amadey | 5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d

Analysis

max time kernel
139s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2023, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe
Size

977KB
MD5

aa94c837aaac604b01383e813336c0e4
SHA1

29dacaad50ac310c5774ca638520cc3aae0ce09f
SHA256

5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d
SHA512

3be421797d94040e733ae7f12c10c48750bed3949f4dec41d6dc87faa1d2a3a6bb89a97e3e393c22736a20009a6d7b01bae0ac6355f4c8efdae14de6aecff7b8
SSDEEP

24576:fy3m27ZPmmMSRIQVLZ0w5jBrY3YdoXcKfsPNVGXM:q3RFPmmMSpLZ0wRBrY3iosKUPNVi

Score

10^/10

amadey redline @dridexxsupport nado rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nado

176.113.115.145:4125

Attributes

auth_value
a648e365d8e0df895a84152ad68ffc56

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

83.217.11.28:30827

Attributes

auth_value
2b0f3dc1f2266e50326d5210b0ebf9a3

Extracted

Family

redline

Botnet

@DridexxSupport

188.212.124.133:16312

Attributes

auth_value
e5a22ab56ec9b2f984d6e4504915843a

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5025rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5025rK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4450.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5025rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5025rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5025rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5025rK.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/4564-215-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-217-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-214-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-219-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-221-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-223-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-225-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-227-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-229-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-231-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-233-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-235-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-237-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-239-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-241-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-243-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-245-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/4564-247-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y81uN49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Spfteysaad.exe

Executes dropped EXE 14 IoCs

pid	Process
1324	zap8775.exe
1508	zap0147.exe
4348	zap7619.exe
4408	tz4450.exe
3908	v5025rK.exe
4564	w98Kz39.exe
5080	xvmhj37.exe
2812	y81uN49.exe
912	legenda.exe
1020	Spfteysaad.exe
4052	BTC_coldwal_extrc.exe
1524	legenda.exe
4812	Spfteysaad.exe
2776	legenda.exe

Loads dropped DLL 1 IoCs

pid	Process
2936	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4450.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5025rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5025rK.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8775.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0147.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xlhsemudcu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zvkscdmjuiy\\Xlhsemudcu.exe\""	Spfteysaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8775.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap0147.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7619.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4052 set thread context of 4088	4052	BTC_coldwal_extrc.exe	120
PID 1020 set thread context of 4812	1020	Spfteysaad.exe	126

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2900	3908	WerFault.exe	94
832	4564	WerFault.exe	97
860	4052	WerFault.exe	119

