gurcu | c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

Resubmissions

10-04-2024 02:41

240410-c6hmmsfd7z 10

10-04-2024 02:41

10-04-2024 02:41

10-04-2024 02:41

14-10-2023 01:33

Analysis

max time kernel
1196s
max time network
1203s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x19a4f9f3d16fcc9779ba8ea79bf7.exe
Size

392KB
MD5

2299a17350433284e58bd0fcc10edf41
SHA1

d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256

c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512

123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1
SSDEEP

6144:5cJGLvLE5hu6Me646G0D1ecme1x9b31v4n:uUvLr6k9b5ecmed1v4

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 22 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Executes dropped EXE 42 IoCs

pid	Process
2088	x19a4f9f3d16fcc9779ba8ea79bf7.exe
3076	tor.exe
5584	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5680	tor.exe
5416	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4568	tor.exe
2340	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5940	tor.exe
5788	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5728	tor.exe
3276	x19a4f9f3d16fcc9779ba8ea79bf7.exe
3628	tor.exe
780	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5288	tor.exe
5956	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5140	tor.exe
1876	x19a4f9f3d16fcc9779ba8ea79bf7.exe
3392	tor.exe
6096	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4288	tor.exe
1436	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5036	tor.exe
4020	x19a4f9f3d16fcc9779ba8ea79bf7.exe
312	tor.exe
5940	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5604	tor.exe
5900	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5424	tor.exe
4160	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5620	tor.exe
3160	x19a4f9f3d16fcc9779ba8ea79bf7.exe
1076	tor.exe
5280	x19a4f9f3d16fcc9779ba8ea79bf7.exe
1188	tor.exe
4024	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2024	tor.exe
4736	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5900	tor.exe
2508	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4808	tor.exe
3692	x19a4f9f3d16fcc9779ba8ea79bf7.exe
1360	tor.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
142	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3580	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
484	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2088	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2088	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2088	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	5584	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	5416	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2340	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	5788	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	3276	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	780	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	5956	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	1876	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	6096	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	1436	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4020	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	5940	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	5900	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4160	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	3160	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	5280	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4024	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4736	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2508	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	3692	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4408	1920	x19a4f9f3d16fcc9779ba8ea79bf7.exe	93
PID 1920 wrote to memory of 4408	1920	x19a4f9f3d16fcc9779ba8ea79bf7.exe	93
PID 4408 wrote to memory of 4828	4408	cmd.exe	95
PID 4408 wrote to memory of 4828	4408	cmd.exe	95
PID 4408 wrote to memory of 484	4408	cmd.exe	96
PID 4408 wrote to memory of 484	4408	cmd.exe	96
PID 4408 wrote to memory of 3580	4408	cmd.exe	104
PID 4408 wrote to memory of 3580	4408	cmd.exe	104
PID 4408 wrote to memory of 2088	4408	cmd.exe	105
PID 4408 wrote to memory of 2088	4408	cmd.exe	105
PID 2088 wrote to memory of 1712	2088	x19a4f9f3d16fcc9779ba8ea79bf7.exe	109
PID 2088 wrote to memory of 1712	2088	x19a4f9f3d16fcc9779ba8ea79bf7.exe	109
PID 2088 wrote to memory of 3076	2088	x19a4f9f3d16fcc9779ba8ea79bf7.exe	111
PID 2088 wrote to memory of 3076	2088	x19a4f9f3d16fcc9779ba8ea79bf7.exe	111
