amadey | 260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe
Size

1.0MB
MD5

820691288b901833418d3eb9faf9113a
SHA1

c6a2be4165b20f6863e03792e2777453f4e48223
SHA256

260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e
SHA512

4d1192f682558fb299aecba589b324eecc8fac17be62ec27c834d9dabd08a511a2a98ff37a3f4107396c251bde7d1b89d338c97aa99222609555fa335e2ae8b2
SSDEEP

24576:Uymc2mXQtgjNr0ALzV1kXSqkzbuZli//IikInw8Z:jj28fL6k+3inuIF

Score

10^/10

amadey aurora redline nado rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nado

176.113.115.145:4125

Attributes

auth_value
a648e365d8e0df895a84152ad68ffc56

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz0001.exev0808rg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz0001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0808rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0808rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0808rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0808rg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz0001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz0001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz0001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0808rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0808rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz0001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz0001.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3544-209-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-210-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-212-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-214-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-216-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-218-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-220-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-222-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-224-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-226-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-228-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-230-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-233-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-238-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-240-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-242-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-244-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline
behavioral1/memory/3544-246-0x0000000004A20000-0x0000000004A5F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y93WV83.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y93WV83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 13 IoCs

Processes:

zap2139.exezap8495.exezap0147.exetz0001.exev0808rg.exew14XP30.exexPUxD99.exey93WV83.exelegenda.exe2023.exew.exelegenda.exelegenda.exe

pid	process
2748	zap2139.exe
2156	zap8495.exe
4496	zap0147.exe
2388	tz0001.exe
3880	v0808rg.exe
3544	w14XP30.exe
4860	xPUxD99.exe
2224	y93WV83.exe
4764	legenda.exe
1500	2023.exe
1852	w.exe
4100	legenda.exe
2456	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2296 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2296	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v0808rg.exetz0001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0808rg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz0001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0808rg.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exezap2139.exezap8495.exew.exezap0147.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2139.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2139.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8495.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8495.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0147.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap0147.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Updater.exe"	w.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1916 3880 WerFault.exe v0808rg.exe
4932 3544 WerFault.exe w14XP30.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4500 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz0001.exev0808rg.exew14XP30.exexPUxD99.exe

pid process

2388 tz0001.exe
2388 tz0001.exe
3880 v0808rg.exe
3880 v0808rg.exe
3544 w14XP30.exe
3544 w14XP30.exe
4860 xPUxD99.exe
4860 xPUxD99.exe

pid	pid_target	process	target process
1916	3880	WerFault.exe	v0808rg.exe
4932	3544	WerFault.exe	w14XP30.exe

pid	process
4500	schtasks.exe

pid	process
2388	tz0001.exe
2388	tz0001.exe
3880	v0808rg.exe
3880	v0808rg.exe
3544	w14XP30.exe
3544	w14XP30.exe
4860	xPUxD99.exe
4860	xPUxD99.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz0001.exev0808rg.exew14XP30.exexPUxD99.exe

description	pid	process
Token: SeDebugPrivilege	2388	tz0001.exe
Token: SeDebugPrivilege	3880	v0808rg.exe
Token: SeDebugPrivilege	3544	w14XP30.exe
Token: SeDebugPrivilege	4860	xPUxD99.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

w.exe

pid process

1852 w.exe

pid	process
1852	w.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exezap2139.exezap8495.exezap0147.exey93WV83.exelegenda.execmd.exe

