.exe	WsatConfig.exe
PID 5028 wrote to memory of 4032	5028	Lummas.exe	aspnet_regsql.exe
PID 5028 wrote to memory of 4032	5028	Lummas.exe	aspnet_regsql.exe
PID 5028 wrote to memory of 4520	5028	Lummas.exe	aspnet_compiler.exe
PID 5028 wrote to memory of 4520	5028	Lummas.exe	aspnet_compiler.exe
PID 5028 wrote to memory of 4476	5028	Lummas.exe	RegSvcs.exe
PID 5028 wrote to memory of 4476	5028	Lummas.exe	RegSvcs.exe
PID 5028 wrote to memory of 3240	5028	Lummas.exe	aspnet_wp.exe
PID 5028 wrote to memory of 3240	5028	Lummas.exe	aspnet_wp.exe

C:\Users\Admin\AppData\Local\Temp\21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe
"C:\Users\Admin\AppData\Local\Temp\21713ca40276aa6d675ba107b8b2dfb501d1035f09b22fac5bb4689fed1135c2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2864.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2864.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0122.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0122.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3652

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7113.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7113.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9558.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9558.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4217RI.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4217RI.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83FC49.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83FC49.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFRvg94.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFRvg94.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y51CX98.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y51CX98.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4368

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4916

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4256

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5052

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
5⤵
PID:5108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
5⤵
PID:5100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
5⤵
PID:4032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:4520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
5⤵
PID:4476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
5⤵
PID:3240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
5⤵
PID:4348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
5⤵
PID:4992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
5⤵
PID:5072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
5⤵
PID:1784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
5⤵
PID:5080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
5⤵
PID:3332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
5⤵
PID:4452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
5⤵
PID:5084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
5⤵
PID:4880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
5⤵
PID:4444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
5⤵
PID:1804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
5⤵
PID:916

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1136

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y51CX98.exe
Filesize
235KB

MD5
7812fd5bbc6287448c1192e19f7bc69a

SHA1
b180cbc97f262b8bbb21b48ab343a07fcdac8f5a

SHA256
3303312de6d8b99a23ccf2465ad86f197771957bc557af8681ce8ef7c3f9d689

SHA512
11c733969ee9b6bfbd6a5fc60a52d754b8c5af7966c0eccf0b1dbaad184a97f98f4c288278b879b69fdce7a461f017867032133309ec80c240e9ee3be1d0d682

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y51CX98.exe
Filesize
235KB

MD5
7812fd5bbc6287448c1192e19f7bc69a

SHA1
b180cbc97f262b8bbb21b48ab343a07fcdac8f5a

SHA256
3303312de6d8b99a23ccf2465ad86f197771957bc557af8681ce8ef7c3f9d689

SHA512
11c733969ee9b6bfbd6a5fc60a52d754b8c5af7966c0eccf0b1dbaad184a97f98f4c288278b879b69fdce7a461f017867032133309ec80c240e9ee3be1d0d682

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2864.exe
Filesize
853KB

MD5
ff257022eb9b9bb8a64a0e75109be1fb

SHA1
d651bb3b7293755a6cb4b46726b1ff6e7d5c3778

SHA256
62347e531044b686b31b6dcb3e977204939f3b38b7feee8d041a63939d11646e

SHA512
288b82656f57f5f67617884a1de965fb1afc9068ecd1534e635a98d33b80d463606d99d262f8186d573673eddda16ead2f4b7f35dcb12504fc7e0167ee181514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2864.exe
Filesize
853KB

MD5
ff257022eb9b9bb8a64a0e75109be1fb

SHA1
d651bb3b7293755a6cb4b46726b1ff6e7d5c3778

SHA256
62347e531044b686b31b6dcb3e977204939f3b38b7feee8d041a63939d11646e

SHA512
288b82656f57f5f67617884a1de965fb1afc9068ecd1534e635a98d33b80d463606d99d262f8186d573673eddda16ead2f4b7f35dcb12504fc7e0167ee181514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFRvg94.exe
Filesize
175KB

