redline | 29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109

Resubmissions

28-05-2023 16:42

230528-t7smnsga7w 10

28-05-2023 16:33

230528-t2rs7aga6s 10

Analysis

max time kernel
148s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2023 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe
Size

1.1MB
MD5

701c559b105166088198d4934cf50504
SHA1

333298acff8117f6fa45e08aaad03fd8c50614f9
SHA256

29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109
SHA512

6a46a05a15dc8e6dce183ffa1e0344492d05e3acddfaae7eefc1956553acf91d1b93b105485e32097b35490c01bd1efcd3e05d7ec77b8020469c3e37894cfe6d
SSDEEP

24576:hybsA+oyrENtJUBNzBmqxL7THqBBkjWmLkC/hO4X3PbsRcok6o:U4V4NtJg3mq1qLkjWmIShVXacF6

Score

10^/10

redline liza metro redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

liza

83.97.73.127:19045

Attributes

auth_value
198e3e9b188d6cfab0a2b0fb100bb7c5

Extracted

Family

redline

Botnet

metro

83.97.73.127:19045

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Extracted

Family

redline

Botnet

Redline

85.31.54.183:18435

Attributes

auth_value
50837656cba6e4dd56bfbb4a61dadb63

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s6263004.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	s6263004.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 17 IoCs

Processes:

z3630711.exez7725606.exeo6178286.exep5072287.exer1957265.exes6263004.exes6263004.exelegends.exelegends.exelegends.exeredline.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
4616	z3630711.exe
1384	z7725606.exe
3312	o6178286.exe
4528	p5072287.exe
3120	r1957265.exe
368	s6263004.exe
1516	s6263004.exe
1472	legends.exe
3300	legends.exe
3320	legends.exe
4680	redline.exe
2220	legends.exe
2816	legends.exe
1880	legends.exe
544	legends.exe
4476	legends.exe
3980	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2512 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2512	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z7725606.exe29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exez3630711.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7725606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7725606.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3630711.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3630711.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

o6178286.exer1957265.exes6263004.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 3312 set thread context of 2708	3312	o6178286.exe	AppLaunch.exe
PID 3120 set thread context of 3128	3120	r1957265.exe	AppLaunch.exe
PID 368 set thread context of 1516	368	s6263004.exe	s6263004.exe
PID 1472 set thread context of 3320	1472	legends.exe	legends.exe
PID 2220 set thread context of 1880	2220	legends.exe	legends.exe
PID 544 set thread context of 4476	544	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

348 4528 WerFault.exe p5072287.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3444 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AppLaunch.exeAppLaunch.exeredline.exe

pid process

2708 AppLaunch.exe
2708 AppLaunch.exe
3128 AppLaunch.exe
3128 AppLaunch.exe
4680 redline.exe
4680 redline.exe

pid	pid_target	process	target process
348	4528	WerFault.exe	p5072287.exe

pid	process
3444	schtasks.exe

pid	process
2708	AppLaunch.exe
2708	AppLaunch.exe
3128	AppLaunch.exe
3128	AppLaunch.exe
4680	redline.exe
4680	redline.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AppLaunch.exes6263004.exelegends.exeAppLaunch.exeredline.exelegends.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	2708	AppLaunch.exe
Token: SeDebugPrivilege	368	s6263004.exe
Token: SeDebugPrivilege	1472	legends.exe
Token: SeDebugPrivilege	3128	AppLaunch.exe
Token: SeDebugPrivilege	4680	redline.exe
Token: SeDebugPrivilege	2220	legends.exe
Token: SeDebugPrivilege	544	legends.exe
Token: SeDebugPrivilege	3980	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s6263004.exe

