redline | 9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2023, 17:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe
Size

1020KB
MD5

71fd65dbba0527ed47c586687bd2a1a3
SHA1

d8aa0b24ec5f199e51f81a459174677de36bcfe5
SHA256

9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917
SHA512

54002bcc3ba0ded27b0cbd38a3d75f5a09a5f0b80f044fbd1825094d6bd5c3ecc3b8a658517ec789a8634fe378d1f94fd903fcae7f69ca8ec2e07f9065fa1a5e
SSDEEP

24576:Iy53NQ/ty7BLOAivsnTCFw327whLYmvG/RQNIOc:PVCIpOaTI7wRYWG

Score

10^/10

redline lupa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

83.97.73.122:19062

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o4879446.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o4879446.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o4879446.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o4879446.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o4879446.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o4879446.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/1460-212-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-213-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-215-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-217-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-219-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-221-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-223-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-225-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-227-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-229-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-231-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-233-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-235-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-237-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-239-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-241-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-243-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-245-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline
behavioral1/memory/1460-247-0x00000000049A0000-0x00000000049DC000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s8087291.exe

Executes dropped EXE 15 IoCs

pid	Process
3740	z9819191.exe
3080	z1013972.exe
4536	o4879446.exe
328	p6915666.exe
1460	r2094453.exe
4840	s8087291.exe
4392	s8087291.exe
4368	s8087291.exe
1376	legends.exe
3716	legends.exe
4560	kds7uq5kknv.exe
1920	legends.exe
4412	legends.exe
3780	legends.exe
5096	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
4748	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o4879446.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o4879446.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9819191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9819191.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1013972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1013972.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4640	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 4368	4840	s8087291.exe	93
PID 1376 set thread context of 3716	1376	legends.exe	95
PID 4560 set thread context of 4640	4560	kds7uq5kknv.exe	108
PID 1920 set thread context of 4412	1920	legends.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4472	4560	WerFault.exe	106

