amadey | 8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe
Size

1.0MB
MD5

5b057a18727ea06698f47eb536a9f8d1
SHA1

406ea566773d631e9426b532c9b13efb35344051
SHA256

8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249
SHA512

3a50329eadc508d6668e5d0877a8d06912c3d46e2226043eae4e3c458745e365e1fbbe83601cc9e150dce7dd11a7a78a550b90978f7460baaaceadb732c16c83
SSDEEP

24576:Xyflmvbecal2JG36sHsELJVwW23y9kQ6LPJgowGg:ifNrl2UqsrVwB1fJgowG

Score

10^/10

amadey aurora redline nado rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nado

176.113.115.145:4125

Attributes

auth_value
a648e365d8e0df895a84152ad68ffc56

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz6951.exev1325Je.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz6951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v1325Je.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v1325Je.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz6951.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz6951.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz6951.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v1325Je.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v1325Je.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v1325Je.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz6951.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz6951.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v1325Je.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4888-213-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-214-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-216-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-218-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-220-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-222-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-224-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-226-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-228-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-230-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-232-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-234-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-236-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-238-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-240-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-242-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-244-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline
behavioral1/memory/4888-246-0x00000000071A0000-0x00000000071DF000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y82IQ68.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y82IQ68.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 13 IoCs

Processes:

zap6379.exezap8168.exezap4021.exetz6951.exev1325Je.exew63Vj57.exexlKYE35.exey82IQ68.exelegenda.exe2023.exew.exelegenda.exelegenda.exe

pid	process
960	zap6379.exe
3852	zap8168.exe
4604	zap4021.exe
1728	tz6951.exe
4644	v1325Je.exe
4888	w63Vj57.exe
3332	xlKYE35.exe
1016	y82IQ68.exe
464	legenda.exe
400	2023.exe
4656	w.exe
1724	legenda.exe
964	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5060 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5060	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz6951.exev1325Je.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz6951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v1325Je.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v1325Je.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap6379.exezap8168.exew.exe8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exezap4021.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6379.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6379.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8168.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run	w.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Updater.exe"	w.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8168.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4021.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap4021.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4492 4644 WerFault.exe v1325Je.exe
3764 4888 WerFault.exe w63Vj57.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2244 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz6951.exev1325Je.exew63Vj57.exexlKYE35.exe

pid process

1728 tz6951.exe
1728 tz6951.exe
4644 v1325Je.exe
4644 v1325Je.exe
4888 w63Vj57.exe
4888 w63Vj57.exe
3332 xlKYE35.exe
3332 xlKYE35.exe

pid	pid_target	process	target process
4492	4644	WerFault.exe	v1325Je.exe
3764	4888	WerFault.exe	w63Vj57.exe

pid	process
2244	schtasks.exe

pid	process
1728	tz6951.exe
1728	tz6951.exe
4644	v1325Je.exe
4644	v1325Je.exe
4888	w63Vj57.exe
4888	w63Vj57.exe
3332	xlKYE35.exe
3332	xlKYE35.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz6951.exev1325Je.exew63Vj57.exexlKYE35.exe

description	pid	process
Token: SeDebugPrivilege	1728	tz6951.exe
Token: SeDebugPrivilege	4644	v1325Je.exe
Token: SeDebugPrivilege	4888	w63Vj57.exe
Token: SeDebugPrivilege	3332	xlKYE35.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

w.exe

pid process

4656 w.exe

pid	process
4656	w.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exezap6379.exezap8168.exezap4021.exey82IQ68.exelegenda.execmd.exe