PID 5584 wrote to memory of 5680	5584	x19a4f9f3d16fcc9779ba8ea79bf7.exe	116
PID 5584 wrote to memory of 5680	5584	x19a4f9f3d16fcc9779ba8ea79bf7.exe	116
PID 5416 wrote to memory of 4568	5416	x19a4f9f3d16fcc9779ba8ea79bf7.exe	125
PID 5416 wrote to memory of 4568	5416	x19a4f9f3d16fcc9779ba8ea79bf7.exe	125
PID 2340 wrote to memory of 5940	2340	x19a4f9f3d16fcc9779ba8ea79bf7.exe	137
PID 2340 wrote to memory of 5940	2340	x19a4f9f3d16fcc9779ba8ea79bf7.exe	137
PID 5788 wrote to memory of 5728	5788	x19a4f9f3d16fcc9779ba8ea79bf7.exe	145
PID 5788 wrote to memory of 5728	5788	x19a4f9f3d16fcc9779ba8ea79bf7.exe	145
PID 3276 wrote to memory of 3628	3276	x19a4f9f3d16fcc9779ba8ea79bf7.exe	150
PID 3276 wrote to memory of 3628	3276	x19a4f9f3d16fcc9779ba8ea79bf7.exe	150
PID 780 wrote to memory of 5288	780	x19a4f9f3d16fcc9779ba8ea79bf7.exe	155
PID 780 wrote to memory of 5288	780	x19a4f9f3d16fcc9779ba8ea79bf7.exe	155
PID 5956 wrote to memory of 5140	5956	x19a4f9f3d16fcc9779ba8ea79bf7.exe	160
PID 5956 wrote to memory of 5140	5956	x19a4f9f3d16fcc9779ba8ea79bf7.exe	160
PID 1876 wrote to memory of 3392	1876	x19a4f9f3d16fcc9779ba8ea79bf7.exe	165
PID 1876 wrote to memory of 3392	1876	x19a4f9f3d16fcc9779ba8ea79bf7.exe	165
PID 6096 wrote to memory of 4288	6096	x19a4f9f3d16fcc9779ba8ea79bf7.exe	171
PID 6096 wrote to memory of 4288	6096	x19a4f9f3d16fcc9779ba8ea79bf7.exe	171
PID 1436 wrote to memory of 5036	1436	x19a4f9f3d16fcc9779ba8ea79bf7.exe	176
PID 1436 wrote to memory of 5036	1436	x19a4f9f3d16fcc9779ba8ea79bf7.exe	176
PID 4020 wrote to memory of 312	4020	x19a4f9f3d16fcc9779ba8ea79bf7.exe	181
PID 4020 wrote to memory of 312	4020	x19a4f9f3d16fcc9779ba8ea79bf7.exe	181
PID 5940 wrote to memory of 5604	5940	x19a4f9f3d16fcc9779ba8ea79bf7.exe	186
PID 5940 wrote to memory of 5604	5940	x19a4f9f3d16fcc9779ba8ea79bf7.exe	186
PID 5900 wrote to memory of 5424	5900	x19a4f9f3d16fcc9779ba8ea79bf7.exe	191
PID 5900 wrote to memory of 5424	5900	x19a4f9f3d16fcc9779ba8ea79bf7.exe	191
PID 4160 wrote to memory of 5620	4160	x19a4f9f3d16fcc9779ba8ea79bf7.exe	197
PID 4160 wrote to memory of 5620	4160	x19a4f9f3d16fcc9779ba8ea79bf7.exe	197
PID 3160 wrote to memory of 1076	3160	x19a4f9f3d16fcc9779ba8ea79bf7.exe	202
PID 3160 wrote to memory of 1076	3160	x19a4f9f3d16fcc9779ba8ea79bf7.exe	202
PID 5280 wrote to memory of 1188	5280	x19a4f9f3d16fcc9779ba8ea79bf7.exe	207
PID 5280 wrote to memory of 1188	5280	x19a4f9f3d16fcc9779ba8ea79bf7.exe	207
PID 4024 wrote to memory of 2024	4024	x19a4f9f3d16fcc9779ba8ea79bf7.exe	212
PID 4024 wrote to memory of 2024	4024	x19a4f9f3d16fcc9779ba8ea79bf7.exe	212
PID 4736 wrote to memory of 5900	4736	x19a4f9f3d16fcc9779ba8ea79bf7.exe	217
PID 4736 wrote to memory of 5900	4736	x19a4f9f3d16fcc9779ba8ea79bf7.exe	217
PID 2508 wrote to memory of 4808	2508	x19a4f9f3d16fcc9779ba8ea79bf7.exe	222
PID 2508 wrote to memory of 4808	2508	x19a4f9f3d16fcc9779ba8ea79bf7.exe	222
PID 3692 wrote to memory of 1360	3692	x19a4f9f3d16fcc9779ba8ea79bf7.exe	227
PID 3692 wrote to memory of 1360	3692	x19a4f9f3d16fcc9779ba8ea79bf7.exe	227

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe
"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4828
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:484
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3580
- - C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:2088
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp9059.tmp" -C "C:\Users\Admin\AppData\Local\xtioxntk7k"
      4⤵
      PID:1712
  - - C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
      "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:3076

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5584
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
1⤵
PID:4404

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5416
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4568

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5940

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5788
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5728

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3628

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5288

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5956
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5140

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5108 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
1⤵
PID:216

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6096
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4288

