loaderbot | a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2023 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe
Size

1020KB
MD5

4aeda6e2b1f51a375f3393735a6ee9c2
SHA1

ec7ce670cbd33ddda0dd983e71838548c8a4f9c5
SHA256

a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736
SHA512

4fa369dc07157f0ac02252c11a6624a0c688990cbd97316b67aeae13313ed7234fde120a2422fea59a13f628254f264410f3dc87b9739fde273ba785f5e87d85
SSDEEP

24576:+yS/nq8KH/wgrvIHJYH5WRwpFaFisnlr4wyD0F5sdF:NS/nqPw7HKYRSsFiqkB6

Score

10^/10

loaderbot redline xmrig lupa discovery evasion infostealer loader miner persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

83.97.73.122:19062

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o1180672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o1180672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o1180672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o1180672.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o1180672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o1180672.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/444-211-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-210-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-213-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-220-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-216-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-222-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-224-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-226-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-228-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-230-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-232-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-234-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-236-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-238-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-240-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-242-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-244-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-246-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-248-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/444-1123-0x00000000049F0000-0x0000000004A00000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral1/memory/4740-1204-0x0000000000400000-0x00000000007FE000-memory.dmp	loaderbot

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/1512-1218-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1512-1241-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	s7130642.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	full_min_cr.exe

Executes dropped EXE 17 IoCs

pid	Process
2624	z5727042.exe
4596	z4471660.exe
4336	o1180672.exe
3680	p1807088.exe
444	r0168738.exe
1368	s7130642.exe
3964	s7130642.exe
4616	s7130642.exe
3756	legends.exe
1808	legends.exe
4312	full_min_cr.exe
3152	legends.exe
1692	legends.exe
2196	legends.exe
4740	full_min_cr.exe
1512	Driver.exe
3252	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
4436	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o1180672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o1180672.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5727042.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5727042.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4471660.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4471660.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 4616	1368	s7130642.exe	92
PID 3756 set thread context of 1808	3756	legends.exe	94
PID 3152 set thread context of 2196	3152	legends.exe	108
PID 4312 set thread context of 4740	4312	full_min_cr.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4336	o1180672.exe
4336	o1180672.exe
3680	p1807088.exe
3680	p1807088.exe
444	r0168738.exe
444	r0168738.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe
4740	full_min_cr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4336	o1180672.exe
Token: SeDebugPrivilege	3680	p1807088.exe
Token: SeDebugPrivilege	444	r0168738.exe
Token: SeDebugPrivilege	1368	s7130642.exe
Token: SeDebugPrivilege	3756	legends.exe
Token: SeDebugPrivilege	3152	legends.exe
Token: SeDebugPrivilege	4740	full_min_cr.exe
Token: SeLockMemoryPrivilege	1512	Driver.exe
Token: SeLockMemoryPrivilege	1512	Driver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4616	s7130642.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2624	2868	a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe	84
PID 2868 wrote to memory of 2624	2868	a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe	84
PID 2868 wrote to memory of 2624	2868	a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe	84
PID 2624 wrote to memory of 4596	2624	z5727042.exe	85
PID 2624 wrote to memory of 4596	2624	z5727042.exe	85
PID 2624 wrote to memory of 4596	2624	z5727042.exe	85
PID 4596 wrote to memory of 4336	4596	z4471660.exe	86
PID 4596 wrote to memory of 4336	4596	z4471660.exe	86
PID 4596 wrote to memory of 4336	4596	z4471660.exe	86
PID 4596 wrote to memory of 3680	4596	z4471660.exe	87
PID 4596 wrote to memory of 3680	4596	z4471660.exe	87
PID 4596 wrote to memory of 3680	4596	z4471660.exe	87
PID 2624 wrote to memory of 444	2624	z5727042.exe	89
PID 2624 wrote to memory of 444	2624	z5727042.exe	89
PID 2624 wrote to memory of 444	2624	z5727042.exe	89
PID 2868 wrote to memory of 1368	2868	a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe	90
PID 2868 wrote to memory of 1368	2868	a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe	90
PID 2868 wrote to memory of 1368	2868	a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe	90
PID 1368 wrote to memory of 3964	1368	s7130642.exe	91
PID 1368 wrote to memory of 3964	1368	s7130642.exe	91
PID 1368 wrote to memory of 3964	1368	s7130642.exe	91
PID 1368 wrote to memory of 3964	1368	s7130642.exe	91
PID 1368 wrote to memory of 4616	1368	s7130642.exe	92
PID 1368 wrote to memory of 4616	1368	s7130642.exe	92
PID 1368 wrote to memory of 4616	1368	s7130642.exe	92
PID 1368 wrote to memory of 4616	1368	s7130642.exe	92
PID 1368 wrote to memory of 4616	1368	s7130642.exe	92
PID 1368 wrote to memory of 4616	1368	s7130642.exe	92
PID 1368 wrote to memory of 4616	1368	s7130642.exe	92
PID 1368 wrote to memory of 4616	1368	s7130642.exe	92
PID 1368 wrote to memory of 4616	1368	s7130642.exe	92
PID 1368 wrote to memory of 4616	1368	s7130642.exe	92
PID 4616 wrote to memory of 3756	4616	s7130642.exe	93
PID 4616 wrote to memory of 3756	4616	s7130642.exe	93
PID 4616 wrote to memory of 3756	4616	s7130642.exe	93
PID 3756 wrote to memory of 1808	3756	legends.exe	94
PID 3756 wrote to memory of 1808	3756	legends.exe	94
PID 3756 wrote to memory of 1808	3756	legends.exe	94
PID 3756 wrote to memory of 1808	3756	legends.exe	94
PID 3756 wrote to memory of 1808	3756	legends.exe	94
PID 3756 wrote to memory of 1808	3756	legends.exe	94
PID 3756 wrote to memory of 1808	3756	legends.exe	94
PID 3756 wrote to memory of 1808	3756	legends.exe	94
PID 3756 wrote to memory of 1808	3756	legends.exe	94
PID 3756 wrote to memory of 1808	3756	legends.exe	94
PID 1808 wrote to memory of 460	1808	legends.exe	95
PID 1808 wrote to memory of 460	1808	legends.exe	95
PID 1808 wrote to memory of 460	1808	legends.exe	95
PID 1808 wrote to memory of 2296	1808	legends.exe	97
PID 1808 wrote to memory of 2296	1808	legends.exe	97
PID 1808 wrote to memory of 2296	1808	legends.exe	97
PID 2296 wrote to memory of 1244	2296	cmd.exe	99
PID 2296 wrote to memory of 1244	2296	cmd.exe	99
PID 2296 wrote to memory of 1244	2296	cmd.exe	99
PID 2296 wrote to memory of 4600	2296	cmd.exe	100
PID 2296 wrote to memory of 4600	2296	cmd.exe	100
PID 2296 wrote to memory of 4600	2296	cmd.exe	100
PID 2296 wrote to memory of 4936	2296	cmd.exe	101
PID 2296 wrote to memory of 4936	2296	cmd.exe	101
PID 2296 wrote to memory of 4936	2296	cmd.exe	101
PID 2296 wrote to memory of 4492	2296	cmd.exe	102
PID 2296 wrote to memory of 4492	2296	cmd.exe	102
PID 2296 wrote to memory of 4492	2296	cmd.exe	102
PID 2296 wrote to memory of 4488	2296	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe
"C:\Users\Admin\AppData\Local\Temp\a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5727042.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5727042.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4471660.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4471660.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1180672.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1180672.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1807088.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1807088.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0168738.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0168738.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7130642.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7130642.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7130642.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7130642.exe
    3⤵
    - Executes dropped EXE
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7130642.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7130642.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:460
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:1264
      - C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe
        