description	pid	process	target process
PID 5076 wrote to memory of 960	5076	8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe	zap6379.exe
PID 5076 wrote to memory of 960	5076	8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe	zap6379.exe
PID 5076 wrote to memory of 960	5076	8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe	zap6379.exe
PID 960 wrote to memory of 3852	960	zap6379.exe	zap8168.exe
PID 960 wrote to memory of 3852	960	zap6379.exe	zap8168.exe
PID 960 wrote to memory of 3852	960	zap6379.exe	zap8168.exe
PID 3852 wrote to memory of 4604	3852	zap8168.exe	zap4021.exe
PID 3852 wrote to memory of 4604	3852	zap8168.exe	zap4021.exe
PID 3852 wrote to memory of 4604	3852	zap8168.exe	zap4021.exe
PID 4604 wrote to memory of 1728	4604	zap4021.exe	tz6951.exe
PID 4604 wrote to memory of 1728	4604	zap4021.exe	tz6951.exe
PID 4604 wrote to memory of 4644	4604	zap4021.exe	v1325Je.exe
PID 4604 wrote to memory of 4644	4604	zap4021.exe	v1325Je.exe
PID 4604 wrote to memory of 4644	4604	zap4021.exe	v1325Je.exe
PID 3852 wrote to memory of 4888	3852	zap8168.exe	w63Vj57.exe
PID 3852 wrote to memory of 4888	3852	zap8168.exe	w63Vj57.exe
PID 3852 wrote to memory of 4888	3852	zap8168.exe	w63Vj57.exe
PID 960 wrote to memory of 3332	960	zap6379.exe	xlKYE35.exe
PID 960 wrote to memory of 3332	960	zap6379.exe	xlKYE35.exe
PID 960 wrote to memory of 3332	960	zap6379.exe	xlKYE35.exe
PID 5076 wrote to memory of 1016	5076	8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe	y82IQ68.exe
PID 5076 wrote to memory of 1016	5076	8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe	y82IQ68.exe
PID 5076 wrote to memory of 1016	5076	8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe	y82IQ68.exe
PID 1016 wrote to memory of 464	1016	y82IQ68.exe	legenda.exe
PID 1016 wrote to memory of 464	1016	y82IQ68.exe	legenda.exe
PID 1016 wrote to memory of 464	1016	y82IQ68.exe	legenda.exe
PID 464 wrote to memory of 2244	464	legenda.exe	schtasks.exe
PID 464 wrote to memory of 2244	464	legenda.exe	schtasks.exe
PID 464 wrote to memory of 2244	464	legenda.exe	schtasks.exe
PID 464 wrote to memory of 1256	464	legenda.exe	cmd.exe
PID 464 wrote to memory of 1256	464	legenda.exe	cmd.exe
PID 464 wrote to memory of 1256	464	legenda.exe	cmd.exe
PID 1256 wrote to memory of 828	1256	cmd.exe	cmd.exe
PID 1256 wrote to memory of 828	1256	cmd.exe	cmd.exe
PID 1256 wrote to memory of 828	1256	cmd.exe	cmd.exe
PID 1256 wrote to memory of 3140	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 3140	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 3140	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 740	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 740	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 740	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 3264	1256	cmd.exe	cmd.exe
PID 1256 wrote to memory of 3264	1256	cmd.exe	cmd.exe
PID 1256 wrote to memory of 3264	1256	cmd.exe	cmd.exe
PID 1256 wrote to memory of 4764	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 4764	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 4764	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 3084	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 3084	1256	cmd.exe	cacls.exe
PID 1256 wrote to memory of 3084	1256	cmd.exe	cacls.exe
PID 464 wrote to memory of 400	464	legenda.exe	2023.exe
PID 464 wrote to memory of 400	464	legenda.exe	2023.exe
PID 464 wrote to memory of 400	464	legenda.exe	2023.exe
PID 464 wrote to memory of 4656	464	legenda.exe	w.exe
PID 464 wrote to memory of 4656	464	legenda.exe	w.exe
PID 464 wrote to memory of 4656	464	legenda.exe	w.exe
PID 464 wrote to memory of 5060	464	legenda.exe	rundll32.exe
PID 464 wrote to memory of 5060	464	legenda.exe	rundll32.exe
PID 464 wrote to memory of 5060	464	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe
"C:\Users\Admin\AppData\Local\Temp\8cdecadf8039f1816af72be6557b09d18fc59cad7087ddaee1d68d697c143249.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6379.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6379.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8168.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8168.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4021.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4021.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6951.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6951.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1325Je.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1325Je.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1080
6⤵
- Program crash
PID:4492

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w63Vj57.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w63Vj57.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1328
5⤵
- Program crash
PID:3764

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xlKYE35.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xlKYE35.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82IQ68.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82IQ68.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:2244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:828

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3140

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3264

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4764

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
"C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe"
4⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
"C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4644 -ip 4644
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4888 -ip 4888
1⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82IQ68.exe
Filesize
235KB