description	pid	process	target process
PID 1344 wrote to memory of 2748	1344	260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe	zap2139.exe
PID 1344 wrote to memory of 2748	1344	260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe	zap2139.exe
PID 1344 wrote to memory of 2748	1344	260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe	zap2139.exe
PID 2748 wrote to memory of 2156	2748	zap2139.exe	zap8495.exe
PID 2748 wrote to memory of 2156	2748	zap2139.exe	zap8495.exe
PID 2748 wrote to memory of 2156	2748	zap2139.exe	zap8495.exe
PID 2156 wrote to memory of 4496	2156	zap8495.exe	zap0147.exe
PID 2156 wrote to memory of 4496	2156	zap8495.exe	zap0147.exe
PID 2156 wrote to memory of 4496	2156	zap8495.exe	zap0147.exe
PID 4496 wrote to memory of 2388	4496	zap0147.exe	tz0001.exe
PID 4496 wrote to memory of 2388	4496	zap0147.exe	tz0001.exe
PID 4496 wrote to memory of 3880	4496	zap0147.exe	v0808rg.exe
PID 4496 wrote to memory of 3880	4496	zap0147.exe	v0808rg.exe
PID 4496 wrote to memory of 3880	4496	zap0147.exe	v0808rg.exe
PID 2156 wrote to memory of 3544	2156	zap8495.exe	w14XP30.exe
PID 2156 wrote to memory of 3544	2156	zap8495.exe	w14XP30.exe
PID 2156 wrote to memory of 3544	2156	zap8495.exe	w14XP30.exe
PID 2748 wrote to memory of 4860	2748	zap2139.exe	xPUxD99.exe
PID 2748 wrote to memory of 4860	2748	zap2139.exe	xPUxD99.exe
PID 2748 wrote to memory of 4860	2748	zap2139.exe	xPUxD99.exe
PID 1344 wrote to memory of 2224	1344	260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe	y93WV83.exe
PID 1344 wrote to memory of 2224	1344	260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe	y93WV83.exe
PID 1344 wrote to memory of 2224	1344	260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe	y93WV83.exe
PID 2224 wrote to memory of 4764	2224	y93WV83.exe	legenda.exe
PID 2224 wrote to memory of 4764	2224	y93WV83.exe	legenda.exe
PID 2224 wrote to memory of 4764	2224	y93WV83.exe	legenda.exe
PID 4764 wrote to memory of 4500	4764	legenda.exe	schtasks.exe
PID 4764 wrote to memory of 4500	4764	legenda.exe	schtasks.exe
PID 4764 wrote to memory of 4500	4764	legenda.exe	schtasks.exe
PID 4764 wrote to memory of 2396	4764	legenda.exe	cmd.exe
PID 4764 wrote to memory of 2396	4764	legenda.exe	cmd.exe
PID 4764 wrote to memory of 2396	4764	legenda.exe	cmd.exe
PID 2396 wrote to memory of 64	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 64	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 64	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 1936	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 1936	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 1936	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 5032	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 5032	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 5032	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 3600	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 3600	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 3600	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2948	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 2948	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 2948	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 2724	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 2724	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 2724	2396	cmd.exe	cacls.exe
PID 4764 wrote to memory of 1500	4764	legenda.exe	2023.exe
PID 4764 wrote to memory of 1500	4764	legenda.exe	2023.exe
PID 4764 wrote to memory of 1500	4764	legenda.exe	2023.exe
PID 4764 wrote to memory of 1852	4764	legenda.exe	w.exe
PID 4764 wrote to memory of 1852	4764	legenda.exe	w.exe
PID 4764 wrote to memory of 1852	4764	legenda.exe	w.exe
PID 4764 wrote to memory of 2296	4764	legenda.exe	rundll32.exe
PID 4764 wrote to memory of 2296	4764	legenda.exe	rundll32.exe
PID 4764 wrote to memory of 2296	4764	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe
"C:\Users\Admin\AppData\Local\Temp\260ad6b9cd2ba9dce990041e954eed68ed78f819897d74ca5a1469be9abdf58e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2139.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2139.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8495.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8495.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0147.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0147.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0001.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0001.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0808rg.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0808rg.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1100
6⤵
- Program crash
PID:1916

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w14XP30.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w14XP30.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1200
5⤵
- Program crash
PID:4932

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xPUxD99.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xPUxD99.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y93WV83.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y93WV83.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:64

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1936

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3600

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:2948

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
"C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe"
4⤵
- Executes dropped EXE
PID:1500

C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
"C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3880 -ip 3880
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3544 -ip 3544
1⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:2456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y93WV83.exe
Filesize
235KB

MD5
4e60359d1d57dad3db5123648779817a

SHA1
195506abadb358d3016dfd46ed055d97ac0d48de

SHA256
b152d6ef2898f37cd43294dc30bc8efc73b2cb3f151260afedefe98cb4702720

SHA512
003ab2285322376404c2e03107f56e3af808d1cedc6b25f7d09493ab9ec9c35abddb9e9fda9bdfc4d2b6410831530e24a264228fc335bde8263cadf0df7c5137