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4536	o4879446.exe
4536	o4879446.exe
328	p6915666.exe
328	p6915666.exe
1460	r2094453.exe
1460	r2094453.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	o4879446.exe
Token: SeDebugPrivilege	328	p6915666.exe
Token: SeDebugPrivilege	1460	r2094453.exe
Token: SeDebugPrivilege	4840	s8087291.exe
Token: SeDebugPrivilege	1376	legends.exe
Token: SeLoadDriverPrivilege	4640	RegSvcs.exe
Token: SeDebugPrivilege	1920	legends.exe
Token: SeDebugPrivilege	3780	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4368	s8087291.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3740	4896	9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe	85
PID 4896 wrote to memory of 3740	4896	9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe	85
PID 4896 wrote to memory of 3740	4896	9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe	85
PID 3740 wrote to memory of 3080	3740	z9819191.exe	86
PID 3740 wrote to memory of 3080	3740	z9819191.exe	86
PID 3740 wrote to memory of 3080	3740	z9819191.exe	86
PID 3080 wrote to memory of 4536	3080	z1013972.exe	87
PID 3080 wrote to memory of 4536	3080	z1013972.exe	87
PID 3080 wrote to memory of 4536	3080	z1013972.exe	87
PID 3080 wrote to memory of 328	3080	z1013972.exe	88
PID 3080 wrote to memory of 328	3080	z1013972.exe	88
PID 3080 wrote to memory of 328	3080	z1013972.exe	88
PID 3740 wrote to memory of 1460	3740	z9819191.exe	89
PID 3740 wrote to memory of 1460	3740	z9819191.exe	89
PID 3740 wrote to memory of 1460	3740	z9819191.exe	89
PID 4896 wrote to memory of 4840	4896	9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe	91
PID 4896 wrote to memory of 4840	4896	9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe	91
PID 4896 wrote to memory of 4840	4896	9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe	91
PID 4840 wrote to memory of 4392	4840	s8087291.exe	92
PID 4840 wrote to memory of 4392	4840	s8087291.exe	92
PID 4840 wrote to memory of 4392	4840	s8087291.exe	92
PID 4840 wrote to memory of 4392	4840	s8087291.exe	92
PID 4840 wrote to memory of 4368	4840	s8087291.exe	93
PID 4840 wrote to memory of 4368	4840	s8087291.exe	93
PID 4840 wrote to memory of 4368	4840	s8087291.exe	93
PID 4840 wrote to memory of 4368	4840	s8087291.exe	93
PID 4840 wrote to memory of 4368	4840	s8087291.exe	93
PID 4840 wrote to memory of 4368	4840	s8087291.exe	93
PID 4840 wrote to memory of 4368	4840	s8087291.exe	93
PID 4840 wrote to memory of 4368	4840	s8087291.exe	93
PID 4840 wrote to memory of 4368	4840	s8087291.exe	93
PID 4840 wrote to memory of 4368	4840	s8087291.exe	93
PID 4368 wrote to memory of 1376	4368	s8087291.exe	94
PID 4368 wrote to memory of 1376	4368	s8087291.exe	94
PID 4368 wrote to memory of 1376	4368	s8087291.exe	94
PID 1376 wrote to memory of 3716	1376	legends.exe	95
PID 1376 wrote to memory of 3716	1376	legends.exe	95
PID 1376 wrote to memory of 3716	1376	legends.exe	95
PID 1376 wrote to memory of 3716	1376	legends.exe	95
PID 1376 wrote to memory of 3716	1376	legends.exe	95
PID 1376 wrote to memory of 3716	1376	legends.exe	95
PID 1376 wrote to memory of 3716	1376	legends.exe	95
PID 1376 wrote to memory of 3716	1376	legends.exe	95
PID 1376 wrote to memory of 3716	1376	legends.exe	95
PID 1376 wrote to memory of 3716	1376	legends.exe	95
PID 3716 wrote to memory of 4328	3716	legends.exe	96
PID 3716 wrote to memory of 4328	3716	legends.exe	96
PID 3716 wrote to memory of 4328	3716	legends.exe	96
PID 3716 wrote to memory of 1616	3716	legends.exe	98
PID 3716 wrote to memory of 1616	3716	legends.exe	98
PID 3716 wrote to memory of 1616	3716	legends.exe	98
PID 1616 wrote to memory of 1516	1616	cmd.exe	100
PID 1616 wrote to memory of 1516	1616	cmd.exe	100
PID 1616 wrote to memory of 1516	1616	cmd.exe	100
PID 1616 wrote to memory of 2708	1616	cmd.exe	101
PID 1616 wrote to memory of 2708	1616	cmd.exe	101
PID 1616 wrote to memory of 2708	1616	cmd.exe	101
PID 1616 wrote to memory of 3784	1616	cmd.exe	102
PID 1616 wrote to memory of 3784	1616	cmd.exe	102
PID 1616 wrote to memory of 3784	1616	cmd.exe	102
PID 1616 wrote to memory of 3380	1616	cmd.exe	103
PID 1616 wrote to memory of 3380	1616	cmd.exe	103
PID 1616 wrote to memory of 3380	1616	cmd.exe	103
PID 1616 wrote to memory of 3476	1616	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe
"C:\Users\Admin\AppData\Local\Temp\9e33b9594d659cf1f6e97ee8eb60a814dc4dfb9dcbf89c1ec6e808d7d6fd8917.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9819191.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9819191.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1013972.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1013972.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4879446.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4879446.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6915666.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6915666.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2094453.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2094453.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8087291.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8087291.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8087291.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8087291.exe
    3⤵
    - Executes dropped EXE
    PID:4392
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8087291.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8087291.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:4052
      - C:\Users\Admin\AppData\Local\Temp\1000028001\kds7uq5kknv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000028001\kds7uq5kknv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 568
        7⤵
        Program crash
        
        PID:4472
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4560 -ip 4560
1⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1920
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4412

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000028001\kds7uq5kknv.exe

Filesize
2.0MB

MD5
433dbed8a7afbf15bfee967c63a50769

SHA1
858e1279c2f6a47051eb963012099d11d60a881d

SHA256
6c5cff00451680070af8daca0a59ee6a6f467f6b3152f60de6cec6cdcb9cf601

SHA512
06c6af80a5ccc79bcabc64c217289eb3aeaca0fddbe9f1bd60de9927690a77dfd850edcfe0a1f2523e10f0074ae8bcb61076a9feb38d0113d38aff0121a36c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000028001\kds7uq5kknv.exe

Filesize
2.0MB

MD5
433dbed8a7afbf15bfee967c63a50769

SHA1
858e1279c2f6a47051eb963012099d11d60a881d

SHA256
6c5cff00451680070af8daca0a59ee6a6f467f6b3152f60de6cec6cdcb9cf601

SHA512
06c6af80a5ccc79bcabc64c217289eb3aeaca0fddbe9f1bd60de9927690a77dfd850edcfe0a1f2523e10f0074ae8bcb61076a9feb38d0113d38aff0121a36c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000028001\kds7uq5kknv.exe