        "{path}"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4436

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3152
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:2196

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
PID:3252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\full_min_cr.exe.log

Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe

Filesize
2.7MB

MD5
e7bf9f0c2c1977ddd8e139c13c27be0d

SHA1
e91aff3d9a8c7cef0e9543350864971e4ad93f82

SHA256
a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba

SHA512
d9961824b178944aec2411c1bb29a5ef4b487ce0c251fe381e2841c6abe00f29ecf895ab1baf93e49442af07a14acdcf9d882519d39beb5c4d4902db2db2560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe

Filesize
2.7MB

MD5
e7bf9f0c2c1977ddd8e139c13c27be0d

SHA1
e91aff3d9a8c7cef0e9543350864971e4ad93f82

SHA256
a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba

SHA512
d9961824b178944aec2411c1bb29a5ef4b487ce0c251fe381e2841c6abe00f29ecf895ab1baf93e49442af07a14acdcf9d882519d39beb5c4d4902db2db2560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe

Filesize
2.7MB

MD5
e7bf9f0c2c1977ddd8e139c13c27be0d

SHA1
e91aff3d9a8c7cef0e9543350864971e4ad93f82

SHA256
a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba

SHA512
d9961824b178944aec2411c1bb29a5ef4b487ce0c251fe381e2841c6abe00f29ecf895ab1baf93e49442af07a14acdcf9d882519d39beb5c4d4902db2db2560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\full_min_cr.exe

Filesize
2.7MB

MD5
e7bf9f0c2c1977ddd8e139c13c27be0d

SHA1
e91aff3d9a8c7cef0e9543350864971e4ad93f82

SHA256
a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba

SHA512
d9961824b178944aec2411c1bb29a5ef4b487ce0c251fe381e2841c6abe00f29ecf895ab1baf93e49442af07a14acdcf9d882519d39beb5c4d4902db2db2560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7130642.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7130642.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7130642.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7130642.exe

