amadey | 2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6993ec4efe8c5c7cb57cb14ad2d228b.exe
Size

1.1MB
MD5

b6993ec4efe8c5c7cb57cb14ad2d228b
SHA1

8ca71391f2dbc6cb03927f66c9fc67faea4d6166
SHA256

2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c
SHA512

82830e3cc9167125d3c59a10bb44af340f8bb0ee20a42e84092920f64164c2790b54fa60661b8c5c44dd74d0b3c48a8f02fedc97be164e16ea0bbf241c74b23b
SSDEEP

24576:tyouCM/s7ZlZW63sUiGEKn+bb4GN8PXwoaVjpLjM4z3U6Um:IpCC68Up+pRo6jMsU6U

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/980-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/980-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/980-47-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/980-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/400-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u2915663.exelegota.exet4904189.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	u2915663.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	t4904189.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 16 IoCs

Processes:

z9609135.exez7246784.exez1462459.exez9564647.exeq3729767.exer7975677.exes7915035.exet4904189.exeexplothe.exeu2915663.exelegota.exew1769106.exeexplothe.exelegota.exeexplothe.exelegota.exe

pid	process
3452	z9609135.exe
4428	z7246784.exe
3912	z1462459.exe
3120	z9564647.exe
4260	q3729767.exe
2860	r7975677.exe
3052	s7915035.exe
1764	t4904189.exe
4912	explothe.exe
456	u2915663.exe
1484	legota.exe
4856	w1769106.exe
2172	explothe.exe
400	legota.exe
4616	explothe.exe
3916	legota.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4652 rundll32.exe

pid	process
4652	rundll32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z1462459.exez9564647.exeb6993ec4efe8c5c7cb57cb14ad2d228b.exez9609135.exez7246784.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1462459.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9564647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6993ec4efe8c5c7cb57cb14ad2d228b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9609135.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7246784.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q3729767.exer7975677.exes7915035.exe

description	pid	process	target process
PID 4260 set thread context of 400	4260	q3729767.exe	AppLaunch.exe
PID 2860 set thread context of 980	2860	r7975677.exe	AppLaunch.exe
PID 3052 set thread context of 2288	3052	s7915035.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4796	4260	WerFault.exe	q3729767.exe
3972	2860	WerFault.exe	r7975677.exe
2600	980	WerFault.exe	AppLaunch.exe
1344	3052	WerFault.exe	s7915035.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4700 schtasks.exe
4356 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

400 AppLaunch.exe
400 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 400 AppLaunch.exe

pid	process
4700	schtasks.exe
4356	schtasks.exe

pid	process
400	AppLaunch.exe
400	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	400	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b6993ec4efe8c5c7cb57cb14ad2d228b.exez9609135.exez7246784.exez1462459.exez9564647.exeq3729767.exer7975677.exes7915035.exet4904189.execmd.exeu2915663.exe

