redline | 8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe
Size

1.1MB
MD5

acc073fb57f33a425de1bec4299ac585
SHA1

382a7584c6cbf3c25a8e229d7b69b71763082a69
SHA256

8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d
SHA512

f14c1731aaba091be52dc5f60b10930d1b78703372cfd10a3a7076e7e2b7ed3c191acdb9344cb0507d23ff1ac35ce444ec05eb71a3cded1043e615fae97c8685
SSDEEP

24576:IySiJtVJt/6Uv8KwgGt6JHEcMoYUdZaFofUADXzDPmsAWH:Prtt6U9w7IRLjZaKfU4XzjmsA

Score

10^/10

redline vjw0rm wshrat luka terra discovery evasion infostealer persistence spyware stealer trojan worm

Malware Config

Extracted

Family

redline

Botnet

luka

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Extracted

Family

vjw0rm

http://vj7974.duckdns.org:7974

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o9253150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o9253150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o9253150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o9253150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o9253150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o9253150.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000001e41f-271.dat	family_wshrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
38	5096	wscript.exe
39	5096	wscript.exe
42	4996	WScript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s1146608.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 18 IoCs

pid	Process
4844	z5643197.exe
4820	z6802044.exe
820	o9253150.exe
3516	p3371399.exe
4004	r7142895.exe
1748	r7142895.exe
1328	s1146608.exe
1712	s1146608.exe
3408	legends.exe
2488	legends.exe
4036	server.exe
4228	legends.exe
4908	legends.exe
3344	legends.exe
1664	legends.exe
2848	legends.exe
1544	legends.exe
1572	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
3196	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o9253150.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o9253150.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5643197.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5643197.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6802044.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6802044.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BN3XGO1HFO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.js\""	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4004 set thread context of 1748	4004	r7142895.exe	94
PID 1328 set thread context of 1712	1328	s1146608.exe	97
PID 3408 set thread context of 2488	3408	legends.exe	99
PID 4228 set thread context of 1664	4228	legends.exe	121
PID 2848 set thread context of 1572	2848	legends.exe	125

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3916	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2136	3516	WerFault.exe	89