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4408	tz4450.exe
4408	tz4450.exe
3908	v5025rK.exe
3908	v5025rK.exe
4564	w98Kz39.exe
4564	w98Kz39.exe
5080	xvmhj37.exe
5080	xvmhj37.exe
1616	powershell.exe
1616	powershell.exe
4088	RegSvcs.exe
4088	RegSvcs.exe
4812	Spfteysaad.exe
4812	Spfteysaad.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4408	tz4450.exe
Token: SeDebugPrivilege	3908	v5025rK.exe
Token: SeDebugPrivilege	4564	w98Kz39.exe
Token: SeDebugPrivilege	5080	xvmhj37.exe
Token: SeDebugPrivilege	1020	Spfteysaad.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	4088	RegSvcs.exe
Token: SeDebugPrivilege	4812	Spfteysaad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 1324	5036	5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe	85
PID 5036 wrote to memory of 1324	5036	5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe	85
PID 5036 wrote to memory of 1324	5036	5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe	85
PID 1324 wrote to memory of 1508	1324	zap8775.exe	86
PID 1324 wrote to memory of 1508	1324	zap8775.exe	86
PID 1324 wrote to memory of 1508	1324	zap8775.exe	86
PID 1508 wrote to memory of 4348	1508	zap0147.exe	87
PID 1508 wrote to memory of 4348	1508	zap0147.exe	87
PID 1508 wrote to memory of 4348	1508	zap0147.exe	87
PID 4348 wrote to memory of 4408	4348	zap7619.exe	88
PID 4348 wrote to memory of 4408	4348	zap7619.exe	88
PID 4348 wrote to memory of 3908	4348	zap7619.exe	94
PID 4348 wrote to memory of 3908	4348	zap7619.exe	94
PID 4348 wrote to memory of 3908	4348	zap7619.exe	94
PID 1508 wrote to memory of 4564	1508	zap0147.exe	97
PID 1508 wrote to memory of 4564	1508	zap0147.exe	97
PID 1508 wrote to memory of 4564	1508	zap0147.exe	97
PID 1324 wrote to memory of 5080	1324	zap8775.exe	105
PID 1324 wrote to memory of 5080	1324	zap8775.exe	105
PID 1324 wrote to memory of 5080	1324	zap8775.exe	105
PID 5036 wrote to memory of 2812	5036	5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe	106
PID 5036 wrote to memory of 2812	5036	5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe	106
PID 5036 wrote to memory of 2812	5036	5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe	106
PID 2812 wrote to memory of 912	2812	y81uN49.exe	107
PID 2812 wrote to memory of 912	2812	y81uN49.exe	107
PID 2812 wrote to memory of 912	2812	y81uN49.exe	107
PID 912 wrote to memory of 1700	912	legenda.exe	108
PID 912 wrote to memory of 1700	912	legenda.exe	108
PID 912 wrote to memory of 1700	912	legenda.exe	108
PID 912 wrote to memory of 2604	912	legenda.exe	110
PID 912 wrote to memory of 2604	912	legenda.exe	110
PID 912 wrote to memory of 2604	912	legenda.exe	110
PID 2604 wrote to memory of 4516	2604	cmd.exe	112
PID 2604 wrote to memory of 4516	2604	cmd.exe	112
PID 2604 wrote to memory of 4516	2604	cmd.exe	112
PID 2604 wrote to memory of 4744	2604	cmd.exe	113
PID 2604 wrote to memory of 4744	2604	cmd.exe	113
PID 2604 wrote to memory of 4744	2604	cmd.exe	113
PID 2604 wrote to memory of 1456	2604	cmd.exe	114
PID 2604 wrote to memory of 1456	2604	cmd.exe	114
PID 2604 wrote to memory of 1456	2604	cmd.exe	114
PID 2604 wrote to memory of 2856	2604	cmd.exe	115
PID 2604 wrote to memory of 2856	2604	cmd.exe	115
PID 2604 wrote to memory of 2856	2604	cmd.exe	115
PID 2604 wrote to memory of 2796	2604	cmd.exe	116
PID 2604 wrote to memory of 2796	2604	cmd.exe	116
PID 2604 wrote to memory of 2796	2604	cmd.exe	116
PID 2604 wrote to memory of 1576	2604	cmd.exe	117
PID 2604 wrote to memory of 1576	2604	cmd.exe	117
PID 2604 wrote to memory of 1576	2604	cmd.exe	117
PID 912 wrote to memory of 1020	912	legenda.exe	118
PID 912 wrote to memory of 1020	912	legenda.exe	118
PID 912 wrote to memory of 1020	912	legenda.exe	118
PID 912 wrote to memory of 4052	912	legenda.exe	119
PID 912 wrote to memory of 4052	912	legenda.exe	119
PID 912 wrote to memory of 4052	912	legenda.exe	119
PID 4052 wrote to memory of 4088	4052	BTC_coldwal_extrc.exe	120
PID 4052 wrote to memory of 4088	4052	BTC_coldwal_extrc.exe	120
PID 4052 wrote to memory of 4088	4052	BTC_coldwal_extrc.exe	120
PID 4052 wrote to memory of 4088	4052	BTC_coldwal_extrc.exe	120
PID 4052 wrote to memory of 4088	4052	BTC_coldwal_extrc.exe	120
PID 1020 wrote to memory of 1616	1020	Spfteysaad.exe	123
PID 1020 wrote to memory of 1616	1020	Spfteysaad.exe	123
PID 1020 wrote to memory of 1616	1020	Spfteysaad.exe	123

