amadey | 10f8fdb6c418db38657f0555e7f849b06669ad006ea3c57d25a48dd14eabee6b

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe
Size

1.0MB
MD5

5ab493e8263fdc603cd5d6379781370c
SHA1

92e0ff46ecd086e0e030e9ccb0d9b12a5b0716b4
SHA256

cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343
SHA512

eb3faa8f0129453676b637739b3b4813ea6975bf88bf1c566588c8250aac67a50163a921482d0b5491df19b8e4a78bffd5c1e1ee9d64c73152c165cbfb6d933f
SSDEEP

12288:/Mrjy90Pqd4U96S5aY50+IprbrXcGhJb3pJmaiqorbP0XHG4ioCk88AVKMCT6C:gybdfDg+INrxhhHmdrbP4mDoJANu3

Score

10^/10

amadey aurora raccoon redline 301867536c206e3dae52e6d17c16cc9b fort sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

fort

193.233.20.33:4125

Attributes

auth_value
5ea5673154a804d8c80f565f7276f720

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

raccoon

Botnet

301867536c206e3dae52e6d17c16cc9b

http://213.226.100.108/

rc4.plain

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz3801.exev6837xU.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v6837xU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz3801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3801.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3801.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3440-214-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-215-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-217-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-219-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-221-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-223-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-225-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-227-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-229-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-231-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-233-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-235-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-237-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-239-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-241-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-243-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-245-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline
behavioral2/memory/3440-247-0x0000000007710000-0x000000000774E000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y69Lh26.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y69Lh26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 13 IoCs

Processes:

zap7146.exezap9018.exezap1202.exetz3801.exev6837xU.exew38dM76.exexXdsh93.exey69Lh26.exelegenda.exe2.exe2023.exelegenda.exelegenda.exe

pid	process
4576	zap7146.exe
1764	zap9018.exe
1504	zap1202.exe
3960	tz3801.exe
4880	v6837xU.exe
3440	w38dM76.exe
4972	xXdsh93.exe
3620	y69Lh26.exe
2724	legenda.exe
4660	2.exe
5036	2023.exe
860	legenda.exe
4520	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3900 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3900	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz3801.exev6837xU.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3801.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v6837xU.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exezap7146.exezap9018.exezap1202.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7146.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9018.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap9018.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1202.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1696 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz3801.exev6837xU.exew38dM76.exexXdsh93.exe

pid process

3960 tz3801.exe
3960 tz3801.exe
4880 v6837xU.exe
4880 v6837xU.exe
3440 w38dM76.exe
3440 w38dM76.exe
4972 xXdsh93.exe
4972 xXdsh93.exe

pid	process
1696	schtasks.exe

pid	process
3960	tz3801.exe
3960	tz3801.exe
4880	v6837xU.exe
4880	v6837xU.exe
3440	w38dM76.exe
3440	w38dM76.exe
4972	xXdsh93.exe
4972	xXdsh93.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz3801.exev6837xU.exew38dM76.exexXdsh93.exe

description	pid	process
Token: SeDebugPrivilege	3960	tz3801.exe
Token: SeDebugPrivilege	4880	v6837xU.exe
Token: SeDebugPrivilege	3440	w38dM76.exe
Token: SeDebugPrivilege	4972	xXdsh93.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exezap7146.exezap9018.exezap1202.exey69Lh26.exelegenda.execmd.exe

