amadey | 0b5f7c1ef438e6e7166c64a1ce4d750357427e7b5224f129d51402d8054d4578

Analysis

max time kernel
139s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e8d304019c52d789a04dcd2116bb8f0.exe
Size

736KB
MD5

2e8d304019c52d789a04dcd2116bb8f0
SHA1

e4657ba14c62d3a1e20239090cab0e887f9778ad
SHA256

0b5f7c1ef438e6e7166c64a1ce4d750357427e7b5224f129d51402d8054d4578
SHA512

da30005d30699d8ebd3c002523155a24e7ee5f6923b058ece512cc6b8a01b8d6c6570f88e50c2e874138e3ebb3f93940f52fc894d92f2e07f52c47a8cbf03fb7
SSDEEP

12288:Fyj0dbhk6UaS5MYBgAcxVQWiasbJkJCO0wRE9vqqxQhv/YNv+Tja/vuqvVhUvGLL:FyjgSdN5VGyWfsbJYCOJRE9CqxQV/KvJ

Score

10^/10

amadey raccoon redline rhadamanthys ef0d247d8b1fe318a7366ceff90b173d mucha collection discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mucha

83.97.73.131:19071

Attributes

auth_value
5d76e123341992ecf110010eb89456f0

Extracted

Family

amadey

Version

3.81

95.214.27.98/cronus/index.php

Extracted

Family

raccoon

Botnet

ef0d247d8b1fe318a7366ceff90b173d

http://79.137.207.76:80/

xor.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1424-248-0x0000000002350000-0x0000000002750000-memory.dmp	family_rhadamanthys
behavioral2/memory/1424-249-0x0000000002350000-0x0000000002750000-memory.dmp	family_rhadamanthys

Detects Healer an antivirus disabler dropper 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/564-161-0x00000000001F0000-0x00000000001FA000-memory.dmp	healer
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r2546584.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r2546584.exe	healer
behavioral2/memory/1120-170-0x0000000000250000-0x000000000025A000-memory.dmp	healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

p5877378.exer2546584.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p5877378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p5877378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p5877378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p5877378.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	r2546584.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r2546584.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	p5877378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p5877378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r2546584.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r2546584.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r2546584.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r2546584.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4432-240-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/4432-245-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/4216-246-0x0000000000120000-0x0000000000217000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rh1.exe

description pid process target process

PID 1424 created 3240 1424 rh1.exe Explorer.EXE
Downloads MZ/PE file

description	pid	process	target process
PID 1424 created 3240	1424	rh1.exe	Explorer.EXE

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

t6738340.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	t6738340.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 11 IoCs

Processes:

z7841743.exez8566209.exep5877378.exer2546584.exes2109098.exet6738340.exelegends.exerh1.exelwg67u9jwvf.exelegends.exelegends.exe

pid	process
1416	z7841743.exe
5048	z8566209.exe
564	p5877378.exe
1120	r2546584.exe
2004	s2109098.exe
784	t6738340.exe
2452	legends.exe
1424	rh1.exe
4216	lwg67u9jwvf.exe
4852	legends.exe
2352	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2968 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2968	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

p5877378.exer2546584.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	p5877378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	p5877378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	r2546584.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2e8d304019c52d789a04dcd2116bb8f0.exez7841743.exez8566209.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2e8d304019c52d789a04dcd2116bb8f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e8d304019c52d789a04dcd2116bb8f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7841743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7841743.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8566209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8566209.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

lwg67u9jwvf.exe

description pid process target process

PID 4216 set thread context of 4432 4216 lwg67u9jwvf.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2236 4216 WerFault.exe lwg67u9jwvf.exe

description	pid	process	target process
PID 4216 set thread context of 4432	4216	lwg67u9jwvf.exe	AppLaunch.exe

pid	pid_target	process	target process
2236	4216	WerFault.exe	lwg67u9jwvf.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2628 schtasks.exe