Filesize
2.0MB

MD5
433dbed8a7afbf15bfee967c63a50769

SHA1
858e1279c2f6a47051eb963012099d11d60a881d

SHA256
6c5cff00451680070af8daca0a59ee6a6f467f6b3152f60de6cec6cdcb9cf601

SHA512
06c6af80a5ccc79bcabc64c217289eb3aeaca0fddbe9f1bd60de9927690a77dfd850edcfe0a1f2523e10f0074ae8bcb61076a9feb38d0113d38aff0121a36c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8087291.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8087291.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8087291.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8087291.exe

Filesize
963KB

MD5
296806a56be91bb39f5c1f56b7175bbf

SHA1
cf39e5758d4d88f79d9de51f04375f80f1ed183e

SHA256
c8e65cb5ae54da0b61e28a41536763fc6fb15e99e930620a75e458e00dc81e44

SHA512
82f0e3728cc26548081b726e152d87d3ce38ef9dad29a2734aee2c6a56e959ef65ef931edaf2d37499baf44eb7124b8f664d43f16efb25aaf2b9b7bfde561328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9819191.exe

Filesize
575KB

MD5
12251c2ceb58f589079b5eba634cafd2

SHA1
8895058e6ecd74a53c750d32e74fc639999344fb

SHA256
5ce969605c9b4ba2e0762f972b13ad18c39d526036fe5b7ee88074576f9f3755

SHA512
19d8ed1cec7e8b24473c3509a0504d13ac4c0dc68ec91210c79b01ecfd64b3b936fe6a6e52a2f0683347159e37d3b22c8464c86394a157bee2a2496d52a5807c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9819191.exe

Filesize
575KB

MD5
12251c2ceb58f589079b5eba634cafd2

SHA1
8895058e6ecd74a53c750d32e74fc639999344fb

SHA256
5ce969605c9b4ba2e0762f972b13ad18c39d526036fe5b7ee88074576f9f3755

SHA512
19d8ed1cec7e8b24473c3509a0504d13ac4c0dc68ec91210c79b01ecfd64b3b936fe6a6e52a2f0683347159e37d3b22c8464c86394a157bee2a2496d52a5807c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2094453.exe

Filesize
284KB

MD5
259f9d20464ef243f84d234cce3d684a

SHA1
264919ce32b3b1af8e4d6c5111de8d782d5f812a

SHA256
2b1eacf25dd8b4bd11360f44601fdae49c1799c0f2576341205e63628cd44d2b

SHA512
db9e08e5b5fd6831d8fe8d7575a9c077b8c15ce1b9a352815f4ec1279f851e177349310ccb5b99f8c275b5f91ca3ffae20cdafb78e120f6f9e96280bf2d70903

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2094453.exe

Filesize
284KB

MD5
259f9d20464ef243f84d234cce3d684a

SHA1
264919ce32b3b1af8e4d6c5111de8d782d5f812a

SHA256
2b1eacf25dd8b4bd11360f44601fdae49c1799c0f2576341205e63628cd44d2b

SHA512
db9e08e5b5fd6831d8fe8d7575a9c077b8c15ce1b9a352815f4ec1279f851e177349310ccb5b99f8c275b5f91ca3ffae20cdafb78e120f6f9e96280bf2d70903

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1013972.exe

Filesize
304KB

MD5
27a8f3591bf24c40fb18b8e5a8a542e4

SHA1
a0293a8a15d25968c3b541f70670a95a60098da7

SHA256
73d44f072487fd10185b2b474a4dac012287b7511ea73739f3f5cc7ecb780077

SHA512
354717be69f58a95fc9002a3efde1ed1bf650cfdc5ab7dfe7da9aa999c73e499b4743e26cf642a7ad4c7ebb5dd90b52a87b8744d95d66bb7b1e88e30717c3a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1013972.exe

Filesize
304KB

MD5
27a8f3591bf24c40fb18b8e5a8a542e4

SHA1
a0293a8a15d25968c3b541f70670a95a60098da7

SHA256
73d44f072487fd10185b2b474a4dac012287b7511ea73739f3f5cc7ecb780077

SHA512
354717be69f58a95fc9002a3efde1ed1bf650cfdc5ab7dfe7da9aa999c73e499b4743e26cf642a7ad4c7ebb5dd90b52a87b8744d95d66bb7b1e88e30717c3a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4879446.exe