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1672	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	wscript.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
820	o9253150.exe
820	o9253150.exe
1748	r7142895.exe
1748	r7142895.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	820	o9253150.exe
Token: SeDebugPrivilege	4004	r7142895.exe
Token: SeDebugPrivilege	1328	s1146608.exe
Token: SeDebugPrivilege	3408	legends.exe
Token: SeDebugPrivilege	1748	r7142895.exe
Token: SeDebugPrivilege	4228	legends.exe
Token: SeDebugPrivilege	2848	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1712	s1146608.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4844	4968	8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe	83
PID 4968 wrote to memory of 4844	4968	8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe	83
PID 4968 wrote to memory of 4844	4968	8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe	83
PID 4844 wrote to memory of 4820	4844	z5643197.exe	84
PID 4844 wrote to memory of 4820	4844	z5643197.exe	84
PID 4844 wrote to memory of 4820	4844	z5643197.exe	84
PID 4820 wrote to memory of 820	4820	z6802044.exe	85
PID 4820 wrote to memory of 820	4820	z6802044.exe	85
PID 4820 wrote to memory of 820	4820	z6802044.exe	85
PID 4820 wrote to memory of 3516	4820	z6802044.exe	89
PID 4820 wrote to memory of 3516	4820	z6802044.exe	89
PID 4820 wrote to memory of 3516	4820	z6802044.exe	89
PID 4844 wrote to memory of 4004	4844	z5643197.exe	93
PID 4844 wrote to memory of 4004	4844	z5643197.exe	93
PID 4844 wrote to memory of 4004	4844	z5643197.exe	93
PID 4004 wrote to memory of 1748	4004	r7142895.exe	94
PID 4004 wrote to memory of 1748	4004	r7142895.exe	94
PID 4004 wrote to memory of 1748	4004	r7142895.exe	94
PID 4004 wrote to memory of 1748	4004	r7142895.exe	94
PID 4004 wrote to memory of 1748	4004	r7142895.exe	94
PID 4004 wrote to memory of 1748	4004	r7142895.exe	94
PID 4004 wrote to memory of 1748	4004	r7142895.exe	94
PID 4004 wrote to memory of 1748	4004	r7142895.exe	94
PID 4968 wrote to memory of 1328	4968	8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe	96
PID 4968 wrote to memory of 1328	4968	8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe	96
PID 4968 wrote to memory of 1328	4968	8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe	96
PID 1328 wrote to memory of 1712	1328	s1146608.exe	97
PID 1328 wrote to memory of 1712	1328	s1146608.exe	97
PID 1328 wrote to memory of 1712	1328	s1146608.exe	97
PID 1328 wrote to memory of 1712	1328	s1146608.exe	97
PID 1328 wrote to memory of 1712	1328	s1146608.exe	97
PID 1328 wrote to memory of 1712	1328	s1146608.exe	97
PID 1328 wrote to memory of 1712	1328	s1146608.exe	97
PID 1328 wrote to memory of 1712	1328	s1146608.exe	97
PID 1328 wrote to memory of 1712	1328	s1146608.exe	97
PID 1328 wrote to memory of 1712	1328	s1146608.exe	97
PID 1712 wrote to memory of 3408	1712	s1146608.exe	98
PID 1712 wrote to memory of 3408	1712	s1146608.exe	98
PID 1712 wrote to memory of 3408	1712	s1146608.exe	98
PID 3408 wrote to memory of 2488	3408	legends.exe	99
PID 3408 wrote to memory of 2488	3408	legends.exe	99
PID 3408 wrote to memory of 2488	3408	legends.exe	99
PID 3408 wrote to memory of 2488	3408	legends.exe	99
PID 3408 wrote to memory of 2488	3408	legends.exe	99
PID 3408 wrote to memory of 2488	3408	legends.exe	99
PID 3408 wrote to memory of 2488	3408	legends.exe	99
PID 3408 wrote to memory of 2488	3408	legends.exe	99
PID 3408 wrote to memory of 2488	3408	legends.exe	99
PID 3408 wrote to memory of 2488	3408	legends.exe	99
PID 2488 wrote to memory of 1672	2488	legends.exe	100
PID 2488 wrote to memory of 1672	2488	legends.exe	100
PID 2488 wrote to memory of 1672	2488	legends.exe	100
PID 2488 wrote to memory of 4068	2488	legends.exe	102
PID 2488 wrote to memory of 4068	2488	legends.exe	102
PID 2488 wrote to memory of 4068	2488	legends.exe	102
PID 4068 wrote to memory of 2216	4068	cmd.exe	104
PID 4068 wrote to memory of 2216	4068	cmd.exe	104
PID 4068 wrote to memory of 2216	4068	cmd.exe	104
PID 4068 wrote to memory of 5024	4068	cmd.exe	105
PID 4068 wrote to memory of 5024	4068	cmd.exe	105
PID 4068 wrote to memory of 5024	4068	cmd.exe	105
PID 4068 wrote to memory of 2652	4068	cmd.exe	106
PID 4068 wrote to memory of 2652	4068	cmd.exe	106
PID 4068 wrote to memory of 2652	4068	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe
"C:\Users\Admin\AppData\Local\Temp\8463b6cbb3b7cd05f0d29149c61767e6477bcab7bccf1c4a9f315033a9722d9d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5643197.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5643197.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6802044.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6802044.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9253150.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9253150.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:820
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3371399.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3371399.exe
      4⤵
      Executes dropped EXE
      PID:3516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 928
        5⤵
        Program crash
        
        PID:2136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7142895.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7142895.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7142895.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7142895.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1146608.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1146608.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1146608.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1146608.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1672
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\JoGjo.vbs"
        7⤵
        Blocklisted process makes network request
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\windows.js"
        8⤵
        Blocklisted process makes network request
        Adds Run key to start application
        
        PID:4996
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3516 -ip 3516
1⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4228
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:1664

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2848
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:1572

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r7142895.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1146608.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1146608.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1146608.exe

Filesize
961KB

MD5
421843ae73b38162687ebda60cd20c37

SHA1
8a6d6832612d2171d421fea2ec8d95a4db1e48ae

SHA256
45e209de276260289f5ab6dd4f67bd74d5c184c9bc5e94cb431e4a4932cc300f

SHA512
ddfbf1145b13b38fc22cf45a893e99a816b9075664c15842a3a32120ea0f698d1780c832bdc3095b89ec81ff5ec60ad438dc427bc5f06e38881e8b0713f904a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5643197.exe

Filesize
702KB

MD5
9be4636a6e4a4c983366be67098ae7d5

SHA1
11725a42de6e54d2b9114c188acc023fe7a4babc

SHA256
728113778f37654af77b20a5cedd3b5e4de9fd130df5e21e2620f86fec7f68a9

SHA512
14b6de09d927590813f06031a4281fa7503761956cc95be147c248fb086d2c51a3c62c7b47a0059045a813cc497160daf8cafe0deb1981cc1c8f119307d5eda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5643197.exe