pid	process
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

p5877378.exer2546584.exes2109098.exerh1.execertreq.exe

pid	process
564	p5877378.exe
564	p5877378.exe
1120	r2546584.exe
1120	r2546584.exe
2004	s2109098.exe
2004	s2109098.exe
1424	rh1.exe
1424	rh1.exe
1424	rh1.exe
1424	rh1.exe
2808	certreq.exe
2808	certreq.exe
2808	certreq.exe
2808	certreq.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

p5877378.exer2546584.exes2109098.exe

description pid process

Token: SeDebugPrivilege 564 p5877378.exe
Token: SeDebugPrivilege 1120 r2546584.exe
Token: SeDebugPrivilege 2004 s2109098.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

t6738340.exe

pid process

784 t6738340.exe

description	pid	process
Token: SeDebugPrivilege	564	p5877378.exe
Token: SeDebugPrivilege	1120	r2546584.exe
Token: SeDebugPrivilege	2004	s2109098.exe

pid	process
784	t6738340.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

2e8d304019c52d789a04dcd2116bb8f0.exez7841743.exez8566209.exet6738340.exelegends.execmd.exelwg67u9jwvf.exerh1.exe

description	pid	process	target process
PID 752 wrote to memory of 1416	752	2e8d304019c52d789a04dcd2116bb8f0.exe	z7841743.exe
PID 752 wrote to memory of 1416	752	2e8d304019c52d789a04dcd2116bb8f0.exe	z7841743.exe
PID 752 wrote to memory of 1416	752	2e8d304019c52d789a04dcd2116bb8f0.exe	z7841743.exe
PID 1416 wrote to memory of 5048	1416	z7841743.exe	z8566209.exe
PID 1416 wrote to memory of 5048	1416	z7841743.exe	z8566209.exe
PID 1416 wrote to memory of 5048	1416	z7841743.exe	z8566209.exe
PID 5048 wrote to memory of 564	5048	z8566209.exe	p5877378.exe
PID 5048 wrote to memory of 564	5048	z8566209.exe	p5877378.exe
PID 5048 wrote to memory of 564	5048	z8566209.exe	p5877378.exe
PID 5048 wrote to memory of 1120	5048	z8566209.exe	r2546584.exe
PID 5048 wrote to memory of 1120	5048	z8566209.exe	r2546584.exe
PID 1416 wrote to memory of 2004	1416	z7841743.exe	s2109098.exe
PID 1416 wrote to memory of 2004	1416	z7841743.exe	s2109098.exe
PID 1416 wrote to memory of 2004	1416	z7841743.exe	s2109098.exe
PID 752 wrote to memory of 784	752	2e8d304019c52d789a04dcd2116bb8f0.exe	t6738340.exe
PID 752 wrote to memory of 784	752	2e8d304019c52d789a04dcd2116bb8f0.exe	t6738340.exe
PID 752 wrote to memory of 784	752	2e8d304019c52d789a04dcd2116bb8f0.exe	t6738340.exe
PID 784 wrote to memory of 2452	784	t6738340.exe	legends.exe
PID 784 wrote to memory of 2452	784	t6738340.exe	legends.exe
PID 784 wrote to memory of 2452	784	t6738340.exe	legends.exe
PID 2452 wrote to memory of 2628	2452	legends.exe	schtasks.exe
PID 2452 wrote to memory of 2628	2452	legends.exe	schtasks.exe
PID 2452 wrote to memory of 2628	2452	legends.exe	schtasks.exe
PID 2452 wrote to memory of 2008	2452	legends.exe	cmd.exe
PID 2452 wrote to memory of 2008	2452	legends.exe	cmd.exe
PID 2452 wrote to memory of 2008	2452	legends.exe	cmd.exe
PID 2008 wrote to memory of 760	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 760	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 760	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 4908	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 4908	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 4908	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 1940	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 1940	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 1940	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 3412	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 3412	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 3412	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 3596	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 3596	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 3596	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 3948	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 3948	2008	cmd.exe	cacls.exe
PID 2008 wrote to memory of 3948	2008	cmd.exe	cacls.exe
PID 2452 wrote to memory of 1424	2452	legends.exe	rh1.exe
PID 2452 wrote to memory of 1424	2452	legends.exe	rh1.exe
PID 2452 wrote to memory of 1424	2452	legends.exe	rh1.exe
PID 2452 wrote to memory of 4216	2452	legends.exe	lwg67u9jwvf.exe
PID 2452 wrote to memory of 4216	2452	legends.exe	lwg67u9jwvf.exe
PID 2452 wrote to memory of 4216	2452	legends.exe	lwg67u9jwvf.exe
PID 4216 wrote to memory of 4432	4216	lwg67u9jwvf.exe	AppLaunch.exe
PID 4216 wrote to memory of 4432	4216	lwg67u9jwvf.exe	AppLaunch.exe
PID 4216 wrote to memory of 4432	4216	lwg67u9jwvf.exe	AppLaunch.exe
PID 4216 wrote to memory of 4432	4216	lwg67u9jwvf.exe	AppLaunch.exe
PID 4216 wrote to memory of 4432	4216	lwg67u9jwvf.exe	AppLaunch.exe
PID 1424 wrote to memory of 2808	1424	rh1.exe	certreq.exe
PID 1424 wrote to memory of 2808	1424	rh1.exe	certreq.exe
PID 1424 wrote to memory of 2808	1424	rh1.exe	certreq.exe
PID 1424 wrote to memory of 2808	1424	rh1.exe	certreq.exe
PID 2452 wrote to memory of 2968	2452	legends.exe	rundll32.exe
PID 2452 wrote to memory of 2968	2452	legends.exe	rundll32.exe
PID 2452 wrote to memory of 2968	2452	legends.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\2e8d304019c52d789a04dcd2116bb8f0.exe
  "C:\Users\Admin\AppData\Local\Temp\2e8d304019c52d789a04dcd2116bb8f0.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7841743.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7841743.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8566209.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8566209.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5877378.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5877378.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r2546584.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r2546584.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s2109098.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s2109098.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6738340.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6738340.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:760
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        6⤵
        
