939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2024, 17:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PepperX (1).exe
Size

146KB
MD5

39c9477cf131ca5ccc05c8871c0e10e6
SHA1

07b2581b2cb41053d09c4bb896aaabc1d28f2a7b
SHA256

939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb
SHA512

689fd585232031f746b1573d3ed66ac329420611d4e1092ce6952b49ab0c168091726bd02189a4e183d1196ced4f51953e4eb25a5219a36f86d8f6761da9f129
SSDEEP

1536:xzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDqk3sA9atm8z+L8QBfuSoyAMjwT:KqJogYkcSNm9V7D7352v+L8DnyAewT

Score

9^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	635A.tmp

Deletes itself 1 IoCs

pid	Process
1752	635A.tmp

Executes dropped EXE 1 IoCs

pid	Process
1752	635A.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini	PepperX (1).exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini	PepperX (1).exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP02qo7e20l6wzsxnbhvavf_f_d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP9v6d1z3w7nd7vp0o93bhvxrvc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPqlv02x838c_7kerdgf0q02rnd.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\1pvSvxmZY.bmp"	PepperX (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1pvSvxmZY.bmp"	PepperX (1).exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1752	635A.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PepperX (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	635A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop	PepperX (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallpaperStyle = "10"	PepperX (1).exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771146566897679"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1pvSvxmZY\ = "1pvSvxmZY"	PepperX (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY\DefaultIcon	PepperX (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY	PepperX (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY\DefaultIcon\ = "C:\\ProgramData\\1pvSvxmZY.ico"	PepperX (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1pvSvxmZY	PepperX (1).exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1188	ONENOTE.EXE
1188	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe
3292	PepperX (1).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp
1752	635A.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeDebugPrivilege	3292	PepperX (1).exe
Token: 36	3292	PepperX (1).exe
Token: SeImpersonatePrivilege	3292	PepperX (1).exe
Token: SeIncBasePriorityPrivilege	3292	PepperX (1).exe
Token: SeIncreaseQuotaPrivilege	3292	PepperX (1).exe
Token: 33	3292	PepperX (1).exe
Token: SeManageVolumePrivilege	3292	PepperX (1).exe
Token: SeProfSingleProcessPrivilege	3292	PepperX (1).exe
Token: SeRestorePrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSystemProfilePrivilege	3292	PepperX (1).exe
Token: SeTakeOwnershipPrivilege	3292	PepperX (1).exe
Token: SeShutdownPrivilege	3292	PepperX (1).exe
Token: SeDebugPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeBackupPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe
Token: SeSecurityPrivilege	3292	PepperX (1).exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE
1188	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 5052	3292	PepperX (1).exe	92
PID 3292 wrote to memory of 5052	3292	PepperX (1).exe	92
PID 1308 wrote to memory of 1724	1308	chrome.exe	102
PID 1308 wrote to memory of 1724	1308	chrome.exe	102
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 3944	1308	chrome.exe	103
PID 1308 wrote to memory of 1692	1308	chrome.exe	104
PID 1308 wrote to memory of 1692	1308	chrome.exe	104
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105
PID 1308 wrote to memory of 2972	1308	chrome.exe	105

C:\Users\Admin\AppData\Local\Temp\PepperX (1).exe
"C:\Users\Admin\AppData\Local\Temp\PepperX (1).exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:5052
- C:\ProgramData\635A.tmp
  "C:\ProgramData\635A.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\635A.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff3159cc40,0x7fff3159cc4c,0x7fff3159cc58
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2128,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:3
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4912,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4688,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4668,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=860,i,11988583845829145530,5791210577317833335,262144 --variations-seed-version --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  PID:4900

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:3456
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{078EFD65-6F9D-4B31-9005-9914251B9F6A}.xps" 133771146479960000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1188

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini

Filesize
129B

MD5
238b92556009471dc4c16586ef9e35c7

SHA1
157d990813dbb303ea8fa304d990e44195ce46a8

SHA256
57ab39fb81794ae98d62277db1931ddd4691d2490ab37323bac2f02faf10c2f2

SHA512
24f6b1f5a22f4488c7ef623766c266e6f923937b6093c13209f1a3bdcb616b71a125f7c56892371ab19290b3d3ce9f732e28284c10ac49984491de5d986fee22

Download Submit
C:\1pvSvxmZY.README.txt

Filesize
348B

MD5
9810eed5ecd966874ebeb398ac6531ed

SHA1
17d2e2bc15df652734b79185cb323e652559fd6a

SHA256
53183e5ed0cf42bed46b17c9dcc92ea49737bb57dce34f1e20675a913796566e

SHA512
b26ca61461ed8b09f037e33d209cd0a22959b89e3e7895e057f544010fd5ae037e4fa76311763c121cd6e8b3050de22fa7d2163b4d9cf40585e14f5024e0cb79

