loaderbot | 7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5

Analysis

max time kernel
110s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2023 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe
Size

1020KB
MD5

f7c4d6a935778a6036124478bf61d1f6
SHA1

45eb891375580d1416fcaee8f00c0ebd4ef0b5a8
SHA256

7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5
SHA512

30b49da187449200195f1eaadd5ce6d76bf104995cfb3b577486dfc54476220442d563b3b288cad8625ee9c47d7aa8a5c0a85b671cf762ea4f0e86f94df60420
SSDEEP

24576:oy3ACF89qxuitkervTv60x/ZkKaJbWMvd:vhJxupev60nkKaJd

Score

10^/10

loaderbot redline xmrig lupa discovery evasion infostealer loader miner persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

83.97.73.122:19062

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o3187117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o3187117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o3187117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o3187117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o3187117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o3187117.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/384-210-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-209-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-212-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-214-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-216-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-218-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-220-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-222-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-224-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-226-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-228-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-230-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-232-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-234-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-236-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-238-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-240-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-242-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-244-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/384-264-0x0000000002440000-0x0000000002450000-memory.dmp	family_redline
behavioral1/memory/384-266-0x0000000002440000-0x0000000002450000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral1/memory/4612-1200-0x0000000000400000-0x00000000007FE000-memory.dmp	loaderbot

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/4912-1214-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4912-1218-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s6954583.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	full_min_cr.exe