        PID:4908
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        6⤵
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3412
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        6⤵
        
        PID:3596
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        6⤵
        
        PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\1000129001\rh1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000129001\rh1.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1424
    - - C:\Users\Admin\AppData\Local\Temp\1000130001\lwg67u9jwvf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000130001\lwg67u9jwvf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 280
        6⤵
        Program crash
        
        PID:2236
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:2968
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4216 -ip 4216
1⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000129001\rh1.exe

Filesize
444KB

MD5
af1efddb3afaf3bf4d121a9d4c7e7d68

SHA1
f9943a72ca72fd7a7a3495d039cf37a0decb3998

SHA256
7d2102bb62f4eb41eac647e66f4f37eabce90eece6e0589603108b03ebfe300c

SHA512
efe933bb51b5abc0a8799dc0dd28f35c9ccaa7a8d09083649645640eb8015e594a46bc6cf2c721787e47b6239fafebb766832de98b770f087005a3f50612f710

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\rh1.exe

Filesize
444KB

MD5
af1efddb3afaf3bf4d121a9d4c7e7d68

SHA1
f9943a72ca72fd7a7a3495d039cf37a0decb3998

SHA256
7d2102bb62f4eb41eac647e66f4f37eabce90eece6e0589603108b03ebfe300c

SHA512
efe933bb51b5abc0a8799dc0dd28f35c9ccaa7a8d09083649645640eb8015e594a46bc6cf2c721787e47b6239fafebb766832de98b770f087005a3f50612f710

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\rh1.exe

Filesize
444KB

MD5
af1efddb3afaf3bf4d121a9d4c7e7d68

SHA1
f9943a72ca72fd7a7a3495d039cf37a0decb3998

SHA256
7d2102bb62f4eb41eac647e66f4f37eabce90eece6e0589603108b03ebfe300c

SHA512
efe933bb51b5abc0a8799dc0dd28f35c9ccaa7a8d09083649645640eb8015e594a46bc6cf2c721787e47b6239fafebb766832de98b770f087005a3f50612f710