Filesize
185KB

MD5
be7c50ef773876ee01f0481f8437214e

SHA1
7d4f4a4693703c8e412af28226e5e3aaab8268f9

SHA256
aefc881ba67b1a2122621b4af2c91b17d7ac215494c0d7be389ae8745a71f503

SHA512
f8034ef5e0293fc34e6a586a2b6c92e343e8e372848a130ad76507359dac59b1b7f4743833a045dc03f9febe2e970138ec5b20c3e1d7ee96b29b644193483fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4879446.exe

Filesize
185KB

MD5
be7c50ef773876ee01f0481f8437214e

SHA1
7d4f4a4693703c8e412af28226e5e3aaab8268f9

SHA256
aefc881ba67b1a2122621b4af2c91b17d7ac215494c0d7be389ae8745a71f503

SHA512
f8034ef5e0293fc34e6a586a2b6c92e343e8e372848a130ad76507359dac59b1b7f4743833a045dc03f9febe2e970138ec5b20c3e1d7ee96b29b644193483fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6915666.exe

Filesize
145KB

MD5
e2fe59de1db585d0e24f754235488611

SHA1
4437e17911a48d05232dfd2ffb0ed50092e76c9f

SHA256
3bbcbe774cf7809d0a7797c68f216a0972949716d838d1203ed0a65488ed696c

SHA512
81b95065fd2b3ce4ed6cf9f56128e1d92d1d7c04a4f3cf35d17768bf216cc4c2eb68b3090ef348101c48c936e68c769e4e6b86e97485d95c16719358f461a547

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6915666.exe

Filesize
145KB

MD5
e2fe59de1db585d0e24f754235488611

SHA1
4437e17911a48d05232dfd2ffb0ed50092e76c9f

SHA256
3bbcbe774cf7809d0a7797c68f216a0972949716d838d1203ed0a65488ed696c

SHA512
81b95065fd2b3ce4ed6cf9f56128e1d92d1d7c04a4f3cf35d17768bf216cc4c2eb68b3090ef348101c48c936e68c769e4e6b86e97485d95c16719358f461a547

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/328-201-0x0000000006FC0000-0x00000000074EC000-memory.dmp

Filesize
5.2MB

Download
memory/328-194-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/328-195-0x00000000050B0000-0x00000000050C2000-memory.dmp

Filesize
72KB

Download
memory/328-196-0x0000000005110000-0x000000000514C000-memory.dmp

Filesize
240KB

Download
memory/328-197-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/328-198-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/328-199-0x0000000006010000-0x00000000060A2000-memory.dmp

Filesize
584KB

Download
memory/328-200-0x0000000006280000-0x0000000006442000-memory.dmp

Filesize
1.8MB

Download
memory/328-193-0x0000000005610000-0x0000000005C28000-memory.dmp

Filesize
6.1MB

Download
memory/328-202-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/328-203-0x0000000006450000-0x00000000064C6000-memory.dmp

Filesize
472KB

Download
memory/328-204-0x0000000006220000-0x0000000006270000-memory.dmp

Filesize
320KB

Download
memory/328-192-0x00000000006D0000-0x00000000006FA000-memory.dmp

Filesize
168KB

Download
memory/1376-1151-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/1460-223-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-235-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-211-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1460-212-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-213-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-215-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-217-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-219-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-221-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-209-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1460-225-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-227-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-229-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-231-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-233-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-210-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1460-237-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-239-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-241-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-243-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-245-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-247-0x00000000049A0000-0x00000000049DC000-memory.dmp

Filesize
240KB

Download
memory/1460-1120-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1460-1121-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1460-1122-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1920-1191-0x00000000077E0000-0x00000000077F0000-memory.dmp

Filesize
64KB

Download
memory/3716-1158-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3716-1188-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3780-1218-0x0000000007B20000-0x0000000007B30000-memory.dmp

Filesize
64KB

Download
memory/4368-1150-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4368-1136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4412-1196-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4536-185-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/4536-172-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-154-0x0000000004960000-0x0000000004F04000-memory.dmp

Filesize
5.6MB

Download
memory/4536-187-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/4536-186-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/4536-184-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-182-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-180-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-178-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-176-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-174-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-155-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/4536-170-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-168-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-166-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-162-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-164-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-160-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-158-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-157-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4536-156-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/4840-1128-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/4840-1127-0x00000000008B0000-0x00000000009A8000-memory.dmp

Filesize
992KB

Download