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y93WV83.exe
Filesize
235KB

MD5
4e60359d1d57dad3db5123648779817a

SHA1
195506abadb358d3016dfd46ed055d97ac0d48de

SHA256
b152d6ef2898f37cd43294dc30bc8efc73b2cb3f151260afedefe98cb4702720

SHA512
003ab2285322376404c2e03107f56e3af808d1cedc6b25f7d09493ab9ec9c35abddb9e9fda9bdfc4d2b6410831530e24a264228fc335bde8263cadf0df7c5137

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2139.exe
Filesize
872KB

MD5
d2871524b97b06fc269ca0ce0e007115

SHA1
9de791d9fd0e38f1f61eee563976648eac46dfce

SHA256
e02263018a66d122ba2f4cb7681ac56392868a832a07ed49baddeb2b7d194284

SHA512
b65244a78f992944892865a1cbca42c3ba07b42008569d0b6bf98f529e831290310178bd991b5339462c01642d8ce35d78b915c82fb9b6c7e6a29ab8b588b964

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2139.exe
Filesize
872KB

MD5
d2871524b97b06fc269ca0ce0e007115

SHA1
9de791d9fd0e38f1f61eee563976648eac46dfce

SHA256
e02263018a66d122ba2f4cb7681ac56392868a832a07ed49baddeb2b7d194284

SHA512
b65244a78f992944892865a1cbca42c3ba07b42008569d0b6bf98f529e831290310178bd991b5339462c01642d8ce35d78b915c82fb9b6c7e6a29ab8b588b964

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xPUxD99.exe
Filesize
175KB

MD5
c50e2a12a1bffd51560292a749e8240e

SHA1
675cf9382491ed70accd9ab668b8d17754b21f88

SHA256
c7e52743ed8d683c3a195b39d85c65d5cafa6cff73878ea910e26275b9cbe108

SHA512
1fc07018777c12f2925c07ea265f08e0ee1cc660bbdc3be790694055a6a322d1da0cf1ed1013c71e237f2e0ab2aaa02468d3bd8db0f9a20ecd5d189eb805e2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xPUxD99.exe
Filesize
175KB

MD5
c50e2a12a1bffd51560292a749e8240e

SHA1
675cf9382491ed70accd9ab668b8d17754b21f88

SHA256
c7e52743ed8d683c3a195b39d85c65d5cafa6cff73878ea910e26275b9cbe108

SHA512
1fc07018777c12f2925c07ea265f08e0ee1cc660bbdc3be790694055a6a322d1da0cf1ed1013c71e237f2e0ab2aaa02468d3bd8db0f9a20ecd5d189eb805e2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8495.exe
Filesize
729KB

MD5
a0ded5c8060382790492834a0c08dbdd

SHA1
bbcff96573aa27d6938dc63cd3352ddbd8419b0d

SHA256
fade98181a7e8ab2fdb5601780e6b8762b46bed7a7e168bd8d3564a2ba79901c

SHA512
589f252f6d7a9c931017b8daf753097da3ddbddc777b7138b6a27a017b0c1fd5a07cae9e30c1341d731110dec4977c9177a8b8b80eb2f10aa243e149984250a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8495.exe
Filesize
729KB

MD5
a0ded5c8060382790492834a0c08dbdd

SHA1
bbcff96573aa27d6938dc63cd3352ddbd8419b0d

SHA256
fade98181a7e8ab2fdb5601780e6b8762b46bed7a7e168bd8d3564a2ba79901c

SHA512
589f252f6d7a9c931017b8daf753097da3ddbddc777b7138b6a27a017b0c1fd5a07cae9e30c1341d731110dec4977c9177a8b8b80eb2f10aa243e149984250a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w14XP30.exe
Filesize
403KB

MD5
cf9b82224c78636a6793713273e2f5bb

SHA1
7a15e5fed17b27ff3bf6c557f9878fd1c669f909

SHA256
22ae2945560b463cc03ca73c860aa318f971ce56d08d5d5f4ca6d720264d4113

SHA512
f0b5fac6f676d6fa5749d105e388360bc385401d8fdf74fe1733169a5a9374bf1d511ea3f35fdeb0c4d1a3becf6c455fea52a943973823f8ce0451e9649a4bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w14XP30.exe
Filesize
403KB

MD5
cf9b82224c78636a6793713273e2f5bb

SHA1
7a15e5fed17b27ff3bf6c557f9878fd1c669f909

SHA256
22ae2945560b463cc03ca73c860aa318f971ce56d08d5d5f4ca6d720264d4113

SHA512
f0b5fac6f676d6fa5749d105e388360bc385401d8fdf74fe1733169a5a9374bf1d511ea3f35fdeb0c4d1a3becf6c455fea52a943973823f8ce0451e9649a4bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0147.exe
Filesize
362KB