description	pid	process	target process
PID 4840 wrote to memory of 4576	4840	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	zap7146.exe
PID 4840 wrote to memory of 4576	4840	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	zap7146.exe
PID 4840 wrote to memory of 4576	4840	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	zap7146.exe
PID 4576 wrote to memory of 1764	4576	zap7146.exe	zap9018.exe
PID 4576 wrote to memory of 1764	4576	zap7146.exe	zap9018.exe
PID 4576 wrote to memory of 1764	4576	zap7146.exe	zap9018.exe
PID 1764 wrote to memory of 1504	1764	zap9018.exe	zap1202.exe
PID 1764 wrote to memory of 1504	1764	zap9018.exe	zap1202.exe
PID 1764 wrote to memory of 1504	1764	zap9018.exe	zap1202.exe
PID 1504 wrote to memory of 3960	1504	zap1202.exe	tz3801.exe
PID 1504 wrote to memory of 3960	1504	zap1202.exe	tz3801.exe
PID 1504 wrote to memory of 4880	1504	zap1202.exe	v6837xU.exe
PID 1504 wrote to memory of 4880	1504	zap1202.exe	v6837xU.exe
PID 1504 wrote to memory of 4880	1504	zap1202.exe	v6837xU.exe
PID 1764 wrote to memory of 3440	1764	zap9018.exe	w38dM76.exe
PID 1764 wrote to memory of 3440	1764	zap9018.exe	w38dM76.exe
PID 1764 wrote to memory of 3440	1764	zap9018.exe	w38dM76.exe
PID 4576 wrote to memory of 4972	4576	zap7146.exe	xXdsh93.exe
PID 4576 wrote to memory of 4972	4576	zap7146.exe	xXdsh93.exe
PID 4576 wrote to memory of 4972	4576	zap7146.exe	xXdsh93.exe
PID 4840 wrote to memory of 3620	4840	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	y69Lh26.exe
PID 4840 wrote to memory of 3620	4840	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	y69Lh26.exe
PID 4840 wrote to memory of 3620	4840	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	y69Lh26.exe
PID 3620 wrote to memory of 2724	3620	y69Lh26.exe	legenda.exe
PID 3620 wrote to memory of 2724	3620	y69Lh26.exe	legenda.exe
PID 3620 wrote to memory of 2724	3620	y69Lh26.exe	legenda.exe
PID 2724 wrote to memory of 1696	2724	legenda.exe	schtasks.exe
PID 2724 wrote to memory of 1696	2724	legenda.exe	schtasks.exe
PID 2724 wrote to memory of 1696	2724	legenda.exe	schtasks.exe
PID 2724 wrote to memory of 1848	2724	legenda.exe	cmd.exe
PID 2724 wrote to memory of 1848	2724	legenda.exe	cmd.exe
PID 2724 wrote to memory of 1848	2724	legenda.exe	cmd.exe
PID 1848 wrote to memory of 4848	1848	cmd.exe	cmd.exe
PID 1848 wrote to memory of 4848	1848	cmd.exe	cmd.exe
PID 1848 wrote to memory of 4848	1848	cmd.exe	cmd.exe
PID 1848 wrote to memory of 2144	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 2144	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 2144	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 3876	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 3876	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 3876	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 3972	1848	cmd.exe	cmd.exe
PID 1848 wrote to memory of 3972	1848	cmd.exe	cmd.exe
PID 1848 wrote to memory of 3972	1848	cmd.exe	cmd.exe
PID 1848 wrote to memory of 4584	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 4584	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 4584	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 4044	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 4044	1848	cmd.exe	cacls.exe
PID 1848 wrote to memory of 4044	1848	cmd.exe	cacls.exe
PID 2724 wrote to memory of 4660	2724	legenda.exe	2.exe
PID 2724 wrote to memory of 4660	2724	legenda.exe	2.exe
PID 2724 wrote to memory of 4660	2724	legenda.exe	2.exe
PID 2724 wrote to memory of 5036	2724	legenda.exe	2023.exe
PID 2724 wrote to memory of 5036	2724	legenda.exe	2023.exe
PID 2724 wrote to memory of 5036	2724	legenda.exe	2023.exe
PID 2724 wrote to memory of 3900	2724	legenda.exe	rundll32.exe
PID 2724 wrote to memory of 3900	2724	legenda.exe	rundll32.exe
PID 2724 wrote to memory of 3900	2724	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe
"C:\Users\Admin\AppData\Local\Temp\cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7146.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7146.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9018.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9018.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1202.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1202.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3801.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3801.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXdsh93.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXdsh93.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69Lh26.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69Lh26.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4848
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:N"
        5⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:R" /E
        5⤵
        