Download Submit
C:\ProgramData\635A.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6703B3C8-1244.pma.1pvSvxmZY

Filesize
4.0MB

MD5
e6dc965fe04819da79c3bb2dafd34ada

SHA1
ea54d7408e26e0ba7a8e054c2b43911bbb04b2f8

SHA256
59b9ae7567e3be617e5ade5a7734509121df16eed0b52470036b9ac26c4c591a

SHA512
60b331477400dad93ecf2d3c3fd281b4869bf3bf0c6a307eb2becc811cdcab5632299829afbd61b197ea8f57c49d5bb84045a89b5c506ee68ecbd49498774e4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1118ff62-f00b-4e18-a775-5a63df364542.tmp

Filesize
9KB

MD5
793ace625c6411ae197fc71e647a5eaa

SHA1
db440127bc39280d1a7a5f61c15e1bbaa87c9091

SHA256
0936409eb5622f3161bc47469e5dac8b4b80c8102233f6ac5b5f31fde92182a3

SHA512
57f7b823364bcef9dde64c0acaf98a33094ea0790a5599d6b2f82bb2612a4913fe2e12082f82a29c598f49210178ab0c5430be66568852972998a58e18002e0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
88c154de077559e9a4f1e4643caa09aa

SHA1
a9d541626ce0b253e2d6e6cc5eddd8f7fb6a9a38

SHA256
fcab4c5b318635124ce5109a0192a598c4a9612ec278925f0e9cd2c798b902dd

SHA512
bd8072976915309c5a8b8be891e9bec135b858bd4016047e9937ba4f0f07402d684b6dac63923600a2d6b1e6870b0aabdc73eb27345826ab07046237bfa65fd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
336B

MD5
0656e0d3d1fa0344353b50b32762dc01

SHA1
dc5056719abca5047b94c5ec8cd00051a64643aa

SHA256
6dcf8c8995f5abf12ce132c8e672094e9108567ebf9e8ac4aaeacc179955bd67

SHA512
393309212e906d9d6e36f9ef009bc6a12c312bf3bd861c9c406e06d7579de26d655e2f71405b139cad52686aa907c5e9e7d4c8f6421f923fe6167613c1a05f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6b0c271aad4b40a0d2eed30a2093a06c

SHA1
89a437873b20b2773fb198ad2e80e5e7e83cca0b

SHA256
634962da553ab7119425e316aeb9b5baa0ca71af26c81520b7912de278b11071

SHA512
2b223a2cc21375cd7a3dd0ae36cbac5060d9ad7757a08489812fc7aac594196de7f23a6b72f8213a77015616ec1f6aca3defcec56b4c694addfdfb46c5917440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
000f2840c0d52cf41d45eb763021c579

SHA1
1254a7626aed32643f2bf3e2d0f7ec725ab7e28c

SHA256
4b1a2a9f5e5b22fa3c072a2dddd2fa8ca4b8051fb2dfcdef1bedf33bdd696752

SHA512
b44eaabab9941261074234c58e8f1cb9fc11a337a4e24e5c5b57811686fd6a296ed220b6d981949052459771152f969cbb8da1c1301b6aae26ded4a20d639700

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1872155ff16588630427d47a81c445d0

SHA1
17af95eb8f3eaaa8dc2bf8440a2767fef55ad121

SHA256
4870bf5ee3c2ba14a22897424ea34e8e25791a344a3dd26c7b1cadb6599cbb33

SHA512
4381e0e07253a867d405fda821bb095bf4bf8f5a5cf317f89495d64c28dcf1820b67d42a7b6ec0ca3ab54e0067da8cd90737b58a64f9ad38258bc2f099952b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a9d5ce34377f554ec8c7d2de5e184d63

SHA1
9bb626626f66eb3c8ec9fa037b3fd12b5a69c3b3

SHA256
09c61fb28324dddeeb4bc7f5dad67b523ea7e02d0402c33a38f4d848f93036bd

SHA512
9c3be16d6074ddcc5dabc1598594309fea411df22f6467bfd80552b38757dbed3d3dd624d8a99486a5f4d18edd9dfd9a00e73cda9bc12052f952cf8a1242c4c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f692af2cf0c687dee9292f8e1b5c1f4d

SHA1
4db1644a83bc26786df3b15d32e44646865a3308

SHA256
22b9701f48f5619a1020e0a0e953186c65abf58a93edb296be4acbfc7f0268c4

SHA512
4bf684e596a98f0acd08ebac4ae72dcc32b01f082ba825b0438e8144850a98cb907a59e41ef8044a7d450e16647ecfbf3d844cdce1647f7bb56e4885ed70f1df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7a5f8e8111cd2097ed55f2da1d0b8c2a