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5036

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:312

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5940
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5604

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5900
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5424

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5620

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1076

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5280
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1188

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2024

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5900

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4808

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

Filesize
392KB

MD5
2299a17350433284e58bd0fcc10edf41

SHA1
d477f1cd55365db00ca77cc5459afabe1ffc80b3

SHA256
c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

SHA512
123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9059.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
a0db8a87f7b723266c8b04255da46b06

SHA1
4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

SHA256
60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

SHA512
41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-microdescs.new

Filesize
8.1MB

MD5
ec98fbf91d51bc8bb3f42e55ec1d8507

SHA1
d1f16ee570081561947a5a3c51ec3fbaec36708c

SHA256
a3af7dff2364e90eb3500815e0fbc00a243af3b14534b1b299cb72c507003ba5

SHA512
2a54f40f6f51d0586f318abe1408e4db3213f2b43efa0dc58dd6cf1d11140b074f61484762e7b62e8950d18fdd8da57abb92239daa4a5bc860ad6f35fde6faa0

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\host\hostname

Filesize
64B

MD5
5d92a368434f582497a089373fa54acb

SHA1
11867637e496d3fd7bf478da8e994303f088e2bd

SHA256
ef70f1729027bee843076ee38b3d7c5b2dafd1f42fde6c7817057cb6cf1a1184

SHA512
4c557bfbe6234cbaee158f31cdef41533605c682ce1b73d86706c9a89184ac9ef5b090e1e163ba1c6cd56bff11827502ec389e44e211c651114cdc3325c70828

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\port.dat

Filesize
4B

MD5
f40438b554cc0e3d96ee6064c5798f55

SHA1
e3d09d110ffd832db5c5683ac611ac8562dff28d

SHA256
a51baee973742433352aef2a7d0206026abe4c804c3f8bbbafd92a740ab78386

SHA512
16657accccfce59d627b1723db5c30bc8b3248bccecaceafcc0d65df1e1ba361e839aea091103cbf8661f4787a5f7903f23cd03fdea0c378fc9888f8e403cc50

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt

Filesize
218B

MD5
7b4f5dfebae302c53c8ea07a84964195

SHA1
e4cbb6ebaa41e76327430ce89486311ddda3f256

SHA256
eb7d33350e664151202b8c653132aa0d7eb92811318ba30c59ff0488e3f264ee

SHA512
4b446c902c73fc630e1fea5686b11f83b3b62b6772f0ce0e57124304cee33500771f03901845e4b3229fe420ae9a3c915a2d6d3d2e85ad4ada5252f9b1389ccd

Download Submit
memory/780-126-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/780-128-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/1436-164-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/1436-162-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/1876-140-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/1876-138-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/1920-1-0x00007FFE395D0000-0x00007FFE3A091000-memory.dmp

Filesize
10.8MB

Download
memory/1920-0-0x000002F549A00000-0x000002F549A68000-memory.dmp

Filesize
416KB

Download
memory/1920-6-0x00007FFE395D0000-0x00007FFE3A091000-memory.dmp

Filesize
10.8MB

Download
memory/1920-4-0x000002F563FC0000-0x000002F563FD0000-memory.dmp

Filesize
64KB

Download
memory/2088-67-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/2088-75-0x000001F991580000-0x000001F991590000-memory.dmp

Filesize
64KB

Download
memory/2088-11-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/2088-12-0x000001F991580000-0x000001F991590000-memory.dmp

Filesize
64KB

Download
memory/2340-98-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/2340-100-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/2508-261-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/2508-255-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/3160-216-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/3160-214-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/3276-112-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/3276-110-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/3692-271-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/3692-273-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/4020-172-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/4020-170-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/4024-235-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/4024-237-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/4160-204-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/4160-202-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/4736-249-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/4736-247-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5280-227-0x000001CA786F0000-0x000001CA78700000-memory.dmp

Filesize
64KB

Download
memory/5280-229-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5280-226-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5416-89-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5416-90-0x0000014256E50000-0x0000014256E60000-memory.dmp

Filesize
64KB

Download
memory/5416-92-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5584-53-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5584-54-0x00000244B2D30000-0x00000244B2D40000-memory.dmp

Filesize
64KB

Download
memory/5584-57-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5788-106-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5788-108-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5900-196-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5900-194-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5940-184-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5940-182-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5956-134-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/5956-136-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/6096-156-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download
memory/6096-154-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Filesize
10.8MB

Download