gurcu | d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74

Analysis

max time kernel
102s
max time network
145s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25/05/2023, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe
Size

1.0MB
MD5

722c34a4459eb58e1e8676adf5777501
SHA1

918049a58ca7ef8a2365d3fc50afe9f36307ff0a
SHA256

d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74
SHA512

a3812de188e725c6cbfbf5e9a8cdd3894cd1208a655fb0ae37145c10c8e40007f8067c20a5f6e2b0620cc150b24a596c088b446d952b283988cd883dd6d1e228
SSDEEP

24576:gyVZyJ464u5O2FKphJ1+b3jWXu11ftzwSJYlAoBA:nV+4Fu5O2FKXJU3aufp5Y/

Score

10^/10

gurcu redline fash lina collection discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lina

83.97.73.122:19062

Attributes

auth_value
13523aee5d194d7716b22eeab7de10ad

Extracted

Family

redline

Botnet

fash

83.97.73.122:19062

Attributes

auth_value
dd7165bcd22b0ed3df426d944e12f136

Extracted

Family

gurcu

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 17 IoCs

pid	Process
1604	z0087688.exe
1852	z9066082.exe
2092	o4221521.exe
328	p5520941.exe
3928	r6839496.exe
3092	s3789937.exe
4848	s3789937.exe
1188	s3789937.exe
784	legends.exe
4320	legends.exe
600	k2.exe
1580	k2.exe
328	k2.exe
2016	legends.exe
3820	legends.exe
5072	legends.exe
5088	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
4808	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0087688.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9066082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9066082.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0087688.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2348	2092	o4221521.exe	70
PID 3928 set thread context of 3480	3928	r6839496.exe	75
PID 3092 set thread context of 1188	3092	s3789937.exe	78
PID 784 set thread context of 4320	784	legends.exe	80
PID 2016 set thread context of 3820	2016	legends.exe	100
PID 5072 set thread context of 5088	5072	legends.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3248	1580	WerFault.exe	97
4940	328	WerFault.exe	99

