neshta | f2c139ededc6158ae672aa2ae484cbdf503517af131062ddd80a106dd7827557

Analysis

max time kernel
1220s
max time network
1798s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

34KB
MD5

c066e2162e9aa7dd672e4c20c1c8c9eb
SHA1

20c061ca760ed127dd7c43ad5147064af4009d93
SHA256

f2c139ededc6158ae672aa2ae484cbdf503517af131062ddd80a106dd7827557
SHA512

aa75920ffef507b16ed23f7c4033374ec5b1ae56d9f6f32db6a0b632366a031280be4b6c2fed4ef895fda459899dccb62def861ffb90d287a23112a9d56a4adf
SSDEEP

384:PxXv9qZ/QXokXcjlcTB+Gx//wD7rXVhLHzVdfgkBE2jHuh/58pkFyHBLTLZwYGoy:JXB2GxebHzDyCw/VFye9F+Ojh7yaEr4

Score

10^/10

neshta stormkitty umbral xworm discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

cheflilou-43810.portmap.host:43810

Mutex

JQrIKWspeoVSCrcE

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

umbral

https://discord.com/api/webhooks/1300923716687106088/zBYqs8nJ3MptGRgCn45okL0BWnQ0FdPIXStaaykk5DhZfBnHinW4M0Ve6U2CSPsMATf2

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0003000000003e6e-218.dat	family_neshta
behavioral1/memory/1928-353-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1928-359-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000003e6e-218.dat	family_umbral
behavioral1/files/0x000300000000549a-224.dat	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2824-1-0x0000000000CB0000-0x0000000000CBE000-memory.dmp	family_xworm

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2824-360-0x000000001BA30000-0x000000001BB50000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
2940	powershell.exe
2400	powershell.exe
2408	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2618	discord.com
2619	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2593	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2696	cmd.exe
1536	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2544	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1560	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1536	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	chrome.exe
1780	chrome.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2060	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	XClient.exe
Token: SeDebugPrivilege	2824	XClient.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeDebugPrivilege	2060	taskmgr.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe
Token: SeShutdownPrivilege	1780	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
1780	chrome.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2616	1780	chrome.exe	33
PID 1780 wrote to memory of 2616	1780	chrome.exe	33
PID 1780 wrote to memory of 2616	1780	chrome.exe	33
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2832	1780	chrome.exe	35
PID 1780 wrote to memory of 2676	1780	chrome.exe	36
PID 1780 wrote to memory of 2676	1780	chrome.exe	36
PID 1780 wrote to memory of 2676	1780	chrome.exe	36
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37
PID 1780 wrote to memory of 2844	1780	chrome.exe	37

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1140	attrib.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2824
- C:\Users\Admin\AppData\Local\Temp\orcfco.exe
  "C:\Users\Admin\AppData\Local\Temp\orcfco.exe"
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\3582-490\orcfco.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\orcfco.exe"
    3⤵
    PID:784
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2652
  - - C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\3582-490\orcfco.exe"
      4⤵
      Views/modifies file attributes
      PID:1140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3582-490\orcfco.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:1356
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:1600
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:932
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2408
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1560
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\3582-490\orcfco.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2696
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1536
- C:\Windows\system32\cmd.exe
  "cmd"
  2⤵
  PID:2168
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71f9758,0x7fef71f9768,0x7fef71f9778
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1280,i,13446387987556117231,9701170856913446183,131072 /prefetch:2
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1280,i,13446387987556117231,9701170856913446183,131072 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1280,i,13446387987556117231,9701170856913446183,131072 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1280,i,13446387987556117231,9701170856913446183,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1280,i,13446387987556117231,9701170856913446183,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1408 --field-trial-handle=1280,i,13446387987556117231,9701170856913446183,131072 /prefetch:2
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3188 --field-trial-handle=1280,i,13446387987556117231,9701170856913446183,131072 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1280,i,13446387987556117231,9701170856913446183,131072 /prefetch:8
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3684 --field-trial-handle=1280,i,13446387987556117231,9701170856913446183,131072 /prefetch:1
  2⤵
  PID:2268

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2168

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
20cb03bf14fb3ac872a11d3ed8e2a5d0

