amadey | 7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7

Analysis

max time kernel
144s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea88c359faaa4fd8219c7bcaad838749.exe
Size

992KB
MD5

ea88c359faaa4fd8219c7bcaad838749
SHA1

4ba3527b280719563bc7d61f49617a50d507b8f4
SHA256

7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7
SHA512

901399ae2d5e359ab56f7a37884d783ada23ecda1097b5abf94dac1db54ec30150027b23b7e499c511ed5869539e2644e712176fc27b8dcc35154e5b4ee6a105
SSDEEP

12288:vMr2y90QfLCxbfINNmuWlHih5mSLFl9GJe4ltbwSQHmiNST24zYUUz8QGkpWQVec:lyND6EQP8AimPCz8xkQke+RLtuUOs

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3816-42-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3816-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3816-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3816-46-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe	healer
behavioral2/memory/1488-35-0x00000000000F0000-0x00000000000FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q4793251.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q4793251.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q4793251.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q4793251.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q4793251.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q4793251.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q4793251.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

t1186371.exeu9462835.exeexplothe.exelegota.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	t1186371.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	u9462835.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 14 IoCs

Processes:

z5563570.exez5169793.exez5426192.exez7193855.exeq4793251.exer2918283.exes6239913.exet1186371.exeexplothe.exeu9462835.exelegota.exew5765354.exeexplothe.exelegota.exe

pid	process
1660	z5563570.exe
3356	z5169793.exe
1300	z5426192.exe
3688	z7193855.exe
1488	q4793251.exe
1104	r2918283.exe
4240	s6239913.exe
1956	t1186371.exe
4540	explothe.exe
2168	u9462835.exe
1800	legota.exe
1040	w5765354.exe
1956	explothe.exe
4604	legota.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1960 rundll32.exe
5048 rundll32.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

q4793251.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q4793251.exe

pid	process
1960	rundll32.exe
5048	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q4793251.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ea88c359faaa4fd8219c7bcaad838749.exez5563570.exez5169793.exez5426192.exez7193855.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea88c359faaa4fd8219c7bcaad838749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5563570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5169793.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5426192.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z7193855.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

r2918283.exes6239913.exe

description	pid	process	target process
PID 1104 set thread context of 3816	1104	r2918283.exe	AppLaunch.exe
PID 4240 set thread context of 4716	4240	s6239913.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4160 3816 WerFault.exe AppLaunch.exe
2500 1104 WerFault.exe r2918283.exe
4300 4240 WerFault.exe s6239913.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2244 schtasks.exe
2556 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

q4793251.exe

pid process

1488 q4793251.exe
1488 q4793251.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

q4793251.exe

description pid process

Token: SeDebugPrivilege 1488 q4793251.exe

pid	pid_target	process	target process
4160	3816	WerFault.exe	AppLaunch.exe
2500	1104	WerFault.exe	r2918283.exe
4300	4240	WerFault.exe	s6239913.exe

pid	process
2244	schtasks.exe
2556	schtasks.exe

pid	process
1488	q4793251.exe
1488	q4793251.exe

description	pid	process
Token: SeDebugPrivilege	1488	q4793251.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ea88c359faaa4fd8219c7bcaad838749.exez5563570.exez5169793.exez5426192.exez7193855.exer2918283.exes6239913.exet1186371.exeu9462835.exeexplothe.exelegota.exe