Executes dropped EXE 15 IoCs

pid	Process
2992	z1781812.exe
5024	z7874043.exe
4940	o3187117.exe
632	p6310784.exe
384	r0218357.exe
3536	s6954583.exe
4052	s6954583.exe
3696	s6954583.exe
1752	legends.exe
2560	legends.exe
4892	full_min_cr.exe
1052	legends.exe
1284	legends.exe
4612	full_min_cr.exe
4912	Driver.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o3187117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o3187117.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1781812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1781812.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7874043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7874043.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3536 set thread context of 3696	3536	s6954583.exe	92
PID 1752 set thread context of 2560	1752	legends.exe	94
PID 1052 set thread context of 1284	1052	legends.exe	107
PID 4892 set thread context of 4612	4892	full_min_cr.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4940	o3187117.exe
4940	o3187117.exe
632	p6310784.exe
632	p6310784.exe
384	r0218357.exe
384	r0218357.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe
4612	full_min_cr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	o3187117.exe
Token: SeDebugPrivilege	632	p6310784.exe
Token: SeDebugPrivilege	384	r0218357.exe
Token: SeDebugPrivilege	3536	s6954583.exe
Token: SeDebugPrivilege	1752	legends.exe
Token: SeDebugPrivilege	1052	legends.exe
Token: SeDebugPrivilege	4612	full_min_cr.exe
Token: SeLockMemoryPrivilege	4912	Driver.exe
Token: SeLockMemoryPrivilege	4912	Driver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3696	s6954583.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 2992	4680	7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe	84
PID 4680 wrote to memory of 2992	4680	7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe	84
PID 4680 wrote to memory of 2992	4680	7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe	84
PID 2992 wrote to memory of 5024	2992	z1781812.exe	85
PID 2992 wrote to memory of 5024	2992	z1781812.exe	85
PID 2992 wrote to memory of 5024	2992	z1781812.exe	85
PID 5024 wrote to memory of 4940	5024	z7874043.exe	86
PID 5024 wrote to memory of 4940	5024	z7874043.exe	86
PID 5024 wrote to memory of 4940	5024	z7874043.exe	86
PID 5024 wrote to memory of 632	5024	z7874043.exe	87
PID 5024 wrote to memory of 632	5024	z7874043.exe	87
PID 5024 wrote to memory of 632	5024	z7874043.exe	87
PID 2992 wrote to memory of 384	2992	z1781812.exe	88
PID 2992 wrote to memory of 384	2992	z1781812.exe	88
PID 2992 wrote to memory of 384	2992	z1781812.exe	88
PID 4680 wrote to memory of 3536	4680	7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe	90
PID 4680 wrote to memory of 3536	4680	7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe	90
PID 4680 wrote to memory of 3536	4680	7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe	90
PID 3536 wrote to memory of 4052	3536	s6954583.exe	91
PID 3536 wrote to memory of 4052	3536	s6954583.exe	91
PID 3536 wrote to memory of 4052	3536	s6954583.exe	91
PID 3536 wrote to memory of 4052	3536	s6954583.exe	91
PID 3536 wrote to memory of 3696	3536	s6954583.exe	92
PID 3536 wrote to memory of 3696	3536	s6954583.exe	92
PID 3536 wrote to memory of 3696	3536	s6954583.exe	92
PID 3536 wrote to memory of 3696	3536	s6954583.exe	92
PID 3536 wrote to memory of 3696	3536	s6954583.exe	92
PID 3536 wrote to memory of 3696	3536	s6954583.exe	92
PID 3536 wrote to memory of 3696	3536	s6954583.exe	92
PID 3536 wrote to memory of 3696	3536	s6954583.exe	92
PID 3536 wrote to memory of 3696	3536	s6954583.exe	92
PID 3536 wrote to memory of 3696	3536	s6954583.exe	92
PID 3696 wrote to memory of 1752	3696	s6954583.exe	93
PID 3696 wrote to memory of 1752	3696	s6954583.exe	93
PID 3696 wrote to memory of 1752	3696	s6954583.exe	93
PID 1752 wrote to memory of 2560	1752	legends.exe	94
PID 1752 wrote to memory of 2560	1752	legends.exe	94
PID 1752 wrote to memory of 2560	1752	legends.exe	94
PID 1752 wrote to memory of 2560	1752	legends.exe	94
PID 1752 wrote to memory of 2560	1752	legends.exe	94
PID 1752 wrote to memory of 2560	1752	legends.exe	94
PID 1752 wrote to memory of 2560	1752	legends.exe	94
PID 1752 wrote to memory of 2560	1752	legends.exe	94
PID 1752 wrote to memory of 2560	1752	legends.exe	94
PID 1752 wrote to memory of 2560	1752	legends.exe	94
PID 2560 wrote to memory of 3320	2560	legends.exe	95
PID 2560 wrote to memory of 3320	2560	legends.exe	95
PID 2560 wrote to memory of 3320	2560	legends.exe	95
PID 2560 wrote to memory of 3960	2560	legends.exe	97
PID 2560 wrote to memory of 3960	2560	legends.exe	97
PID 2560 wrote to memory of 3960	2560	legends.exe	97
PID 3960 wrote to memory of 4520	3960	cmd.exe	99
PID 3960 wrote to memory of 4520	3960	cmd.exe	99
PID 3960 wrote to memory of 4520	3960	cmd.exe	99
PID 3960 wrote to memory of 4272	3960	cmd.exe	100
PID 3960 wrote to memory of 4272	3960	cmd.exe	100
PID 3960 wrote to memory of 4272	3960	cmd.exe	100
PID 3960 wrote to memory of 4984	3960	cmd.exe	101
PID 3960 wrote to memory of 4984	3960	cmd.exe	101
PID 3960 wrote to memory of 4984	3960	cmd.exe	101
PID 3960 wrote to memory of 2504	3960	cmd.exe	102
PID 3960 wrote to memory of 2504	3960	cmd.exe	102
PID 3960 wrote to memory of 2504	3960	cmd.exe	102
PID 3960 wrote to memory of 2148	3960	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe
"C:\Users\Admin\AppData\Local\Temp\7693f8297ae791efa6461c2acb749f666d71cb8d78cd3efc27a2fe7ae347dbb5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1781812.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1781812.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7874043.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7874043.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3187117.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3187117.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6310784.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6310784.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0218357.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0218357.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6954583.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6954583.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6954583.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6954583.exe
    3⤵
    - Executes dropped EXE
    PID:4052
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6954583.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6954583.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3320
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe
        
        "{path}"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2384

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1052
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:1284

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe

Filesize
2.7MB

MD5
e7bf9f0c2c1977ddd8e139c13c27be0d

SHA1
e91aff3d9a8c7cef0e9543350864971e4ad93f82

SHA256
a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba

SHA512
d9961824b178944aec2411c1bb29a5ef4b487ce0c251fe381e2841c6abe00f29ecf895ab1baf93e49442af07a14acdcf9d882519d39beb5c4d4902db2db2560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe

Filesize
2.7MB

MD5
e7bf9f0c2c1977ddd8e139c13c27be0d

SHA1
e91aff3d9a8c7cef0e9543350864971e4ad93f82

SHA256
a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba

SHA512
d9961824b178944aec2411c1bb29a5ef4b487ce0c251fe381e2841c6abe00f29ecf895ab1baf93e49442af07a14acdcf9d882519d39beb5c4d4902db2db2560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe

Filesize
2.7MB

MD5
e7bf9f0c2c1977ddd8e139c13c27be0d

SHA1
e91aff3d9a8c7cef0e9543350864971e4ad93f82

SHA256
a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba

SHA512
d9961824b178944aec2411c1bb29a5ef4b487ce0c251fe381e2841c6abe00f29ecf895ab1baf93e49442af07a14acdcf9d882519d39beb5c4d4902db2db2560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe

Filesize
2.7MB

MD5
e7bf9f0c2c1977ddd8e139c13c27be0d

SHA1
e91aff3d9a8c7cef0e9543350864971e4ad93f82

SHA256
a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba

SHA512
d9961824b178944aec2411c1bb29a5ef4b487ce0c251fe381e2841c6abe00f29ecf895ab1baf93e49442af07a14acdcf9d882519d39beb5c4d4902db2db2560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6954583.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6954583.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6954583.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6954583.exe

Filesize
963KB

MD5
a336543063d612190de703085df75c75

SHA1
a841c3a0f7a11893266a976f3febe1e126a7ff1e

SHA256
7957eb3cdd38b6ef12b7a7d3e4c4ba84e93821d1fe2348ba3aea51ce7a69c0f1

SHA512
aa9a96bf09e5eb071d091a0ca0f9df35f1edc8a170fbc4411a0ad5a247ed83a08e51e6cdd83271c50fb7ab1a9edf8576eebc72d6f8c84ebe479b238df367dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1781812.exe

Filesize
575KB

MD5
10ac550b2a2381cbc1e458d7cbf11dcd

SHA1
69c2dfdc1243b8dbf5a69114916d1145b1679ab8

SHA256
70017c389f5afad69c7ebb311065241e45d0bd35d2e313def29c71dddf78372c

SHA512
a8a12563050f2559255dc35907cc2371c5b7bd783e30cf316786f1eaa2492646d3169e6215c369f97b31e488855e05219ebc63feb0c2eaa83d6e948dcbf6a6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1781812.exe

Filesize
575KB

MD5
10ac550b2a2381cbc1e458d7cbf11dcd

SHA1
69c2dfdc1243b8dbf5a69114916d1145b1679ab8

SHA256
70017c389f5afad69c7ebb311065241e45d0bd35d2e313def29c71dddf78372c

SHA512
a8a12563050f2559255dc35907cc2371c5b7bd783e30cf316786f1eaa2492646d3169e6215c369f97b31e488855e05219ebc63feb0c2eaa83d6e948dcbf6a6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0218357.exe

Filesize
284KB

MD5
36ba68f149e74945016bccafbb8265cf

SHA1
0f852a01bac4a17bd6e4882a6c4adfc05c914e9e

SHA256
5127c3b1e2762228fbd325db6ff066642cf89f82e0828cc916ec0e38689f3b48

SHA512
1a3b1b90a9060cb8bab598205acd2201286060859be0c977c7ddda8986de2a25317f1e50b88460a6253b42b86c7ef049e10f3c506991c4412df285eb42500c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0218357.exe

Filesize
284KB

MD5
36ba68f149e74945016bccafbb8265cf

SHA1
0f852a01bac4a17bd6e4882a6c4adfc05c914e9e

SHA256
5127c3b1e2762228fbd325db6ff066642cf89f82e0828cc916ec0e38689f3b48

SHA512
1a3b1b90a9060cb8bab598205acd2201286060859be0c977c7ddda8986de2a25317f1e50b88460a6253b42b86c7ef049e10f3c506991c4412df285eb42500c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7874043.exe

Filesize
304KB

MD5
c96d352b3cc62dea5d60f122cab94d63

SHA1
55fddb32a24374af0d572085565a578296ab3d29

SHA256
1b18938e3237aaf1ddf3b8d15b648da07f4ca00b17e9077ee102c787ce0787a1

SHA512
7cb98594fc8c7073b1a69651a02cb5afc44a9e2df97b05f47ae6eb6a2d6e9a97c2ab27296110cbbcd00093eba967597fcf664e99d3dcf160df1954edf8bba174

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7874043.exe

Filesize
304KB

MD5
c96d352b3cc62dea5d60f122cab94d63

SHA1
55fddb32a24374af0d572085565a578296ab3d29

SHA256
1b18938e3237aaf1ddf3b8d15b648da07f4ca00b17e9077ee102c787ce0787a1

SHA512
7cb98594fc8c7073b1a69651a02cb5afc44a9e2df97b05f47ae6eb6a2d6e9a97c2ab27296110cbbcd00093eba967597fcf664e99d3dcf160df1954edf8bba174

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3187117.exe

Filesize
185KB

MD5
c3438bdadc9f9032df91a2ec8ff4524a

SHA1
526c5c9bca886d0428e306308cd4478be2ed87fc

SHA256
daf251a84ace2608691681c44b178380f24ee044e3a06f90bf78f00a2aeda11d

SHA512
5ef899cf7342c74a4322c435babe2021a1a82cd56e6cc27972ebea90c17c8a74dad02ae138ae3efdf4c7ded6ac20c386919509925d22b0bd7f9769f899d7694f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3187117.exe