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3448	schtasks.exe
3948	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4052	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2348	AppLaunch.exe
2348	AppLaunch.exe
328	p5520941.exe
328	p5520941.exe
3480	AppLaunch.exe
3480	AppLaunch.exe
1580	k2.exe
328	k2.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	AppLaunch.exe
Token: SeDebugPrivilege	328	p5520941.exe
Token: SeDebugPrivilege	3092	s3789937.exe
Token: SeDebugPrivilege	3480	AppLaunch.exe
Token: SeDebugPrivilege	784	legends.exe
Token: SeDebugPrivilege	600	k2.exe
Token: SeDebugPrivilege	1580	k2.exe
Token: SeDebugPrivilege	328	k2.exe
Token: SeDebugPrivilege	2016	legends.exe
Token: SeDebugPrivilege	5072	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1188	s3789937.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1604	1308	d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe	66
PID 1308 wrote to memory of 1604	1308	d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe	66
PID 1308 wrote to memory of 1604	1308	d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe	66
PID 1604 wrote to memory of 1852	1604	z0087688.exe	67
PID 1604 wrote to memory of 1852	1604	z0087688.exe	67
PID 1604 wrote to memory of 1852	1604	z0087688.exe	67
PID 1852 wrote to memory of 2092	1852	z9066082.exe	68
PID 1852 wrote to memory of 2092	1852	z9066082.exe	68
PID 1852 wrote to memory of 2092	1852	z9066082.exe	68
PID 2092 wrote to memory of 2348	2092	o4221521.exe	70
PID 2092 wrote to memory of 2348	2092	o4221521.exe	70
PID 2092 wrote to memory of 2348	2092	o4221521.exe	70
PID 2092 wrote to memory of 2348	2092	o4221521.exe	70
PID 2092 wrote to memory of 2348	2092	o4221521.exe	70
PID 1852 wrote to memory of 328	1852	z9066082.exe	71
PID 1852 wrote to memory of 328	1852	z9066082.exe	71
PID 1852 wrote to memory of 328	1852	z9066082.exe	71
PID 1604 wrote to memory of 3928	1604	z0087688.exe	73
PID 1604 wrote to memory of 3928	1604	z0087688.exe	73
PID 1604 wrote to memory of 3928	1604	z0087688.exe	73
PID 3928 wrote to memory of 3480	3928	r6839496.exe	75
PID 3928 wrote to memory of 3480	3928	r6839496.exe	75
PID 3928 wrote to memory of 3480	3928	r6839496.exe	75
PID 3928 wrote to memory of 3480	3928	r6839496.exe	75
PID 3928 wrote to memory of 3480	3928	r6839496.exe	75
PID 1308 wrote to memory of 3092	1308	d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe	76
PID 1308 wrote to memory of 3092	1308	d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe	76
PID 1308 wrote to memory of 3092	1308	d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe	76
PID 3092 wrote to memory of 4848	3092	s3789937.exe	77
PID 3092 wrote to memory of 4848	3092	s3789937.exe	77
PID 3092 wrote to memory of 4848	3092	s3789937.exe	77
PID 3092 wrote to memory of 4848	3092	s3789937.exe	77
PID 3092 wrote to memory of 1188	3092	s3789937.exe	78
PID 3092 wrote to memory of 1188	3092	s3789937.exe	78
PID 3092 wrote to memory of 1188	3092	s3789937.exe	78
PID 3092 wrote to memory of 1188	3092	s3789937.exe	78
PID 3092 wrote to memory of 1188	3092	s3789937.exe	78
PID 3092 wrote to memory of 1188	3092	s3789937.exe	78
PID 3092 wrote to memory of 1188	3092	s3789937.exe	78
PID 3092 wrote to memory of 1188	3092	s3789937.exe	78
PID 3092 wrote to memory of 1188	3092	s3789937.exe	78
PID 3092 wrote to memory of 1188	3092	s3789937.exe	78
PID 1188 wrote to memory of 784	1188	s3789937.exe	79
PID 1188 wrote to memory of 784	1188	s3789937.exe	79
PID 1188 wrote to memory of 784	1188	s3789937.exe	79
PID 784 wrote to memory of 4320	784	legends.exe	80
PID 784 wrote to memory of 4320	784	legends.exe	80
PID 784 wrote to memory of 4320	784	legends.exe	80
PID 784 wrote to memory of 4320	784	legends.exe	80
PID 784 wrote to memory of 4320	784	legends.exe	80
PID 784 wrote to memory of 4320	784	legends.exe	80
PID 784 wrote to memory of 4320	784	legends.exe	80
PID 784 wrote to memory of 4320	784	legends.exe	80
PID 784 wrote to memory of 4320	784	legends.exe	80
PID 784 wrote to memory of 4320	784	legends.exe	80
PID 4320 wrote to memory of 3448	4320	legends.exe	81
PID 4320 wrote to memory of 3448	4320	legends.exe	81
PID 4320 wrote to memory of 3448	4320	legends.exe	81
PID 4320 wrote to memory of 4048	4320	legends.exe	83
PID 4320 wrote to memory of 4048	4320	legends.exe	83
PID 4320 wrote to memory of 4048	4320	legends.exe	83
PID 4048 wrote to memory of 3508	4048	cmd.exe	85
PID 4048 wrote to memory of 3508	4048	cmd.exe	85
PID 4048 wrote to memory of 3508	4048	cmd.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

C:\Users\Admin\AppData\Local\Temp\d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe
"C:\Users\Admin\AppData\Local\Temp\d9b9152c963368c39ea2bd4518e2e572ce0a3200653dce5db41de5d84a70de74.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0087688.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0087688.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9066082.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9066082.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4221521.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4221521.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5520941.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5520941.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6839496.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6839496.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3789937.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3789937.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3789937.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3789937.exe
    3⤵
    - Executes dropped EXE
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3789937.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3789937.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:784
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3448
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:196
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:2220
      - C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        7⤵
        
        PID:1172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:864
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:4052
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
        
        "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        8⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1580 -s 3424
        9⤵
        Program crash
        
        PID:3248
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4808

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2016
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:3820

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:328
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 328 -s 3180
  2⤵
  - Program crash
  PID:4940

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5072
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2.exe.log

Filesize
1KB

MD5
d51a38b0538aafbb39cd4743767cf2a3

SHA1
ec819ad7959110e2244b2978e4a60e4c5e99961d

SHA256
8678df64deb4a7203a8ac3eaa5af8b767111e753385d286f9e1c121d45830e22

SHA512
51ffb0c793f034843cf749716680bb6dd81c840bbe22f6426c8d14ffd62a7b4fab974325aa978e62ba57575b836aff4e00a810688818749021f658b623fd41f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3789937.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3789937.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3789937.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3789937.exe

