amadey | 0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe
Size

1.0MB
MD5

ddf265655af8bba24e4a56d5f10c521b
SHA1

b126dc49805711175d29ac66adffe6910a55aae0
SHA256

0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667
SHA512

c30551f826da5b44bde7b438383234229f656db0ecc24e1bc845a40cff36cb279c24344780bc1c0116bb639f009ec55bc9687f8888a002b5b2b7ed9025f0789d
SSDEEP

24576:bydX03fVUwwbwhOxKQzrfFvUAWY76TvEiw/nddZPM0nCE0KVM6lxF6p:OO3fewrhObPfFxWY76jEiw/dd/CTp6V

Score

10^/10

amadey aurora redline nado rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nado

176.113.115.145:4125

Attributes

auth_value
a648e365d8e0df895a84152ad68ffc56

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v8888yb.exetz8564.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8888yb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8888yb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8888yb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8888yb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8564.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v8888yb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8888yb.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1032-212-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-213-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-215-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-217-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-219-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-221-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-223-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-225-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-227-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-229-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-231-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-233-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-235-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-237-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-239-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-241-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-243-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-246-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/1032-244-0x0000000004AE0000-0x0000000004AF0000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y55IA45.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	y55IA45.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 13 IoCs

Processes:

zap4455.exezap9368.exezap1600.exetz8564.exev8888yb.exew17bu89.exexMquX32.exey55IA45.exelegenda.exe2023.exew.exelegenda.exelegenda.exe

pid	process
1516	zap4455.exe
4676	zap9368.exe
3276	zap1600.exe
4276	tz8564.exe
5000	v8888yb.exe
1032	w17bu89.exe
5032	xMquX32.exe
4184	y55IA45.exe
3232	legenda.exe
1436	2023.exe
2192	w.exe
1504	legenda.exe
4464	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

888 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
888	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v8888yb.exetz8564.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8888yb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8564.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8888yb.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap1600.exew.exe0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exezap9368.exezap4455.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1600.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	w.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Updater.exe"	w.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap9368.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1600.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4455.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4448 5000 WerFault.exe v8888yb.exe
4840 1032 WerFault.exe w17bu89.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3616 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz8564.exev8888yb.exew17bu89.exexMquX32.exe

pid process

4276 tz8564.exe
4276 tz8564.exe
5000 v8888yb.exe
5000 v8888yb.exe
1032 w17bu89.exe
1032 w17bu89.exe
5032 xMquX32.exe
5032 xMquX32.exe

pid	pid_target	process	target process
4448	5000	WerFault.exe	v8888yb.exe
4840	1032	WerFault.exe	w17bu89.exe

pid	process
3616	schtasks.exe

pid	process
4276	tz8564.exe
4276	tz8564.exe
5000	v8888yb.exe
5000	v8888yb.exe
1032	w17bu89.exe
1032	w17bu89.exe
5032	xMquX32.exe
5032	xMquX32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz8564.exev8888yb.exew17bu89.exexMquX32.exe

description	pid	process
Token: SeDebugPrivilege	4276	tz8564.exe
Token: SeDebugPrivilege	5000	v8888yb.exe
Token: SeDebugPrivilege	1032	w17bu89.exe
Token: SeDebugPrivilege	5032	xMquX32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

w.exe

pid process

2192 w.exe

pid	process
2192	w.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exezap4455.exezap9368.exezap1600.exey55IA45.exelegenda.execmd.exe