pid process

1516 s6263004.exe

pid	process
1516	s6263004.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exez3630711.exez7725606.exeo6178286.exer1957265.exes6263004.exes6263004.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 2212 wrote to memory of 4616	2212	29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe	z3630711.exe
PID 2212 wrote to memory of 4616	2212	29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe	z3630711.exe
PID 2212 wrote to memory of 4616	2212	29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe	z3630711.exe
PID 4616 wrote to memory of 1384	4616	z3630711.exe	z7725606.exe
PID 4616 wrote to memory of 1384	4616	z3630711.exe	z7725606.exe
PID 4616 wrote to memory of 1384	4616	z3630711.exe	z7725606.exe
PID 1384 wrote to memory of 3312	1384	z7725606.exe	o6178286.exe
PID 1384 wrote to memory of 3312	1384	z7725606.exe	o6178286.exe
PID 1384 wrote to memory of 3312	1384	z7725606.exe	o6178286.exe
PID 3312 wrote to memory of 2708	3312	o6178286.exe	AppLaunch.exe
PID 3312 wrote to memory of 2708	3312	o6178286.exe	AppLaunch.exe
PID 3312 wrote to memory of 2708	3312	o6178286.exe	AppLaunch.exe
PID 3312 wrote to memory of 2708	3312	o6178286.exe	AppLaunch.exe
PID 3312 wrote to memory of 2708	3312	o6178286.exe	AppLaunch.exe
PID 1384 wrote to memory of 4528	1384	z7725606.exe	p5072287.exe
PID 1384 wrote to memory of 4528	1384	z7725606.exe	p5072287.exe
PID 1384 wrote to memory of 4528	1384	z7725606.exe	p5072287.exe
PID 4616 wrote to memory of 3120	4616	z3630711.exe	r1957265.exe
PID 4616 wrote to memory of 3120	4616	z3630711.exe	r1957265.exe
PID 4616 wrote to memory of 3120	4616	z3630711.exe	r1957265.exe
PID 3120 wrote to memory of 3128	3120	r1957265.exe	AppLaunch.exe
PID 3120 wrote to memory of 3128	3120	r1957265.exe	AppLaunch.exe
PID 3120 wrote to memory of 3128	3120	r1957265.exe	AppLaunch.exe
PID 3120 wrote to memory of 3128	3120	r1957265.exe	AppLaunch.exe
PID 3120 wrote to memory of 3128	3120	r1957265.exe	AppLaunch.exe
PID 2212 wrote to memory of 368	2212	29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe	s6263004.exe
PID 2212 wrote to memory of 368	2212	29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe	s6263004.exe
PID 2212 wrote to memory of 368	2212	29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe	s6263004.exe
PID 368 wrote to memory of 1516	368	s6263004.exe	s6263004.exe
PID 368 wrote to memory of 1516	368	s6263004.exe	s6263004.exe
PID 368 wrote to memory of 1516	368	s6263004.exe	s6263004.exe
PID 368 wrote to memory of 1516	368	s6263004.exe	s6263004.exe
PID 368 wrote to memory of 1516	368	s6263004.exe	s6263004.exe
PID 368 wrote to memory of 1516	368	s6263004.exe	s6263004.exe
PID 368 wrote to memory of 1516	368	s6263004.exe	s6263004.exe
PID 368 wrote to memory of 1516	368	s6263004.exe	s6263004.exe
PID 368 wrote to memory of 1516	368	s6263004.exe	s6263004.exe
PID 368 wrote to memory of 1516	368	s6263004.exe	s6263004.exe
PID 1516 wrote to memory of 1472	1516	s6263004.exe	legends.exe
PID 1516 wrote to memory of 1472	1516	s6263004.exe	legends.exe
PID 1516 wrote to memory of 1472	1516	s6263004.exe	legends.exe
PID 1472 wrote to memory of 3300	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3300	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3300	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3300	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3320	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3320	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3320	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3320	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3320	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3320	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3320	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3320	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3320	1472	legends.exe	legends.exe
PID 1472 wrote to memory of 3320	1472	legends.exe	legends.exe
PID 3320 wrote to memory of 3444	3320	legends.exe	schtasks.exe
PID 3320 wrote to memory of 3444	3320	legends.exe	schtasks.exe
PID 3320 wrote to memory of 3444	3320	legends.exe	schtasks.exe
PID 3320 wrote to memory of 3428	3320	legends.exe	cmd.exe
PID 3320 wrote to memory of 3428	3320	legends.exe	cmd.exe
PID 3320 wrote to memory of 3428	3320	legends.exe	cmd.exe
PID 3428 wrote to memory of 1680	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 1680	3428	cmd.exe	cmd.exe
PID 3428 wrote to memory of 1680	3428	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe
"C:\Users\Admin\AppData\Local\Temp\29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3630711.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3630711.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7725606.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7725606.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6178286.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6178286.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5072287.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5072287.exe
4⤵
- Executes dropped EXE
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 928
5⤵
- Program crash
PID:348

