amadey | d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1

Analysis

max time kernel
143s
max time network
122s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-03-2023 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe
Size

1.0MB
MD5

0327ff5fdeb297b08accf17d726fc91f
SHA1

bc9a8ad3809c54f02996b51b001db9dad334d368
SHA256

d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1
SHA512

4df25bb6f615bc888d2bbae673397948b30e045703724e950ea343843c3e966536e736b8e28ebaccf7879f0f3b4027e99e77eff85f31a1005701d99397b1eea6
SSDEEP

24576:CycCpgLZt8cHJZPC6sdODbIXaz3CiWDJxBqq/U:pxgjRpJ/sdOJC/t/

Score

10^/10

amadey lumma redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v2997rx.exetz6924.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v2997rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v2997rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v2997rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz6924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz6924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz6924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz6924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v2997rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v2997rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz6924.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/960-196-0x00000000047A0000-0x00000000047E6000-memory.dmp	family_redline
behavioral1/memory/960-197-0x0000000007020000-0x0000000007064000-memory.dmp	family_redline
behavioral1/memory/960-198-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-199-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-201-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-203-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-205-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-207-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-209-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-211-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-213-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-215-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-217-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-219-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-221-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-223-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-225-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-227-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-229-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-231-0x0000000007020000-0x000000000705F000-memory.dmp	family_redline
behavioral1/memory/960-1121-0x00000000070E0000-0x00000000070F0000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

zap8713.exezap4394.exezap1955.exetz6924.exev2997rx.exew60QC40.exexHLFC19.exey68Cm26.exelegenda.exeLummas.exelegenda.exelegenda.exe

pid	process
3372	zap8713.exe
4168	zap4394.exe
4200	zap1955.exe
4192	tz6924.exe
1452	v2997rx.exe
960	w60QC40.exe
4848	xHLFC19.exe
4432	y68Cm26.exe
4484	legenda.exe
4092	Lummas.exe
368	legenda.exe
1584	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

672 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
672	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz6924.exev2997rx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz6924.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v2997rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v2997rx.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap1955.exed4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exezap8713.exezap4394.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1955.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8713.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4394.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4394.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1955.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Lummas.exe

description pid process target process

PID 4092 set thread context of 4068 4092 Lummas.exe jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5028 schtasks.exe

description	pid	process	target process
PID 4092 set thread context of 4068	4092	Lummas.exe	jsc.exe

pid	process
5028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

tz6924.exev2997rx.exew60QC40.exexHLFC19.exeLummas.exe

pid	process
4192	tz6924.exe
4192	tz6924.exe
1452	v2997rx.exe
1452	v2997rx.exe
960	w60QC40.exe
960	w60QC40.exe
4848	xHLFC19.exe
4848	xHLFC19.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe
4092	Lummas.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz6924.exev2997rx.exew60QC40.exexHLFC19.exeLummas.exe

description	pid	process
Token: SeDebugPrivilege	4192	tz6924.exe
Token: SeDebugPrivilege	1452	v2997rx.exe
Token: SeDebugPrivilege	960	w60QC40.exe
Token: SeDebugPrivilege	4848	xHLFC19.exe
Token: SeDebugPrivilege	4092	Lummas.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exezap8713.exezap4394.exezap1955.exey68Cm26.exelegenda.execmd.exeLummas.exe