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\lwg67u9jwvf.exe

Filesize
800KB

MD5
972abf3179291dfac99397b5ae996365

SHA1
8272904cb904a2c2103106023c039ee8515721e0

SHA256
03e96c022c76316f6b1db47895edb89666072c1b7104b863a9d229ea74b2ef0a

SHA512
c4d778f594de65974e53069a79660d7dc1073d2bceea76bcdf1b9037a5e9d6c5cf013b8b45723a255d9a288fb5edb17d110a8b5fef7818b44b1126135c409c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\lwg67u9jwvf.exe

Filesize
800KB

MD5
972abf3179291dfac99397b5ae996365

SHA1
8272904cb904a2c2103106023c039ee8515721e0

SHA256
03e96c022c76316f6b1db47895edb89666072c1b7104b863a9d229ea74b2ef0a

SHA512
c4d778f594de65974e53069a79660d7dc1073d2bceea76bcdf1b9037a5e9d6c5cf013b8b45723a255d9a288fb5edb17d110a8b5fef7818b44b1126135c409c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\lwg67u9jwvf.exe

Filesize
800KB

MD5
972abf3179291dfac99397b5ae996365

SHA1
8272904cb904a2c2103106023c039ee8515721e0

SHA256
03e96c022c76316f6b1db47895edb89666072c1b7104b863a9d229ea74b2ef0a

SHA512
c4d778f594de65974e53069a79660d7dc1073d2bceea76bcdf1b9037a5e9d6c5cf013b8b45723a255d9a288fb5edb17d110a8b5fef7818b44b1126135c409c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
204KB

MD5
a432cf58e51cf13a386812ca12ed2a7b

SHA1
4d4dbaa7bb7b9a6d8d223d4ad38d9cd2d4f7483c

SHA256
b68b279219dccff847cd432c07ed6f5a3158191661dd0907c64faf7888e2e173

SHA512
7bf3cae2f2918fda6eaf2fbb741591ef015730cbbf24d414ff3a83fdd5af5fce5589a99baa2a707aef7abadea64dfcff09520a67cfacc932e0acd2d52d76daae

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
204KB

MD5
a432cf58e51cf13a386812ca12ed2a7b

SHA1
4d4dbaa7bb7b9a6d8d223d4ad38d9cd2d4f7483c

SHA256
b68b279219dccff847cd432c07ed6f5a3158191661dd0907c64faf7888e2e173

SHA512
7bf3cae2f2918fda6eaf2fbb741591ef015730cbbf24d414ff3a83fdd5af5fce5589a99baa2a707aef7abadea64dfcff09520a67cfacc932e0acd2d52d76daae

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
204KB

MD5
a432cf58e51cf13a386812ca12ed2a7b

SHA1
4d4dbaa7bb7b9a6d8d223d4ad38d9cd2d4f7483c

SHA256
b68b279219dccff847cd432c07ed6f5a3158191661dd0907c64faf7888e2e173

SHA512
7bf3cae2f2918fda6eaf2fbb741591ef015730cbbf24d414ff3a83fdd5af5fce5589a99baa2a707aef7abadea64dfcff09520a67cfacc932e0acd2d52d76daae

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
204KB

MD5
a432cf58e51cf13a386812ca12ed2a7b

SHA1
4d4dbaa7bb7b9a6d8d223d4ad38d9cd2d4f7483c

SHA256
b68b279219dccff847cd432c07ed6f5a3158191661dd0907c64faf7888e2e173

SHA512
7bf3cae2f2918fda6eaf2fbb741591ef015730cbbf24d414ff3a83fdd5af5fce5589a99baa2a707aef7abadea64dfcff09520a67cfacc932e0acd2d52d76daae

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
204KB

MD5
a432cf58e51cf13a386812ca12ed2a7b

SHA1
4d4dbaa7bb7b9a6d8d223d4ad38d9cd2d4f7483c

SHA256
b68b279219dccff847cd432c07ed6f5a3158191661dd0907c64faf7888e2e173

SHA512
7bf3cae2f2918fda6eaf2fbb741591ef015730cbbf24d414ff3a83fdd5af5fce5589a99baa2a707aef7abadea64dfcff09520a67cfacc932e0acd2d52d76daae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6738340.exe

