amadey | e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7

Analysis

max time kernel
116s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe
Size

1.0MB
MD5

c129a342786004aa59300ef1529e7854
SHA1

b1c920ed1e6b43ff76ed5c041fe74278db78623e
SHA256

e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7
SHA512

6d9acc46df4c66d0b266d84713fdbd2991fd0c85c2e801b6abed44d604e6205fa16519a9c4d34e3681650dd5373a670f2f59e09729d19407f2a6ad704128497f
SSDEEP

24576:NyhBMmYWTZtoBsNHhhLv5QG7Dczy0sTcKqntP9A0+dIg2w:oRoeJhhgzrKIVA1dI

Score

10^/10

amadey lumma redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz6660.exev5540WN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz6660.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5540WN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5540WN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5540WN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5540WN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz6660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz6660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz6660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz6660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5540WN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5540WN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz6660.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2956-206-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-207-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-209-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-211-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-213-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-215-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-217-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-219-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-221-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-226-0x0000000004B40000-0x0000000004B50000-memory.dmp	family_redline
behavioral1/memory/2956-225-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-229-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-231-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-233-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-235-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-237-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-239-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-241-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/2956-243-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y35Ng90.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y35Ng90.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap8082.exezap3783.exezap3732.exetz6660.exev5540WN.exew03Zz82.exexgbLt91.exey35Ng90.exelegenda.exeLummas.exelegenda.exe

pid	process
3604	zap8082.exe
3540	zap3783.exe
3488	zap3732.exe
5064	tz6660.exe
2860	v5540WN.exe
2956	w03Zz82.exe
3980	xgbLt91.exe
1256	y35Ng90.exe
3500	legenda.exe
1000	Lummas.exe
2996	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3004 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3004	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz6660.exev5540WN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz6660.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5540WN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5540WN.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap3783.exezap3732.exee588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exezap8082.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3783.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3783.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3732.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3732.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8082.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Lummas.exe

description pid process target process

PID 1000 set thread context of 4736 1000 Lummas.exe jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4484 2860 WerFault.exe v5540WN.exe
4992 2956 WerFault.exe w03Zz82.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1320 schtasks.exe

description	pid	process	target process
PID 1000 set thread context of 4736	1000	Lummas.exe	jsc.exe

pid	pid_target	process	target process
4484	2860	WerFault.exe	v5540WN.exe
4992	2956	WerFault.exe	w03Zz82.exe

pid	process
1320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

tz6660.exev5540WN.exew03Zz82.exexgbLt91.exeLummas.exe

pid	process
5064	tz6660.exe
5064	tz6660.exe
2860	v5540WN.exe
2860	v5540WN.exe
2956	w03Zz82.exe
2956	w03Zz82.exe
3980	xgbLt91.exe
3980	xgbLt91.exe
1000	Lummas.exe
1000	Lummas.exe
1000	Lummas.exe
1000	Lummas.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz6660.exev5540WN.exew03Zz82.exexgbLt91.exeLummas.exe

description	pid	process
Token: SeDebugPrivilege	5064	tz6660.exe
Token: SeDebugPrivilege	2860	v5540WN.exe
Token: SeDebugPrivilege	2956	w03Zz82.exe
Token: SeDebugPrivilege	3980	xgbLt91.exe
Token: SeDebugPrivilege	1000	Lummas.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exezap8082.exezap3783.exezap3732.exey35Ng90.exelegenda.execmd.exeLummas.exe

