redline | 12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe
Size

1.1MB
MD5

c8c1b0a361c5bdc17816c99a4e003067
SHA1

91591dfa0a7f561565a9295bd29374f9a791334f
SHA256

12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038
SHA512

8f9affe7d56e3a1874d6fca526a1e7652a53cc7d771b25b92bb6ec8736f72ea4edf0407a70aece63b1801414932141aa8e52600daa54566582b1c58fea4631ad
SSDEEP

24576:CynVlgxkPApFsCrYd+2nan6DSlK9v8yOVmnOQh3Ra3H83l:pVlgqPAj98d+2an6DRvkCDh3Ra3Y

Score

10^/10

redline vjw0rm wshrat luka terra discovery evasion infostealer persistence spyware stealer trojan worm

Malware Config

Extracted

Family

redline

Botnet

luka

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Extracted

Family

vjw0rm

http://vj7974.duckdns.org:7974

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o5080586.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o5080586.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o5080586.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o5080586.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o5080586.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o5080586.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023154-276.dat	family_wshrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
36	1348	wscript.exe
37	1348	wscript.exe
40	2264	WScript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	s5961069.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 17 IoCs

pid	Process
1500	z3530251.exe
2660	z4939112.exe
1244	o5080586.exe
3204	p6201249.exe
1468	r5221550.exe
896	r5221550.exe
3372	s5961069.exe
1960	s5961069.exe
1088	legends.exe
4980	legends.exe
1956	legends.exe
772	server.exe
1748	legends.exe
440	legends.exe
3312	legends.exe
3756	legends.exe
3856	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o5080586.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o5080586.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4939112.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3530251.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3530251.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4939112.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BN3XGO1HFO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.js\""	WScript.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 896	1468	r5221550.exe	93
PID 3372 set thread context of 1960	3372	s5961069.exe	96
PID 1088 set thread context of 1956	1088	legends.exe	99
PID 1748 set thread context of 440	1748	legends.exe	115
PID 3312 set thread context of 3856	3312	legends.exe	119