description	pid	process	target process
PID 4412 wrote to memory of 1516	4412	0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe	zap4455.exe
PID 4412 wrote to memory of 1516	4412	0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe	zap4455.exe
PID 4412 wrote to memory of 1516	4412	0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe	zap4455.exe
PID 1516 wrote to memory of 4676	1516	zap4455.exe	zap9368.exe
PID 1516 wrote to memory of 4676	1516	zap4455.exe	zap9368.exe
PID 1516 wrote to memory of 4676	1516	zap4455.exe	zap9368.exe
PID 4676 wrote to memory of 3276	4676	zap9368.exe	zap1600.exe
PID 4676 wrote to memory of 3276	4676	zap9368.exe	zap1600.exe
PID 4676 wrote to memory of 3276	4676	zap9368.exe	zap1600.exe
PID 3276 wrote to memory of 4276	3276	zap1600.exe	tz8564.exe
PID 3276 wrote to memory of 4276	3276	zap1600.exe	tz8564.exe
PID 3276 wrote to memory of 5000	3276	zap1600.exe	v8888yb.exe
PID 3276 wrote to memory of 5000	3276	zap1600.exe	v8888yb.exe
PID 3276 wrote to memory of 5000	3276	zap1600.exe	v8888yb.exe
PID 4676 wrote to memory of 1032	4676	zap9368.exe	w17bu89.exe
PID 4676 wrote to memory of 1032	4676	zap9368.exe	w17bu89.exe
PID 4676 wrote to memory of 1032	4676	zap9368.exe	w17bu89.exe
PID 1516 wrote to memory of 5032	1516	zap4455.exe	xMquX32.exe
PID 1516 wrote to memory of 5032	1516	zap4455.exe	xMquX32.exe
PID 1516 wrote to memory of 5032	1516	zap4455.exe	xMquX32.exe
PID 4412 wrote to memory of 4184	4412	0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe	y55IA45.exe
PID 4412 wrote to memory of 4184	4412	0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe	y55IA45.exe
PID 4412 wrote to memory of 4184	4412	0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe	y55IA45.exe
PID 4184 wrote to memory of 3232	4184	y55IA45.exe	legenda.exe
PID 4184 wrote to memory of 3232	4184	y55IA45.exe	legenda.exe
PID 4184 wrote to memory of 3232	4184	y55IA45.exe	legenda.exe
PID 3232 wrote to memory of 3616	3232	legenda.exe	schtasks.exe
PID 3232 wrote to memory of 3616	3232	legenda.exe	schtasks.exe
PID 3232 wrote to memory of 3616	3232	legenda.exe	schtasks.exe
PID 3232 wrote to memory of 2108	3232	legenda.exe	cmd.exe
PID 3232 wrote to memory of 2108	3232	legenda.exe	cmd.exe
PID 3232 wrote to memory of 2108	3232	legenda.exe	cmd.exe
PID 2108 wrote to memory of 4556	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 4556	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 4556	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 4944	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 4944	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 4944	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 5008	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 5008	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 5008	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 5060	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 5060	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 5060	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 4408	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 4408	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 4408	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 488	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 488	2108	cmd.exe	cacls.exe
PID 2108 wrote to memory of 488	2108	cmd.exe	cacls.exe
PID 3232 wrote to memory of 1436	3232	legenda.exe	2023.exe
PID 3232 wrote to memory of 1436	3232	legenda.exe	2023.exe
PID 3232 wrote to memory of 1436	3232	legenda.exe	2023.exe
PID 3232 wrote to memory of 2192	3232	legenda.exe	w.exe
PID 3232 wrote to memory of 2192	3232	legenda.exe	w.exe
PID 3232 wrote to memory of 2192	3232	legenda.exe	w.exe
PID 3232 wrote to memory of 888	3232	legenda.exe	rundll32.exe
PID 3232 wrote to memory of 888	3232	legenda.exe	rundll32.exe
PID 3232 wrote to memory of 888	3232	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe
"C:\Users\Admin\AppData\Local\Temp\0b350a56927c8c36450a7301dee92d98a5960b14a684fd4b00de72c8f3b0a667.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4455.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4455.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9368.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9368.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4676

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1600.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1600.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3276

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8564.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8564.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8888yb.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8888yb.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1084
6⤵
- Program crash
PID:4448

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17bu89.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17bu89.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1472
5⤵
- Program crash
PID:4840

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xMquX32.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xMquX32.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y55IA45.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y55IA45.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4556

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4944

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5060

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4408

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
"C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe"
4⤵
- Executes dropped EXE
PID:1436

C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
"C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5000 -ip 5000
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1032 -ip 1032
1⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y55IA45.exe
Filesize
235KB

MD5
783da7712bc2d2420a3e044bb82290a2

SHA1
3bdda533e4623c9f1fae740c764fa8ea24fab090

SHA256
e6ad2739b2e4bfca66d329518afba15353def8f7fd8f01e792b7c596c93ab366

SHA512
bafc5461ae89c721a7c9f4fae52e521880ed92e7e1de4b40e17b4c3593d235036fc21ef69287f91cc1a1219562b95ce0a9b8e2bcbc88293ce87dd3552455ce98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y55IA45.exe
Filesize
235KB