description	pid	process	target process
PID 3968 wrote to memory of 3452	3968	b6993ec4efe8c5c7cb57cb14ad2d228b.exe	z9609135.exe
PID 3968 wrote to memory of 3452	3968	b6993ec4efe8c5c7cb57cb14ad2d228b.exe	z9609135.exe
PID 3968 wrote to memory of 3452	3968	b6993ec4efe8c5c7cb57cb14ad2d228b.exe	z9609135.exe
PID 3452 wrote to memory of 4428	3452	z9609135.exe	z7246784.exe
PID 3452 wrote to memory of 4428	3452	z9609135.exe	z7246784.exe
PID 3452 wrote to memory of 4428	3452	z9609135.exe	z7246784.exe
PID 4428 wrote to memory of 3912	4428	z7246784.exe	z1462459.exe
PID 4428 wrote to memory of 3912	4428	z7246784.exe	z1462459.exe
PID 4428 wrote to memory of 3912	4428	z7246784.exe	z1462459.exe
PID 3912 wrote to memory of 3120	3912	z1462459.exe	z9564647.exe
PID 3912 wrote to memory of 3120	3912	z1462459.exe	z9564647.exe
PID 3912 wrote to memory of 3120	3912	z1462459.exe	z9564647.exe
PID 3120 wrote to memory of 4260	3120	z9564647.exe	q3729767.exe
PID 3120 wrote to memory of 4260	3120	z9564647.exe	q3729767.exe
PID 3120 wrote to memory of 4260	3120	z9564647.exe	q3729767.exe
PID 4260 wrote to memory of 400	4260	q3729767.exe	AppLaunch.exe
PID 4260 wrote to memory of 400	4260	q3729767.exe	AppLaunch.exe
PID 4260 wrote to memory of 400	4260	q3729767.exe	AppLaunch.exe
PID 4260 wrote to memory of 400	4260	q3729767.exe	AppLaunch.exe
PID 4260 wrote to memory of 400	4260	q3729767.exe	AppLaunch.exe
PID 4260 wrote to memory of 400	4260	q3729767.exe	AppLaunch.exe
PID 4260 wrote to memory of 400	4260	q3729767.exe	AppLaunch.exe
PID 4260 wrote to memory of 400	4260	q3729767.exe	AppLaunch.exe
PID 3120 wrote to memory of 2860	3120	z9564647.exe	r7975677.exe
PID 3120 wrote to memory of 2860	3120	z9564647.exe	r7975677.exe
PID 3120 wrote to memory of 2860	3120	z9564647.exe	r7975677.exe
PID 2860 wrote to memory of 1964	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 1964	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 1964	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 980	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 980	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 980	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 980	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 980	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 980	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 980	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 980	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 980	2860	r7975677.exe	AppLaunch.exe
PID 2860 wrote to memory of 980	2860	r7975677.exe	AppLaunch.exe
PID 3912 wrote to memory of 3052	3912	z1462459.exe	s7915035.exe
PID 3912 wrote to memory of 3052	3912	z1462459.exe	s7915035.exe
PID 3912 wrote to memory of 3052	3912	z1462459.exe	s7915035.exe
PID 3052 wrote to memory of 2288	3052	s7915035.exe	AppLaunch.exe
PID 3052 wrote to memory of 2288	3052	s7915035.exe	AppLaunch.exe
PID 3052 wrote to memory of 2288	3052	s7915035.exe	AppLaunch.exe
PID 3052 wrote to memory of 2288	3052	s7915035.exe	AppLaunch.exe
PID 3052 wrote to memory of 2288	3052	s7915035.exe	AppLaunch.exe
PID 3052 wrote to memory of 2288	3052	s7915035.exe	AppLaunch.exe
PID 3052 wrote to memory of 2288	3052	s7915035.exe	AppLaunch.exe
PID 3052 wrote to memory of 2288	3052	s7915035.exe	AppLaunch.exe
PID 4428 wrote to memory of 1764	4428	z7246784.exe	t4904189.exe
PID 4428 wrote to memory of 1764	4428	z7246784.exe	t4904189.exe
PID 4428 wrote to memory of 1764	4428	z7246784.exe	t4904189.exe
PID 1764 wrote to memory of 4912	1764	t4904189.exe	explothe.exe
PID 1764 wrote to memory of 4912	1764	t4904189.exe	explothe.exe
PID 1764 wrote to memory of 4912	1764	t4904189.exe	explothe.exe
PID 3452 wrote to memory of 456	3452	z9609135.exe	u2915663.exe
PID 3452 wrote to memory of 456	3452	z9609135.exe	u2915663.exe
PID 3452 wrote to memory of 456	3452	z9609135.exe	u2915663.exe
PID 4268 wrote to memory of 1184	4268	cmd.exe	cmd.exe
PID 4268 wrote to memory of 1184	4268	cmd.exe	cmd.exe
PID 4268 wrote to memory of 1184	4268	cmd.exe	cmd.exe
PID 456 wrote to memory of 1484	456	u2915663.exe	legota.exe
PID 456 wrote to memory of 1484	456	u2915663.exe	legota.exe

C:\Users\Admin\AppData\Local\Temp\b6993ec4efe8c5c7cb57cb14ad2d228b.exe
"C:\Users\Admin\AppData\Local\Temp\b6993ec4efe8c5c7cb57cb14ad2d228b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3120
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 584
        7⤵
        Program crash
        
        PID:4796
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7975677.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7975677.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 552
        8⤵
        Program crash
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 148
        7⤵
        Program crash
        
        PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7915035.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7915035.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2288
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 152
        6⤵
        Program crash
        
        PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4904189.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4904189.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4912
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4700
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:3944
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        
        PID:3980
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2915663.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2915663.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1484
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4356
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2636
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:2736
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:3456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4144
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:3736
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1769106.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1769106.exe
  2⤵
  - Executes dropped EXE
  PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4260 -ip 4260
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2860 -ip 2860
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 980 -ip 980
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3052 -ip 3052
1⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1769106.exe