description	pid	process	target process
PID 3240 wrote to memory of 3372	3240	d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe	zap8713.exe
PID 3240 wrote to memory of 3372	3240	d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe	zap8713.exe
PID 3240 wrote to memory of 3372	3240	d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe	zap8713.exe
PID 3372 wrote to memory of 4168	3372	zap8713.exe	zap4394.exe
PID 3372 wrote to memory of 4168	3372	zap8713.exe	zap4394.exe
PID 3372 wrote to memory of 4168	3372	zap8713.exe	zap4394.exe
PID 4168 wrote to memory of 4200	4168	zap4394.exe	zap1955.exe
PID 4168 wrote to memory of 4200	4168	zap4394.exe	zap1955.exe
PID 4168 wrote to memory of 4200	4168	zap4394.exe	zap1955.exe
PID 4200 wrote to memory of 4192	4200	zap1955.exe	tz6924.exe
PID 4200 wrote to memory of 4192	4200	zap1955.exe	tz6924.exe
PID 4200 wrote to memory of 1452	4200	zap1955.exe	v2997rx.exe
PID 4200 wrote to memory of 1452	4200	zap1955.exe	v2997rx.exe
PID 4200 wrote to memory of 1452	4200	zap1955.exe	v2997rx.exe
PID 4168 wrote to memory of 960	4168	zap4394.exe	w60QC40.exe
PID 4168 wrote to memory of 960	4168	zap4394.exe	w60QC40.exe
PID 4168 wrote to memory of 960	4168	zap4394.exe	w60QC40.exe
PID 3372 wrote to memory of 4848	3372	zap8713.exe	xHLFC19.exe
PID 3372 wrote to memory of 4848	3372	zap8713.exe	xHLFC19.exe
PID 3372 wrote to memory of 4848	3372	zap8713.exe	xHLFC19.exe
PID 3240 wrote to memory of 4432	3240	d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe	y68Cm26.exe
PID 3240 wrote to memory of 4432	3240	d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe	y68Cm26.exe
PID 3240 wrote to memory of 4432	3240	d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe	y68Cm26.exe
PID 4432 wrote to memory of 4484	4432	y68Cm26.exe	legenda.exe
PID 4432 wrote to memory of 4484	4432	y68Cm26.exe	legenda.exe
PID 4432 wrote to memory of 4484	4432	y68Cm26.exe	legenda.exe
PID 4484 wrote to memory of 5028	4484	legenda.exe	schtasks.exe
PID 4484 wrote to memory of 5028	4484	legenda.exe	schtasks.exe
PID 4484 wrote to memory of 5028	4484	legenda.exe	schtasks.exe
PID 4484 wrote to memory of 4388	4484	legenda.exe	cmd.exe
PID 4484 wrote to memory of 4388	4484	legenda.exe	cmd.exe
PID 4484 wrote to memory of 4388	4484	legenda.exe	cmd.exe
PID 4388 wrote to memory of 5000	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 5000	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 5000	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 4996	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4996	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4996	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4940	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4940	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4940	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4916	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 4916	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 4916	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 1824	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 1824	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 1824	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4960	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4960	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4960	4388	cmd.exe	cacls.exe
PID 4484 wrote to memory of 4092	4484	legenda.exe	Lummas.exe
PID 4484 wrote to memory of 4092	4484	legenda.exe	Lummas.exe
PID 4092 wrote to memory of 2924	4092	Lummas.exe	aspnet_regiis.exe
PID 4092 wrote to memory of 2924	4092	Lummas.exe	aspnet_regiis.exe
PID 4092 wrote to memory of 4064	4092	Lummas.exe	Microsoft.Workflow.Compiler.exe
PID 4092 wrote to memory of 4064	4092	Lummas.exe	Microsoft.Workflow.Compiler.exe
PID 4092 wrote to memory of 3280	4092	Lummas.exe	csc.exe
PID 4092 wrote to memory of 3280	4092	Lummas.exe	csc.exe
PID 4092 wrote to memory of 4116	4092	Lummas.exe	CasPol.exe
PID 4092 wrote to memory of 4116	4092	Lummas.exe	CasPol.exe
PID 4092 wrote to memory of 4124	4092	Lummas.exe	aspnet_regbrowsers.exe
PID 4092 wrote to memory of 4124	4092	Lummas.exe	aspnet_regbrowsers.exe
PID 4092 wrote to memory of 4132	4092	Lummas.exe	WsatConfig.exe
PID 4092 wrote to memory of 4132	4092	Lummas.exe	WsatConfig.exe

C:\Users\Admin\AppData\Local\Temp\d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe
"C:\Users\Admin\AppData\Local\Temp\d4a2999e1cf3908ed47659dc5c4b324b2f40a82f919b0c2755aa18ff0f1d55f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8713.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8713.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4394.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4394.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4168

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1955.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1955.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6924.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6924.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2997rx.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2997rx.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w60QC40.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w60QC40.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHLFC19.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHLFC19.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y68Cm26.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y68Cm26.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5000

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4996

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4916

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:1824

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
5⤵
PID:2924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
5⤵
PID:4064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
5⤵
PID:3280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
5⤵
PID:4116

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
5⤵
PID:4124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
5⤵
PID:4132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
5⤵
PID:4828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
5⤵
PID:5088

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
5⤵
PID:708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
5⤵
PID:608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
5⤵
PID:516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
5⤵
PID:4312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
5⤵
PID:424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
5⤵
PID:504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
5⤵
PID:4292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
5⤵
PID:4068

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:672

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:368

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y68Cm26.exe
Filesize
235KB

MD5
1881d221fec84b985abbb32eb313145a

SHA1
f5289600716ab29edecd34f95ec08ae28f1188eb

SHA256
270e9fbc38639ec33da98d7266ccce28b87c251d2619ab9ba9e31dd7ca4c720f

SHA512
23d8e0334061bea5684f7eb52388261eaf52eb511b79d6286949aa041d53622fc399bd5bab69ff1f1a9855e36256dfde5c3a4a5048eb119a0047af5fade648ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y68Cm26.exe
Filesize
235KB