description	pid	process	target process
PID 552 wrote to memory of 3604	552	e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe	zap8082.exe
PID 552 wrote to memory of 3604	552	e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe	zap8082.exe
PID 552 wrote to memory of 3604	552	e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe	zap8082.exe
PID 3604 wrote to memory of 3540	3604	zap8082.exe	zap3783.exe
PID 3604 wrote to memory of 3540	3604	zap8082.exe	zap3783.exe
PID 3604 wrote to memory of 3540	3604	zap8082.exe	zap3783.exe
PID 3540 wrote to memory of 3488	3540	zap3783.exe	zap3732.exe
PID 3540 wrote to memory of 3488	3540	zap3783.exe	zap3732.exe
PID 3540 wrote to memory of 3488	3540	zap3783.exe	zap3732.exe
PID 3488 wrote to memory of 5064	3488	zap3732.exe	tz6660.exe
PID 3488 wrote to memory of 5064	3488	zap3732.exe	tz6660.exe
PID 3488 wrote to memory of 2860	3488	zap3732.exe	v5540WN.exe
PID 3488 wrote to memory of 2860	3488	zap3732.exe	v5540WN.exe
PID 3488 wrote to memory of 2860	3488	zap3732.exe	v5540WN.exe
PID 3540 wrote to memory of 2956	3540	zap3783.exe	w03Zz82.exe
PID 3540 wrote to memory of 2956	3540	zap3783.exe	w03Zz82.exe
PID 3540 wrote to memory of 2956	3540	zap3783.exe	w03Zz82.exe
PID 3604 wrote to memory of 3980	3604	zap8082.exe	xgbLt91.exe
PID 3604 wrote to memory of 3980	3604	zap8082.exe	xgbLt91.exe
PID 3604 wrote to memory of 3980	3604	zap8082.exe	xgbLt91.exe
PID 552 wrote to memory of 1256	552	e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe	y35Ng90.exe
PID 552 wrote to memory of 1256	552	e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe	y35Ng90.exe
PID 552 wrote to memory of 1256	552	e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe	y35Ng90.exe
PID 1256 wrote to memory of 3500	1256	y35Ng90.exe	legenda.exe
PID 1256 wrote to memory of 3500	1256	y35Ng90.exe	legenda.exe
PID 1256 wrote to memory of 3500	1256	y35Ng90.exe	legenda.exe
PID 3500 wrote to memory of 1320	3500	legenda.exe	schtasks.exe
PID 3500 wrote to memory of 1320	3500	legenda.exe	schtasks.exe
PID 3500 wrote to memory of 1320	3500	legenda.exe	schtasks.exe
PID 3500 wrote to memory of 584	3500	legenda.exe	cmd.exe
PID 3500 wrote to memory of 584	3500	legenda.exe	cmd.exe
PID 3500 wrote to memory of 584	3500	legenda.exe	cmd.exe
PID 584 wrote to memory of 4416	584	cmd.exe	cmd.exe
PID 584 wrote to memory of 4416	584	cmd.exe	cmd.exe
PID 584 wrote to memory of 4416	584	cmd.exe	cmd.exe
PID 584 wrote to memory of 2644	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 2644	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 2644	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 2252	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 2252	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 2252	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 460	584	cmd.exe	cmd.exe
PID 584 wrote to memory of 460	584	cmd.exe	cmd.exe
PID 584 wrote to memory of 460	584	cmd.exe	cmd.exe
PID 584 wrote to memory of 1340	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 1340	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 1340	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 2280	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 2280	584	cmd.exe	cacls.exe
PID 584 wrote to memory of 2280	584	cmd.exe	cacls.exe
PID 3500 wrote to memory of 1000	3500	legenda.exe	Lummas.exe
PID 3500 wrote to memory of 1000	3500	legenda.exe	Lummas.exe
PID 1000 wrote to memory of 444	1000	Lummas.exe	ilasm.exe
PID 1000 wrote to memory of 444	1000	Lummas.exe	ilasm.exe
PID 1000 wrote to memory of 2176	1000	Lummas.exe	csc.exe
PID 1000 wrote to memory of 2176	1000	Lummas.exe	csc.exe
PID 1000 wrote to memory of 4736	1000	Lummas.exe	jsc.exe
PID 1000 wrote to memory of 4736	1000	Lummas.exe	jsc.exe
PID 1000 wrote to memory of 4736	1000	Lummas.exe	jsc.exe
PID 1000 wrote to memory of 4736	1000	Lummas.exe	jsc.exe
PID 1000 wrote to memory of 4736	1000	Lummas.exe	jsc.exe
PID 1000 wrote to memory of 4736	1000	Lummas.exe	jsc.exe
PID 1000 wrote to memory of 4736	1000	Lummas.exe	jsc.exe
PID 1000 wrote to memory of 4736	1000	Lummas.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe
"C:\Users\Admin\AppData\Local\Temp\e588c37044529af066c2a5dc55cf0f3993975328c80ee50af59e02b6bc3a51b7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8082.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8082.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3783.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3783.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3732.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3732.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3488

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6660.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6660.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5540WN.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5540WN.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1016
6⤵
- Program crash
PID:4484