Filesize
204KB

MD5
a432cf58e51cf13a386812ca12ed2a7b

SHA1
4d4dbaa7bb7b9a6d8d223d4ad38d9cd2d4f7483c

SHA256
b68b279219dccff847cd432c07ed6f5a3158191661dd0907c64faf7888e2e173

SHA512
7bf3cae2f2918fda6eaf2fbb741591ef015730cbbf24d414ff3a83fdd5af5fce5589a99baa2a707aef7abadea64dfcff09520a67cfacc932e0acd2d52d76daae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6738340.exe

Filesize
204KB

MD5
a432cf58e51cf13a386812ca12ed2a7b

SHA1
4d4dbaa7bb7b9a6d8d223d4ad38d9cd2d4f7483c

SHA256
b68b279219dccff847cd432c07ed6f5a3158191661dd0907c64faf7888e2e173

SHA512
7bf3cae2f2918fda6eaf2fbb741591ef015730cbbf24d414ff3a83fdd5af5fce5589a99baa2a707aef7abadea64dfcff09520a67cfacc932e0acd2d52d76daae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7841743.exe

Filesize
440KB

MD5
bb07122037f2a1f6930a532f5f6d3385

SHA1
6acf64a432ddb979955aacffcc2efb371f7408fc

SHA256
4d8e1170fbb291a15613d528a5debbdc1d5521276e964697e6ee21574f452b28

SHA512
dacb22686d70441faec0ac6a796b76808f12ec233411cb1c3a1eb78980698752c936d8afc74fcde716c8379fcdc9d60ba6d8fdc3355b6b8861a2b315f1c19c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7841743.exe

Filesize
440KB

MD5
bb07122037f2a1f6930a532f5f6d3385

SHA1
6acf64a432ddb979955aacffcc2efb371f7408fc

SHA256
4d8e1170fbb291a15613d528a5debbdc1d5521276e964697e6ee21574f452b28

SHA512
dacb22686d70441faec0ac6a796b76808f12ec233411cb1c3a1eb78980698752c936d8afc74fcde716c8379fcdc9d60ba6d8fdc3355b6b8861a2b315f1c19c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s2109098.exe

Filesize
296KB

MD5
0245655c08b57f537d3f93252b0fb435

SHA1
187474b9629de3928a7b91e753b30014046d35b1

SHA256
2183b5fd48cd71c203730b9d2f81ead4060be722eefd2aaf71b638d06fa77aa4

SHA512
22f85d1a17522efc23d9e6a9e61d11314b0f07c6e3ee6c69f7e3148f34cd9ef0342ec7461c30a09dcb0f8bbd870b71e97d9463d9992a3f838d7b7966fdf00b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s2109098.exe

Filesize
296KB

MD5
0245655c08b57f537d3f93252b0fb435

SHA1
187474b9629de3928a7b91e753b30014046d35b1

SHA256
2183b5fd48cd71c203730b9d2f81ead4060be722eefd2aaf71b638d06fa77aa4

SHA512
22f85d1a17522efc23d9e6a9e61d11314b0f07c6e3ee6c69f7e3148f34cd9ef0342ec7461c30a09dcb0f8bbd870b71e97d9463d9992a3f838d7b7966fdf00b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8566209.exe

Filesize
227KB

MD5
ad78c3ee938962c4df4747fcbf8870b5

SHA1
45af76569e6696de60754f21a74f388bd82c9411

SHA256
e6e52d24f81ddbee9096349aeb5eb365c317851884efff5ecd28ca800014baff

SHA512
470f897d4cfa12d0cf415a51ec6db86d62133871e516cd8a3cb6ea661db20a2a192706757f31114abda171d9b208c252bbf046517a727fd58fbeb1f295dca1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8566209.exe

Filesize
227KB

MD5
ad78c3ee938962c4df4747fcbf8870b5

SHA1
45af76569e6696de60754f21a74f388bd82c9411

SHA256
e6e52d24f81ddbee9096349aeb5eb365c317851884efff5ecd28ca800014baff

SHA512
470f897d4cfa12d0cf415a51ec6db86d62133871e516cd8a3cb6ea661db20a2a192706757f31114abda171d9b208c252bbf046517a727fd58fbeb1f295dca1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5877378.exe