MD5
6787aecd277ffee5fed00251fab3c5ff

SHA1
332e3a831afd57f8b549cb51bc6e08dd4751af70

SHA256
4b0f181e1d9dda5328e09e3be9f7c772969d273f2276908f6807323602f6177f

SHA512
9b84fae324140d5a6a3dfa511fadbea7417a117c2873cf70a2e53565d23e2723a86a89a871043a06e9f42f159b65fdcee38fb9a80a95acb9701363dda4fabbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFRvg94.exe
Filesize
175KB

MD5
6787aecd277ffee5fed00251fab3c5ff

SHA1
332e3a831afd57f8b549cb51bc6e08dd4751af70

SHA256
4b0f181e1d9dda5328e09e3be9f7c772969d273f2276908f6807323602f6177f

SHA512
9b84fae324140d5a6a3dfa511fadbea7417a117c2873cf70a2e53565d23e2723a86a89a871043a06e9f42f159b65fdcee38fb9a80a95acb9701363dda4fabbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0122.exe
Filesize
711KB

MD5
ed5d7688b8f700ceed46b74fdc2e181d

SHA1
5a5efa3278464c2a145f0a46a0b02284b705f7e2

SHA256
8c786309ce729d9275f543ad20efd77201cc45f18398a9060a42d9b7e079bb3a

SHA512
d6d9c9c9631e478e70b273f60ede58ca6bb175de072fd2a62657f2326f0cb8179517a1fe131c15dbaf5b5e3ff1eec3a083bc72ee051ab15203852e821223becd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0122.exe
Filesize
711KB

MD5
ed5d7688b8f700ceed46b74fdc2e181d

SHA1
5a5efa3278464c2a145f0a46a0b02284b705f7e2

SHA256
8c786309ce729d9275f543ad20efd77201cc45f18398a9060a42d9b7e079bb3a

SHA512
d6d9c9c9631e478e70b273f60ede58ca6bb175de072fd2a62657f2326f0cb8179517a1fe131c15dbaf5b5e3ff1eec3a083bc72ee051ab15203852e821223becd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83FC49.exe
Filesize
383KB

MD5
488c85484ba1c0aa0643a3d7135ae265

SHA1
87f0721a0cd1474880555c190a04d81f830a0ff3

SHA256
d25113802df910dc900e43b46b9102c16b529a6d49d551a03c2bf26ee3528684

SHA512
d106ae4db89e0b1a05f08d2d6f3a51d23569c11208ad08958fedbfa41aacc5b3b38742ee1c5f73a81618a4e8e9b24d9b1099a372d275f256220a71c27aeafc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83FC49.exe
Filesize
383KB

MD5
488c85484ba1c0aa0643a3d7135ae265

SHA1
87f0721a0cd1474880555c190a04d81f830a0ff3

SHA256
d25113802df910dc900e43b46b9102c16b529a6d49d551a03c2bf26ee3528684

SHA512
d106ae4db89e0b1a05f08d2d6f3a51d23569c11208ad08958fedbfa41aacc5b3b38742ee1c5f73a81618a4e8e9b24d9b1099a372d275f256220a71c27aeafc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7113.exe
Filesize
352KB

MD5
1e68aceb1f1bebb02919251cfe13a022

SHA1
e7032526852dbf692231d2e65656d3c7408efceb

SHA256
d9c2f52c679a3c53726bab6913e71c2d49e7a5a89e6ddac3855dbcc11f1202f8

SHA512
a7fc897fbef3c1e9d7efd04442e4fe69d36d18014ea5fb707ddd2a0572dfbc8a76b42aef58dc6dc6d51b4c490ac999ca7927a75f73bf9ade31834eaa1f3aaab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7113.exe
Filesize
352KB

MD5
1e68aceb1f1bebb02919251cfe13a022

SHA1
e7032526852dbf692231d2e65656d3c7408efceb

SHA256
d9c2f52c679a3c53726bab6913e71c2d49e7a5a89e6ddac3855dbcc11f1202f8

SHA512
a7fc897fbef3c1e9d7efd04442e4fe69d36d18014ea5fb707ddd2a0572dfbc8a76b42aef58dc6dc6d51b4c490ac999ca7927a75f73bf9ade31834eaa1f3aaab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9558.exe
Filesize
11KB