        PID:3876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3972
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:N"
        5⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:R" /E
        5⤵
        
        PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe"
      4⤵
      Executes dropped EXE
      PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\1000191001\2023.exe
      "C:\Users\Admin\AppData\Local\Temp\1000191001\2023.exe"
      4⤵
      Executes dropped EXE
      PID:5036
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3900

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:860

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe

Filesize
110KB

MD5
bc338e23e5411697561306eabb29bd9c

SHA1
2503a1d824af32214f3102d6e0d2e52d439b91f8

SHA256
fc89f7167628e95935070f6a72c859da69a91655e72c4d8c8e31fbac73c2d379

SHA512
f5fa3d4f0d611225393f9ff33de6657c1c47c89e11695b44fd35c840ea6ed0545c7b1da7ce4009d8cca76cf9587cb1c4586c992cb646d4cbeb816ef72e8c9254

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe

Filesize
110KB

MD5
bc338e23e5411697561306eabb29bd9c

SHA1
2503a1d824af32214f3102d6e0d2e52d439b91f8

SHA256
fc89f7167628e95935070f6a72c859da69a91655e72c4d8c8e31fbac73c2d379

SHA512
f5fa3d4f0d611225393f9ff33de6657c1c47c89e11695b44fd35c840ea6ed0545c7b1da7ce4009d8cca76cf9587cb1c4586c992cb646d4cbeb816ef72e8c9254

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe

Filesize
110KB

MD5
bc338e23e5411697561306eabb29bd9c

SHA1
2503a1d824af32214f3102d6e0d2e52d439b91f8

SHA256
fc89f7167628e95935070f6a72c859da69a91655e72c4d8c8e31fbac73c2d379

SHA512
f5fa3d4f0d611225393f9ff33de6657c1c47c89e11695b44fd35c840ea6ed0545c7b1da7ce4009d8cca76cf9587cb1c4586c992cb646d4cbeb816ef72e8c9254

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000191001\2023.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000191001\2023.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000191001\2023.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69Lh26.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69Lh26.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7146.exe

Filesize
846KB

MD5
5317c4e1a8c51a1464d2d4bb0dce0b36

SHA1
3cdae911225bdb81900477c136a5ab091afc9d81

SHA256
4f5346c8e163d2433f152db3db4590122f85da8a1f5f8436acb070fc2d00d749

SHA512
47bb8d4177925c521a3bc71208b8e0aec584ada9355b28a5baf556d70214f0403e986ffa8e84484379fda71c312785f59f3f3c6fdfa73d2b0765729ee50f34d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7146.exe

Filesize
846KB

MD5
5317c4e1a8c51a1464d2d4bb0dce0b36

SHA1
3cdae911225bdb81900477c136a5ab091afc9d81

SHA256
4f5346c8e163d2433f152db3db4590122f85da8a1f5f8436acb070fc2d00d749

SHA512
47bb8d4177925c521a3bc71208b8e0aec584ada9355b28a5baf556d70214f0403e986ffa8e84484379fda71c312785f59f3f3c6fdfa73d2b0765729ee50f34d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXdsh93.exe

Filesize
175KB

MD5
61e94f59f33c69cc82d12e186cb7995f

SHA1
218f44f70e692e0a5371eae8774dd7d74a1ca416

SHA256
4fac93d65ffdf72d8c6daa48e86d5ccf0d039171676b401347ee254da38bb035

SHA512
c9bdb611cd610d5cb62be5b08673b10b59c734edc10b28ad8c7026c896fe8c1de2530e91cf59c6f0401edde4de8d347333933273168d73e2a03d328e632af5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXdsh93.exe