MD5
1881d221fec84b985abbb32eb313145a

SHA1
f5289600716ab29edecd34f95ec08ae28f1188eb

SHA256
270e9fbc38639ec33da98d7266ccce28b87c251d2619ab9ba9e31dd7ca4c720f

SHA512
23d8e0334061bea5684f7eb52388261eaf52eb511b79d6286949aa041d53622fc399bd5bab69ff1f1a9855e36256dfde5c3a4a5048eb119a0047af5fade648ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8713.exe
Filesize
853KB

MD5
47c17fc369b7e3276d29be386b0009cb

SHA1
e35f3446d1e56a290f3236a34d5606a8ff0a9caa

SHA256
860910839707ffc418e18089a0c1b89e81b117582aad62e05f1c21108212f964

SHA512
a32dc67906405ecfa3e94c714f7b92b6c6cbce9de926f74b28a047afac4959c1e17c3897aa781f4d635200fafc63ac3f4a7ab96b612c3a363cabf8456177211a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8713.exe
Filesize
853KB

MD5
47c17fc369b7e3276d29be386b0009cb

SHA1
e35f3446d1e56a290f3236a34d5606a8ff0a9caa

SHA256
860910839707ffc418e18089a0c1b89e81b117582aad62e05f1c21108212f964

SHA512
a32dc67906405ecfa3e94c714f7b92b6c6cbce9de926f74b28a047afac4959c1e17c3897aa781f4d635200fafc63ac3f4a7ab96b612c3a363cabf8456177211a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHLFC19.exe
Filesize
175KB

MD5
4cbe287cbfa86c14592610ff48803160

SHA1
72f04f78b616adc416a4c6f087c5c13bd5bb769a

SHA256
f0fcafddbd7d8258e30e5387e5a4c0d812b40a27f7221ade96eb5eb3e8a41edb

SHA512
097e778c5b42ef1477e7951ef3bdd9176a1dc24bd4bd1493831cff7feb2b6f2aeba882eebe6a41c9df93530c7e82eb94fcb25942440c45116b52a5074dc8b229

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHLFC19.exe
Filesize
175KB

MD5
4cbe287cbfa86c14592610ff48803160

SHA1
72f04f78b616adc416a4c6f087c5c13bd5bb769a

SHA256
f0fcafddbd7d8258e30e5387e5a4c0d812b40a27f7221ade96eb5eb3e8a41edb

SHA512
097e778c5b42ef1477e7951ef3bdd9176a1dc24bd4bd1493831cff7feb2b6f2aeba882eebe6a41c9df93530c7e82eb94fcb25942440c45116b52a5074dc8b229

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4394.exe
Filesize
711KB

MD5
cd3e6e39942dc716dcdac416d724ec43

SHA1
d049e0e16f2e7fcd8e056f9d8e575d489bb6dfe9

SHA256
ea2179928feeb83c9d18e81a6535501eec8443b64920db728a68b9794ee9bce5

SHA512
dfd67c41fee29ef4629da9eb86844c35e6f8ed982222b60f1acbfe61435c8fe1f7e9b1571eaa3f5e66a746feb552885c8c7463c44bf56c90ea6ed2f05981aece

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4394.exe
Filesize
711KB

MD5
cd3e6e39942dc716dcdac416d724ec43

SHA1
d049e0e16f2e7fcd8e056f9d8e575d489bb6dfe9

SHA256
ea2179928feeb83c9d18e81a6535501eec8443b64920db728a68b9794ee9bce5

SHA512
dfd67c41fee29ef4629da9eb86844c35e6f8ed982222b60f1acbfe61435c8fe1f7e9b1571eaa3f5e66a746feb552885c8c7463c44bf56c90ea6ed2f05981aece

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w60QC40.exe
Filesize
384KB

MD5
c050651ee5a5237322591e0b3c3f113b

SHA1
77a7632705c7bdaa5a06e6d7d69f13eff23dcebf

SHA256
65ae12228752d82a65d2a1214dcba406346e5b812bcda74808c4ab127f3d7f5b

SHA512
1f8d6092efaf561b081e9a39f0ddd4bbf29ada96ad4c69cdd06f92040b22cde6a3aa2814f8ff58e8cc3e296bd7403954012706500c97518ba9f2b0365e220657