Filesize
962KB

MD5
6802b6d61a7ee6a21d86c4863538572c

SHA1
54cb5494c7a732770c262f362183eaa7b691a9a6

SHA256
f7a33f0aa95ec65060191e93ca408ede670f823721fad52c6a509422c89414ed

SHA512
ac6d14067d174a93346daea7b68d13563ce5ed4fbe419927148b05f136bfa0e2e77a6add801bd20d83b878d55e330a62a13631228dfd39339d45242c2f277221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0087688.exe

Filesize
595KB

MD5
811c62c2cc68ff497e9249016bd8de29

SHA1
051adbc41e9b7d1403acf1e03b8c5d94f73af559

SHA256
a2410cd84709230bc77509a419a44d171cb1d97bc805461ae3b348afdcc86f70

SHA512
63ce60dc5b0dd07b5aba4f933f818435e713167b51ee3dc4b4569fef92b02516d9cd11becc1aa68cc99fe486eb59cd40895e60db3f0c0cbed099d8a59be1335e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0087688.exe

Filesize
595KB

MD5
811c62c2cc68ff497e9249016bd8de29

SHA1
051adbc41e9b7d1403acf1e03b8c5d94f73af559

SHA256
a2410cd84709230bc77509a419a44d171cb1d97bc805461ae3b348afdcc86f70

SHA512
63ce60dc5b0dd07b5aba4f933f818435e713167b51ee3dc4b4569fef92b02516d9cd11becc1aa68cc99fe486eb59cd40895e60db3f0c0cbed099d8a59be1335e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6839496.exe

Filesize
323KB

MD5
e0f76a2dd14be93316ee352ac709d432

SHA1
86b52a1baa087f69f56c04a1740bcfb85aa79dee

SHA256
4ce611199199653fdf55745ceb099ee236a776f663c7565bc6f4439609c661c6

SHA512
0bf9d8930dfefe33cf7e2d310b49484b46a8ae32d0d87a1fa7704e1d00dc24d17394deb5f2191e47bb029b4a992bc9a7b967aa749a4e4d814110fdf96e488a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6839496.exe

Filesize
323KB

MD5
e0f76a2dd14be93316ee352ac709d432

SHA1
86b52a1baa087f69f56c04a1740bcfb85aa79dee

SHA256
4ce611199199653fdf55745ceb099ee236a776f663c7565bc6f4439609c661c6

SHA512
0bf9d8930dfefe33cf7e2d310b49484b46a8ae32d0d87a1fa7704e1d00dc24d17394deb5f2191e47bb029b4a992bc9a7b967aa749a4e4d814110fdf96e488a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9066082.exe

Filesize
277KB

MD5
2984adc58b83ad07dca526e303662b25

SHA1
f577d0623181190e47b5519fd406b299dd7c65ae

SHA256
8f367126b305291a86326af5507cdb8b05e34c86c511e6d48d98cfae687474c8

SHA512
17f43f31b6ed6948ea6aad9fa732679c394626a2c783f216549a3138c50cad9519d6d45cdad0d8590d1ed9ed8e4363da07553456a18f16162a04830b333cf2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9066082.exe

Filesize
277KB

MD5
2984adc58b83ad07dca526e303662b25

SHA1
f577d0623181190e47b5519fd406b299dd7c65ae

SHA256
8f367126b305291a86326af5507cdb8b05e34c86c511e6d48d98cfae687474c8

SHA512
17f43f31b6ed6948ea6aad9fa732679c394626a2c783f216549a3138c50cad9519d6d45cdad0d8590d1ed9ed8e4363da07553456a18f16162a04830b333cf2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4221521.exe

Filesize
188KB

MD5
a5a6ef5e90fc55a9301426c2aed1a4ae

SHA1
af5eda4969228affc59fc08794a945e0403d20e1

SHA256
39e578e866c248a3c643bd89a96d129e79686ee3301626dfb365266e1e593112

SHA512
93d61f0d1e2736372affb8b491accfe23a887700ae0526707bb4870a7b3cb0cbe6e19a4c543539179a2a69062943e1b0c3100ab99c8df2a52b033b562f8a84d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4221521.exe

Filesize
188KB

MD5
a5a6ef5e90fc55a9301426c2aed1a4ae

SHA1
af5eda4969228affc59fc08794a945e0403d20e1

SHA256
39e578e866c248a3c643bd89a96d129e79686ee3301626dfb365266e1e593112

SHA512
93d61f0d1e2736372affb8b491accfe23a887700ae0526707bb4870a7b3cb0cbe6e19a4c543539179a2a69062943e1b0c3100ab99c8df2a52b033b562f8a84d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5520941.exe