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1957265.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1957265.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6263004.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6263004.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6263004.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6263004.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Executes dropped EXE
PID:3300

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:3444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1680

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:2044

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1288

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:1344

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4528 -ip 4528
1⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:2816

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:1880

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6263004.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6263004.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6263004.exe
Filesize
963KB

MD5
f24d7b7523a3359d0ca4e3d7f70f0e67

SHA1
498316410fce0a4782e2b2c6c963381a6c06e8c3

SHA256
74cf8e160f6807f36a0bab4488e1e6206593368b89dd3edb5c301717c05477a5

SHA512
e4b6a34a2f8b0b3ddfb0d47a6772858d7c098c9fefdf19f85c17e7032df7cebcba4b53d4148c996db1c2810b3b3d1541e58c95ad44fc8721bfbf73741d8f8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3630711.exe
Filesize
633KB

MD5
b81f5a9b769e4e2e1716f5b3078f4ae2

SHA1
0f58a1d8dc262ff88fe078ad0e7d067af78a3170

SHA256
3dfca8e0913c2d0c0212f004f7dfdb575cc586309300649d0975d169a4e3732b

SHA512
96b58478a9c8cca6a2de2bc2644527e0a45e421578e2c045128cfa580b7ca29d468ce5a1137a93a4ac958996011ffb80a93c718269e5dedaf47f5bec09c00e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3630711.exe
Filesize
633KB

MD5
b81f5a9b769e4e2e1716f5b3078f4ae2

SHA1
0f58a1d8dc262ff88fe078ad0e7d067af78a3170

SHA256
3dfca8e0913c2d0c0212f004f7dfdb575cc586309300649d0975d169a4e3732b

SHA512
96b58478a9c8cca6a2de2bc2644527e0a45e421578e2c045128cfa580b7ca29d468ce5a1137a93a4ac958996011ffb80a93c718269e5dedaf47f5bec09c00e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1957265.exe
Filesize
349KB

MD5
cf83833f1d8355fda49a2227a5edb686

SHA1
c7b9e4260193ba5efa9983725da921fc74c09dfe

SHA256
34feb94ea0dc8ac8e61f5ccf084f2b1c83d07c688e8c4cfb5d6f6a653d61be0f

SHA512
a764e8e0b9d1e5ea51c36511f95bde0a3a06517264cf95562e79e84ee35e5ea1f6b6edf522e96949f1de133d8eccfce947dc063c59d8d331921725b943fb3064

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1957265.exe
Filesize
349KB

MD5
cf83833f1d8355fda49a2227a5edb686

SHA1
c7b9e4260193ba5efa9983725da921fc74c09dfe

SHA256
34feb94ea0dc8ac8e61f5ccf084f2b1c83d07c688e8c4cfb5d6f6a653d61be0f

SHA512
a764e8e0b9d1e5ea51c36511f95bde0a3a06517264cf95562e79e84ee35e5ea1f6b6edf522e96949f1de133d8eccfce947dc063c59d8d331921725b943fb3064

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7725606.exe
Filesize
290KB

MD5
1c4e2e3195d7a7cb7613be69f056e41e

SHA1
83b6dcf1ada3094c44eb2bf07ff78c477037457d

SHA256
e5fabe55b2a19b40d20cad9dbad233edc963bafd6bfd9d01c6005693b7f424c0

SHA512
9282978567b701207d3c3372c5252a13e1da88f5494d6216fd2dc9534e8da7a0137e20a5d0e14221be7cb6095701a80d1ed94c76bf96da083b50be4edbb435bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7725606.exe
Filesize
290KB

MD5
1c4e2e3195d7a7cb7613be69f056e41e

SHA1
83b6dcf1ada3094c44eb2bf07ff78c477037457d

SHA256
e5fabe55b2a19b40d20cad9dbad233edc963bafd6bfd9d01c6005693b7f424c0

SHA512
9282978567b701207d3c3372c5252a13e1da88f5494d6216fd2dc9534e8da7a0137e20a5d0e14221be7cb6095701a80d1ed94c76bf96da083b50be4edbb435bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6178286.exe
Filesize
193KB