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w60QC40.exe
Filesize
384KB

MD5
c050651ee5a5237322591e0b3c3f113b

SHA1
77a7632705c7bdaa5a06e6d7d69f13eff23dcebf

SHA256
65ae12228752d82a65d2a1214dcba406346e5b812bcda74808c4ab127f3d7f5b

SHA512
1f8d6092efaf561b081e9a39f0ddd4bbf29ada96ad4c69cdd06f92040b22cde6a3aa2814f8ff58e8cc3e296bd7403954012706500c97518ba9f2b0365e220657

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1955.exe
Filesize
353KB

MD5
d8998b04b23147c824c33632cef7f12f

SHA1
4368c1460e651c2ba2435329199971797d9d0b58

SHA256
96e368416ba7e1d81e527a36ded99f8518d4a178e8bc0dcab0011532bd6ddb31

SHA512
05dbc3dfd32fb2e8b7713b6f71870c7bfc204bba61ed50ab5ac2973d142e79d60aa259b7fdc641ae47f3b0deef1888a595f0795dc343b6247b9348305eda454a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1955.exe
Filesize
353KB

MD5
d8998b04b23147c824c33632cef7f12f

SHA1
4368c1460e651c2ba2435329199971797d9d0b58

SHA256
96e368416ba7e1d81e527a36ded99f8518d4a178e8bc0dcab0011532bd6ddb31

SHA512
05dbc3dfd32fb2e8b7713b6f71870c7bfc204bba61ed50ab5ac2973d142e79d60aa259b7fdc641ae47f3b0deef1888a595f0795dc343b6247b9348305eda454a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6924.exe
Filesize
11KB

MD5
b42dd8589d88b328d4082f9a1456cde5

SHA1
65fdc6e25cd4099451e630a1993dae8be0c5868c

SHA256
208c8355b36dac2698c05e8aecc8185d70293da2709e8a262c7b6a3fe8475f6d

SHA512
f73de5e1ef14befa9f1b820f96afac00016befe4d56a257da8f3a546b6cea96df2cc40fa9dcdb5dcb9fa0640969c77b22465bda8d1cc84903f9594a1ac41f8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6924.exe
Filesize
11KB

MD5
b42dd8589d88b328d4082f9a1456cde5

SHA1
65fdc6e25cd4099451e630a1993dae8be0c5868c

SHA256
208c8355b36dac2698c05e8aecc8185d70293da2709e8a262c7b6a3fe8475f6d

SHA512
f73de5e1ef14befa9f1b820f96afac00016befe4d56a257da8f3a546b6cea96df2cc40fa9dcdb5dcb9fa0640969c77b22465bda8d1cc84903f9594a1ac41f8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2997rx.exe
Filesize
326KB

MD5
90d0bd441c083a09a0cec38038209cdb

SHA1
c091fc5838347e5b238c9870e60afb59691b2a70

SHA256
ecd7e23721b0046064169d811f5e6c6fc670ed8090bb53a4704ff63a38344cfd

SHA512
de3df56c72471f04fcd970e538571ab14c7d655ca15aa1f46bd9555dfdf33a0d1659d683211daf74c32dcee3e06fdfca96012d5e2596d0ef064a9f844c777d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2997rx.exe
Filesize
326KB

MD5
90d0bd441c083a09a0cec38038209cdb

SHA1
c091fc5838347e5b238c9870e60afb59691b2a70

SHA256
ecd7e23721b0046064169d811f5e6c6fc670ed8090bb53a4704ff63a38344cfd

SHA512
de3df56c72471f04fcd970e538571ab14c7d655ca15aa1f46bd9555dfdf33a0d1659d683211daf74c32dcee3e06fdfca96012d5e2596d0ef064a9f844c777d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1881d221fec84b985abbb32eb313145a

SHA1
f5289600716ab29edecd34f95ec08ae28f1188eb

SHA256
270e9fbc38639ec33da98d7266ccce28b87c251d2619ab9ba9e31dd7ca4c720f

SHA512
23d8e0334061bea5684f7eb52388261eaf52eb511b79d6286949aa041d53622fc399bd5bab69ff1f1a9855e36256dfde5c3a4a5048eb119a0047af5fade648ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1881d221fec84b985abbb32eb313145a

SHA1
f5289600716ab29edecd34f95ec08ae28f1188eb

SHA256
270e9fbc38639ec33da98d7266ccce28b87c251d2619ab9ba9e31dd7ca4c720f

SHA512
23d8e0334061bea5684f7eb52388261eaf52eb511b79d6286949aa041d53622fc399bd5bab69ff1f1a9855e36256dfde5c3a4a5048eb119a0047af5fade648ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1881d221fec84b985abbb32eb313145a