C:\Users\Admin\AppData\Local\Temp\5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe
"C:\Users\Admin\AppData\Local\Temp\5fe327111a51129fa96bcd1a4caffbb2ee95534e3c90415cb00e4884b663787d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8775.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8775.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0147.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0147.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7619.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7619.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4450.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4450.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5025rK.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5025rK.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1080
        6⤵
        Program crash
        
        PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w98Kz39.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w98Kz39.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4564
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1520
        5⤵
        Program crash
        
        PID:832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvmhj37.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvmhj37.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y81uN49.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y81uN49.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4516
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:N"
        5⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:R" /E
        5⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:N"
        5⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:R" /E
        5⤵
        
        PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\1000217001\Spfteysaad.exe
      "C:\Users\Admin\AppData\Local\Temp\1000217001\Spfteysaad.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\1000217001\Spfteysaad.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000217001\Spfteysaad.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\1000218001\BTC_coldwal_extrc.exe
      "C:\Users\Admin\AppData\Local\Temp\1000218001\BTC_coldwal_extrc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 572
        5⤵
        Program crash
        
        PID:860
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3908 -ip 3908
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4564 -ip 4564
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4052 -ip 4052
1⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:2776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Spfteysaad.exe.log

Filesize
1KB

MD5
777c191192611ccd3ad42445d9b4fbff

SHA1
7102e6210880506e7d72644490c653f0d63bef69

SHA256
c2c03dac7c91dd00f36b854abf0f004c5ac1b21a6799fe3d5c36c778c11ecec7

SHA512
1a153ac56d3d6c76df88da46a13062ce2ff2849926756ec4e58b11ff1090807e16c32092d9f6a432b721a4b1930d838fcf4404c91480c6c830b07ca18f38f324

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000217001\Spfteysaad.exe

Filesize
2.3MB

MD5
8f3e8fa1ba9c4c10680a9135a2ab6724

SHA1
40786bac389dcd6b175f9973b81e706cdb9806cf

SHA256
9c1cee20e92c68a18b34672ff0a8ba4c931e90a18b47ffca826cb2053cb2ee1a

SHA512
851aa6b4c91a3d7ffa1ca93c7b1b651e2df0537679d564d0b4868acd1b8757eb0e3dca05b8752706717d96b1526049cb85a44427d9bbd425d0c1ec783cda5836

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000217001\Spfteysaad.exe

Filesize
2.3MB

MD5
8f3e8fa1ba9c4c10680a9135a2ab6724

SHA1
40786bac389dcd6b175f9973b81e706cdb9806cf

SHA256
9c1cee20e92c68a18b34672ff0a8ba4c931e90a18b47ffca826cb2053cb2ee1a

SHA512
851aa6b4c91a3d7ffa1ca93c7b1b651e2df0537679d564d0b4868acd1b8757eb0e3dca05b8752706717d96b1526049cb85a44427d9bbd425d0c1ec783cda5836

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000217001\Spfteysaad.exe

Filesize
2.3MB

MD5
8f3e8fa1ba9c4c10680a9135a2ab6724

SHA1
40786bac389dcd6b175f9973b81e706cdb9806cf

SHA256
9c1cee20e92c68a18b34672ff0a8ba4c931e90a18b47ffca826cb2053cb2ee1a

SHA512
851aa6b4c91a3d7ffa1ca93c7b1b651e2df0537679d564d0b4868acd1b8757eb0e3dca05b8752706717d96b1526049cb85a44427d9bbd425d0c1ec783cda5836

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000217001\Spfteysaad.exe

Filesize
2.3MB

MD5
8f3e8fa1ba9c4c10680a9135a2ab6724

SHA1
40786bac389dcd6b175f9973b81e706cdb9806cf

SHA256
9c1cee20e92c68a18b34672ff0a8ba4c931e90a18b47ffca826cb2053cb2ee1a

SHA512
851aa6b4c91a3d7ffa1ca93c7b1b651e2df0537679d564d0b4868acd1b8757eb0e3dca05b8752706717d96b1526049cb85a44427d9bbd425d0c1ec783cda5836