Filesize
185KB

MD5
c3438bdadc9f9032df91a2ec8ff4524a

SHA1
526c5c9bca886d0428e306308cd4478be2ed87fc

SHA256
daf251a84ace2608691681c44b178380f24ee044e3a06f90bf78f00a2aeda11d

SHA512
5ef899cf7342c74a4322c435babe2021a1a82cd56e6cc27972ebea90c17c8a74dad02ae138ae3efdf4c7ded6ac20c386919509925d22b0bd7f9769f899d7694f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6310784.exe

Filesize
145KB

MD5
1f0dcdbd5f61636f6c638f29ef491f7a

SHA1
e2bd632f045be20f3cf5e7512282ea3a22da0479

SHA256
a8ead616dabdf9f56d29cb078a7fd7bf6e2d55b05f18cb423903a8203e0c5cac

SHA512
f75a1ffca62ea9a35671191d2605e366e9b72cb8345bf636a283d881993e2af3f61ad28e946152c34b06cd6fbedf1f12993361ac7609367f5f5811cc44b953ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6310784.exe

Filesize
145KB

MD5
1f0dcdbd5f61636f6c638f29ef491f7a

SHA1
e2bd632f045be20f3cf5e7512282ea3a22da0479

SHA256
a8ead616dabdf9f56d29cb078a7fd7bf6e2d55b05f18cb423903a8203e0c5cac

SHA512
f75a1ffca62ea9a35671191d2605e366e9b72cb8345bf636a283d881993e2af3f61ad28e946152c34b06cd6fbedf1f12993361ac7609367f5f5811cc44b953ae

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/384-262-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/384-212-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-1120-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/384-266-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/384-264-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/384-1122-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/384-244-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-242-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-240-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-1123-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/384-238-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-210-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-209-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-1121-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/384-214-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-216-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-218-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-220-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-222-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-224-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-226-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-228-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-230-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-232-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-234-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/384-236-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/632-192-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/632-194-0x0000000004D50000-0x0000000004E5A000-memory.dmp

Filesize
1.0MB

Download
memory/632-203-0x0000000006DB0000-0x00000000072DC000-memory.dmp

Filesize
5.2MB

Download
memory/632-202-0x00000000066B0000-0x0000000006872000-memory.dmp

Filesize
1.8MB

Download
memory/632-201-0x0000000005D20000-0x0000000005D70000-memory.dmp

Filesize
320KB

Download
memory/632-200-0x0000000005CA0000-0x0000000005D16000-memory.dmp

Filesize
472KB

Download
memory/632-199-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/632-198-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/632-197-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/632-196-0x0000000004CC0000-0x0000000004CFC000-memory.dmp

Filesize
240KB

Download
memory/632-195-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/632-204-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/632-193-0x0000000005260000-0x0000000005878000-memory.dmp

Filesize
6.1MB

Download
memory/1284-1196-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1752-1152-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/2560-1159-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2560-1188-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3536-1128-0x0000000000E00000-0x0000000000EF8000-memory.dmp

Filesize
992KB

Download
memory/3536-1129-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download
memory/3696-1137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3696-1151-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4612-1200-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4612-1213-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4612-1217-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4892-1183-0x0000000000490000-0x000000000074C000-memory.dmp

Filesize
2.7MB

Download
memory/4892-1184-0x0000000004F90000-0x000000000502C000-memory.dmp

Filesize
624KB

Download
memory/4892-1185-0x0000000005060000-0x000000000506A000-memory.dmp

Filesize
40KB

Download
memory/4892-1186-0x00000000052F0000-0x0000000005346000-memory.dmp

Filesize
344KB

Download
memory/4892-1187-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-1191-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4912-1218-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4912-1215-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/4912-1214-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4912-1241-0x0000000002100000-0x0000000002120000-memory.dmp

Filesize
128KB

Download
memory/4912-1240-0x0000000000440000-0x0000000000460000-memory.dmp

Filesize
128KB

Download
memory/4912-1244-0x0000000002100000-0x0000000002120000-memory.dmp

Filesize
128KB

Download
memory/4912-1243-0x0000000000440000-0x0000000000460000-memory.dmp

Filesize
128KB

Download
memory/4940-187-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4940-167-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-165-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-169-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-163-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-161-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-159-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-171-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-173-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-175-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-177-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-179-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-158-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-157-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/4940-156-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4940-155-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4940-181-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-183-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-185-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4940-186-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4940-154-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download