Filesize
175KB

MD5
61e94f59f33c69cc82d12e186cb7995f

SHA1
218f44f70e692e0a5371eae8774dd7d74a1ca416

SHA256
4fac93d65ffdf72d8c6daa48e86d5ccf0d039171676b401347ee254da38bb035

SHA512
c9bdb611cd610d5cb62be5b08673b10b59c734edc10b28ad8c7026c896fe8c1de2530e91cf59c6f0401edde4de8d347333933273168d73e2a03d328e632af5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9018.exe

Filesize
704KB

MD5
59824d893af57cd4f4dd333b33322367

SHA1
c94f5bc82cbfb69adeb1ab662e179f7957cc5890

SHA256
0acd37ec594ac1db83dbd6eaac2e66e145777d2791d23cf404a61ab833b0c1a0

SHA512
405518e858075ee06d684fa29345aa9879d666fa19703cb4c2ed1f84b1376d41590ed47d95c90aa893aeba8305769f63620379ff35f6644cfb74eeb4299df2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9018.exe

Filesize
704KB

MD5
59824d893af57cd4f4dd333b33322367

SHA1
c94f5bc82cbfb69adeb1ab662e179f7957cc5890

SHA256
0acd37ec594ac1db83dbd6eaac2e66e145777d2791d23cf404a61ab833b0c1a0

SHA512
405518e858075ee06d684fa29345aa9879d666fa19703cb4c2ed1f84b1376d41590ed47d95c90aa893aeba8305769f63620379ff35f6644cfb74eeb4299df2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe

Filesize
379KB

MD5
eca25aec9008d892ccda5b7932200b99

SHA1
b7c557e00eeb0e2c5443c987f6c8cefc5c6638da

SHA256
77e22b2ef9a250e95d3cf22a7d72880ec12e7e7b893fac5b78c2d958eeb22ed5

SHA512
6a3e68f7dcfc96d603fed6fd639bf33999a6f1475d643b7c8386eeee62748674a5ee1aed760fe2bd6851b8318656739df45a8f0255dd5ba27696d6b128148421

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe

Filesize
379KB

MD5
eca25aec9008d892ccda5b7932200b99

SHA1
b7c557e00eeb0e2c5443c987f6c8cefc5c6638da

SHA256
77e22b2ef9a250e95d3cf22a7d72880ec12e7e7b893fac5b78c2d958eeb22ed5

SHA512
6a3e68f7dcfc96d603fed6fd639bf33999a6f1475d643b7c8386eeee62748674a5ee1aed760fe2bd6851b8318656739df45a8f0255dd5ba27696d6b128148421

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1202.exe

Filesize
349KB

MD5
b684967277b44899337eb466e687f8a3

SHA1
20b979cf6b3852feabe8e420fbd2c0701caed366

SHA256
102c23a20ce74c8859950279d0de4a91091e8912877a332c0e8d5c90473c6c0f

SHA512
95362d952449aa4e424b975f7415e43d15dc4e893425679afce9b1a066e0bcc25355a8794dc633cb9d699b55cead039b37761c2ebd9ae978c8bb45dd8b8a075a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1202.exe

Filesize
349KB

MD5
b684967277b44899337eb466e687f8a3

SHA1
20b979cf6b3852feabe8e420fbd2c0701caed366

SHA256
102c23a20ce74c8859950279d0de4a91091e8912877a332c0e8d5c90473c6c0f

SHA512
95362d952449aa4e424b975f7415e43d15dc4e893425679afce9b1a066e0bcc25355a8794dc633cb9d699b55cead039b37761c2ebd9ae978c8bb45dd8b8a075a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3801.exe

Filesize
12KB

MD5
f7e156712232cb4e5dce14b7f1961e75

SHA1
5c2aa13a04926a376cedaea5069df2cc4bfeb53f

SHA256
6d24b108886b08672e33415999a500a65a235fd6e39e5aa9b2bcb338b18aa680

SHA512
ec51e38433a7ec37947b00f7da98bd58a5a27a90c50b1592e273cc54895c0d1c70640e74c4d1575577e16251decc0aba663c280786eaadffb949632c8d5a9a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3801.exe