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000218001\BTC_coldwal_extrc.exe

Filesize
1.1MB

MD5
35c4dd09a4b5af6a852a27e85ae0c462

SHA1
a0fdd51b1e5718e26223f50960b95e2e4082ed91

SHA256
ad8e1b53dd81ce9a9ca730a8503cc17095dc8ce0e3c559b13bf36ca679115799

SHA512
eaa27c343aabbeaa6e33fa7bdb4ae2bd9048420a7a2adbba245e84201e280e5982760bed9a3dd7012c2c9875d244a196d68d756ee16cb7fc4197bc3e616a823a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000218001\BTC_coldwal_extrc.exe

Filesize
1.1MB

MD5
35c4dd09a4b5af6a852a27e85ae0c462

SHA1
a0fdd51b1e5718e26223f50960b95e2e4082ed91

SHA256
ad8e1b53dd81ce9a9ca730a8503cc17095dc8ce0e3c559b13bf36ca679115799

SHA512
eaa27c343aabbeaa6e33fa7bdb4ae2bd9048420a7a2adbba245e84201e280e5982760bed9a3dd7012c2c9875d244a196d68d756ee16cb7fc4197bc3e616a823a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000218001\BTC_coldwal_extrc.exe

Filesize
1.1MB

MD5
35c4dd09a4b5af6a852a27e85ae0c462

SHA1
a0fdd51b1e5718e26223f50960b95e2e4082ed91

SHA256
ad8e1b53dd81ce9a9ca730a8503cc17095dc8ce0e3c559b13bf36ca679115799

SHA512
eaa27c343aabbeaa6e33fa7bdb4ae2bd9048420a7a2adbba245e84201e280e5982760bed9a3dd7012c2c9875d244a196d68d756ee16cb7fc4197bc3e616a823a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y81uN49.exe

Filesize
235KB

MD5
912c769fa0e6b04ce4afa80689a5629d

SHA1
a2de29f768a964d7f4a4e067312b0dc2266ae136

SHA256
13958a8fbf512d5fa1537286b4ebc5192d04dcbd888f80ac608d1763b6b93e44

SHA512
13b39b90db0d457647b6ed45a5c5c26052f2d4934eb088461c6955e2a4e2d69bd5d7ef7f449a7580b54e30ef9fbb9b622cce5d047cb3be273c3790af06f04c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y81uN49.exe

Filesize
235KB

MD5
912c769fa0e6b04ce4afa80689a5629d

SHA1
a2de29f768a964d7f4a4e067312b0dc2266ae136

SHA256
13958a8fbf512d5fa1537286b4ebc5192d04dcbd888f80ac608d1763b6b93e44

SHA512
13b39b90db0d457647b6ed45a5c5c26052f2d4934eb088461c6955e2a4e2d69bd5d7ef7f449a7580b54e30ef9fbb9b622cce5d047cb3be273c3790af06f04c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8775.exe

Filesize
805KB

MD5
5cd24f55d8b3eafb1d3d12a0b837f237

SHA1
bd97df24944353c131f2e69bbf1ae16f6f0d2e0f

SHA256
36b6d7015966a00f241a2778ace5ec230b5e67a89e961e92311b4d66d324e9b3

SHA512
2c26cf50b04d5a158f69fe0fdebadb7b8d5e7068ac23b78f028278077a6371a967d26a7424450a134175cfc509476d5f196bc5a924c740905051e49b3ffb868b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8775.exe

Filesize
805KB

MD5
5cd24f55d8b3eafb1d3d12a0b837f237

SHA1
bd97df24944353c131f2e69bbf1ae16f6f0d2e0f

SHA256
36b6d7015966a00f241a2778ace5ec230b5e67a89e961e92311b4d66d324e9b3

SHA512
2c26cf50b04d5a158f69fe0fdebadb7b8d5e7068ac23b78f028278077a6371a967d26a7424450a134175cfc509476d5f196bc5a924c740905051e49b3ffb868b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvmhj37.exe