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3700	3204	WerFault.exe	86

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5004	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	wscript.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1244	o5080586.exe
1244	o5080586.exe
896	r5221550.exe
896	r5221550.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	o5080586.exe
Token: SeDebugPrivilege	1468	r5221550.exe
Token: SeDebugPrivilege	3372	s5961069.exe
Token: SeDebugPrivilege	1088	legends.exe
Token: SeDebugPrivilege	896	r5221550.exe
Token: SeDebugPrivilege	1748	legends.exe
Token: SeDebugPrivilege	3312	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1960	s5961069.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1500	1260	12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe	77
PID 1260 wrote to memory of 1500	1260	12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe	77
PID 1260 wrote to memory of 1500	1260	12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe	77
PID 1500 wrote to memory of 2660	1500	z3530251.exe	78
PID 1500 wrote to memory of 2660	1500	z3530251.exe	78
PID 1500 wrote to memory of 2660	1500	z3530251.exe	78
PID 2660 wrote to memory of 1244	2660	z4939112.exe	79
PID 2660 wrote to memory of 1244	2660	z4939112.exe	79
PID 2660 wrote to memory of 1244	2660	z4939112.exe	79
PID 2660 wrote to memory of 3204	2660	z4939112.exe	86
PID 2660 wrote to memory of 3204	2660	z4939112.exe	86
PID 2660 wrote to memory of 3204	2660	z4939112.exe	86
PID 1500 wrote to memory of 1468	1500	z3530251.exe	92
PID 1500 wrote to memory of 1468	1500	z3530251.exe	92
PID 1500 wrote to memory of 1468	1500	z3530251.exe	92
PID 1468 wrote to memory of 896	1468	r5221550.exe	93
PID 1468 wrote to memory of 896	1468	r5221550.exe	93
PID 1468 wrote to memory of 896	1468	r5221550.exe	93
PID 1468 wrote to memory of 896	1468	r5221550.exe	93
PID 1468 wrote to memory of 896	1468	r5221550.exe	93
PID 1468 wrote to memory of 896	1468	r5221550.exe	93
PID 1468 wrote to memory of 896	1468	r5221550.exe	93
PID 1468 wrote to memory of 896	1468	r5221550.exe	93
PID 1260 wrote to memory of 3372	1260	12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe	95
PID 1260 wrote to memory of 3372	1260	12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe	95
PID 1260 wrote to memory of 3372	1260	12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe	95
PID 3372 wrote to memory of 1960	3372	s5961069.exe	96
PID 3372 wrote to memory of 1960	3372	s5961069.exe	96
PID 3372 wrote to memory of 1960	3372	s5961069.exe	96
PID 3372 wrote to memory of 1960	3372	s5961069.exe	96
PID 3372 wrote to memory of 1960	3372	s5961069.exe	96
PID 3372 wrote to memory of 1960	3372	s5961069.exe	96
PID 3372 wrote to memory of 1960	3372	s5961069.exe	96
PID 3372 wrote to memory of 1960	3372	s5961069.exe	96
PID 3372 wrote to memory of 1960	3372	s5961069.exe	96
PID 3372 wrote to memory of 1960	3372	s5961069.exe	96
PID 1960 wrote to memory of 1088	1960	s5961069.exe	97
PID 1960 wrote to memory of 1088	1960	s5961069.exe	97
PID 1960 wrote to memory of 1088	1960	s5961069.exe	97
PID 1088 wrote to memory of 4980	1088	legends.exe	98
PID 1088 wrote to memory of 4980	1088	legends.exe	98
PID 1088 wrote to memory of 4980	1088	legends.exe	98
PID 1088 wrote to memory of 4980	1088	legends.exe	98
PID 1088 wrote to memory of 1956	1088	legends.exe	99
PID 1088 wrote to memory of 1956	1088	legends.exe	99
PID 1088 wrote to memory of 1956	1088	legends.exe	99
PID 1088 wrote to memory of 1956	1088	legends.exe	99
PID 1088 wrote to memory of 1956	1088	legends.exe	99
PID 1088 wrote to memory of 1956	1088	legends.exe	99
PID 1088 wrote to memory of 1956	1088	legends.exe	99
PID 1088 wrote to memory of 1956	1088	legends.exe	99
PID 1088 wrote to memory of 1956	1088	legends.exe	99
PID 1088 wrote to memory of 1956	1088	legends.exe	99
PID 1956 wrote to memory of 5004	1956	legends.exe	101
PID 1956 wrote to memory of 5004	1956	legends.exe	101
PID 1956 wrote to memory of 5004	1956	legends.exe	101
PID 1956 wrote to memory of 1408	1956	legends.exe	103
PID 1956 wrote to memory of 1408	1956	legends.exe	103
PID 1956 wrote to memory of 1408	1956	legends.exe	103
PID 1408 wrote to memory of 4320	1408	cmd.exe	105
PID 1408 wrote to memory of 4320	1408	cmd.exe	105
PID 1408 wrote to memory of 4320	1408	cmd.exe	105
PID 1408 wrote to memory of 4700	1408	cmd.exe	106
PID 1408 wrote to memory of 4700	1408	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe
"C:\Users\Admin\AppData\Local\Temp\12fc5712e71d5e38048b4b94133cb0b3a98cafc54dc8ca24f3826a95da7a5038.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3530251.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3530251.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4939112.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4939112.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5080586.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5080586.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6201249.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6201249.exe
      4⤵
      Executes dropped EXE
      PID:3204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 928
        5⤵
        Program crash
        
        PID:3700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5221550.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5221550.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5221550.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5221550.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5961069.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5961069.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5961069.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5961069.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        
        PID:4980
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:5004
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:4004
      - C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\JoGjo.vbs"
        7⤵
        Blocklisted process makes network request
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\windows.js"
        8⤵
        Blocklisted process makes network request
        Adds Run key to start application
        
        PID:2264
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3204 -ip 3204
1⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1748
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:440

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3312
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r5221550.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5961069.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5961069.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5961069.exe

Filesize
961KB

MD5
f16594bb75a78916514ddff84431a641

SHA1
6d6dc9a75a20dbd1c75a4f88d545842593d2c313

SHA256
120b72a80d092e04b33e61b4077b502027f8104a42e54f0e593e4ddee39f832a

SHA512
81c910e610b8b0ad006bbf15341aa036e77b372bbb20b2a7584d2dadabea754149e3daa180aa6df1130694ed6306682ee062c923aceb64f0096722ca0f737d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3530251.exe

Filesize
702KB

MD5
80473a9158cbb915ccd39ed8fc61540a

SHA1
bbc9ed19db5a10361b5572f552fc41cd1a02960a

SHA256
92e7a3747bbd5914a6deab54b9d41a63284cf021f4ea0785e56d75d4218117c4

SHA512
7a83d0ec8b6f24c117a69cde862bbdcfd1ed8576db2253d57f968f496b71714a851b66973e76d8eaca67ce59f29638d4aa588f9ce34f1cb7727b9b5d9a8a286c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3530251.exe