Filesize
145KB

MD5
7cd38c20366d1326db91293f87a13305

SHA1
de5012fd303bd69b95ebbd0a39ad16b4b65e4cae

SHA256
85e62605f0e016174feb240eb37b1f00e8cd75626b19e9b4c8498790460c05cf

SHA512
c927ab9918b893fc2fd26e1dee4090c4c20143f63dc63a769b9b91a07aba77f9899197a8a605010248e31cd2b9918ef7cb624dd4c207116a30b8ac3c10fd3d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5520941.exe

Filesize
145KB

MD5
7cd38c20366d1326db91293f87a13305

SHA1
de5012fd303bd69b95ebbd0a39ad16b4b65e4cae

SHA256
85e62605f0e016174feb240eb37b1f00e8cd75626b19e9b4c8498790460c05cf

SHA512
c927ab9918b893fc2fd26e1dee4090c4c20143f63dc63a769b9b91a07aba77f9899197a8a605010248e31cd2b9918ef7cb624dd4c207116a30b8ac3c10fd3d73

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\port.dat

Filesize
4B

MD5
f73a9f957962cd73fce51078b5b9614f

SHA1
1d29771d9cecc114fc00b25c11cd952a5585d535

SHA256
5972b901807fac6a70720fd1b4bf15bc9c00a41c1ffbf53d4038924c54cbcd2a

SHA512
4aed8ca855205c00a9a480b2d6c197ddf8a7c407a4927c8d73f4ac9dcf7f2fbc9215db28e2881d9bf7c67f6a2af663993f1d3d8ab02e188ac553cd105a37e6a9

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
memory/328-188-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/328-171-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/328-159-0x0000000005420000-0x000000000546B000-memory.dmp

Filesize
300KB

Download
memory/328-406-0x000001E7D7570000-0x000001E7D7580000-memory.dmp

Filesize
64KB

Download
memory/328-160-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/328-169-0x0000000006290000-0x000000000678E000-memory.dmp

Filesize
5.0MB

Download
memory/328-170-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/328-415-0x000001E7D7570000-0x000001E7D7580000-memory.dmp

Filesize
64KB

Download
memory/328-172-0x0000000006A60000-0x0000000006C22000-memory.dmp

Filesize
1.8MB

Download
memory/328-173-0x0000000007160000-0x000000000768C000-memory.dmp

Filesize
5.2MB

Download
memory/328-154-0x00000000009F0000-0x0000000000A1A000-memory.dmp

Filesize
168KB

Download
memory/328-155-0x0000000005780000-0x0000000005D86000-memory.dmp

Filesize
6.0MB

Download
memory/328-156-0x0000000005310000-0x000000000541A000-memory.dmp

Filesize
1.0MB

Download
memory/328-189-0x00000000069D0000-0x0000000006A46000-memory.dmp

Filesize
472KB

Download
memory/328-157-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/328-158-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/328-190-0x0000000006C30000-0x0000000006C80000-memory.dmp

Filesize
320KB

Download
memory/600-389-0x00000136C0050000-0x00000136C00EA000-memory.dmp

Filesize
616KB

Download
memory/600-390-0x00000136C0510000-0x00000136C0520000-memory.dmp

Filesize
64KB

Download
memory/784-233-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/1188-219-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1188-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1188-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1188-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1188-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1580-399-0x000001AFF1B90000-0x000001AFF1BA0000-memory.dmp

Filesize
64KB

Download
memory/1580-413-0x000001AFF1B90000-0x000001AFF1BA0000-memory.dmp

Filesize
64KB

Download
memory/2016-407-0x0000000006FB0000-0x0000000006FC0000-memory.dmp

Filesize
64KB

Download
memory/2348-143-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3092-213-0x0000000006EA0000-0x0000000006EB0000-memory.dmp

Filesize
64KB

Download
memory/3092-208-0x0000000000050000-0x0000000000148000-memory.dmp

Filesize
992KB

Download
memory/3480-214-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/3480-196-0x0000000000730000-0x000000000075A000-memory.dmp

Filesize
168KB

Download
memory/3820-412-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3820-411-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3820-410-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-372-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-386-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-383-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-433-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-400-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-371-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5072-437-0x00000000070A0000-0x00000000070B0000-memory.dmp

Filesize
64KB

Download
memory/5088-440-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-442-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download