redline | ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe
Size

1.1MB
MD5

386c3e6c81dbcc80ec9a0e390ccedf79
SHA1

429036ce06c315dde498eacc49c8d563e400e0bf
SHA256

ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3
SHA512

26629a34553a8f622e110149f4176aea68ba59b91dcd4f4b488aa5b06dfde78c38e924dc8f4770a29377af9f52190ad26a9697a87a4464a6b9208937d40ac329
SSDEEP

24576:uyMJDdmefAdokW8BWSHHPx8OE1uJf5CKDmYjjm:987kJWMWSnp8tuXCKDJ

Score

10^/10

redline vjw0rm wshrat luka terra discovery evasion infostealer persistence spyware stealer trojan worm

Malware Config

Extracted

Family

redline

Botnet

luka

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Extracted

Family

vjw0rm

http://vj7974.duckdns.org:7974

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o2946611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o2946611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o2946611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o2946611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o2946611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o2946611.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023142-273.dat	family_wshrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
21	480	wscript.exe
22	480	wscript.exe
25	4432	WScript.exe
46	4432	WScript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s7315675.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 16 IoCs

pid	Process
3704	z6746504.exe
1208	z7187950.exe
4808	o2946611.exe
752	p2559708.exe
4612	r6841301.exe
1628	r6841301.exe
4704	s7315675.exe
1620	s7315675.exe
3008	s7315675.exe
4740	legends.exe
916	legends.exe
2056	server.exe
4588	legends.exe
1800	legends.exe
2180	legends.exe
2652	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
3536	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o2946611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o2946611.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BN3XGO1HFO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.js\""	WScript.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6746504.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7187950.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6746504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7187950.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4612 set thread context of 1628	4612	r6841301.exe	93
PID 4704 set thread context of 3008	4704	s7315675.exe	96
PID 4740 set thread context of 916	4740	legends.exe	98
PID 4588 set thread context of 1800	4588	legends.exe	118
PID 2180 set thread context of 2652	2180	legends.exe	121