Filesize
702KB

MD5
9be4636a6e4a4c983366be67098ae7d5

SHA1
11725a42de6e54d2b9114c188acc023fe7a4babc

SHA256
728113778f37654af77b20a5cedd3b5e4de9fd130df5e21e2620f86fec7f68a9

SHA512
14b6de09d927590813f06031a4281fa7503761956cc95be147c248fb086d2c51a3c62c7b47a0059045a813cc497160daf8cafe0deb1981cc1c8f119307d5eda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7142895.exe

Filesize
904KB

MD5
b1c1f7d861f906970adaf3c8f9bf1c30

SHA1
17b5008bec7b695a9969833053998d0bc0681981

SHA256
bd375b42aa91e30d01cdab84360171178199e29c0d7e0d1f20728fbb9d8455bd

SHA512
0a95a6200e1bcc5ed5fdb9ee35da721a486e280a8801febe382f7e0a91ccc52883fccb962ff8e0153e9e74ab6044e4b08fbc8c4ebc3f24f1413a6fa8628e60fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7142895.exe

Filesize
904KB

MD5
b1c1f7d861f906970adaf3c8f9bf1c30

SHA1
17b5008bec7b695a9969833053998d0bc0681981

SHA256
bd375b42aa91e30d01cdab84360171178199e29c0d7e0d1f20728fbb9d8455bd

SHA512
0a95a6200e1bcc5ed5fdb9ee35da721a486e280a8801febe382f7e0a91ccc52883fccb962ff8e0153e9e74ab6044e4b08fbc8c4ebc3f24f1413a6fa8628e60fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7142895.exe

Filesize
904KB

MD5
b1c1f7d861f906970adaf3c8f9bf1c30

SHA1
17b5008bec7b695a9969833053998d0bc0681981

SHA256
bd375b42aa91e30d01cdab84360171178199e29c0d7e0d1f20728fbb9d8455bd

SHA512
0a95a6200e1bcc5ed5fdb9ee35da721a486e280a8801febe382f7e0a91ccc52883fccb962ff8e0153e9e74ab6044e4b08fbc8c4ebc3f24f1413a6fa8628e60fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6802044.exe

Filesize
306KB

MD5
7316a0e3b3c6aac4de8d5921cbaf5f81

SHA1
6090d55fb087db9ade2c5e04637ecf2e62fd3baa

SHA256
81e31e0d3464e201e6d87f49f8675ffb69ef6657cadda943407ef8b3863e6fa0

SHA512
5f5969e5ce0b1c6c974ced25bc91335bf08f7a2c695279f594c5fa03c08bec38654300e4e6b55ab6dd3238bed690386c029cbab7550ae75f145ccbd38e32cfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6802044.exe

Filesize
306KB

MD5
7316a0e3b3c6aac4de8d5921cbaf5f81

SHA1
6090d55fb087db9ade2c5e04637ecf2e62fd3baa

SHA256
81e31e0d3464e201e6d87f49f8675ffb69ef6657cadda943407ef8b3863e6fa0

SHA512
5f5969e5ce0b1c6c974ced25bc91335bf08f7a2c695279f594c5fa03c08bec38654300e4e6b55ab6dd3238bed690386c029cbab7550ae75f145ccbd38e32cfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9253150.exe

Filesize
185KB

MD5
0e33956211e9def4e80567ffe57f2916

SHA1
2e02c9c04030c4b00095e04eca50b105c4c4a903

SHA256
e4e65e444cd1289752a1f9433fc3ca49b03ad3d7f26e2d83e6d1ca898b270c11

SHA512
a0a8f3e71153dba6e6f6e52b86ea4d6ccf58d03b0e650499bd93b27e273a712b046b48a30191670384a93790e3566739e1b947f446f3f3f7f28fd13d2198d036

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9253150.exe

Filesize
185KB

MD5
0e33956211e9def4e80567ffe57f2916

SHA1
2e02c9c04030c4b00095e04eca50b105c4c4a903

SHA256
e4e65e444cd1289752a1f9433fc3ca49b03ad3d7f26e2d83e6d1ca898b270c11

SHA512
a0a8f3e71153dba6e6f6e52b86ea4d6ccf58d03b0e650499bd93b27e273a712b046b48a30191670384a93790e3566739e1b947f446f3f3f7f28fd13d2198d036