MD5
783da7712bc2d2420a3e044bb82290a2

SHA1
3bdda533e4623c9f1fae740c764fa8ea24fab090

SHA256
e6ad2739b2e4bfca66d329518afba15353def8f7fd8f01e792b7c596c93ab366

SHA512
bafc5461ae89c721a7c9f4fae52e521880ed92e7e1de4b40e17b4c3593d235036fc21ef69287f91cc1a1219562b95ce0a9b8e2bcbc88293ce87dd3552455ce98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4455.exe
Filesize
872KB

MD5
49b5d6f66f911248ec768d62f8cb75cd

SHA1
a90ba339990d39727eb233584e06b91edb702077

SHA256
e2582d954d1ea84d811e57d2f586eeec44c72a9f72c9512cff64428c0d195a64

SHA512
07bde73be397907ec03485d2c044c50f6783f782c8982a482324b873c924c2648e423274ef6911ce54dacbd9ae162bea5c0a7f430f1c00b24fa32a528143df08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4455.exe
Filesize
872KB

MD5
49b5d6f66f911248ec768d62f8cb75cd

SHA1
a90ba339990d39727eb233584e06b91edb702077

SHA256
e2582d954d1ea84d811e57d2f586eeec44c72a9f72c9512cff64428c0d195a64

SHA512
07bde73be397907ec03485d2c044c50f6783f782c8982a482324b873c924c2648e423274ef6911ce54dacbd9ae162bea5c0a7f430f1c00b24fa32a528143df08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xMquX32.exe
Filesize
175KB

MD5
c977edb0e762e501de224ffaca30a61f

SHA1
4853cece80db0aa0801e098596f1c3e007ea1243

SHA256
e0320e0300ffb5cb494205c2493b63ba9b46c0a9aeaeffa84ed06f6a79d14d92

SHA512
f562b35e7ea08f92d64433562a94d77e8bfc2dc2c86d6ed2250b90f43bf0f9f83ba26d5f36626cdc952ab3c43b4804b5e86b630c1ecb8c342476dfc810064bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xMquX32.exe
Filesize
175KB

MD5
c977edb0e762e501de224ffaca30a61f

SHA1
4853cece80db0aa0801e098596f1c3e007ea1243

SHA256
e0320e0300ffb5cb494205c2493b63ba9b46c0a9aeaeffa84ed06f6a79d14d92

SHA512
f562b35e7ea08f92d64433562a94d77e8bfc2dc2c86d6ed2250b90f43bf0f9f83ba26d5f36626cdc952ab3c43b4804b5e86b630c1ecb8c342476dfc810064bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9368.exe
Filesize
729KB

MD5
017962672856b81fbd3ad21049c89bdc

SHA1
d565677ebe723f1f2fd77726b966f9af747b99ce

SHA256
948da50bd9b8cda4438f63d938c9c8ed185aba56d8cd9fa94368c2dafe7cc7c3

SHA512
cbef53b9015568a951024fe9202a1cda9deba8721216eceb82f9dd17ef0552f8ad2272235c89aace8d755394c9b6ad983fdc190e2258ea612ac4d6991214302f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9368.exe
Filesize
729KB

MD5
017962672856b81fbd3ad21049c89bdc

SHA1
d565677ebe723f1f2fd77726b966f9af747b99ce

SHA256
948da50bd9b8cda4438f63d938c9c8ed185aba56d8cd9fa94368c2dafe7cc7c3

SHA512
cbef53b9015568a951024fe9202a1cda9deba8721216eceb82f9dd17ef0552f8ad2272235c89aace8d755394c9b6ad983fdc190e2258ea612ac4d6991214302f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17bu89.exe
Filesize
403KB

MD5
e22627d3fad202538e82b26897e822bf

SHA1
d3b4553146e16dc8d0bda7e07d2cf8ff59212288

SHA256
683552d22885a3dde047565348ac6315124c040d02cf0d11ce9fa8f232cb6af9

SHA512
8327caaa2abff9dcdfcd58e5af399e647f7ea6a5089d9505ad4d2fe839138ba3a153cb4b4afab419978f227016490296552c3c05bcf2d7da8919f42e5450e427