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w03Zz82.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w03Zz82.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1648
5⤵
- Program crash
PID:4992

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xgbLt91.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xgbLt91.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35Ng90.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35Ng90.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4416

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:2644

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:460

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:1340

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
5⤵
PID:444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
5⤵
PID:2176

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
5⤵
PID:4736

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2860 -ip 2860
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2956 -ip 2956
1⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35Ng90.exe
Filesize
235KB

MD5
99384e5a4dda0d08412fcbadf6572fe1

SHA1
528d3220c97e71b9d496e085456ab77c055c5bb8

SHA256
8709422e30caed7ba244ac989337afc887129f88c3faa3fcd736e37d58aba7af

SHA512
899b1f89c941bd2ca346f36672344417a4ef9a47f82f31ff7d28f804f2400ef5671afb2f06997b52e26c8301e6171a0482a1d94c5fed931a1cd0efa28cc6c9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35Ng90.exe
Filesize
235KB

MD5
99384e5a4dda0d08412fcbadf6572fe1

SHA1
528d3220c97e71b9d496e085456ab77c055c5bb8

SHA256
8709422e30caed7ba244ac989337afc887129f88c3faa3fcd736e37d58aba7af

SHA512
899b1f89c941bd2ca346f36672344417a4ef9a47f82f31ff7d28f804f2400ef5671afb2f06997b52e26c8301e6171a0482a1d94c5fed931a1cd0efa28cc6c9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8082.exe
Filesize
854KB

MD5
273442e96024cee1817a31d08c0255af

SHA1
faaa11cf675bc59d4ea93b71dbb507e81cbf09c2

SHA256
de94825676727b73f0b650d1495f7e8a7409f34617e9939449b27d7d24cf8e6d

SHA512
3498dcabce23af219ed1c240d42bb082f7e53130b1c562f9a1890cc617faf56b6887eafa2a2dbfdb28677f84ecdf42e9cebd3097dc4453533348e08efe2466c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8082.exe
Filesize
854KB

MD5
273442e96024cee1817a31d08c0255af

SHA1
faaa11cf675bc59d4ea93b71dbb507e81cbf09c2

SHA256
de94825676727b73f0b650d1495f7e8a7409f34617e9939449b27d7d24cf8e6d

SHA512
3498dcabce23af219ed1c240d42bb082f7e53130b1c562f9a1890cc617faf56b6887eafa2a2dbfdb28677f84ecdf42e9cebd3097dc4453533348e08efe2466c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xgbLt91.exe
Filesize
175KB

MD5
6e6348171944d0a7bd3c6dd5dbf2df30

SHA1
c1ec8d7e2322451f1971c78f0f3201184c7584a4

SHA256
711483035ed606a34f0e65da5b05f6d5837aa3b64aba6e92459f31bc93ead287

SHA512
3b59744fd8983ec036cd2affeee2c1f5652e594f7e4134f205195426c2e458cfe4c01a0873faf5ee5f1cd585dbdd1f20c7e4268c66401e8ff8640b0e8db863b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xgbLt91.exe
Filesize
175KB

MD5
6e6348171944d0a7bd3c6dd5dbf2df30

SHA1
c1ec8d7e2322451f1971c78f0f3201184c7584a4

SHA256
711483035ed606a34f0e65da5b05f6d5837aa3b64aba6e92459f31bc93ead287

SHA512
3b59744fd8983ec036cd2affeee2c1f5652e594f7e4134f205195426c2e458cfe4c01a0873faf5ee5f1cd585dbdd1f20c7e4268c66401e8ff8640b0e8db863b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3783.exe
Filesize
712KB

MD5
e3bea9abe519a5524dcf82201ae28ce3

SHA1
405576467bacbf341b8fd5ab05a988aab32b5789

SHA256
f585190bd71b4764a331ce57dee4ae2755f0c88710595333d14dd74791a6abcb

SHA512
52bedf0f092df1cdde241dfbf6de4ce0015dd997ffc53cdb97ea5026fb01157c72db2e7cd342521e328cf9e53c4cf411f658bc0704cf56abfaa40e54d656306a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3783.exe
Filesize
712KB