MD5
b037b9a478ad4cec3b322c0281fbc0de

SHA1
d5ea90be1c6c926fa266f964a70d09bd3aebefa5

SHA256
c741ab72a60952aec6f1597dd07093977938eb57960a8a91b051ac3aa9ce523d

SHA512
9a47b4d186385fceea8622ccfe0992ce3089271a618ea6c4d553f602859658153b748b7e39664f00d6213a0dd3dbe9ad1224952add2826894b21e2d5d7a8343b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82IQ68.exe
Filesize
235KB

MD5
b037b9a478ad4cec3b322c0281fbc0de

SHA1
d5ea90be1c6c926fa266f964a70d09bd3aebefa5

SHA256
c741ab72a60952aec6f1597dd07093977938eb57960a8a91b051ac3aa9ce523d

SHA512
9a47b4d186385fceea8622ccfe0992ce3089271a618ea6c4d553f602859658153b748b7e39664f00d6213a0dd3dbe9ad1224952add2826894b21e2d5d7a8343b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6379.exe
Filesize
874KB

MD5
6f2d61dd5195b086ba54b1df4c81f7c4

SHA1
c67bc5a8ff264718f2b0033c8a02aa7f9144c2da

SHA256
c3eed875961c60b4f84bc2a777c388def02da5ea5ab5087bc08777733d7780e6

SHA512
05e760a0ca92eae765176963e2adbeffed5ef8ad2b20cd615f62d600831c97a1c18cdef34b25c99beb063d3d72d318497f10b718f6d37c39dd1b06b05ca35692

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6379.exe
Filesize
874KB

MD5
6f2d61dd5195b086ba54b1df4c81f7c4

SHA1
c67bc5a8ff264718f2b0033c8a02aa7f9144c2da

SHA256
c3eed875961c60b4f84bc2a777c388def02da5ea5ab5087bc08777733d7780e6

SHA512
05e760a0ca92eae765176963e2adbeffed5ef8ad2b20cd615f62d600831c97a1c18cdef34b25c99beb063d3d72d318497f10b718f6d37c39dd1b06b05ca35692

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xlKYE35.exe
Filesize
175KB

MD5
9ce6494f5ee2d7f60635233f36ff51bc

SHA1
e6717082f3befb0d9a55c413bb85f232e44013a0

SHA256
95c9b4f6c1651f2305b96b753cf70d73a494ebc3dee6d660d75cf5a5f0db156a

SHA512
3dbde55710e15e1796dde370d705870a27280e797ab66c3d43cd8fc51a62ffa0a252342bd76ace741f2b5525d1065d7485bd6b39a07da5a1ea2e2664240c72a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xlKYE35.exe
Filesize
175KB

MD5
9ce6494f5ee2d7f60635233f36ff51bc

SHA1
e6717082f3befb0d9a55c413bb85f232e44013a0

SHA256
95c9b4f6c1651f2305b96b753cf70d73a494ebc3dee6d660d75cf5a5f0db156a

SHA512
3dbde55710e15e1796dde370d705870a27280e797ab66c3d43cd8fc51a62ffa0a252342bd76ace741f2b5525d1065d7485bd6b39a07da5a1ea2e2664240c72a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8168.exe
Filesize
732KB

MD5
cb5fd83f23c42b4ecfdda82641e6a370

SHA1
b6f1d43ca19a57e0b33629c8b55dce4d793604e5

SHA256
533c143b0814dd7aa79591a2cde5bfda7b9fd05b85885b3f680e7d76116fde14

SHA512
69b6f6c192e44ac62eb3a55a024e3cf7ac98d0e853de217853c7087971e1f25fdb3d953eefc17faf4ab48c1711f0acbb78206de1a558b776487a2e158bc72c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8168.exe
Filesize
732KB

MD5
cb5fd83f23c42b4ecfdda82641e6a370

SHA1
b6f1d43ca19a57e0b33629c8b55dce4d793604e5

SHA256
533c143b0814dd7aa79591a2cde5bfda7b9fd05b85885b3f680e7d76116fde14

SHA512
69b6f6c192e44ac62eb3a55a024e3cf7ac98d0e853de217853c7087971e1f25fdb3d953eefc17faf4ab48c1711f0acbb78206de1a558b776487a2e158bc72c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w63Vj57.exe
Filesize
403KB