MD5
b1f79154e59b5f3e06ff6e21f24e7109

SHA1
af8f64023d822bb68d99911e7a450a23b4a80b93

SHA256
71d7e954767d719978ae02ad4a6e75cce4f08e2cc394591528d7247678a523a9

SHA512
1ec860288512bba7e493b9f4223de67b287507190fd1fa14f60e3f18e1d21b9a5d1b6a55bdb9b1c963d5305d6718b414be1ed2566b83e65c6e031a581f005fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9558.exe
Filesize
11KB

MD5
b1f79154e59b5f3e06ff6e21f24e7109

SHA1
af8f64023d822bb68d99911e7a450a23b4a80b93

SHA256
71d7e954767d719978ae02ad4a6e75cce4f08e2cc394591528d7247678a523a9

SHA512
1ec860288512bba7e493b9f4223de67b287507190fd1fa14f60e3f18e1d21b9a5d1b6a55bdb9b1c963d5305d6718b414be1ed2566b83e65c6e031a581f005fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4217RI.exe
Filesize
325KB

MD5
d092c0a4e1f3e4f10350237c30fc344d

SHA1
5a6854e5dac82bae37eb130891a9e38f61ee4a8b

SHA256
0607a140fca7dd71f9bf57f33b7e7cd284e1d4b74019380158f6003a5b9dfa1a

SHA512
99a493be1e620f92871d79ea5203488cc71a15139418e5df5c838016045cc1844becedd62e64dd03ee8ab8d2fae97f80e534dd8f3ce0206d4ae501860c0c7db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4217RI.exe
Filesize
325KB

MD5
d092c0a4e1f3e4f10350237c30fc344d

SHA1
5a6854e5dac82bae37eb130891a9e38f61ee4a8b

SHA256
0607a140fca7dd71f9bf57f33b7e7cd284e1d4b74019380158f6003a5b9dfa1a

SHA512
99a493be1e620f92871d79ea5203488cc71a15139418e5df5c838016045cc1844becedd62e64dd03ee8ab8d2fae97f80e534dd8f3ce0206d4ae501860c0c7db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
7812fd5bbc6287448c1192e19f7bc69a

SHA1
b180cbc97f262b8bbb21b48ab343a07fcdac8f5a

SHA256
3303312de6d8b99a23ccf2465ad86f197771957bc557af8681ce8ef7c3f9d689

SHA512
11c733969ee9b6bfbd6a5fc60a52d754b8c5af7966c0eccf0b1dbaad184a97f98f4c288278b879b69fdce7a461f017867032133309ec80c240e9ee3be1d0d682

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
7812fd5bbc6287448c1192e19f7bc69a

SHA1
b180cbc97f262b8bbb21b48ab343a07fcdac8f5a

SHA256
3303312de6d8b99a23ccf2465ad86f197771957bc557af8681ce8ef7c3f9d689

SHA512
11c733969ee9b6bfbd6a5fc60a52d754b8c5af7966c0eccf0b1dbaad184a97f98f4c288278b879b69fdce7a461f017867032133309ec80c240e9ee3be1d0d682

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
7812fd5bbc6287448c1192e19f7bc69a

SHA1
b180cbc97f262b8bbb21b48ab343a07fcdac8f5a

SHA256
3303312de6d8b99a23ccf2465ad86f197771957bc557af8681ce8ef7c3f9d689

SHA512
11c733969ee9b6bfbd6a5fc60a52d754b8c5af7966c0eccf0b1dbaad184a97f98f4c288278b879b69fdce7a461f017867032133309ec80c240e9ee3be1d0d682

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
7812fd5bbc6287448c1192e19f7bc69a

SHA1
b180cbc97f262b8bbb21b48ab343a07fcdac8f5a

SHA256
3303312de6d8b99a23ccf2465ad86f197771957bc557af8681ce8ef7c3f9d689

SHA512
11c733969ee9b6bfbd6a5fc60a52d754b8c5af7966c0eccf0b1dbaad184a97f98f4c288278b879b69fdce7a461f017867032133309ec80c240e9ee3be1d0d682