MD5
b1189f1a2092b86e601314c326c26d1d

SHA1
fcfd6f49ba376b43d701a830d5371daaa56a6f53

SHA256
d2bf1ee84950b59cf9533a78a2cda72487ef85544f89826b850c25580802094c

SHA512
d546c2949fe394bd89eb974bf52c52f0343a4d79911600b5096f2d8665619e93cd9aea3f016c46b8a28de0336bbf1aca508d275fc6403d3f5fbd4c8743bc6187

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6178286.exe
Filesize
193KB

MD5
b1189f1a2092b86e601314c326c26d1d

SHA1
fcfd6f49ba376b43d701a830d5371daaa56a6f53

SHA256
d2bf1ee84950b59cf9533a78a2cda72487ef85544f89826b850c25580802094c

SHA512
d546c2949fe394bd89eb974bf52c52f0343a4d79911600b5096f2d8665619e93cd9aea3f016c46b8a28de0336bbf1aca508d275fc6403d3f5fbd4c8743bc6187

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5072287.exe
Filesize
168KB

MD5
84356a738ea53c3589d12337adbc67fd

SHA1
403c40466af39c00a9e81c94d0190b603b9c3a0b

SHA256
a44bf82bb541f3c17176913b963ad6eb84842b6b7eb11f6bab381652a35dd41d

SHA512
9c0200675ffcb7b903cecafed5f13a00a65c5029ad9054d39a6088fcda0c9c3db004fc897b0431d061d56029d958251646883be42476c1a359728cf91dcc5aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5072287.exe
Filesize
168KB

MD5
84356a738ea53c3589d12337adbc67fd

SHA1
403c40466af39c00a9e81c94d0190b603b9c3a0b

SHA256
a44bf82bb541f3c17176913b963ad6eb84842b6b7eb11f6bab381652a35dd41d

SHA512
9c0200675ffcb7b903cecafed5f13a00a65c5029ad9054d39a6088fcda0c9c3db004fc897b0431d061d56029d958251646883be42476c1a359728cf91dcc5aba

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/368-181-0x0000000007970000-0x0000000007980000-memory.dmp

Filesize
64KB

Download
memory/368-176-0x0000000000B30000-0x0000000000C28000-memory.dmp

Filesize
992KB

Download
memory/1472-203-0x0000000006FD0000-0x0000000006FE0000-memory.dmp

Filesize
64KB

Download
memory/1516-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1516-188-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1516-186-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1516-185-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1516-182-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1880-253-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1880-254-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1880-255-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2708-155-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/3128-206-0x000000000B280000-0x000000000B824000-memory.dmp

Filesize
5.6MB

Download
memory/3128-178-0x000000000A1A0000-0x000000000A2AA000-memory.dmp

Filesize
1.0MB

Download
memory/3128-168-0x00000000004D0000-0x00000000004FE000-memory.dmp

Filesize
184KB

Download
memory/3128-177-0x000000000A6B0000-0x000000000ACC8000-memory.dmp

Filesize
6.1MB

Download
memory/3128-179-0x000000000A0B0000-0x000000000A0C2000-memory.dmp

Filesize
72KB

Download
memory/3128-180-0x000000000A110000-0x000000000A14C000-memory.dmp

Filesize
240KB

Download
memory/3128-204-0x000000000A410000-0x000000000A486000-memory.dmp

Filesize
472KB

Download
memory/3128-205-0x000000000A530000-0x000000000A5C2000-memory.dmp

Filesize
584KB

Download
memory/3128-207-0x000000000A5D0000-0x000000000A636000-memory.dmp

Filesize
408KB

Download
memory/3128-210-0x000000000B830000-0x000000000B880000-memory.dmp

Filesize
320KB

Download
memory/3128-212-0x000000000C150000-0x000000000C67C000-memory.dmp

Filesize
5.2MB

Download
memory/3128-211-0x000000000BA50000-0x000000000BC12000-memory.dmp

Filesize
1.8MB

Download
memory/3320-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3320-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3320-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3320-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3320-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3320-273-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3320-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4476-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4476-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4476-281-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4528-163-0x0000000000330000-0x000000000035E000-memory.dmp

Filesize
184KB

Download
memory/4680-244-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/4680-245-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4680-246-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download