Filesize
23KB

MD5
bf69433c9b766a9b160a14653ca80d48

SHA1
621e4c6017cabf899dcb5d4552e9144beb4063a7

SHA256
338017c50863f50902e00335d47bb0561d79a111aaa7cda9d06f7fcfbc41f6b4

SHA512
e35bad754949d3f5fe332cfad54e219ec7c91a7f3441cc5775d47177592d40ffcf029f2c1c781ca85f87103bea033f6967700bdb7e3944a5d9dae8268dec757e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1769106.exe

Filesize
23KB

MD5
bf69433c9b766a9b160a14653ca80d48

SHA1
621e4c6017cabf899dcb5d4552e9144beb4063a7

SHA256
338017c50863f50902e00335d47bb0561d79a111aaa7cda9d06f7fcfbc41f6b4

SHA512
e35bad754949d3f5fe332cfad54e219ec7c91a7f3441cc5775d47177592d40ffcf029f2c1c781ca85f87103bea033f6967700bdb7e3944a5d9dae8268dec757e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe

Filesize
981KB

MD5
3d2c446c9ae466b22727740e698f9f01

SHA1
cb1ff4695ff558ada26d24737e67d54b599b6f64

SHA256
d38caf8d6d8da5ac132c633d60ba933b0945f56ed8932939132c1003b786cdea

SHA512
908f12ba82229aa184d992bd19d16664bb2719f7a5c29ea88dad60be44b7d7bee166f4bc03b458b43e60f403aececcb3ae1c7c9b5aa8bf2067a72c0e339144f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe

Filesize
981KB

MD5
3d2c446c9ae466b22727740e698f9f01

SHA1
cb1ff4695ff558ada26d24737e67d54b599b6f64

SHA256
d38caf8d6d8da5ac132c633d60ba933b0945f56ed8932939132c1003b786cdea

SHA512
908f12ba82229aa184d992bd19d16664bb2719f7a5c29ea88dad60be44b7d7bee166f4bc03b458b43e60f403aececcb3ae1c7c9b5aa8bf2067a72c0e339144f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2915663.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2915663.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe

Filesize
799KB

MD5
ed4128a7b0b824e1f8d0212a6ea27d43

SHA1
d1a1010682bf8d1be13efdd57adad3d80425cddd

SHA256
63902c0e786d2266100a13f5778ec1c53161333b843d024db1e5f82df133f7e3

SHA512
43228d8924572a1cf3f5134b1147dcbd1ac3ec9dca76476583bad65818023f32bdf862efbf73df8681f57102e8b202d2d566ee0469608923ebde99b5e2c6fee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe

Filesize
799KB

MD5
ed4128a7b0b824e1f8d0212a6ea27d43

SHA1
d1a1010682bf8d1be13efdd57adad3d80425cddd

SHA256
63902c0e786d2266100a13f5778ec1c53161333b843d024db1e5f82df133f7e3

SHA512
43228d8924572a1cf3f5134b1147dcbd1ac3ec9dca76476583bad65818023f32bdf862efbf73df8681f57102e8b202d2d566ee0469608923ebde99b5e2c6fee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4904189.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4904189.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe

Filesize
616KB

MD5
165084f946f2567081ee5853613b0392

SHA1
26cda3b1137181ec15e65e66ae0aae08af168af9

SHA256
a736a634a6682aee4d408becd9757b6ae98c73bdb6a5516fae011dbf26a330f5

SHA512
2b2ea1de81a52771a794042e7c0ef7891435c78876e0b3b8e32bea7c443c7a0abda8c4aeb7beeac0daa22cb61c724d613ac74a63935637e3a8059ebe4d859f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe

Filesize
616KB

MD5
165084f946f2567081ee5853613b0392

SHA1
26cda3b1137181ec15e65e66ae0aae08af168af9

SHA256
a736a634a6682aee4d408becd9757b6ae98c73bdb6a5516fae011dbf26a330f5

SHA512
2b2ea1de81a52771a794042e7c0ef7891435c78876e0b3b8e32bea7c443c7a0abda8c4aeb7beeac0daa22cb61c724d613ac74a63935637e3a8059ebe4d859f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7915035.exe

Filesize
390KB

MD5
306a6f1a237c67b7d1092f0e57ffb113

SHA1
bee17f7ee614ce93c4503a99beded8b223933076

SHA256
7b5c21b2c978d2a3a4952b569903e114c420cbf26f9def9a1bd93ff462e82421

SHA512
3b550d30e80d046e44476d157cb2be573d92f3b77c9b12fd4508453a26a1e80650fe4e90da0652bc9f9e91080b9009e08a8d59771e510ff1598bc3423e01c5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7915035.exe