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3780	752	WerFault.exe	89

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2144	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	wscript.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4808	o2946611.exe
4808	o2946611.exe
1628	r6841301.exe
1628	r6841301.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	o2946611.exe
Token: SeDebugPrivilege	4612	r6841301.exe
Token: SeDebugPrivilege	4704	s7315675.exe
Token: SeDebugPrivilege	4740	legends.exe
Token: SeDebugPrivilege	1628	r6841301.exe
Token: SeDebugPrivilege	4588	legends.exe
Token: SeDebugPrivilege	2180	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3008	s7315675.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 3704	1880	ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe	83
PID 1880 wrote to memory of 3704	1880	ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe	83
PID 1880 wrote to memory of 3704	1880	ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe	83
PID 3704 wrote to memory of 1208	3704	z6746504.exe	84
PID 3704 wrote to memory of 1208	3704	z6746504.exe	84
PID 3704 wrote to memory of 1208	3704	z6746504.exe	84
PID 1208 wrote to memory of 4808	1208	z7187950.exe	85
PID 1208 wrote to memory of 4808	1208	z7187950.exe	85
PID 1208 wrote to memory of 4808	1208	z7187950.exe	85
PID 1208 wrote to memory of 752	1208	z7187950.exe	89
PID 1208 wrote to memory of 752	1208	z7187950.exe	89
PID 1208 wrote to memory of 752	1208	z7187950.exe	89
PID 3704 wrote to memory of 4612	3704	z6746504.exe	92
PID 3704 wrote to memory of 4612	3704	z6746504.exe	92
PID 3704 wrote to memory of 4612	3704	z6746504.exe	92
PID 4612 wrote to memory of 1628	4612	r6841301.exe	93
PID 4612 wrote to memory of 1628	4612	r6841301.exe	93
PID 4612 wrote to memory of 1628	4612	r6841301.exe	93
PID 4612 wrote to memory of 1628	4612	r6841301.exe	93
PID 4612 wrote to memory of 1628	4612	r6841301.exe	93
PID 4612 wrote to memory of 1628	4612	r6841301.exe	93
PID 4612 wrote to memory of 1628	4612	r6841301.exe	93
PID 4612 wrote to memory of 1628	4612	r6841301.exe	93
PID 1880 wrote to memory of 4704	1880	ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe	94
PID 1880 wrote to memory of 4704	1880	ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe	94
PID 1880 wrote to memory of 4704	1880	ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe	94
PID 4704 wrote to memory of 1620	4704	s7315675.exe	95
PID 4704 wrote to memory of 1620	4704	s7315675.exe	95
PID 4704 wrote to memory of 1620	4704	s7315675.exe	95
PID 4704 wrote to memory of 1620	4704	s7315675.exe	95
PID 4704 wrote to memory of 3008	4704	s7315675.exe	96
PID 4704 wrote to memory of 3008	4704	s7315675.exe	96
PID 4704 wrote to memory of 3008	4704	s7315675.exe	96
PID 4704 wrote to memory of 3008	4704	s7315675.exe	96
PID 4704 wrote to memory of 3008	4704	s7315675.exe	96
PID 4704 wrote to memory of 3008	4704	s7315675.exe	96
PID 4704 wrote to memory of 3008	4704	s7315675.exe	96
PID 4704 wrote to memory of 3008	4704	s7315675.exe	96
PID 4704 wrote to memory of 3008	4704	s7315675.exe	96
PID 4704 wrote to memory of 3008	4704	s7315675.exe	96
PID 3008 wrote to memory of 4740	3008	s7315675.exe	97
PID 3008 wrote to memory of 4740	3008	s7315675.exe	97
PID 3008 wrote to memory of 4740	3008	s7315675.exe	97
PID 4740 wrote to memory of 916	4740	legends.exe	98
PID 4740 wrote to memory of 916	4740	legends.exe	98
PID 4740 wrote to memory of 916	4740	legends.exe	98
PID 4740 wrote to memory of 916	4740	legends.exe	98
PID 4740 wrote to memory of 916	4740	legends.exe	98
PID 4740 wrote to memory of 916	4740	legends.exe	98
PID 4740 wrote to memory of 916	4740	legends.exe	98
PID 4740 wrote to memory of 916	4740	legends.exe	98
PID 4740 wrote to memory of 916	4740	legends.exe	98
PID 4740 wrote to memory of 916	4740	legends.exe	98
PID 916 wrote to memory of 2144	916	legends.exe	100
PID 916 wrote to memory of 2144	916	legends.exe	100
PID 916 wrote to memory of 2144	916	legends.exe	100
PID 916 wrote to memory of 2080	916	legends.exe	101
PID 916 wrote to memory of 2080	916	legends.exe	101
PID 916 wrote to memory of 2080	916	legends.exe	101
PID 2080 wrote to memory of 4176	2080	cmd.exe	104
PID 2080 wrote to memory of 4176	2080	cmd.exe	104
PID 2080 wrote to memory of 4176	2080	cmd.exe	104
PID 2080 wrote to memory of 4972	2080	cmd.exe	105
PID 2080 wrote to memory of 4972	2080	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe
"C:\Users\Admin\AppData\Local\Temp\ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6746504.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6746504.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7187950.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7187950.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2946611.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2946611.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2559708.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2559708.exe
      4⤵
      Executes dropped EXE
      PID:752
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 928
        5⤵
        Program crash
        
        PID:3780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6841301.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6841301.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6841301.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6841301.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7315675.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7315675.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7315675.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7315675.exe
    3⤵
    - Executes dropped EXE
    PID:1620
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7315675.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7315675.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2144
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:4420
      - C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\JoGjo.vbs"
        7⤵
        Blocklisted process makes network request
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\windows.js"
        8⤵
        Blocklisted process makes network request
        Adds Run key to start application
        
        PID:4432
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 752 -ip 752
1⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4588
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:1800

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2180
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r6841301.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7315675.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7315675.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7315675.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7315675.exe

Filesize
961KB

MD5
3b44d9056dd7b0e779cf6bf2818e30f8

SHA1
9808ee8e58b884239163672f3b6823cf53049cf8

SHA256
3454d0cc80133ea4a697190606125b81daa35d604b35a4fbcc8e7549fd46c4cb

SHA512
8c82c1ea8640768d6255836de44fbf5e2dedb9657e630e439a4a1146eb8f4160458a5611d7e975bf0ffe1608854ca606379ff6d1b7da8189bdbb4e8546582437

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6746504.exe

Filesize
702KB

MD5
73253ade5ec0797b4fd585ea90ad0750

SHA1
43ce592b25a75d1e5f7a06196d3f3206e331d437

SHA256
c78b22c2956302cb1f8cb7966753f7da8337eac9099488c24314e7ceb76c5d0d

SHA512
bbe069574a4f4e5692c1a9b6d79fc8099ddffea7a4ab4999b651c9d79f97492feaa7e29f6a42112d1070a5675a572a8783042b42db68a1378ea9dd4863e227c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6746504.exe