Filesize
963KB

MD5
18d5d24c7814bf6a8a328c11c6dc38ab

SHA1
9c8fde15977606942ccc38e3d82063ea74db6d90

SHA256
4821c90152d4d23405c4923214de5285caab6192b228a400ce2057f43e014823

SHA512
ed3b3c61ffce8f8838b13e6e952100590243558878d5d55d096421ff3a86b75114c7a1fd3ee0b2a79b51f029a7db3d5604111e3b62e22ef78e082e856063a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5727042.exe

Filesize
575KB

MD5
721a6b27559378070c2e78996ea3af61

SHA1
0ef9efbb05411c51c5543d7a21770c92cc22de1d

SHA256
14c7c3e2ddcbe3da17148b57f7a28b5c977c12b491e47e10bac09a8ba0944ede

SHA512
5ff9f55efea971f130a50b50f52c30c579f9261e430fe621a974948a3014f96e8e24734ff84fb9d7c9fd414bdeb2b54f20a18db4b7b08e034dd32df1c4ba6aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5727042.exe

Filesize
575KB

MD5
721a6b27559378070c2e78996ea3af61

SHA1
0ef9efbb05411c51c5543d7a21770c92cc22de1d

SHA256
14c7c3e2ddcbe3da17148b57f7a28b5c977c12b491e47e10bac09a8ba0944ede

SHA512
5ff9f55efea971f130a50b50f52c30c579f9261e430fe621a974948a3014f96e8e24734ff84fb9d7c9fd414bdeb2b54f20a18db4b7b08e034dd32df1c4ba6aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0168738.exe

Filesize
284KB

MD5
e57efdcf7753c87884b536baaad977be

SHA1
e5e8c234470db9b7bc22bc2f9e2c09f062b9a118

SHA256
8237ceedee5f5891ea244519a54237563710839dc4f2fa0a2cd5b0092d8e6621

SHA512
8e1f045f52424fe262be8bd24e1ae895d60a20b982aa7f300efac86a66f3f551a14f9416ea1e598b98a28e6dd82bdc7a831e6f0f3303e4e40db11a31c8f941bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0168738.exe

Filesize
284KB

MD5
e57efdcf7753c87884b536baaad977be

SHA1
e5e8c234470db9b7bc22bc2f9e2c09f062b9a118

SHA256
8237ceedee5f5891ea244519a54237563710839dc4f2fa0a2cd5b0092d8e6621

SHA512
8e1f045f52424fe262be8bd24e1ae895d60a20b982aa7f300efac86a66f3f551a14f9416ea1e598b98a28e6dd82bdc7a831e6f0f3303e4e40db11a31c8f941bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4471660.exe

Filesize
304KB

MD5
0938a8f3d4089fb006b5dc1edcf42a24

SHA1
af246eb44a6be8f875c55ad8a6dac975ab8c8372

SHA256
83bccbc0adb326606384875e6726d2107510ac1766726e7c76b78f1836b06dab

SHA512
45b5d55d332f15022140f8d2b242f6659f90614ac1dbd866f69e832d7d87cd9cbd6033aff71f939209e4b24a107b4ba5d902954896859b82a03ef92c00e3c54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4471660.exe

Filesize
304KB

MD5
0938a8f3d4089fb006b5dc1edcf42a24

SHA1
af246eb44a6be8f875c55ad8a6dac975ab8c8372

SHA256
83bccbc0adb326606384875e6726d2107510ac1766726e7c76b78f1836b06dab

SHA512
45b5d55d332f15022140f8d2b242f6659f90614ac1dbd866f69e832d7d87cd9cbd6033aff71f939209e4b24a107b4ba5d902954896859b82a03ef92c00e3c54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1180672.exe

Filesize
185KB

MD5
fe15a006c95ec7fcafefe728927d5e27

SHA1
12fbc3bfb6c5aba7f374fd2431000f029932b7e0

SHA256
72309fe94bd4044948812f520f01f0eacbfea3040306058c5dc285ac582368d3

SHA512
317b22f4b4ab9b7366bab2f6939f84dc80e1ea170c7e49ea99470b5edc26f03e916082122bfceb2bc87cb9cda536e6ae0d15a2e580304d912660c21614f7f515

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1180672.exe

Filesize
185KB

MD5
fe15a006c95ec7fcafefe728927d5e27

SHA1
12fbc3bfb6c5aba7f374fd2431000f029932b7e0

SHA256
72309fe94bd4044948812f520f01f0eacbfea3040306058c5dc285ac582368d3

SHA512
317b22f4b4ab9b7366bab2f6939f84dc80e1ea170c7e49ea99470b5edc26f03e916082122bfceb2bc87cb9cda536e6ae0d15a2e580304d912660c21614f7f515