Filesize
390KB

MD5
306a6f1a237c67b7d1092f0e57ffb113

SHA1
bee17f7ee614ce93c4503a99beded8b223933076

SHA256
7b5c21b2c978d2a3a4952b569903e114c420cbf26f9def9a1bd93ff462e82421

SHA512
3b550d30e80d046e44476d157cb2be573d92f3b77c9b12fd4508453a26a1e80650fe4e90da0652bc9f9e91080b9009e08a8d59771e510ff1598bc3423e01c5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe

Filesize
346KB

MD5
34d5bc93cdd736157324ef5e05f552b9

SHA1
181c21206817fdcf3e6c1ef87a388fb228885f77

SHA256
32019428d6015fae23ba18a91f83442ab67dcbf0d2b3832e8c7de84557e1044b

SHA512
c69d30f2fe45eeb8657e43eb525168e7b980eeb584abbf53d031dd07c0224bc5795269611874b891320850e33da84dff246c23300c4c48931eeb07725a49ffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe

Filesize
346KB

MD5
34d5bc93cdd736157324ef5e05f552b9

SHA1
181c21206817fdcf3e6c1ef87a388fb228885f77

SHA256
32019428d6015fae23ba18a91f83442ab67dcbf0d2b3832e8c7de84557e1044b

SHA512
c69d30f2fe45eeb8657e43eb525168e7b980eeb584abbf53d031dd07c0224bc5795269611874b891320850e33da84dff246c23300c4c48931eeb07725a49ffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe

Filesize
227KB

MD5
de78addc1e228ffbb8f8e08cb320baa6

SHA1
7cd6c24a3de9165225951a8107aaaca05f58e95d

SHA256
3498aef634918e63a7ceda3d5a314d021a2ddadbfa935ebfd3729f91f6438752

SHA512
39b58a283bcc6b2d2e51aa7f95d62990a3e82c36686a5d84f970bc3c2a612d5bf6ca4076d57e73316340322d5d223b9529cd58e25b3fed8ecb45e6d6d39598d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe

Filesize
227KB

MD5
de78addc1e228ffbb8f8e08cb320baa6

SHA1
7cd6c24a3de9165225951a8107aaaca05f58e95d

SHA256
3498aef634918e63a7ceda3d5a314d021a2ddadbfa935ebfd3729f91f6438752

SHA512
39b58a283bcc6b2d2e51aa7f95d62990a3e82c36686a5d84f970bc3c2a612d5bf6ca4076d57e73316340322d5d223b9529cd58e25b3fed8ecb45e6d6d39598d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7975677.exe

Filesize
356KB

MD5
ed86ec2a5af1ec907d39fc317903b52a

SHA1
6848ee6095c9f0f30a7f1670fe26086d5f2a487e

SHA256
1bdd29aba3919f7f18c07918964aa82c6d91af0db6b489d813d36822c30f344b

SHA512
760ae6a6387385c58f99ff143f40573d32ba5bc2299252a03bd6bd26e4defa1eb52aa18ec0fff8b82abea0e376585aaa2808009e1912604a3b519bd513594042

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7975677.exe

Filesize
356KB

MD5
ed86ec2a5af1ec907d39fc317903b52a

SHA1
6848ee6095c9f0f30a7f1670fe26086d5f2a487e

SHA256
1bdd29aba3919f7f18c07918964aa82c6d91af0db6b489d813d36822c30f344b

SHA512
760ae6a6387385c58f99ff143f40573d32ba5bc2299252a03bd6bd26e4defa1eb52aa18ec0fff8b82abea0e376585aaa2808009e1912604a3b519bd513594042

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
memory/400-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/400-39-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/400-36-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/400-37-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/980-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/980-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/980-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/980-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2288-76-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download
memory/2288-88-0x0000000072F90000-0x0000000073740000-memory.dmp

Filesize
7.7MB

Download
memory/2288-89-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/2288-54-0x0000000002DD0000-0x0000000002DD6000-memory.dmp

Filesize
24KB

Download
memory/2288-68-0x00000000056B0000-0x00000000056EC000-memory.dmp

Filesize
240KB

Download
memory/2288-63-0x0000000005640000-0x0000000005652000-memory.dmp

Filesize
72KB

Download
memory/2288-64-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/2288-61-0x00000000057C0000-0x00000000058CA000-memory.dmp

Filesize
1.0MB

Download
memory/2288-60-0x0000000005CD0000-0x00000000062E8000-memory.dmp

Filesize
6.1MB

Download
memory/2288-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2288-53-0x0000000072F90000-0x0000000073740000-memory.dmp

Filesize
7.7MB

Download