Filesize
702KB

MD5
73253ade5ec0797b4fd585ea90ad0750

SHA1
43ce592b25a75d1e5f7a06196d3f3206e331d437

SHA256
c78b22c2956302cb1f8cb7966753f7da8337eac9099488c24314e7ceb76c5d0d

SHA512
bbe069574a4f4e5692c1a9b6d79fc8099ddffea7a4ab4999b651c9d79f97492feaa7e29f6a42112d1070a5675a572a8783042b42db68a1378ea9dd4863e227c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6841301.exe

Filesize
904KB

MD5
69aa386c35a5dd7cc1e8a0192e217d85

SHA1
17177f610921519e241a33973862adc88aa42a7e

SHA256
fd78abc3b26e9451c4d60bdf1d33ad522772c852bc14bc9d23ad61f63b1f583f

SHA512
8508f80c5efccb382013abc44525a6dae0a463d8f5cfb1a50b9402b47871f7311c1e222ff16e9c1f69e4f814a3110277ff21b406e3a08ddc9c30eba935d43472

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6841301.exe

Filesize
904KB

MD5
69aa386c35a5dd7cc1e8a0192e217d85

SHA1
17177f610921519e241a33973862adc88aa42a7e

SHA256
fd78abc3b26e9451c4d60bdf1d33ad522772c852bc14bc9d23ad61f63b1f583f

SHA512
8508f80c5efccb382013abc44525a6dae0a463d8f5cfb1a50b9402b47871f7311c1e222ff16e9c1f69e4f814a3110277ff21b406e3a08ddc9c30eba935d43472

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6841301.exe

Filesize
904KB

MD5
69aa386c35a5dd7cc1e8a0192e217d85

SHA1
17177f610921519e241a33973862adc88aa42a7e

SHA256
fd78abc3b26e9451c4d60bdf1d33ad522772c852bc14bc9d23ad61f63b1f583f

SHA512
8508f80c5efccb382013abc44525a6dae0a463d8f5cfb1a50b9402b47871f7311c1e222ff16e9c1f69e4f814a3110277ff21b406e3a08ddc9c30eba935d43472

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7187950.exe

Filesize
306KB

MD5
9cd7d9205c877e24bf383e9443bbba3d

SHA1
7bdac9413d3647476885bc8c4b3385513bd28cbc

SHA256
ec073f48ccd91725d917d4db9a82a4c8dd803f147d8d5a36ba1c83651de35349

SHA512
eba27956640ef2ecbcd17b097d8bbad2b8a1049d09323bbcddadc2377dc16f796f9aaf9e72c13cc4515ee4f67751f6eefca407ff8724150fb53b82740fafe4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7187950.exe

Filesize
306KB

MD5
9cd7d9205c877e24bf383e9443bbba3d

SHA1
7bdac9413d3647476885bc8c4b3385513bd28cbc

SHA256
ec073f48ccd91725d917d4db9a82a4c8dd803f147d8d5a36ba1c83651de35349

SHA512
eba27956640ef2ecbcd17b097d8bbad2b8a1049d09323bbcddadc2377dc16f796f9aaf9e72c13cc4515ee4f67751f6eefca407ff8724150fb53b82740fafe4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2946611.exe

Filesize
185KB

MD5
31c71c6ed841be569e98043669a24199

SHA1
8f6965d26f67c16d7aa017acfffaa9366f827a48

SHA256
b6c1c7f7f1eacdba3cdccb6d9370db6919e3c0628531c1d9076d818003ea8329

SHA512
90b17bb34560771edc64b95cec4ca601d65a564f9649c0e9f3d3c6979293aba63cbf9b39fdda35c6b1c784519014377ee63876c1ad7ceac874978566ea3e3278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2946611.exe

Filesize
185KB

MD5
31c71c6ed841be569e98043669a24199

SHA1
8f6965d26f67c16d7aa017acfffaa9366f827a48

SHA256
b6c1c7f7f1eacdba3cdccb6d9370db6919e3c0628531c1d9076d818003ea8329

SHA512
90b17bb34560771edc64b95cec4ca601d65a564f9649c0e9f3d3c6979293aba63cbf9b39fdda35c6b1c784519014377ee63876c1ad7ceac874978566ea3e3278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2559708.exe