MD5
e3bea9abe519a5524dcf82201ae28ce3

SHA1
405576467bacbf341b8fd5ab05a988aab32b5789

SHA256
f585190bd71b4764a331ce57dee4ae2755f0c88710595333d14dd74791a6abcb

SHA512
52bedf0f092df1cdde241dfbf6de4ce0015dd997ffc53cdb97ea5026fb01157c72db2e7cd342521e328cf9e53c4cf411f658bc0704cf56abfaa40e54d656306a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w03Zz82.exe
Filesize
383KB

MD5
ea7a20cf834418c03375e8afdb31fa49

SHA1
3f2c713484255232378331a909a7ad19c6a979e1

SHA256
1a399954b360e1d516f072bc57307f92d0a05bdb3e538743b8779da6f958be23

SHA512
ff84007af4563b9df39cf64bd0d4f78dc15878bf13b71357df06b385ea79aad07e4df9b5d66688e506a77229fdfc4bbff424bd5f53380e0e2f13346a69a90bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w03Zz82.exe
Filesize
383KB

MD5
ea7a20cf834418c03375e8afdb31fa49

SHA1
3f2c713484255232378331a909a7ad19c6a979e1

SHA256
1a399954b360e1d516f072bc57307f92d0a05bdb3e538743b8779da6f958be23

SHA512
ff84007af4563b9df39cf64bd0d4f78dc15878bf13b71357df06b385ea79aad07e4df9b5d66688e506a77229fdfc4bbff424bd5f53380e0e2f13346a69a90bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3732.exe
Filesize
352KB

MD5
95d2c72d363e4550e32132bd5cbf68bd

SHA1
e26ab779d5f5935afbd0e3ebee8960d83b81d53a

SHA256
9ef8f8926bad6925177bb9db761d1fb030fcce69c22995182ce7760aa28eb050

SHA512
0d80d85a6b239dc3205e43f86fd5dfbc741084eb48b39f9ce7c2ca227848aaf06f20225cae0c440df0e08bae66d65c620e3e19b512491a65bcbed33b731d6bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3732.exe
Filesize
352KB

MD5
95d2c72d363e4550e32132bd5cbf68bd

SHA1
e26ab779d5f5935afbd0e3ebee8960d83b81d53a

SHA256
9ef8f8926bad6925177bb9db761d1fb030fcce69c22995182ce7760aa28eb050

SHA512
0d80d85a6b239dc3205e43f86fd5dfbc741084eb48b39f9ce7c2ca227848aaf06f20225cae0c440df0e08bae66d65c620e3e19b512491a65bcbed33b731d6bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6660.exe
Filesize
11KB

MD5
ef36915953487fc84279c436635d4a3a

SHA1
f3ee5b10c606a9f3e63f88c965992d754d68902b

SHA256
d8e291ba4a960ff4548551080729d200655eab4fba46bb8cf2300876cd764f4a

SHA512
700b0de9cda6a6381b79533af1e7ff74e510cc43c613e40f8889804f7e25ac50be365190861b68d4cc2323ce025b486b8582c8eabb05010bcc7734e4ae5ab7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6660.exe
Filesize
11KB

MD5
ef36915953487fc84279c436635d4a3a

SHA1
f3ee5b10c606a9f3e63f88c965992d754d68902b

SHA256
d8e291ba4a960ff4548551080729d200655eab4fba46bb8cf2300876cd764f4a

SHA512
700b0de9cda6a6381b79533af1e7ff74e510cc43c613e40f8889804f7e25ac50be365190861b68d4cc2323ce025b486b8582c8eabb05010bcc7734e4ae5ab7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5540WN.exe
Filesize
325KB

MD5
5f28745dbc2334b52a9776de065708da

SHA1
c5351759895ff80915be4ca43984222a19c0c12f

SHA256
37cf6b81601fef0190043141deb9353afc01f840da7912997e16a0ad5afc4a9f

SHA512
fd355447649e493eea97e057dc58e5b6610b88615b45fb8cb193c59b3b0115dac50b7f71a12e4edb470d64d157d22fa4f96fc08b5c6fe30a2af8bb2134a7a10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5540WN.exe
Filesize
325KB

MD5
5f28745dbc2334b52a9776de065708da

SHA1
c5351759895ff80915be4ca43984222a19c0c12f

SHA256
37cf6b81601fef0190043141deb9353afc01f840da7912997e16a0ad5afc4a9f

SHA512
fd355447649e493eea97e057dc58e5b6610b88615b45fb8cb193c59b3b0115dac50b7f71a12e4edb470d64d157d22fa4f96fc08b5c6fe30a2af8bb2134a7a10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
99384e5a4dda0d08412fcbadf6572fe1