description	pid	process	target process
PID 4688 wrote to memory of 1660	4688	ea88c359faaa4fd8219c7bcaad838749.exe	z5563570.exe
PID 4688 wrote to memory of 1660	4688	ea88c359faaa4fd8219c7bcaad838749.exe	z5563570.exe
PID 4688 wrote to memory of 1660	4688	ea88c359faaa4fd8219c7bcaad838749.exe	z5563570.exe
PID 1660 wrote to memory of 3356	1660	z5563570.exe	z5169793.exe
PID 1660 wrote to memory of 3356	1660	z5563570.exe	z5169793.exe
PID 1660 wrote to memory of 3356	1660	z5563570.exe	z5169793.exe
PID 3356 wrote to memory of 1300	3356	z5169793.exe	z5426192.exe
PID 3356 wrote to memory of 1300	3356	z5169793.exe	z5426192.exe
PID 3356 wrote to memory of 1300	3356	z5169793.exe	z5426192.exe
PID 1300 wrote to memory of 3688	1300	z5426192.exe	z7193855.exe
PID 1300 wrote to memory of 3688	1300	z5426192.exe	z7193855.exe
PID 1300 wrote to memory of 3688	1300	z5426192.exe	z7193855.exe
PID 3688 wrote to memory of 1488	3688	z7193855.exe	q4793251.exe
PID 3688 wrote to memory of 1488	3688	z7193855.exe	q4793251.exe
PID 3688 wrote to memory of 1104	3688	z7193855.exe	r2918283.exe
PID 3688 wrote to memory of 1104	3688	z7193855.exe	r2918283.exe
PID 3688 wrote to memory of 1104	3688	z7193855.exe	r2918283.exe
PID 1104 wrote to memory of 3816	1104	r2918283.exe	AppLaunch.exe
PID 1104 wrote to memory of 3816	1104	r2918283.exe	AppLaunch.exe
PID 1104 wrote to memory of 3816	1104	r2918283.exe	AppLaunch.exe
PID 1104 wrote to memory of 3816	1104	r2918283.exe	AppLaunch.exe
PID 1104 wrote to memory of 3816	1104	r2918283.exe	AppLaunch.exe
PID 1104 wrote to memory of 3816	1104	r2918283.exe	AppLaunch.exe
PID 1104 wrote to memory of 3816	1104	r2918283.exe	AppLaunch.exe
PID 1104 wrote to memory of 3816	1104	r2918283.exe	AppLaunch.exe
PID 1104 wrote to memory of 3816	1104	r2918283.exe	AppLaunch.exe
PID 1104 wrote to memory of 3816	1104	r2918283.exe	AppLaunch.exe
PID 1300 wrote to memory of 4240	1300	z5426192.exe	s6239913.exe
PID 1300 wrote to memory of 4240	1300	z5426192.exe	s6239913.exe
PID 1300 wrote to memory of 4240	1300	z5426192.exe	s6239913.exe
PID 4240 wrote to memory of 4716	4240	s6239913.exe	AppLaunch.exe
PID 4240 wrote to memory of 4716	4240	s6239913.exe	AppLaunch.exe
PID 4240 wrote to memory of 4716	4240	s6239913.exe	AppLaunch.exe
PID 4240 wrote to memory of 4716	4240	s6239913.exe	AppLaunch.exe
PID 4240 wrote to memory of 4716	4240	s6239913.exe	AppLaunch.exe
PID 4240 wrote to memory of 4716	4240	s6239913.exe	AppLaunch.exe
PID 4240 wrote to memory of 4716	4240	s6239913.exe	AppLaunch.exe
PID 4240 wrote to memory of 4716	4240	s6239913.exe	AppLaunch.exe
PID 3356 wrote to memory of 1956	3356	z5169793.exe	t1186371.exe
PID 3356 wrote to memory of 1956	3356	z5169793.exe	t1186371.exe
PID 3356 wrote to memory of 1956	3356	z5169793.exe	t1186371.exe
PID 1956 wrote to memory of 4540	1956	t1186371.exe	explothe.exe
PID 1956 wrote to memory of 4540	1956	t1186371.exe	explothe.exe
PID 1956 wrote to memory of 4540	1956	t1186371.exe	explothe.exe
PID 1660 wrote to memory of 2168	1660	z5563570.exe	u9462835.exe
PID 1660 wrote to memory of 2168	1660	z5563570.exe	u9462835.exe
PID 1660 wrote to memory of 2168	1660	z5563570.exe	u9462835.exe
PID 2168 wrote to memory of 1800	2168	u9462835.exe	legota.exe
PID 2168 wrote to memory of 1800	2168	u9462835.exe	legota.exe
PID 2168 wrote to memory of 1800	2168	u9462835.exe	legota.exe
PID 4540 wrote to memory of 2244	4540	explothe.exe	schtasks.exe
PID 4540 wrote to memory of 2244	4540	explothe.exe	schtasks.exe
PID 4540 wrote to memory of 2244	4540	explothe.exe	schtasks.exe
PID 4688 wrote to memory of 1040	4688	ea88c359faaa4fd8219c7bcaad838749.exe	w5765354.exe
PID 4688 wrote to memory of 1040	4688	ea88c359faaa4fd8219c7bcaad838749.exe	w5765354.exe
PID 4688 wrote to memory of 1040	4688	ea88c359faaa4fd8219c7bcaad838749.exe	w5765354.exe
PID 1800 wrote to memory of 2556	1800	legota.exe	schtasks.exe
PID 1800 wrote to memory of 2556	1800	legota.exe	schtasks.exe
PID 1800 wrote to memory of 2556	1800	legota.exe	schtasks.exe
PID 4540 wrote to memory of 1928	4540	explothe.exe	cmd.exe
PID 4540 wrote to memory of 1928	4540	explothe.exe	cmd.exe
PID 4540 wrote to memory of 1928	4540	explothe.exe	cmd.exe
PID 1800 wrote to memory of 528	1800	legota.exe	cmd.exe
PID 1800 wrote to memory of 528	1800	legota.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ea88c359faaa4fd8219c7bcaad838749.exe
"C:\Users\Admin\AppData\Local\Temp\ea88c359faaa4fd8219c7bcaad838749.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3688
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 548
        8⤵
        Program crash
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 580
        7⤵
        Program crash
        
        PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6239913.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6239913.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 152
        6⤵
        Program crash
        
        PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1186371.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1186371.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2244
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:5060
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:5048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9462835.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9462835.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1748
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:396
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:4704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2052
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:4480
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:4552
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:1960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5765354.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5765354.exe
  2⤵
  - Executes dropped EXE
  PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1104 -ip 1104
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3816 -ip 3816
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4240 -ip 4240
1⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5765354.exe

Filesize
23KB

MD5
fb3d715fd08168dc30c7bad7a28b8dc8

SHA1
efb67040c29a26ba505c9b0c4011f63f77eb4022

SHA256
b6a2c2fb93a7ee376ab4bf007ccb773b08b4d7e3b8beffcfc64e8e4066c8045e

SHA512
c8802c6e48a477968696d38aa5321320aef63c98fa57d7dc4c3cdfa923903ec47e6dfcdfd7dc0fef715638c486dd7cb10304ac39aeb3d5ea39be769446cd4ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5765354.exe

Filesize
23KB

MD5
fb3d715fd08168dc30c7bad7a28b8dc8

SHA1
efb67040c29a26ba505c9b0c4011f63f77eb4022

SHA256
b6a2c2fb93a7ee376ab4bf007ccb773b08b4d7e3b8beffcfc64e8e4066c8045e

SHA512
c8802c6e48a477968696d38aa5321320aef63c98fa57d7dc4c3cdfa923903ec47e6dfcdfd7dc0fef715638c486dd7cb10304ac39aeb3d5ea39be769446cd4ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe

Filesize
890KB

MD5
d48c7284701ea98957a0aa1025020cfa

SHA1
c016bc6cc92cbfe381160ccaceb08baf3b7e622a

SHA256
c9bd5fdd6ae6efdfdbd36e9a15890884ec509406fc1d50823221d1de80c0c521

SHA512
5f674b67630cddae49eaa494353eab883debc2933190d455fed9b4f3f753298cd56d15cf9203e8f705378517eb689a5e2b1170f80674f8c63b0749549fbd9d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe

Filesize
890KB

MD5
d48c7284701ea98957a0aa1025020cfa

SHA1
c016bc6cc92cbfe381160ccaceb08baf3b7e622a

SHA256
c9bd5fdd6ae6efdfdbd36e9a15890884ec509406fc1d50823221d1de80c0c521

SHA512
5f674b67630cddae49eaa494353eab883debc2933190d455fed9b4f3f753298cd56d15cf9203e8f705378517eb689a5e2b1170f80674f8c63b0749549fbd9d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9462835.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9462835.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe

Filesize
709KB

MD5
b80e3189ca2d612605e5cb96c11420db

SHA1
f6892104b89ceea09fec22a009dfa055665f5f8a

SHA256
ee6ba14991249c53cd6974159ba562d63541549302e5ebd8280bfc7430bb6090

SHA512
be6443afa887877de687debc78d20ab59caed233012aae5ebac1c8843b93815f207b885cff35c959ec84379a84c2301ef5b316abe555ff9c114fbdb3251dae32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe

Filesize
709KB

MD5
b80e3189ca2d612605e5cb96c11420db

SHA1
f6892104b89ceea09fec22a009dfa055665f5f8a

SHA256
ee6ba14991249c53cd6974159ba562d63541549302e5ebd8280bfc7430bb6090

SHA512
be6443afa887877de687debc78d20ab59caed233012aae5ebac1c8843b93815f207b885cff35c959ec84379a84c2301ef5b316abe555ff9c114fbdb3251dae32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1186371.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1186371.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe

Filesize
526KB

MD5
c7108038186b4764606d32df3950ab2c

SHA1
317e36715b20d87505b5d5e3b3bd01c58aa461d1

SHA256
5c1b41412012d6dd94fb34bf6641374d59c28af8e8fdd07bc54cd7be785fc8dc

SHA512
a26639f41eddcc04a4b387d2e8fd7bfe97bc8aa16013bb370358930982f9c6c60eea391b13a2168d6f936b7db10bb21ca3a625e7f709e2bde3dda6a6b6a5baf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe

Filesize
526KB

MD5
c7108038186b4764606d32df3950ab2c

SHA1
317e36715b20d87505b5d5e3b3bd01c58aa461d1

SHA256
5c1b41412012d6dd94fb34bf6641374d59c28af8e8fdd07bc54cd7be785fc8dc

SHA512
a26639f41eddcc04a4b387d2e8fd7bfe97bc8aa16013bb370358930982f9c6c60eea391b13a2168d6f936b7db10bb21ca3a625e7f709e2bde3dda6a6b6a5baf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6239913.exe

Filesize
310KB

MD5
490aba62f5371927f81bbb22b6084738

SHA1
331859ac1c034ec6ec6571ab091a424da5a29112

SHA256
2f5ad8bf0ef13ae1ffc967a876a04ff894e3972e5d2924e30c1514370746e502

SHA512
cacca025abdcee4f17d348d896729d22fddc4273ccc39e3564ace9ec81f72f3aea31d88de0c8f53703deb9f7f633120c5b2516509668fc185356bd2f2694f5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6239913.exe

Filesize
310KB

MD5
490aba62f5371927f81bbb22b6084738

SHA1
331859ac1c034ec6ec6571ab091a424da5a29112

SHA256
2f5ad8bf0ef13ae1ffc967a876a04ff894e3972e5d2924e30c1514370746e502

SHA512
cacca025abdcee4f17d348d896729d22fddc4273ccc39e3564ace9ec81f72f3aea31d88de0c8f53703deb9f7f633120c5b2516509668fc185356bd2f2694f5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe

Filesize
296KB

MD5
6405f99a0e207aafb8d22f005388581a

SHA1
4570ab7dbb0bd2ef9e93668087a5e6e244934dc5

SHA256
1115152af0956ef4fdbdef3c04cb85bebf719ef4d60c83d9d923f6ce53b46c25

SHA512
635c0f0642a3344d36f7d7789b6aec3df0169978625fcdc905c5c33de87425befb2722a6ca13f07351a6a77b21a11516fdf8cc3fca3c295747f54a9a9223abbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe

Filesize
296KB

MD5
6405f99a0e207aafb8d22f005388581a

SHA1
4570ab7dbb0bd2ef9e93668087a5e6e244934dc5

SHA256
1115152af0956ef4fdbdef3c04cb85bebf719ef4d60c83d9d923f6ce53b46c25

SHA512
635c0f0642a3344d36f7d7789b6aec3df0169978625fcdc905c5c33de87425befb2722a6ca13f07351a6a77b21a11516fdf8cc3fca3c295747f54a9a9223abbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe

Filesize
11KB

MD5
4fd9c93c320ae8b1cce22919de97d7bc

SHA1
0cb9358cec7545e1b02411151db5b5aac490d202

SHA256
91304d353f0a65c5dec191baee663f640c6750750fdc17a0b46cc116c7983173

SHA512
35cc280be010bf92689a63c20c3ccc4eae4de33744c64d3a02bf562025d8567b222ffd0083098da74f10deff122d1a72d10451e140747b595a5bdcd616f525b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe

Filesize
11KB

MD5
4fd9c93c320ae8b1cce22919de97d7bc

SHA1
0cb9358cec7545e1b02411151db5b5aac490d202

SHA256
91304d353f0a65c5dec191baee663f640c6750750fdc17a0b46cc116c7983173

SHA512
35cc280be010bf92689a63c20c3ccc4eae4de33744c64d3a02bf562025d8567b222ffd0083098da74f10deff122d1a72d10451e140747b595a5bdcd616f525b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe

Filesize
276KB

MD5
d09917a8f0525f1b4c1408f375923713

SHA1
3a6e07ad55843f6bac1bce9fb335ffa22e337cfa

SHA256
7dd5a832f69d23b32cd851c748e958ea5e8a4d3dca3400c887a122dde53fdc25

SHA512
c4e39b13f15ed0eaf5de4e3b87a899afc19bd29279a3584e54f3b5c6bb3dddbe5ce07c140001b72823ca0bc7d17e57ea22757624f9fc04575b4183b7eee5d7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe

Filesize
276KB

MD5
d09917a8f0525f1b4c1408f375923713

SHA1
3a6e07ad55843f6bac1bce9fb335ffa22e337cfa

SHA256
7dd5a832f69d23b32cd851c748e958ea5e8a4d3dca3400c887a122dde53fdc25

SHA512
c4e39b13f15ed0eaf5de4e3b87a899afc19bd29279a3584e54f3b5c6bb3dddbe5ce07c140001b72823ca0bc7d17e57ea22757624f9fc04575b4183b7eee5d7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
memory/1488-40-0x00007FFAE8770000-0x00007FFAE9231000-memory.dmp

Filesize
10.8MB

Download
memory/1488-36-0x00007FFAE8770000-0x00007FFAE9231000-memory.dmp

Filesize
10.8MB

Download
memory/1488-35-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/3816-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3816-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3816-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3816-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4716-78-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/4716-87-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4716-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4716-86-0x0000000073860000-0x0000000074010000-memory.dmp

Filesize
7.7MB

Download
memory/4716-85-0x0000000005710000-0x000000000575C000-memory.dmp

Filesize
304KB

Download
memory/4716-84-0x0000000005690000-0x00000000056CC000-memory.dmp

Filesize
240KB

Download
memory/4716-79-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/4716-80-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4716-57-0x0000000005500000-0x0000000005506000-memory.dmp

Filesize
24KB

Download
memory/4716-70-0x0000000005C90000-0x00000000062A8000-memory.dmp

Filesize
6.1MB

Download
memory/4716-56-0x0000000073860000-0x0000000074010000-memory.dmp

Filesize
7.7MB

Download