Filesize
175KB

MD5
19041144b80c7eba3acefd12733a8738

SHA1
3cb71c81a2986c6318cc73444195b4620be5bfdc

SHA256
43a51352554de3ce80dd9a59f6e26777d6d5e58bb0d0807b15765e549653ffdd

SHA512
dc80726a13425ff0ada91f73b6e7c81ab028fdf299cbae3653832db50f8cc6665a2165851be66366022d5ee1d7b8821335368bebdaabba66f50189108a264aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvmhj37.exe

Filesize
175KB

MD5
19041144b80c7eba3acefd12733a8738

SHA1
3cb71c81a2986c6318cc73444195b4620be5bfdc

SHA256
43a51352554de3ce80dd9a59f6e26777d6d5e58bb0d0807b15765e549653ffdd

SHA512
dc80726a13425ff0ada91f73b6e7c81ab028fdf299cbae3653832db50f8cc6665a2165851be66366022d5ee1d7b8821335368bebdaabba66f50189108a264aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0147.exe

Filesize
663KB

MD5
848bc2a4f7704f53e24763a18d7b755c

SHA1
4a2ad071659b645dc765323dfa5f2afee63a9758

SHA256
3382a5ff05993fcaf87a7cdeb268375aa9cf14eb11639b34af175f4f8ac34526

SHA512
f4e0ee28dda617b87cb5f5db2ff5d3b6d171852d792ec1bd9849ff26d8291d5d4706cfebabd6896e605a8a629f9dacf111536684a3a0a464d6ebdaed6c8a4a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0147.exe

Filesize
663KB

MD5
848bc2a4f7704f53e24763a18d7b755c

SHA1
4a2ad071659b645dc765323dfa5f2afee63a9758

SHA256
3382a5ff05993fcaf87a7cdeb268375aa9cf14eb11639b34af175f4f8ac34526

SHA512
f4e0ee28dda617b87cb5f5db2ff5d3b6d171852d792ec1bd9849ff26d8291d5d4706cfebabd6896e605a8a629f9dacf111536684a3a0a464d6ebdaed6c8a4a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w98Kz39.exe

Filesize
333KB

MD5
98cb773c8d03ddc2e31ddd30afffc4d7

SHA1
c2293f8373665a6b345206fddbd8cf0f21a20a96

SHA256
fe64620cf5781a60996ad63be3bf148cd5a0a9872bd5bf8fe322b5bb5808dbc1

SHA512
562e3e9236c8646d96866fe61ca1b95ad12d093d969196575376c53e1377244513f55e159603cb0c86e2990337c88522acd900f99ff6ad1e87dd38a5ab60438b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w98Kz39.exe

Filesize
333KB

MD5
98cb773c8d03ddc2e31ddd30afffc4d7

SHA1
c2293f8373665a6b345206fddbd8cf0f21a20a96

SHA256
fe64620cf5781a60996ad63be3bf148cd5a0a9872bd5bf8fe322b5bb5808dbc1

SHA512
562e3e9236c8646d96866fe61ca1b95ad12d093d969196575376c53e1377244513f55e159603cb0c86e2990337c88522acd900f99ff6ad1e87dd38a5ab60438b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7619.exe

Filesize
328KB

MD5
7b1b0c4c31cfa4e3588b4a43268d1484

SHA1
c7d733490e1c681a17160fcac995db7229717ae5

SHA256
254909fb7040543e88719b5333fc6c48267519737f582a532300f8815ea3f233

SHA512
25c8ee7241fd2ab0e1358e0012d53e84f9573a5250b7ea443235b85951745a7ea25708a614cde9ccf7e24aec887572d37df766acff63ad5c989be8347725b2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7619.exe