Filesize
145KB

MD5
9f01da0fa5a18b85aeeb6079cc27c847

SHA1
2bfb679a82d2aa72a1d8e0301692bf260217b085

SHA256
9a8a6a99c3114ca139343a52845fa723315c320b6e1b1e89a46caaec82b3b482

SHA512
54f7ebab7554824e72f5f03ecc469e4db04fffdcc27a872f66e7764f6da828e1f839b0d66f2f5a50c30a28ced98448ca93e25f03ba1ec88a4aa48d5613644a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2559708.exe

Filesize
145KB

MD5
9f01da0fa5a18b85aeeb6079cc27c847

SHA1
2bfb679a82d2aa72a1d8e0301692bf260217b085

SHA256
9a8a6a99c3114ca139343a52845fa723315c320b6e1b1e89a46caaec82b3b482

SHA512
54f7ebab7554824e72f5f03ecc469e4db04fffdcc27a872f66e7764f6da828e1f839b0d66f2f5a50c30a28ced98448ca93e25f03ba1ec88a4aa48d5613644a33

Download Submit
C:\Users\Admin\AppData\Roaming\JoGjo.vbs

Filesize
185KB

MD5
5fdb28050429d9ddc907cc28fad15bcb

SHA1
12fe8bd3740ff532dc032a346de5b3912005ad6a

SHA256
a9145aa1c58fde87e443867e8d028756421044253b464e99295202137690b79c

SHA512
e822ec6892bdc9c1597e82d14cd6d79f8aaaf11f9df8191a7b0482fadf4f6040ebb579b4fb386689ba284e1a5b8e33e691223efb57db222a25e000aae35d4884

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\windows.js

Filesize
3KB

MD5
71794d6c84de81241335e20d992066e9

SHA1
193e4c443ecbdeafe30c720fdff9c7bd2d05d225

SHA256
f1e487f803ac783a06fc25f033c60429663dd1af6bd64c1dca549d2e6eaeaba5

SHA512
0b0c436416c62b7ae23e9bef56de2409580799e710312725b15cb81eda59c1633faeae4ade0979fef5e1b700b7cbb646cb81a935f383330a230cbab701956254

Download Submit
memory/752-191-0x00000000005D0000-0x00000000005FA000-memory.dmp

Filesize
168KB

Download
memory/916-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/916-247-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/916-304-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/916-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/916-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/916-242-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/916-268-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1628-209-0x00000000055E0000-0x000000000561C000-memory.dmp

Filesize
240KB

Download
memory/1628-235-0x0000000006CD0000-0x0000000006D46000-memory.dmp

Filesize
472KB

Download
memory/1628-210-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/1628-197-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1628-246-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/1628-208-0x0000000005580000-0x0000000005592000-memory.dmp

Filesize
72KB

Download
memory/1628-205-0x0000000005AD0000-0x00000000060E8000-memory.dmp

Filesize
6.1MB

Download
memory/1628-238-0x0000000007620000-0x0000000007B4C000-memory.dmp

Filesize
5.2MB

Download
memory/1628-237-0x0000000006F20000-0x00000000070E2000-memory.dmp

Filesize
1.8MB

Download
memory/1628-220-0x00000000060F0000-0x0000000006182000-memory.dmp

Filesize
584KB

Download
memory/1628-222-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/1628-207-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/1628-236-0x0000000006C50000-0x0000000006CA0000-memory.dmp

Filesize
320KB

Download
memory/1800-284-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1800-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1800-285-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2056-270-0x0000000000B90000-0x0000000000C1C000-memory.dmp

Filesize
560KB

Download
memory/2652-312-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2652-311-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2652-310-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3008-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3008-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3008-212-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3008-233-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4588-281-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/4612-196-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download
memory/4612-195-0x0000000000A20000-0x0000000000B08000-memory.dmp

Filesize
928KB

Download
memory/4704-204-0x00000000009F0000-0x0000000000AE6000-memory.dmp

Filesize
984KB

Download
memory/4704-206-0x00000000078D0000-0x00000000078E0000-memory.dmp

Filesize
64KB

Download
memory/4740-234-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/4808-170-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-154-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download
memory/4808-155-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4808-156-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4808-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-160-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-157-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-162-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-164-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-166-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-168-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-172-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-186-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4808-185-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4808-184-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-182-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-180-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-178-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-176-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4808-174-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download