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17bu89.exe
Filesize
403KB

MD5
e22627d3fad202538e82b26897e822bf

SHA1
d3b4553146e16dc8d0bda7e07d2cf8ff59212288

SHA256
683552d22885a3dde047565348ac6315124c040d02cf0d11ce9fa8f232cb6af9

SHA512
8327caaa2abff9dcdfcd58e5af399e647f7ea6a5089d9505ad4d2fe839138ba3a153cb4b4afab419978f227016490296552c3c05bcf2d7da8919f42e5450e427

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1600.exe
Filesize
362KB

MD5
d5094dba8e8bfb1aaae8e1c4bccec52e

SHA1
62b8bff47f51cc2928716e5ea7c7b5e945afaaf3

SHA256
cb8902e9ec03523467a3e8e7c4f1981cefc02e3ce434b3cbd7c8f91882369659

SHA512
a12d1f030a4236b50538b032435f5d952d8cf81706c6f948d44ca94bf01fe23cd649ce54515b667cb75f188362072a88fd5aa7fc8b75df90db65f3e71a759fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1600.exe
Filesize
362KB

MD5
d5094dba8e8bfb1aaae8e1c4bccec52e

SHA1
62b8bff47f51cc2928716e5ea7c7b5e945afaaf3

SHA256
cb8902e9ec03523467a3e8e7c4f1981cefc02e3ce434b3cbd7c8f91882369659

SHA512
a12d1f030a4236b50538b032435f5d952d8cf81706c6f948d44ca94bf01fe23cd649ce54515b667cb75f188362072a88fd5aa7fc8b75df90db65f3e71a759fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8564.exe
Filesize
12KB

MD5
30ab1fbd2c7c68db00c314a5d6eade3f

SHA1
a57f0acdbea0138ed430da5a4dbd58ebd78726fc

SHA256
e7983d84dad34767c572944f8141706692c81d2d0d0e247bdf2936bbeb810595

SHA512
689717eaa7162a42da5c11588c4cba01e2fd0431150e13a7114da17eb50a2a3b466fb1391a423aee1122346a5e89054ff103d1c91ebda575704a649f0b092183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8564.exe
Filesize
12KB

MD5
30ab1fbd2c7c68db00c314a5d6eade3f

SHA1
a57f0acdbea0138ed430da5a4dbd58ebd78726fc

SHA256
e7983d84dad34767c572944f8141706692c81d2d0d0e247bdf2936bbeb810595

SHA512
689717eaa7162a42da5c11588c4cba01e2fd0431150e13a7114da17eb50a2a3b466fb1391a423aee1122346a5e89054ff103d1c91ebda575704a649f0b092183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8888yb.exe
Filesize
345KB

MD5
50db4ee17b5e80e074cbbc6d10ef783a

SHA1
69847b80b46fb9886c840b66394167f3e7de7abd

SHA256
d6e7593b932cd03b7514e7dffb0abdf9434c0eef3a1977cfb70eaf041b168693

SHA512
fb2f6e00d368756ee3a95df2681697e30f800097fa014cde3263075c4503f8d84cf9e5244eb9fcaeb36b30badc373242b092192d64180b067415182ca5e0dfbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8888yb.exe
Filesize
345KB

MD5
50db4ee17b5e80e074cbbc6d10ef783a

SHA1
69847b80b46fb9886c840b66394167f3e7de7abd

SHA256
d6e7593b932cd03b7514e7dffb0abdf9434c0eef3a1977cfb70eaf041b168693

SHA512
fb2f6e00d368756ee3a95df2681697e30f800097fa014cde3263075c4503f8d84cf9e5244eb9fcaeb36b30badc373242b092192d64180b067415182ca5e0dfbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
783da7712bc2d2420a3e044bb82290a2

SHA1
3bdda533e4623c9f1fae740c764fa8ea24fab090

SHA256
e6ad2739b2e4bfca66d329518afba15353def8f7fd8f01e792b7c596c93ab366

SHA512
bafc5461ae89c721a7c9f4fae52e521880ed92e7e1de4b40e17b4c3593d235036fc21ef69287f91cc1a1219562b95ce0a9b8e2bcbc88293ce87dd3552455ce98