Filesize
328KB

MD5
7b1b0c4c31cfa4e3588b4a43268d1484

SHA1
c7d733490e1c681a17160fcac995db7229717ae5

SHA256
254909fb7040543e88719b5333fc6c48267519737f582a532300f8815ea3f233

SHA512
25c8ee7241fd2ab0e1358e0012d53e84f9573a5250b7ea443235b85951745a7ea25708a614cde9ccf7e24aec887572d37df766acff63ad5c989be8347725b2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4450.exe

Filesize
12KB

MD5
739a9954a33f1fdb1388474767971a4e

SHA1
11470742fa3234500ec21ba8f20e75e4b1d6a206

SHA256
0fe3a07b20f219342da0f3a4d7cfd39debc3b6e90b6fc7c4e0c589061d8a6cb5

SHA512
6f20f170c2839218114ffc8ef28336a937974070176530ab1becaf617dd82e6f74713546c2cd40fa79224bef65d8a73194c38a85a53ee783084d9b5e27d4c9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4450.exe

Filesize
12KB

MD5
739a9954a33f1fdb1388474767971a4e

SHA1
11470742fa3234500ec21ba8f20e75e4b1d6a206

SHA256
0fe3a07b20f219342da0f3a4d7cfd39debc3b6e90b6fc7c4e0c589061d8a6cb5

SHA512
6f20f170c2839218114ffc8ef28336a937974070176530ab1becaf617dd82e6f74713546c2cd40fa79224bef65d8a73194c38a85a53ee783084d9b5e27d4c9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5025rK.exe

Filesize
275KB

MD5
a6c745c28868c314f008919aa7822c04

SHA1
d3f038116c6194aa55bee26e598783b2e9ed4c63

SHA256
a941ea66bd46e37ed11ef43947119569c7c1e87eda758dd8920fcb2b49d28022

SHA512
c4107eebdb85333209053be96aa8d17f35b285cf9f965dd4dcbc4cd0872e466b7ca27f2651a77f812b89962c9ae2d41cebafe047b952cf94b3302608310852a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5025rK.exe

Filesize
275KB

MD5
a6c745c28868c314f008919aa7822c04

SHA1
d3f038116c6194aa55bee26e598783b2e9ed4c63

SHA256
a941ea66bd46e37ed11ef43947119569c7c1e87eda758dd8920fcb2b49d28022

SHA512
c4107eebdb85333209053be96aa8d17f35b285cf9f965dd4dcbc4cd0872e466b7ca27f2651a77f812b89962c9ae2d41cebafe047b952cf94b3302608310852a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfe2emf1.svj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
912c769fa0e6b04ce4afa80689a5629d

SHA1
a2de29f768a964d7f4a4e067312b0dc2266ae136

SHA256
13958a8fbf512d5fa1537286b4ebc5192d04dcbd888f80ac608d1763b6b93e44

SHA512
13b39b90db0d457647b6ed45a5c5c26052f2d4934eb088461c6955e2a4e2d69bd5d7ef7f449a7580b54e30ef9fbb9b622cce5d047cb3be273c3790af06f04c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
912c769fa0e6b04ce4afa80689a5629d

SHA1
a2de29f768a964d7f4a4e067312b0dc2266ae136

SHA256
13958a8fbf512d5fa1537286b4ebc5192d04dcbd888f80ac608d1763b6b93e44

SHA512
13b39b90db0d457647b6ed45a5c5c26052f2d4934eb088461c6955e2a4e2d69bd5d7ef7f449a7580b54e30ef9fbb9b622cce5d047cb3be273c3790af06f04c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
912c769fa0e6b04ce4afa80689a5629d

SHA1
a2de29f768a964d7f4a4e067312b0dc2266ae136

SHA256
13958a8fbf512d5fa1537286b4ebc5192d04dcbd888f80ac608d1763b6b93e44

SHA512
13b39b90db0d457647b6ed45a5c5c26052f2d4934eb088461c6955e2a4e2d69bd5d7ef7f449a7580b54e30ef9fbb9b622cce5d047cb3be273c3790af06f04c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
912c769fa0e6b04ce4afa80689a5629d