Filesize
702KB

MD5
80473a9158cbb915ccd39ed8fc61540a

SHA1
bbc9ed19db5a10361b5572f552fc41cd1a02960a

SHA256
92e7a3747bbd5914a6deab54b9d41a63284cf021f4ea0785e56d75d4218117c4

SHA512
7a83d0ec8b6f24c117a69cde862bbdcfd1ed8576db2253d57f968f496b71714a851b66973e76d8eaca67ce59f29638d4aa588f9ce34f1cb7727b9b5d9a8a286c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5221550.exe

Filesize
904KB

MD5
47243a35d9943a83dfa241c1ef36c628

SHA1
7ed4f175c80dff6358d78fd1dd0a7d2ba88a2fac

SHA256
e12e167a71c1ff9ca163433cc70963f309b5506e422cb9aecd15f8a6e16188e8

SHA512
2ffb03eccd4b828d13acf430c450000cfed8f6aff6881b5e5dc8d97d896b02170cf59ecb840af553602ad66f79c4858eb13a941de733e11ad299477545c1aacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5221550.exe

Filesize
904KB

MD5
47243a35d9943a83dfa241c1ef36c628

SHA1
7ed4f175c80dff6358d78fd1dd0a7d2ba88a2fac

SHA256
e12e167a71c1ff9ca163433cc70963f309b5506e422cb9aecd15f8a6e16188e8

SHA512
2ffb03eccd4b828d13acf430c450000cfed8f6aff6881b5e5dc8d97d896b02170cf59ecb840af553602ad66f79c4858eb13a941de733e11ad299477545c1aacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5221550.exe

Filesize
904KB

MD5
47243a35d9943a83dfa241c1ef36c628

SHA1
7ed4f175c80dff6358d78fd1dd0a7d2ba88a2fac

SHA256
e12e167a71c1ff9ca163433cc70963f309b5506e422cb9aecd15f8a6e16188e8

SHA512
2ffb03eccd4b828d13acf430c450000cfed8f6aff6881b5e5dc8d97d896b02170cf59ecb840af553602ad66f79c4858eb13a941de733e11ad299477545c1aacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4939112.exe

Filesize
306KB

MD5
a6cc3e3045ba3da52a663cad85483380

SHA1
259f22824ad61cd26171e9a81482e48260ecfcfe

SHA256
79510c9e99c4bac8d9641a80410f0503ecc4f88a4d31442a4dfee849cc05cebd

SHA512
54d5f9a7473e939f612715b851b47d9f0347129c3a51cbb6bdf23380339634e28f60cdc0b5d3cc7917c1680bb26e506dd26cc01c67a94f1939c5938bbfffcd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4939112.exe

Filesize
306KB

MD5
a6cc3e3045ba3da52a663cad85483380

SHA1
259f22824ad61cd26171e9a81482e48260ecfcfe

SHA256
79510c9e99c4bac8d9641a80410f0503ecc4f88a4d31442a4dfee849cc05cebd

SHA512
54d5f9a7473e939f612715b851b47d9f0347129c3a51cbb6bdf23380339634e28f60cdc0b5d3cc7917c1680bb26e506dd26cc01c67a94f1939c5938bbfffcd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5080586.exe

Filesize
185KB

MD5
bdfc0f95d8715f100d7f33970cfc9533

SHA1
f71102295f31440800ec312fa36e3ef211615744

SHA256
0db650df1768cf529fbc15ed1ceb264ec8475735bf4cdb2189fd842fa72a53f9

SHA512
4afcc12cfbbd5a6296750fc0a6b4fb0f2f72079ebeba5c54d677441935bed908abed6902e98d08645bc4d3f5fc5bb00cc236f44e3093f1847fec4140a55de8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5080586.exe

Filesize
185KB

MD5
bdfc0f95d8715f100d7f33970cfc9533

SHA1
f71102295f31440800ec312fa36e3ef211615744

SHA256
0db650df1768cf529fbc15ed1ceb264ec8475735bf4cdb2189fd842fa72a53f9

SHA512
4afcc12cfbbd5a6296750fc0a6b4fb0f2f72079ebeba5c54d677441935bed908abed6902e98d08645bc4d3f5fc5bb00cc236f44e3093f1847fec4140a55de8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6201249.exe