Filesize
12KB

MD5
f7e156712232cb4e5dce14b7f1961e75

SHA1
5c2aa13a04926a376cedaea5069df2cc4bfeb53f

SHA256
6d24b108886b08672e33415999a500a65a235fd6e39e5aa9b2bcb338b18aa680

SHA512
ec51e38433a7ec37947b00f7da98bd58a5a27a90c50b1592e273cc54895c0d1c70640e74c4d1575577e16251decc0aba663c280786eaadffb949632c8d5a9a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe

Filesize
322KB

MD5
42b9a6e3f8858547b2ad9cc8ccc8b2fb

SHA1
e4efab917132d1629e798849b5e34bee26997d16

SHA256
457c3fae1725e061c26db68d5d4a3616942606368979feb998457411e228c311

SHA512
e912818a002c08f68ee69a72f3bef839a6a8a9d62fe20833767e9092570c5a1ae0108c09bfedcda46972299958e0819529753c1ff930353c3eb800cb173ddf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe

Filesize
322KB

MD5
42b9a6e3f8858547b2ad9cc8ccc8b2fb

SHA1
e4efab917132d1629e798849b5e34bee26997d16

SHA256
457c3fae1725e061c26db68d5d4a3616942606368979feb998457411e228c311

SHA512
e912818a002c08f68ee69a72f3bef839a6a8a9d62fe20833767e9092570c5a1ae0108c09bfedcda46972299958e0819529753c1ff930353c3eb800cb173ddf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/3440-1133-0x0000000008C40000-0x0000000008E02000-memory.dmp

Filesize
1.8MB

Download
memory/3440-1124-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/3440-1137-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/3440-1134-0x0000000008E10000-0x000000000933C000-memory.dmp

Filesize
5.2MB

Download
memory/3440-1132-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/3440-1131-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/3440-1130-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/3440-210-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/3440-211-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/3440-213-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/3440-212-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/3440-214-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-215-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-217-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-219-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-221-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-223-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-225-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-227-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-229-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-231-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-233-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-235-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-237-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-239-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-241-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-243-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-245-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-247-0x0000000007710000-0x000000000774E000-memory.dmp

Filesize
248KB

Download
memory/3440-1120-0x0000000007790000-0x0000000007DA8000-memory.dmp

Filesize
6.1MB

Download
memory/3440-1121-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/3440-1122-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/3440-1123-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/3440-1129-0x0000000008AB0000-0x0000000008B00000-memory.dmp

Filesize
320KB

Download
memory/3440-1126-0x0000000008280000-0x00000000082E6000-memory.dmp

Filesize
408KB

Download
memory/3440-1127-0x0000000008930000-0x00000000089C2000-memory.dmp

Filesize
584KB

Download
memory/3440-1128-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/3960-161-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download
memory/4880-188-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-199-0x00000000070C0000-0x00000000070D0000-memory.dmp

Filesize
64KB

Download
memory/4880-190-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-198-0x00000000070C0000-0x00000000070D0000-memory.dmp

Filesize
64KB

Download
memory/4880-205-0x00000000070C0000-0x00000000070D0000-memory.dmp

Filesize
64KB

Download
memory/4880-203-0x00000000070C0000-0x00000000070D0000-memory.dmp

Filesize
64KB

Download
memory/4880-197-0x00000000070C0000-0x00000000070D0000-memory.dmp

Filesize
64KB

Download
memory/4880-196-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-201-0x00000000070C0000-0x00000000070D0000-memory.dmp

Filesize
64KB

Download
memory/4880-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4880-194-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-192-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-204-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4880-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4880-172-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-184-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-182-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-180-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-178-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-176-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-174-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-186-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-170-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-169-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/4880-168-0x00000000070D0000-0x0000000007674000-memory.dmp

Filesize
5.6MB

Download
memory/4972-1142-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4972-1141-0x0000000000110000-0x0000000000142000-memory.dmp

Filesize
200KB

Download