SHA1
a2de29f768a964d7f4a4e067312b0dc2266ae136

SHA256
13958a8fbf512d5fa1537286b4ebc5192d04dcbd888f80ac608d1763b6b93e44

SHA512
13b39b90db0d457647b6ed45a5c5c26052f2d4934eb088461c6955e2a4e2d69bd5d7ef7f449a7580b54e30ef9fbb9b622cce5d047cb3be273c3790af06f04c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
912c769fa0e6b04ce4afa80689a5629d

SHA1
a2de29f768a964d7f4a4e067312b0dc2266ae136

SHA256
13958a8fbf512d5fa1537286b4ebc5192d04dcbd888f80ac608d1763b6b93e44

SHA512
13b39b90db0d457647b6ed45a5c5c26052f2d4934eb088461c6955e2a4e2d69bd5d7ef7f449a7580b54e30ef9fbb9b622cce5d047cb3be273c3790af06f04c91

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1020-1220-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/1020-1194-0x00000000068F0000-0x0000000006912000-memory.dmp

Filesize
136KB

Download
memory/1020-1188-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/1020-1175-0x0000000000E20000-0x000000000107E000-memory.dmp

Filesize
2.4MB

Download
memory/1020-1185-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/1616-1215-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/1616-1205-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/1616-1216-0x00000000078E0000-0x0000000007F5A000-memory.dmp

Filesize
6.5MB

Download
memory/1616-1217-0x0000000006790000-0x00000000067AA000-memory.dmp

Filesize
104KB

Download
memory/1616-1218-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1616-1204-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1616-1221-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1616-1222-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1616-1223-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1616-1202-0x0000000005410000-0x0000000005A38000-memory.dmp

Filesize
6.2MB

Download
memory/1616-1201-0x00000000028C0000-0x00000000028F6000-memory.dmp

Filesize
216KB

Download
memory/3908-199-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-181-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-203-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3908-167-0x0000000007370000-0x0000000007914000-memory.dmp

Filesize
5.6MB

Download
memory/3908-170-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3908-169-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3908-171-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3908-168-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

Filesize
180KB

Download
memory/3908-172-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-173-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-175-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-177-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-179-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-205-0x0000000000400000-0x0000000002B73000-memory.dmp

Filesize
39.4MB

Download
memory/3908-183-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-185-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-187-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-189-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-191-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-193-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-195-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-202-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3908-197-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3908-200-0x0000000000400000-0x0000000002B73000-memory.dmp

Filesize
39.4MB

Download
memory/3908-201-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4088-1200-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4088-1203-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/4408-161-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download
memory/4564-1128-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/4564-1130-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/4564-223-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-221-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-219-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-214-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-217-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-215-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-212-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/4564-213-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/4564-211-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/4564-210-0x0000000002D80000-0x0000000002DCB000-memory.dmp

Filesize
300KB

Download
memory/4564-233-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-235-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-227-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-229-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-1135-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/4564-1134-0x0000000008E30000-0x000000000935C000-memory.dmp

Filesize
5.2MB

Download
memory/4564-1133-0x0000000008C60000-0x0000000008E22000-memory.dmp

Filesize
1.8MB

Download
memory/4564-1132-0x0000000008BB0000-0x0000000008C00000-memory.dmp

Filesize
320KB

Download
memory/4564-1131-0x0000000008B30000-0x0000000008BA6000-memory.dmp

Filesize
472KB

Download
memory/4564-225-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-231-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-1129-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/4564-1127-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/4564-1126-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/4564-1124-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/4564-1123-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/4564-1122-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4564-1121-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4564-1120-0x0000000007790000-0x0000000007DA8000-memory.dmp

Filesize
6.1MB

Download
memory/4564-247-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-245-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-237-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-243-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-239-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4564-241-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/4812-1235-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/4812-1234-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4812-1233-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5080-1141-0x0000000000300000-0x0000000000332000-memory.dmp

Filesize
200KB

Download
memory/5080-1142-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download