MD5
a12bbace4606d32715dadf07fc405c93

SHA1
50096efd3066ae307f39bd9ece6f19e6d9b7afa5

SHA256
d04fbc32bd664d6641b24cb6c1f8efff3feedf8823a5227563c48d559f191d4f

SHA512
28d2957a9c2ce25d5f232d7950f23f296120f0bdac6e007ff945478be6264614cb7c8dc0a9090653cc42cb8a01284a664ed78449988f624382b7b6fe83c64d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0147.exe
Filesize
362KB

MD5
a12bbace4606d32715dadf07fc405c93

SHA1
50096efd3066ae307f39bd9ece6f19e6d9b7afa5

SHA256
d04fbc32bd664d6641b24cb6c1f8efff3feedf8823a5227563c48d559f191d4f

SHA512
28d2957a9c2ce25d5f232d7950f23f296120f0bdac6e007ff945478be6264614cb7c8dc0a9090653cc42cb8a01284a664ed78449988f624382b7b6fe83c64d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0001.exe
Filesize
12KB

MD5
6cbffbe69479716ad5391be187161e8b

SHA1
749ef2a1ab13175e85d1b5404aebfe514e0fd25b

SHA256
b3120668552f5d171a8f7068d2a8a0e5c278aadd9765ef42289b3ee0f7e0abf0

SHA512
821079b9e925b2544de6eb9ec43b81fa0a56fb5dc38d2ed8af6d4821ca8244e42512bd40b7783e9395fff6bb39bcea1dcf86648e75dab160e77c15b6ff74bedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0001.exe
Filesize
12KB

MD5
6cbffbe69479716ad5391be187161e8b

SHA1
749ef2a1ab13175e85d1b5404aebfe514e0fd25b

SHA256
b3120668552f5d171a8f7068d2a8a0e5c278aadd9765ef42289b3ee0f7e0abf0

SHA512
821079b9e925b2544de6eb9ec43b81fa0a56fb5dc38d2ed8af6d4821ca8244e42512bd40b7783e9395fff6bb39bcea1dcf86648e75dab160e77c15b6ff74bedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0808rg.exe
Filesize
345KB

MD5
dd406a28ab216efb9c873dc35b67e2bc

SHA1
ef3c59043021aace1bc57d2e1c1d699474ee52d6

SHA256
f37d44bbcd596b080f2638e6fb5ecb316f7a364ffee5b5c546e5878e27113367

SHA512
67adbcc9f12aa5014059f4d8a8954df024f95d65b26b0459ab73161f4007c2bb7836ba8fa8fed72de33a83a5acfe69f6ff012a01f5ef01dbc3d1b91d281d2995

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0808rg.exe
Filesize
345KB

MD5
dd406a28ab216efb9c873dc35b67e2bc

SHA1
ef3c59043021aace1bc57d2e1c1d699474ee52d6

SHA256
f37d44bbcd596b080f2638e6fb5ecb316f7a364ffee5b5c546e5878e27113367

SHA512
67adbcc9f12aa5014059f4d8a8954df024f95d65b26b0459ab73161f4007c2bb7836ba8fa8fed72de33a83a5acfe69f6ff012a01f5ef01dbc3d1b91d281d2995

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
4e60359d1d57dad3db5123648779817a

SHA1
195506abadb358d3016dfd46ed055d97ac0d48de

SHA256
b152d6ef2898f37cd43294dc30bc8efc73b2cb3f151260afedefe98cb4702720

SHA512
003ab2285322376404c2e03107f56e3af808d1cedc6b25f7d09493ab9ec9c35abddb9e9fda9bdfc4d2b6410831530e24a264228fc335bde8263cadf0df7c5137

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
4e60359d1d57dad3db5123648779817a

SHA1
195506abadb358d3016dfd46ed055d97ac0d48de

SHA256
b152d6ef2898f37cd43294dc30bc8efc73b2cb3f151260afedefe98cb4702720

SHA512
003ab2285322376404c2e03107f56e3af808d1cedc6b25f7d09493ab9ec9c35abddb9e9fda9bdfc4d2b6410831530e24a264228fc335bde8263cadf0df7c5137

