Malware Analysis Report

2024-10-23 19:17

Sample ID 230526-t8tw5agh4v
Target 65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58
SHA256 65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58
Tags
gurcu redline goga lisa collection discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58

Threat Level: Known bad

The file 65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58 was found to be: Known bad.

Malicious Activity Summary

gurcu redline goga lisa collection discovery evasion infostealer persistence spyware stealer trojan

Gurcu, WhiteSnake

Modifies Windows Defender Real-time Protection settings

RedLine

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-26 16:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-26 16:44

Reported

2023-05-26 16:46

Platform

win10v2004-20230220-en

Max time kernel

70s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6847990.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5102581.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5102581.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6847990.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5650480.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4112 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5102581.exe
PID 4560 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5102581.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6847990.exe
PID 3480 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6847990.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0598416.exe
PID 1860 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0598416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3480 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6847990.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5650480.exe
PID 4560 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5102581.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2820518.exe
PID 3384 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2820518.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4112 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe
PID 1312 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe
PID 3648 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 2536 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 960 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\schtasks.exe
PID 960 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4816 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58.exe

"C:\Users\Admin\AppData\Local\Temp\65711cb0f3baca62e491743186b9d294b8a5e68bf132cacc5697c2210ac42a58.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5102581.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5102581.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6847990.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6847990.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0598416.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0598416.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5650480.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5650480.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2820518.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2820518.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legends.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legends.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\41bde21dc7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\41bde21dc7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

"C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe"

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

"C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe"

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

"C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe"

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5102581.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6847990.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0598416.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5650480.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2820518.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0385800.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1232.exe.log