SHA1
8399b39f5c4b0551826e5d08d6c3c3a556363e21

SHA256
aa62986b15e21553d7b1e677191549e24f78b268e75cfbf0c6d14816ceeedcb0

SHA512
fde8b35be23a91f5ac1bbbe3e515fb4bb69a7d48b5f19ca003b5d90b6523b666bc0d80fa931bfb811de757107f3a62b3f49a8c2aecad85de4c7e78f25eb543ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000007.log

Filesize
10KB

MD5
f4f229c12cb36d8eed0560f76d4c75af

SHA1
2bde6b1a9e3d0abfb821d162737f94825b8c80f5

SHA256
52f8eb8f829a48831c5c83278d8baa117bca8d2a6de7e128d40aed0da3f35ae5

SHA512
c686c15ca869fafd4c7d894f4d0a54ab0134da6de2e35467efb210a51293f82894197ec74d20be2a1e7ba9fe6b1888cbde6f9518835efda3d30392547d49a2c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
6fdc3e2472f9f65270af08f79ca9299b

SHA1
6a2a7feecb38d16bb557e17b0b09706b583db0c8

SHA256
be7b2c34807cb0c12b4e3763eddaa6f52bc5752475e647844546e924cbe0b102

SHA512
53a2b162bd4d65eb45ffb5991794a70f63551bd331c6f011e66d1c438425453e4e24ec9ac060d498742b09603868c4217476e6e83c5d4a2c347e577b4d74069e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2aafbfba0beb6e0c67e964b45786652c

SHA1
349f16c0962a127f9dd347c7a942b2b4f6f400c1

SHA256
463cac1fbab59e414357bb24b0b11aa100f15c21ad12c577a5444b5156ebf04b

SHA512
a0eb45042b3922be35af45d698e75d531e622c86337213a568f3cad99c82802022218d05f208257054b140691099ada25f714fd013c212e6ec77a62483bdff2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
85512a7917f1598ba22d03db858cdcb2

SHA1
a6186fd9c1aef35f6deb6a9e1db454fd09d9cfa9

SHA256
81b6fdcbe812fd7683732cb66b4503da42483d5e4af7a86ce0ea0f7d09c1ccb1

SHA512
9cfc8f8e6a9ed0391909b95c62896d2f0633a8b133a0e54ac5d11c79736d205916d72f8d63ec7f29a6f6aec2e065063c062f5537a48e32f601f075d61fea2425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
a6712cac7c28583427087b0afc939159

SHA1
75fd11a6203a2231f6d4de8a327c4ba89688e2f9

SHA256
ddfe95a472522329b446f84101dbb1301163a83a9ed7fb86d90d2fa16e074cd0

SHA512
9ce8ec3115f39b1ad9d3e137481059c26b52c6d67894ba4f36f442286cb5c11a869abb5e6203a96d67b2b483ec352f94c622516eb344bad1a9951f8ac5fe0b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
201ef0c3da952fdd5e3ebcc7fea23f8d

SHA1
db4a5efb2bab775b0ccfcd3aeab8e703bcbc5ccf

SHA256
f6e663f99a23a17170915e487ca7e27467b7853893d4933e73b9feddfa6742b0

SHA512
7fe02e61aa15cdebd2f78ed922044e43d281880d653b174d14a604ae73cfa13e8c2df6e1fc43c35541286e82823b499ca0ab61e3d71a4446bb49221e93eb5abf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
70dd1218869e64de2e93ffe0507ec2a1

SHA1
05fd8f11416ffbadf2954b0135627a3c0b39ac53

SHA256
493b5277a649ab596f82a44f5d9bd6be4f894b95411710da2c93c9f0f804cf26

SHA512
3181dcceabbb65edd287f4e8bd2945fd61babee4cbd9591713ea474b952d66acf1e90bc0954979179878ba3ac706cf2def8f0bdec4ebd892051751e9ab78169d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0f7723aff84a4f5bbcbd2be697abf5f1

SHA1
6123e79263dc45fe29d26500eaba270e4ec39ba1

SHA256
4bb0fa03df9f1c8a6adc613afbb9f3bee92dd51d68b9ceeaf7228d4fe34d7937

SHA512
3ee1f4d2dbfd1f7e0fceb2447d06ded0e08ac2e168e4571622809195765acd3c9f482f7aa82e89c2d94ebb47eb6e8c39cf82101d802cbb5650c284105ead2ffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb

Filesize
1KB

MD5
cc3810d7095e9ba30eddd9f7c02e783c

SHA1
58e59270c2d5c5f9ee7e4a2ef55af786b22254d7

SHA256
8659f69681aff39239470438d3a8cf8537f8c27113c2bde201c4ae870b4ef58d

SHA512
90f6b96f82a0dd64521db2c7aff5868415f253a28602288456dade19aea856de08d79b65e5b7d90195424e4430b3f8462044d75947bea4f25aa6b4b6a3a7b9fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.log

Filesize
2KB

MD5
acce9f1473f69ff129b9b85914b29a5f

SHA1
223e2109f89085cc1d95d4926e8f636414d12eea

SHA256
19860ac9ee3dae9719aa1d74ff1279920f0739369d6c9cf85bd5fc85ec5eb496

SHA512
043dde292d5a999ff34aaebf2adc4298c2bc0d4f35058b7f6177ffb61ee115ec5d733b7d412efa0f921ff67ed7c27aa7913868a19b1b96540ad1c7065efc848f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
c4770355ebe4a55afda671478abe9f8c

SHA1
ec9366cb9ffa861dfda08bbdc82547ac3536d527

SHA256
ef2fe2a1f622de80217ecb18001fc297bcca6dc3fa5826d977cb5a6ab35cddc3

SHA512
7280b9f0bc9f87959de8050c43b985d53a59102d897dc94efc38e851ae351aeeaeb3b07e535b0406d655644b4a4a6a97b4c61ca6fe869ad44fabea421a111371

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
347KB

MD5
e4bc85e1864a062245154b5e94f266a1

SHA1
fde47b5fd084d5b1f3aea297002f232d74e046ca

SHA256
beffe31f8c670b579426944fc6148adab8680f9bb5cab74b1ffb11cd782d99a0

SHA512
85f8c38dc96f8f23879995f7205dbe27c3c0ddfd7681108af03f2d68c3aaa0d026f5f8f3f82c08eccaa3bc2811738f87192ab17541372afaf946e2ddf3e15240

Download Submit
C:\Users\Admin\AppData\Local\Temp\orcfco.exe

Filesize
270KB

MD5
f76710d1d5a29fca7e79fe4edf8c91d8

SHA1
6fb0a847757bbb11b6879faee49ba2206d062c37

SHA256
9a1e6e1d123a3989318515c475e04f02ece3d85eade3ab77c6c3baf928abb1e4

SHA512
6735e5431f6dee3c3d20612440fb0b320f6330b58c54d178683c61874335749a90f8992662f250ed8286e26e4eae1ccf13e145e53b5fb43a5bff2678a73511b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ee8896617299f2ecb0c5e70466d0e551

SHA1
a4e17c3211fc08e716b4efcc018c641f796fd31f

SHA256
4f49db9845d679f272ee818e7c9eef5a4a278b65778798a350d1ac5e1f8bf452

SHA512
fa4815d60c7b8dc60af198c6eaf8e0700251bce544a5cd30d553e6a7c73538ab5e788790942d50535083ce1524c34dbc3955e5819c2b815a54a7d3e34081f192

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\orcfco.exe

Filesize
229KB

MD5
13a44ae702c2f8ec11472d6b965b8786

SHA1
dc410e60fce3498499d148c37d54dc25ca502aa4

SHA256
9ed2f2b8b28c3d25bb88732ffb42cb352552cf73448372ca2566511bfb8cd401

SHA512
63116b191589b5209e80206a9a4454e56c522fd3d53655abb0c4dfe4b08f2a381cd9a3b52e97167dfd2753f9ca69ba8ff6e9e14915c00d7e610fc477dc2d453f

Download Submit
memory/1928-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-107-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-164-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-185-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-184-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-193-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-194-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-195-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-196-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-197-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-198-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-199-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-200-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-165-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-208-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-209-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-210-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-211-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-212-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-213-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-183-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-156-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-106-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-59-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-60-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-84-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-79-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/2060-78-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2408-351-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2408-352-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2576-309-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2824-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2824-9-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2824-8-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-7-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2824-360-0x000000001BA30000-0x000000001BB50000-memory.dmp

Filesize
1.1MB

Download
memory/2824-361-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

Filesize
56KB

Download
memory/2824-6-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-1-0x0000000000CB0000-0x0000000000CBE000-memory.dmp

Filesize
56KB

Download