Filesize
176KB

MD5
211a06e9ae68ced1234252a48696431b

SHA1
69950e2ee2fafd177d1a295836713bfd8d18df9c

SHA256
0bdca9c84103454e329cfde4e69dc41a0ec0196c078c8fc195b0fa739d2f905d

SHA512
b1643ba376075619335b4bdf0d7610aece13b7c9db60eecb508465f97ef3e6a9d5297f9ac8529886efa052cdd8814ac7d4eeab44812f797a1b2dc5fa967ee7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5877378.exe

Filesize
176KB

MD5
211a06e9ae68ced1234252a48696431b

SHA1
69950e2ee2fafd177d1a295836713bfd8d18df9c

SHA256
0bdca9c84103454e329cfde4e69dc41a0ec0196c078c8fc195b0fa739d2f905d

SHA512
b1643ba376075619335b4bdf0d7610aece13b7c9db60eecb508465f97ef3e6a9d5297f9ac8529886efa052cdd8814ac7d4eeab44812f797a1b2dc5fa967ee7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r2546584.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r2546584.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/564-161-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/564-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/752-133-0x0000000002100000-0x000000000219E000-memory.dmp

Filesize
632KB

Download
memory/752-207-0x0000000002100000-0x000000000219E000-memory.dmp

Filesize
632KB

Download
memory/1120-170-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1424-247-0x0000000000550000-0x0000000000557000-memory.dmp

Filesize
28KB

Download
memory/1424-257-0x00000000030F0000-0x0000000003126000-memory.dmp

Filesize
216KB

Download
memory/1424-248-0x0000000002350000-0x0000000002750000-memory.dmp

Filesize
4.0MB

Download
memory/1424-251-0x00000000030F0000-0x0000000003126000-memory.dmp

Filesize
216KB

Download
memory/1424-249-0x0000000002350000-0x0000000002750000-memory.dmp

Filesize
4.0MB

Download
memory/2004-181-0x0000000004D10000-0x0000000004D22000-memory.dmp

Filesize
72KB

Download
memory/2004-191-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/2004-190-0x00000000066B0000-0x0000000006BDC000-memory.dmp

Filesize
5.2MB

Download
memory/2004-175-0x0000000000450000-0x0000000000480000-memory.dmp

Filesize
192KB

Download
memory/2004-179-0x0000000005220000-0x0000000005838000-memory.dmp

Filesize
6.1MB

Download
memory/2004-180-0x0000000004C00000-0x0000000004D0A000-memory.dmp

Filesize
1.0MB

Download
memory/2004-189-0x00000000064E0000-0x00000000066A2000-memory.dmp

Filesize
1.8MB

Download
memory/2004-188-0x0000000005A80000-0x0000000005AD0000-memory.dmp

Filesize
320KB

Download
memory/2004-187-0x00000000050A0000-0x0000000005106000-memory.dmp

Filesize
408KB

Download
memory/2004-182-0x0000000004D30000-0x0000000004D6C000-memory.dmp

Filesize
240KB

Download
memory/2004-186-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/2004-185-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/2004-184-0x0000000004F10000-0x0000000004F86000-memory.dmp

Filesize
472KB

Download
memory/2004-183-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/2808-261-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-270-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-262-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-263-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-264-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-265-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-267-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-268-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-269-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-260-0x000002BA415E0000-0x000002BA415E7000-memory.dmp

Filesize
28KB

Download
memory/2808-271-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-272-0x00007FF4A5520000-0x00007FF4A564D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-259-0x000002BA41480000-0x000002BA41483000-memory.dmp

Filesize
12KB

Download
memory/2808-250-0x000002BA41480000-0x000002BA41483000-memory.dmp

Filesize
12KB

Download
memory/4216-246-0x0000000000120000-0x0000000000217000-memory.dmp

Filesize
988KB

Download
memory/4432-245-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4432-240-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download