Filesize
145KB

MD5
911503a38a26de7d6de6d4d74bdb71c5

SHA1
c18b7752a5d1a675b8cea8d6837b10ce8d955210

SHA256
bdc52c2a61b1335efd34d10b09b6d4b632f7e44ea00184ea8914df70ed90b050

SHA512
687545010d3e5ace79fd524b51a392bd8e58a2e501acc64f764451d8cab87f988ef6a38c38d3960597be43c82fe6c65d636947f1917ef8a9032847a1e52c5505

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6201249.exe

Filesize
145KB

MD5
911503a38a26de7d6de6d4d74bdb71c5

SHA1
c18b7752a5d1a675b8cea8d6837b10ce8d955210

SHA256
bdc52c2a61b1335efd34d10b09b6d4b632f7e44ea00184ea8914df70ed90b050

SHA512
687545010d3e5ace79fd524b51a392bd8e58a2e501acc64f764451d8cab87f988ef6a38c38d3960597be43c82fe6c65d636947f1917ef8a9032847a1e52c5505

Download Submit
C:\Users\Admin\AppData\Roaming\JoGjo.vbs

Filesize
185KB

MD5
5fdb28050429d9ddc907cc28fad15bcb

SHA1
12fe8bd3740ff532dc032a346de5b3912005ad6a

SHA256
a9145aa1c58fde87e443867e8d028756421044253b464e99295202137690b79c

SHA512
e822ec6892bdc9c1597e82d14cd6d79f8aaaf11f9df8191a7b0482fadf4f6040ebb579b4fb386689ba284e1a5b8e33e691223efb57db222a25e000aae35d4884

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\windows.js

Filesize
3KB

MD5
71794d6c84de81241335e20d992066e9

SHA1
193e4c443ecbdeafe30c720fdff9c7bd2d05d225

SHA256
f1e487f803ac783a06fc25f033c60429663dd1af6bd64c1dca549d2e6eaeaba5

SHA512
0b0c436416c62b7ae23e9bef56de2409580799e710312725b15cb81eda59c1633faeae4ade0979fef5e1b700b7cbb646cb81a935f383330a230cbab701956254

Download Submit
memory/440-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/440-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/440-287-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/772-273-0x0000000000AE0000-0x0000000000B6C000-memory.dmp

Filesize
560KB

Download
memory/896-238-0x0000000007080000-0x0000000007242000-memory.dmp

Filesize
1.8MB

Download
memory/896-212-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/896-207-0x0000000005BF0000-0x0000000006208000-memory.dmp

Filesize
6.1MB

Download
memory/896-208-0x0000000005770000-0x000000000587A000-memory.dmp

Filesize
1.0MB

Download
memory/896-249-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/896-210-0x00000000056A0000-0x00000000056B2000-memory.dmp

Filesize
72KB

Download
memory/896-211-0x0000000005700000-0x000000000573C000-memory.dmp

Filesize
240KB

Download
memory/896-199-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/896-236-0x0000000006600000-0x0000000006692000-memory.dmp

Filesize
584KB

Download
memory/896-247-0x00000000069F0000-0x0000000006A40000-memory.dmp

Filesize
320KB

Download
memory/896-235-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/896-239-0x0000000007780000-0x0000000007CAC000-memory.dmp

Filesize
5.2MB

Download
memory/896-246-0x0000000006970000-0x00000000069E6000-memory.dmp

Filesize
472KB

Download
memory/1088-234-0x0000000007AD0000-0x0000000007AE0000-memory.dmp

Filesize
64KB

Download
memory/1244-185-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-188-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1244-154-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/1244-155-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1244-156-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1244-157-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1244-158-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-159-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-175-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-177-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-161-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-163-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-165-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-173-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-187-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1244-167-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-169-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-186-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1244-179-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-183-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-181-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1244-171-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1468-197-0x0000000000A70000-0x0000000000B58000-memory.dmp

Filesize
928KB

Download
memory/1468-198-0x0000000007810000-0x0000000007820000-memory.dmp

Filesize
64KB

Download
memory/1748-284-0x0000000007B10000-0x0000000007B20000-memory.dmp

Filesize
64KB

Download
memory/1956-244-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-248-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1960-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1960-219-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1960-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1960-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1960-233-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3204-193-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/3372-206-0x0000000000880000-0x0000000000976000-memory.dmp

Filesize
984KB

Download
memory/3372-209-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/3856-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3856-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3856-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download