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3371399.exe

Filesize
145KB

MD5
e836fa96224720f72f4b73915ff95cfe

SHA1
078805ef02df8c9c2faf07099aae41d809f35335

SHA256
5b22b5727401009da85aa7d8b6d97a33b8a87ff53e7e3d2489eacf49e5c8fe53

SHA512
1603d997388d72942ffc6e9a3c0480223e7d3635c1ad5bfe4c97e6b217cddfb252ef8b69164058c2fb777419bce72c0746d767fed40888315b2f3c2ea33cf41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3371399.exe

Filesize
145KB

MD5
e836fa96224720f72f4b73915ff95cfe

SHA1
078805ef02df8c9c2faf07099aae41d809f35335

SHA256
5b22b5727401009da85aa7d8b6d97a33b8a87ff53e7e3d2489eacf49e5c8fe53

SHA512
1603d997388d72942ffc6e9a3c0480223e7d3635c1ad5bfe4c97e6b217cddfb252ef8b69164058c2fb777419bce72c0746d767fed40888315b2f3c2ea33cf41a

Download Submit
C:\Users\Admin\AppData\Roaming\JoGjo.vbs

Filesize
185KB

MD5
5fdb28050429d9ddc907cc28fad15bcb

SHA1
12fe8bd3740ff532dc032a346de5b3912005ad6a

SHA256
a9145aa1c58fde87e443867e8d028756421044253b464e99295202137690b79c

SHA512
e822ec6892bdc9c1597e82d14cd6d79f8aaaf11f9df8191a7b0482fadf4f6040ebb579b4fb386689ba284e1a5b8e33e691223efb57db222a25e000aae35d4884

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\windows.js

Filesize
3KB

MD5
71794d6c84de81241335e20d992066e9

SHA1
193e4c443ecbdeafe30c720fdff9c7bd2d05d225

SHA256
f1e487f803ac783a06fc25f033c60429663dd1af6bd64c1dca549d2e6eaeaba5

SHA512
0b0c436416c62b7ae23e9bef56de2409580799e710312725b15cb81eda59c1633faeae4ade0979fef5e1b700b7cbb646cb81a935f383330a230cbab701956254

Download Submit
memory/820-170-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-166-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-154-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/820-155-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-156-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-158-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-185-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/820-184-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/820-183-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/820-182-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-180-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-160-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-178-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-162-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-174-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-176-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-164-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-172-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/820-168-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/1328-203-0x0000000000830000-0x0000000000926000-memory.dmp

Filesize
984KB

Download
memory/1328-204-0x00000000075E0000-0x00000000075F0000-memory.dmp

Filesize
64KB

Download
memory/1572-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1572-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1572-313-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1664-285-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1664-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1664-287-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1712-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1712-229-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1712-210-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1712-214-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1712-219-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1748-232-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/1748-207-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/1748-269-0x0000000006BD0000-0x0000000006C20000-memory.dmp

Filesize
320KB

Download
memory/1748-240-0x0000000007350000-0x000000000787C000-memory.dmp

Filesize
5.2MB

Download
memory/1748-272-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/1748-196-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1748-205-0x0000000005900000-0x0000000005F18000-memory.dmp

Filesize
6.1MB

Download
memory/1748-234-0x0000000006C50000-0x0000000006E12000-memory.dmp

Filesize
1.8MB

Download
memory/1748-206-0x0000000005480000-0x000000000558A000-memory.dmp

Filesize
1.0MB

Download
memory/1748-233-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/1748-268-0x0000000006E20000-0x0000000006E96000-memory.dmp

Filesize
472KB

Download
memory/1748-208-0x0000000005410000-0x000000000544C000-memory.dmp

Filesize
240KB

Download
memory/1748-209-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2488-237-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2488-254-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2488-263-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2488-242-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2488-305-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2488-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2488-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2848-309-0x0000000007A10000-0x0000000007A20000-memory.dmp

Filesize
64KB

Download
memory/3408-231-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/3516-190-0x0000000000DA0000-0x0000000000DCA000-memory.dmp

Filesize
168KB

Download
memory/4004-195-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4004-194-0x0000000000230000-0x0000000000318000-memory.dmp

Filesize
928KB

Download
memory/4036-266-0x0000000000460000-0x00000000004EC000-memory.dmp

Filesize
560KB

Download
memory/4228-280-0x0000000007000000-0x0000000007010000-memory.dmp

Filesize
64KB

Download