SHA1
528d3220c97e71b9d496e085456ab77c055c5bb8

SHA256
8709422e30caed7ba244ac989337afc887129f88c3faa3fcd736e37d58aba7af

SHA512
899b1f89c941bd2ca346f36672344417a4ef9a47f82f31ff7d28f804f2400ef5671afb2f06997b52e26c8301e6171a0482a1d94c5fed931a1cd0efa28cc6c9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
99384e5a4dda0d08412fcbadf6572fe1

SHA1
528d3220c97e71b9d496e085456ab77c055c5bb8

SHA256
8709422e30caed7ba244ac989337afc887129f88c3faa3fcd736e37d58aba7af

SHA512
899b1f89c941bd2ca346f36672344417a4ef9a47f82f31ff7d28f804f2400ef5671afb2f06997b52e26c8301e6171a0482a1d94c5fed931a1cd0efa28cc6c9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
99384e5a4dda0d08412fcbadf6572fe1

SHA1
528d3220c97e71b9d496e085456ab77c055c5bb8

SHA256
8709422e30caed7ba244ac989337afc887129f88c3faa3fcd736e37d58aba7af

SHA512
899b1f89c941bd2ca346f36672344417a4ef9a47f82f31ff7d28f804f2400ef5671afb2f06997b52e26c8301e6171a0482a1d94c5fed931a1cd0efa28cc6c9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
99384e5a4dda0d08412fcbadf6572fe1

SHA1
528d3220c97e71b9d496e085456ab77c055c5bb8

SHA256
8709422e30caed7ba244ac989337afc887129f88c3faa3fcd736e37d58aba7af

SHA512
899b1f89c941bd2ca346f36672344417a4ef9a47f82f31ff7d28f804f2400ef5671afb2f06997b52e26c8301e6171a0482a1d94c5fed931a1cd0efa28cc6c9c6

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1000-1171-0x000001F9F6B60000-0x000001F9F6D4E000-memory.dmp

Filesize
1.9MB

Download
memory/1000-1172-0x000001F9F8A20000-0x000001F9F8A30000-memory.dmp

Filesize
64KB

Download
memory/2860-180-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-188-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-198-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-199-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2860-201-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2860-184-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-194-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-182-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-186-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-192-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-190-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-196-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-178-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-176-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-174-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-172-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-171-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2860-170-0x0000000007250000-0x00000000077F4000-memory.dmp

Filesize
5.6MB

Download
memory/2860-169-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/2860-168-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/2860-167-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/2956-225-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-1131-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2956-237-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-239-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-241-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-243-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-1116-0x0000000007A20000-0x0000000008038000-memory.dmp

Filesize
6.1MB

Download
memory/2956-1117-0x0000000008040000-0x000000000814A000-memory.dmp

Filesize
1.0MB

Download
memory/2956-1118-0x0000000004E80000-0x0000000004E92000-memory.dmp

Filesize
72KB

Download
memory/2956-1119-0x0000000004EA0000-0x0000000004EDC000-memory.dmp

Filesize
240KB

Download
memory/2956-1120-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2956-1122-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/2956-1123-0x0000000008A90000-0x0000000008B22000-memory.dmp

Filesize
584KB

Download
memory/2956-1124-0x0000000008C80000-0x0000000008E42000-memory.dmp

Filesize
1.8MB

Download
memory/2956-1125-0x0000000008E60000-0x000000000938C000-memory.dmp

Filesize
5.2MB

Download
memory/2956-1126-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2956-1127-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2956-1128-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2956-1129-0x00000000094D0000-0x0000000009546000-memory.dmp

Filesize
472KB

Download
memory/2956-1130-0x0000000009550000-0x00000000095A0000-memory.dmp

Filesize
320KB

Download
memory/2956-233-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-235-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-206-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-207-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-231-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-228-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2956-229-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-226-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2956-224-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2956-221-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-222-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/2956-219-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-217-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-215-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-209-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-211-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/2956-213-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3980-1138-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/3980-1137-0x0000000000BB0000-0x0000000000BE2000-memory.dmp

Filesize
200KB

Download
memory/4736-1180-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4736-1179-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4736-1178-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/5064-161-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download