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
783da7712bc2d2420a3e044bb82290a2

SHA1
3bdda533e4623c9f1fae740c764fa8ea24fab090

SHA256
e6ad2739b2e4bfca66d329518afba15353def8f7fd8f01e792b7c596c93ab366

SHA512
bafc5461ae89c721a7c9f4fae52e521880ed92e7e1de4b40e17b4c3593d235036fc21ef69287f91cc1a1219562b95ce0a9b8e2bcbc88293ce87dd3552455ce98

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
783da7712bc2d2420a3e044bb82290a2

SHA1
3bdda533e4623c9f1fae740c764fa8ea24fab090

SHA256
e6ad2739b2e4bfca66d329518afba15353def8f7fd8f01e792b7c596c93ab366

SHA512
bafc5461ae89c721a7c9f4fae52e521880ed92e7e1de4b40e17b4c3593d235036fc21ef69287f91cc1a1219562b95ce0a9b8e2bcbc88293ce87dd3552455ce98

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
783da7712bc2d2420a3e044bb82290a2

SHA1
3bdda533e4623c9f1fae740c764fa8ea24fab090

SHA256
e6ad2739b2e4bfca66d329518afba15353def8f7fd8f01e792b7c596c93ab366

SHA512
bafc5461ae89c721a7c9f4fae52e521880ed92e7e1de4b40e17b4c3593d235036fc21ef69287f91cc1a1219562b95ce0a9b8e2bcbc88293ce87dd3552455ce98

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
783da7712bc2d2420a3e044bb82290a2

SHA1
3bdda533e4623c9f1fae740c764fa8ea24fab090

SHA256
e6ad2739b2e4bfca66d329518afba15353def8f7fd8f01e792b7c596c93ab366

SHA512
bafc5461ae89c721a7c9f4fae52e521880ed92e7e1de4b40e17b4c3593d235036fc21ef69287f91cc1a1219562b95ce0a9b8e2bcbc88293ce87dd3552455ce98

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1032-1130-0x0000000009D00000-0x0000000009D76000-memory.dmp

Filesize
472KB

Download
memory/1032-1122-0x0000000007FA0000-0x0000000007FDC000-memory.dmp

Filesize
240KB

Download
memory/1032-1134-0x000000000A0D0000-0x000000000A5FC000-memory.dmp

Filesize
5.2MB

Download
memory/1032-1133-0x0000000009EF0000-0x000000000A0B2000-memory.dmp

Filesize
1.8MB

Download
memory/1032-1132-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1032-1131-0x0000000009D90000-0x0000000009DE0000-memory.dmp

Filesize
320KB

Download
memory/1032-209-0x0000000002BA0000-0x0000000002BEB000-memory.dmp

Filesize
300KB

Download
memory/1032-210-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1032-211-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1032-212-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-213-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-215-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-217-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-219-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-221-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-223-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-225-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-227-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-229-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-231-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-233-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-235-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-237-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-239-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-241-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-243-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-246-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/1032-244-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1032-1119-0x00000000077A0000-0x0000000007DB8000-memory.dmp

Filesize
6.1MB

Download
memory/1032-1120-0x0000000007E40000-0x0000000007F4A000-memory.dmp

Filesize
1.0MB

Download
memory/1032-1121-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/1032-1129-0x0000000008940000-0x00000000089D2000-memory.dmp

Filesize
584KB

Download
memory/1032-1123-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1032-1125-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1032-1126-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1032-1127-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1032-1128-0x0000000008290000-0x00000000082F6000-memory.dmp

Filesize
408KB

Download
memory/4276-161-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/5000-189-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-173-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-185-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-183-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-203-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/5000-196-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-197-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/5000-187-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-167-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/5000-193-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-191-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-201-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/5000-199-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-200-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/5000-204-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/5000-181-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-179-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-177-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-175-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-195-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/5000-171-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-170-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5000-169-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download
memory/5000-168-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/5032-1142-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/5032-1141-0x0000000000A50000-0x0000000000A82000-memory.dmp

Filesize
200KB

Download