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
7812fd5bbc6287448c1192e19f7bc69a

SHA1
b180cbc97f262b8bbb21b48ab343a07fcdac8f5a

SHA256
3303312de6d8b99a23ccf2465ad86f197771957bc557af8681ce8ef7c3f9d689

SHA512
11c733969ee9b6bfbd6a5fc60a52d754b8c5af7966c0eccf0b1dbaad184a97f98f4c288278b879b69fdce7a461f017867032133309ec80c240e9ee3be1d0d682

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/916-1171-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/916-1174-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/916-1173-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1732-1139-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1732-1138-0x00000000054F0000-0x000000000553B000-memory.dmp

Filesize
300KB

Download
memory/1732-1137-0x0000000000C70000-0x0000000000CA2000-memory.dmp

Filesize
200KB

Download
memory/2136-149-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/4184-159-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4184-193-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4184-195-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4184-192-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4184-191-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4184-190-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4184-189-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-187-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-185-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-183-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-181-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-179-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-177-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-175-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-173-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-171-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-169-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-167-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-165-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-163-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-162-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4184-161-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4184-160-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4184-158-0x0000000004A10000-0x0000000004A28000-memory.dmp

Filesize
96KB

Download
memory/4184-157-0x0000000007110000-0x000000000760E000-memory.dmp

Filesize
5.0MB

Download
memory/4184-156-0x0000000004690000-0x00000000046AA000-memory.dmp

Filesize
104KB

Download
memory/4184-155-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4660-218-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-230-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-1112-0x0000000007DB0000-0x0000000007EBA000-memory.dmp

Filesize
1.0MB

Download
memory/4660-1113-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/4660-1114-0x0000000007EC0000-0x0000000007EFE000-memory.dmp

Filesize
248KB

Download
memory/4660-1115-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4660-1116-0x0000000008000000-0x000000000804B000-memory.dmp

Filesize
300KB

Download
memory/4660-1118-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4660-1119-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4660-1120-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4660-1121-0x0000000008170000-0x00000000081D6000-memory.dmp

Filesize
408KB

Download
memory/4660-1122-0x0000000008830000-0x00000000088C2000-memory.dmp

Filesize
584KB

Download
memory/4660-1123-0x0000000008A00000-0x0000000008A76000-memory.dmp

Filesize
472KB

Download
memory/4660-1124-0x0000000008A80000-0x0000000008AD0000-memory.dmp

Filesize
320KB

Download
memory/4660-1125-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4660-1126-0x0000000008B10000-0x0000000008CD2000-memory.dmp

Filesize
1.8MB

Download
memory/4660-1127-0x0000000008CE0000-0x000000000920C000-memory.dmp

Filesize
5.2MB

Download
memory/4660-238-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-236-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-234-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-232-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-1111-0x00000000077A0000-0x0000000007DA6000-memory.dmp

Filesize
6.0MB

Download
memory/4660-228-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-226-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-224-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-222-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-220-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-216-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-214-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-212-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-200-0x0000000004A50000-0x0000000004A96000-memory.dmp

Filesize
280KB

Download
memory/4660-201-0x0000000007120000-0x0000000007164000-memory.dmp

Filesize
272KB

Download
memory/4660-202-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-209-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-210-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4660-208-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4660-206-0x0000000004530000-0x000000000457B000-memory.dmp

Filesize
300KB

Download
memory/4660-205-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/4660-203-0x0000000007120000-0x000000000715F000-memory.dmp

Filesize
252KB

Download
memory/5028-1165-0x000001D5C2E60000-0x000001D5C2E70000-memory.dmp

Filesize
64KB

Download
memory/5028-1164-0x000001D5DB760000-0x000001D5DB8FE000-memory.dmp

Filesize
1.6MB

Download
memory/5028-1163-0x000001D5C10E0000-0x000001D5C12CE000-memory.dmp

Filesize
1.9MB

Download