MD5
3c82ca69850193e4ea8a4f38d97e5d64

SHA1
8e40faf2eb551239605ab0f7b08a2bef75810a64

SHA256
3683004f66167125bf884dde830f5255c4d0c6e38836861d2094238cad0ff532

SHA512
bdb99d81ccddbe70f764efb5516d9aabada9f387620a859ef4d7ab6b287175f947ac3d0b5bbfff334e81a8325ebc20d6b27dec687e64c63ae168204832976d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w63Vj57.exe
Filesize
403KB

MD5
3c82ca69850193e4ea8a4f38d97e5d64

SHA1
8e40faf2eb551239605ab0f7b08a2bef75810a64

SHA256
3683004f66167125bf884dde830f5255c4d0c6e38836861d2094238cad0ff532

SHA512
bdb99d81ccddbe70f764efb5516d9aabada9f387620a859ef4d7ab6b287175f947ac3d0b5bbfff334e81a8325ebc20d6b27dec687e64c63ae168204832976d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4021.exe
Filesize
362KB

MD5
9d9b7124fde8b50adfab9f0744970f07

SHA1
7d61a3a351f24d921b2610edd24768786fd61fcf

SHA256
4478e626aa0a8a2a34fb8cc60e2f6ce7320eb54056b0bc953ceb7b0145571ff0

SHA512
9aabab7b1127b906a6833500cf9d2c94a71c44032390487746a7dd722ea4ec4f584d6dc01d9f6627d1f56656252e07bd2696327e663f55d6c404be96a72c1d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4021.exe
Filesize
362KB

MD5
9d9b7124fde8b50adfab9f0744970f07

SHA1
7d61a3a351f24d921b2610edd24768786fd61fcf

SHA256
4478e626aa0a8a2a34fb8cc60e2f6ce7320eb54056b0bc953ceb7b0145571ff0

SHA512
9aabab7b1127b906a6833500cf9d2c94a71c44032390487746a7dd722ea4ec4f584d6dc01d9f6627d1f56656252e07bd2696327e663f55d6c404be96a72c1d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6951.exe
Filesize
12KB

MD5
f37bfe7f930341fad9b68d937158fa09

SHA1
e375456ea5b7f465eb3f054cef55ea52313e7a55

SHA256
0f9f21aa0376607b5e79b8ff640d3ecc8421f405132940fceec637c2bf8e4fe4

SHA512
c8bcf7d204adcf590703212d716c4afc1cee4a6e9db606c6c9788d0d5ef45e8556aa04a531a06b4337381b4a63025ffd46859f69f9139cb780712f3456354790

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6951.exe
Filesize
12KB

MD5
f37bfe7f930341fad9b68d937158fa09

SHA1
e375456ea5b7f465eb3f054cef55ea52313e7a55

SHA256
0f9f21aa0376607b5e79b8ff640d3ecc8421f405132940fceec637c2bf8e4fe4

SHA512
c8bcf7d204adcf590703212d716c4afc1cee4a6e9db606c6c9788d0d5ef45e8556aa04a531a06b4337381b4a63025ffd46859f69f9139cb780712f3456354790

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1325Je.exe
Filesize
345KB

MD5
a9cc3051799c5cecf7c2cdb557ff0e11

SHA1
8f75b3b0db24bb9bdaaffd5c891ffd4d7d4daf44

SHA256
61fea3770562565db3e2f072748a7d1b010d169c774709131e493c20f3e7503d

SHA512
ca3e12f9ece573a2dd7f136bdfe690920ae0a578b933be1bb88750d71dc470ae6563c17e68a3169109d8c0fe642704816bd17819bc2a97c29c2289553ca8d02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1325Je.exe
Filesize
345KB

MD5
a9cc3051799c5cecf7c2cdb557ff0e11

SHA1
8f75b3b0db24bb9bdaaffd5c891ffd4d7d4daf44

SHA256
61fea3770562565db3e2f072748a7d1b010d169c774709131e493c20f3e7503d

SHA512
ca3e12f9ece573a2dd7f136bdfe690920ae0a578b933be1bb88750d71dc470ae6563c17e68a3169109d8c0fe642704816bd17819bc2a97c29c2289553ca8d02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
b037b9a478ad4cec3b322c0281fbc0de