SHA1
f5289600716ab29edecd34f95ec08ae28f1188eb

SHA256
270e9fbc38639ec33da98d7266ccce28b87c251d2619ab9ba9e31dd7ca4c720f

SHA512
23d8e0334061bea5684f7eb52388261eaf52eb511b79d6286949aa041d53622fc399bd5bab69ff1f1a9855e36256dfde5c3a4a5048eb119a0047af5fade648ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1881d221fec84b985abbb32eb313145a

SHA1
f5289600716ab29edecd34f95ec08ae28f1188eb

SHA256
270e9fbc38639ec33da98d7266ccce28b87c251d2619ab9ba9e31dd7ca4c720f

SHA512
23d8e0334061bea5684f7eb52388261eaf52eb511b79d6286949aa041d53622fc399bd5bab69ff1f1a9855e36256dfde5c3a4a5048eb119a0047af5fade648ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1881d221fec84b985abbb32eb313145a

SHA1
f5289600716ab29edecd34f95ec08ae28f1188eb

SHA256
270e9fbc38639ec33da98d7266ccce28b87c251d2619ab9ba9e31dd7ca4c720f

SHA512
23d8e0334061bea5684f7eb52388261eaf52eb511b79d6286949aa041d53622fc399bd5bab69ff1f1a9855e36256dfde5c3a4a5048eb119a0047af5fade648ce

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/960-1123-0x0000000008F60000-0x000000000948C000-memory.dmp

Filesize
5.2MB

Download
memory/960-1112-0x00000000079C0000-0x00000000079FE000-memory.dmp

Filesize
248KB

Download
memory/960-1124-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/960-1122-0x0000000008D90000-0x0000000008F52000-memory.dmp

Filesize
1.8MB

Download
memory/960-1121-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/960-1120-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/960-1119-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/960-1118-0x0000000008AC0000-0x0000000008B10000-memory.dmp

Filesize
320KB

Download
memory/960-1117-0x0000000008A30000-0x0000000008AA6000-memory.dmp

Filesize
472KB

Download
memory/960-196-0x00000000047A0000-0x00000000047E6000-memory.dmp

Filesize
280KB

Download
memory/960-197-0x0000000007020000-0x0000000007064000-memory.dmp

Filesize
272KB

Download
memory/960-198-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-199-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-201-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-203-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-205-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-207-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-209-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-211-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-213-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-215-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-217-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-219-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-221-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-223-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-225-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-227-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-229-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-231-0x0000000007020000-0x000000000705F000-memory.dmp

Filesize
252KB

Download
memory/960-266-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/960-268-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/960-271-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/960-272-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/960-1108-0x0000000007E00000-0x0000000008406000-memory.dmp

Filesize
6.0MB

Download
memory/960-1109-0x0000000007860000-0x000000000796A000-memory.dmp

Filesize
1.0MB

Download
memory/960-1110-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/960-1111-0x00000000079A0000-0x00000000079B2000-memory.dmp

Filesize
72KB

Download
memory/960-1116-0x0000000007D40000-0x0000000007DA6000-memory.dmp

Filesize
408KB

Download
memory/960-1113-0x0000000007B10000-0x0000000007B5B000-memory.dmp

Filesize
300KB

Download
memory/960-1115-0x0000000007CA0000-0x0000000007D32000-memory.dmp

Filesize
584KB

Download
memory/1452-169-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-179-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-183-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-191-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1452-185-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-188-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/1452-187-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/1452-167-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-186-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/1452-165-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-175-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-154-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/1452-155-0x00000000049E0000-0x00000000049FA000-memory.dmp

Filesize
104KB

Download
memory/1452-156-0x00000000071F0000-0x00000000076EE000-memory.dmp

Filesize
5.0MB

Download
memory/1452-173-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-171-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-189-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1452-181-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-177-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-163-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-161-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-159-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1452-157-0x0000000004BB0000-0x0000000004BC8000-memory.dmp

Filesize
96KB

Download
memory/1452-158-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4068-1164-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4068-1165-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4068-1166-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4092-1158-0x000002D85F820000-0x000002D85F9BE000-memory.dmp

Filesize
1.6MB

Download
memory/4092-1157-0x000002D85F810000-0x000002D85F820000-memory.dmp

Filesize
64KB

Download
memory/4092-1156-0x000002D8450E0000-0x000002D8452CE000-memory.dmp

Filesize
1.9MB

Download
memory/4192-148-0x0000000000F40000-0x0000000000F4A000-memory.dmp

Filesize
40KB

Download
memory/4848-1132-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4848-1131-0x0000000004F90000-0x0000000004FDB000-memory.dmp

Filesize
300KB

Download
memory/4848-1130-0x0000000000690000-0x00000000006C2000-memory.dmp

Filesize
200KB

Download