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
4e60359d1d57dad3db5123648779817a

SHA1
195506abadb358d3016dfd46ed055d97ac0d48de

SHA256
b152d6ef2898f37cd43294dc30bc8efc73b2cb3f151260afedefe98cb4702720

SHA512
003ab2285322376404c2e03107f56e3af808d1cedc6b25f7d09493ab9ec9c35abddb9e9fda9bdfc4d2b6410831530e24a264228fc335bde8263cadf0df7c5137

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
4e60359d1d57dad3db5123648779817a

SHA1
195506abadb358d3016dfd46ed055d97ac0d48de

SHA256
b152d6ef2898f37cd43294dc30bc8efc73b2cb3f151260afedefe98cb4702720

SHA512
003ab2285322376404c2e03107f56e3af808d1cedc6b25f7d09493ab9ec9c35abddb9e9fda9bdfc4d2b6410831530e24a264228fc335bde8263cadf0df7c5137

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
4e60359d1d57dad3db5123648779817a

SHA1
195506abadb358d3016dfd46ed055d97ac0d48de

SHA256
b152d6ef2898f37cd43294dc30bc8efc73b2cb3f151260afedefe98cb4702720

SHA512
003ab2285322376404c2e03107f56e3af808d1cedc6b25f7d09493ab9ec9c35abddb9e9fda9bdfc4d2b6410831530e24a264228fc335bde8263cadf0df7c5137

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
C:\Users\Admin\AppData\Roaming\bitcoin-22.0-win64-setup.exe
Filesize
2.9MB

MD5
b3544787e135de3b97c6e26f0fa3920d

SHA1
52511998d72e50632b9f95978b27097b987d06f5

SHA256
0ced24d71e4f15d9a48bd6f68387ec9914f365f74eb027ac591095a0234a940a

SHA512
3b5d3430083379f62fe4175a7e675b82b0cd339254bb06eae7f320152937258c5af1fba398f3856d79a0ca0b47dbb7b45981d1bb2cf235d98b9bc2cf1d3a4c12

Download Submit
memory/2388-161-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/3544-1133-0x0000000008F60000-0x000000000948C000-memory.dmp

Filesize
5.2MB

Download
memory/3544-1125-0x0000000008290000-0x00000000082F6000-memory.dmp

Filesize
408KB

Download
memory/3544-1134-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/3544-1132-0x0000000008D80000-0x0000000008F42000-memory.dmp

Filesize
1.8MB

Download
memory/3544-209-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-210-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-212-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-214-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-216-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-218-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-220-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-222-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-224-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-226-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-228-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-230-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-232-0x0000000002BA0000-0x0000000002BEB000-memory.dmp

Filesize
300KB

Download
memory/3544-233-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-234-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/3544-236-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/3544-238-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-237-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/3544-240-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-242-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-244-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-246-0x0000000004A20000-0x0000000004A5F000-memory.dmp

Filesize
252KB

Download
memory/3544-1119-0x0000000007870000-0x0000000007E88000-memory.dmp

Filesize
6.1MB

Download
memory/3544-1120-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/3544-1121-0x0000000004D40000-0x0000000004D52000-memory.dmp

Filesize
72KB

Download
memory/3544-1122-0x0000000007FA0000-0x0000000007FDC000-memory.dmp

Filesize
240KB

Download
memory/3544-1123-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/3544-1131-0x0000000008D20000-0x0000000008D70000-memory.dmp

Filesize
320KB

Download
memory/3544-1126-0x0000000008960000-0x00000000089F2000-memory.dmp

Filesize
584KB

Download
memory/3544-1127-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/3544-1128-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/3544-1129-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/3544-1130-0x0000000008C90000-0x0000000008D06000-memory.dmp

Filesize
472KB

Download
memory/3880-176-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-174-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-186-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-184-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-199-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/3880-198-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-188-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-169-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3880-196-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-194-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-192-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-190-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-167-0x0000000007140000-0x00000000076E4000-memory.dmp

Filesize
5.6MB

Download
memory/3880-200-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3880-203-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3880-182-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-180-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-178-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-204-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/3880-201-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3880-172-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-171-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/3880-170-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3880-168-0x0000000002B90000-0x0000000002BBD000-memory.dmp

Filesize
180KB

Download
memory/4860-1141-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/4860-1140-0x0000000000E70000-0x0000000000EA2000-memory.dmp

Filesize
200KB

Download