SHA1
d5ea90be1c6c926fa266f964a70d09bd3aebefa5

SHA256
c741ab72a60952aec6f1597dd07093977938eb57960a8a91b051ac3aa9ce523d

SHA512
9a47b4d186385fceea8622ccfe0992ce3089271a618ea6c4d553f602859658153b748b7e39664f00d6213a0dd3dbe9ad1224952add2826894b21e2d5d7a8343b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
b037b9a478ad4cec3b322c0281fbc0de

SHA1
d5ea90be1c6c926fa266f964a70d09bd3aebefa5

SHA256
c741ab72a60952aec6f1597dd07093977938eb57960a8a91b051ac3aa9ce523d

SHA512
9a47b4d186385fceea8622ccfe0992ce3089271a618ea6c4d553f602859658153b748b7e39664f00d6213a0dd3dbe9ad1224952add2826894b21e2d5d7a8343b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
b037b9a478ad4cec3b322c0281fbc0de

SHA1
d5ea90be1c6c926fa266f964a70d09bd3aebefa5

SHA256
c741ab72a60952aec6f1597dd07093977938eb57960a8a91b051ac3aa9ce523d

SHA512
9a47b4d186385fceea8622ccfe0992ce3089271a618ea6c4d553f602859658153b748b7e39664f00d6213a0dd3dbe9ad1224952add2826894b21e2d5d7a8343b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
b037b9a478ad4cec3b322c0281fbc0de

SHA1
d5ea90be1c6c926fa266f964a70d09bd3aebefa5

SHA256
c741ab72a60952aec6f1597dd07093977938eb57960a8a91b051ac3aa9ce523d

SHA512
9a47b4d186385fceea8622ccfe0992ce3089271a618ea6c4d553f602859658153b748b7e39664f00d6213a0dd3dbe9ad1224952add2826894b21e2d5d7a8343b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
b037b9a478ad4cec3b322c0281fbc0de

SHA1
d5ea90be1c6c926fa266f964a70d09bd3aebefa5

SHA256
c741ab72a60952aec6f1597dd07093977938eb57960a8a91b051ac3aa9ce523d

SHA512
9a47b4d186385fceea8622ccfe0992ce3089271a618ea6c4d553f602859658153b748b7e39664f00d6213a0dd3dbe9ad1224952add2826894b21e2d5d7a8343b

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1728-161-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/3332-1140-0x0000000000E90000-0x0000000000EC2000-memory.dmp

Filesize
200KB

Download
memory/3332-1141-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/3332-1142-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/4644-184-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-180-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-202-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4644-204-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/4644-194-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-192-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-190-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-188-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-186-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-196-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-182-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-200-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4644-178-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-176-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-174-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-172-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-171-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4644-170-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4644-169-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4644-168-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

Filesize
180KB

Download
memory/4644-167-0x00000000070D0000-0x0000000007674000-memory.dmp

Filesize
5.6MB

Download
memory/4644-201-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4644-199-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/4644-198-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4888-218-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-246-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-1119-0x00000000078E0000-0x0000000007EF8000-memory.dmp

Filesize
6.1MB

Download
memory/4888-1120-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/4888-1121-0x00000000080C0000-0x00000000080D2000-memory.dmp

Filesize
72KB

Download
memory/4888-1122-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/4888-1123-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4888-1125-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4888-1126-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4888-1127-0x00000000083D0000-0x0000000008436000-memory.dmp

Filesize
408KB

Download
memory/4888-1128-0x0000000008A90000-0x0000000008B22000-memory.dmp

Filesize
584KB

Download
memory/4888-1129-0x0000000008B90000-0x0000000008C06000-memory.dmp

Filesize
472KB

Download
memory/4888-1130-0x0000000008C10000-0x0000000008C60000-memory.dmp

Filesize
320KB

Download
memory/4888-1131-0x0000000008D80000-0x0000000008F42000-memory.dmp

Filesize
1.8MB

Download
memory/4888-244-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-242-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-240-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-238-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-236-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-234-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-232-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-230-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-228-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-226-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-224-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-222-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-220-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-216-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-214-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-213-0x00000000071A0000-0x00000000071DF000-memory.dmp

Filesize
252KB

Download
memory/4888-211-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4888-212-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4888-210-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4888-209-0x0000000002CC0000-0x0000000002D0B000-memory.dmp

Filesize
300KB

Download
memory/4888-1132-0x0000000008F50000-0x000000000947C000-memory.dmp

Filesize
5.2MB

Download
memory/4888-1133-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download