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1807088.exe

Filesize
145KB

MD5
913ec71e3e383bad8613b0dd05d6c5a0

SHA1
f3b24a1dee257fa93e90c8b1faaa20624a2e89e0

SHA256
8d0c3c55a480be4418c2ee07170d356a84b3f05bd41aa61ea902242fffc20a29

SHA512
977164d4c29abd0a42ae141c013f68e8b7a1deb3f5ed3ca700dc6a7febd901c4bd0cf7f7324f29c3714a6e92bba5d5ab51a82d491aa20eb081968a2fe7e1ff04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1807088.exe

Filesize
145KB

MD5
913ec71e3e383bad8613b0dd05d6c5a0

SHA1
f3b24a1dee257fa93e90c8b1faaa20624a2e89e0

SHA256
8d0c3c55a480be4418c2ee07170d356a84b3f05bd41aa61ea902242fffc20a29

SHA512
977164d4c29abd0a42ae141c013f68e8b7a1deb3f5ed3ca700dc6a7febd901c4bd0cf7f7324f29c3714a6e92bba5d5ab51a82d491aa20eb081968a2fe7e1ff04

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/444-238-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-1122-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/444-222-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-1124-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/444-1123-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/444-224-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-1121-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/444-248-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-246-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-244-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-211-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-210-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-213-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-226-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-217-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/444-220-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-219-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/444-216-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-242-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-240-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-215-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/444-228-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-230-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-232-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-234-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/444-236-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1368-1129-0x0000000000520000-0x0000000000618000-memory.dmp

Filesize
992KB

Download
memory/1368-1130-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/1512-1248-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/1512-1249-0x0000000000750000-0x0000000000770000-memory.dmp

Filesize
128KB

Download
memory/1512-1245-0x0000000000750000-0x0000000000770000-memory.dmp

Filesize
128KB

Download
memory/1512-1244-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/1512-1219-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/1512-1241-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1512-1218-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1808-1193-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1808-1160-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2196-1198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3152-1191-0x0000000007D20000-0x0000000007D30000-memory.dmp

Filesize
64KB

Download
memory/3680-193-0x0000000000010000-0x000000000003A000-memory.dmp

Filesize
168KB

Download
memory/3680-200-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/3680-204-0x00000000069E0000-0x0000000006F0C000-memory.dmp

Filesize
5.2MB

Download
memory/3680-195-0x0000000004970000-0x0000000004A7A000-memory.dmp

Filesize
1.0MB

Download
memory/3680-203-0x00000000062E0000-0x00000000064A2000-memory.dmp

Filesize
1.8MB

Download
memory/3680-202-0x0000000005940000-0x0000000005990000-memory.dmp

Filesize
320KB

Download
memory/3680-201-0x00000000058C0000-0x0000000005936000-memory.dmp

Filesize
472KB

Download
memory/3680-205-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3680-196-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/3680-194-0x0000000004DF0000-0x0000000005408000-memory.dmp

Filesize
6.1MB

Download
memory/3680-199-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/3680-198-0x0000000004900000-0x000000000493C000-memory.dmp

Filesize
240KB

Download
memory/3680-197-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3756-1153-0x0000000007990000-0x00000000079A0000-memory.dmp

Filesize
64KB

Download
memory/4312-1184-0x0000000000FB0000-0x000000000126C000-memory.dmp

Filesize
2.7MB

Download
memory/4312-1185-0x0000000005A80000-0x0000000005B1C000-memory.dmp

Filesize
624KB

Download
memory/4312-1186-0x0000000005DB0000-0x0000000005DC0000-memory.dmp

Filesize
64KB

Download
memory/4312-1187-0x0000000005BA0000-0x0000000005BAA000-memory.dmp

Filesize
40KB

Download
memory/4312-1188-0x0000000005E20000-0x0000000005E76000-memory.dmp

Filesize
344KB

Download
memory/4312-1199-0x0000000005DB0000-0x0000000005DC0000-memory.dmp

Filesize
64KB

Download
memory/4336-186-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4336-163-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-187-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4336-154-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/4336-183-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-185-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-155-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4336-177-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-179-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-156-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4336-181-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-171-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-173-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-157-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4336-175-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-169-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-167-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-165-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-158-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-188-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4336-161-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4336-159-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4616-1138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4616-1152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4740-1238-0x00000000014C0000-0x00000000014D0000-memory.dmp

Filesize
64KB

Download
memory/4740-1216-0x00000000014C0000-0x00000000014D0000-memory.dmp

Filesize
64KB

Download
memory/4740-1204-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download