SHA1
dfba3e97db87249c9dbc216ef53e117c2e191262

SHA256
a7dc891622a5527c6fe4a91fba5da286a400e37175ca8e412da4a36cfde11831

SHA512
d1b54b74fa5ed7a86393e489585f73bddc495a4be990922ed09d3165e3c03b0b2461a1d6cf89cefbb3dd329bc61500041b39318caff768ba9ab4ac89d9967218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1874d8c8934b883293efaa73b8586226

SHA1
1cc20352e64566689b29e6e96cffdf4c83d86437

SHA256
653b83e42ef66171f8e2171622ae7ae49ba9c8d7afd63011d64ccc712d502ea0

SHA512
5bd515f57ed6c235070a6a1dfd592e64d62b4634b829bbcaf3cc4c71394b4b0b91de953fb6b8a4a1cbd5cd18f01462aad76d655767fd34a8cf317e40fea59d42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3e7e317e7702ded226fa2e1a8b431dd4

SHA1
40080657a2949affcde46ebd19de1a02670ebec4

SHA256
379becf998e81579926cbe282fea30882dcea8382b42ba8a62d22be925e25c2d

SHA512
d9dc11dd9549059ce6e93cdfcf31156b5cd4598ed3326436a8a43b4a2ee3c0f0a641e801d7563b66f9bfbcdf8f02c7735ef7990db6e72c4ff02862bf803a2013

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d3a7a5c250f11aa7d7a3a1f39787417

SHA1
cee13dd60101134b193497e2953f8854041ba70b

SHA256
c5ea48dd2de6475f161d899543576a0487723ec2bb458f35f8bed7b188fba683

SHA512
2f9de58acf0710a9f803c29f7d86d9e6e77cfc9c5233ca3fd24720ceccea2660304c5d485242b212b546503fed1bc95778b2f7b024a56d94d7bc0fe5d6ab1c94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
35249be5f51199ee37ea11b36e21c7b8

SHA1
953d192b9cffbed6cb994425590f9fe541ed4d8e

SHA256
ca135f7f097c8d20f4882387c9287a8ffd822132bc51f59e3c0cf8b791990928

SHA512
d69896520398592eefa6d9cc2f2e10abb9ad90dc840f953d871f5847c8b849af0880788e4f2dda44472f24b9d1833a99425e55ade8d1576d25eca21a1be628b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fc581b47a0b8437058ca7be070d31898

SHA1
94f640e25c17ee8d7c17b8a1705d6a8310568934

SHA256
459823dbfa75fdf13255a6baf07fa29f90c737ac1ae3a0866e5ba1c32fece0f0

SHA512
3ba6efb066da8a6fce0c0069a28fdc68beb3d496c5a9c0b4f2de4f1a243d25849383e927f734d8c01a9ef38305c5ab22b54b13eb4c4b8a43708b39bd86536a90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
5ce471a2aaee7785e9cea0f7da27747d

SHA1
1f422ab9426effcca9855f790b17deee70d834b9

SHA256
fc748a9579e51be9085ff854556c00d38d590bf6bf84c1db4e53c00fdd05a51c

SHA512
2ad56e749e942fe0ad69815a6f4bb9cacbaf9503f82493b2b706b084f0bdf23b97383e957b09652db094e8c053b471521f59b73b77e570bfee7e3d8be8de9421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
dc948cef89936d8063dc83ec128a9ac4

SHA1
04144f34af7d658f1ed473b1190797d0c93db5c7

SHA256
0ac0ad64dfa0302c369074aec410e1f20b8d497a515749eeb0c704d18603d875

SHA512
5f7244b5a2a0100e0ed104978cf10df8dc026865311a6ecca645ba2886fe0fccf6a7db3fd2dc49f95554efa28d2955ee6b30cc1d6ee5a285be1b961e974689cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe5871b0.TMP

Filesize
1KB

MD5
204a945956e96a03b66ab417e1b02ccd

SHA1
e36e15c1040907d4bad59f0f1a1389d387c2afb7

SHA256
1594fe6c60dbbecf1d12df98d91cf2ba4bcb510037d5b120bd3a052c58adabe6

SHA512
beb278cafbfc24ae32abb56ed9cf98f39818861ec6437364440f64cfa48bd33f178d5bfec1e3b6338788fd4705b91de883915922b31a1c59583c6e0a12b9572b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDD

Filesize
146KB

MD5
38979309b73d7f2a421c43394f3cfec1

SHA1
6339841f2f860102bb59e894bf3b3d892f92c937

SHA256
496d5c3bade165279752b2cb9139ba6fb187611c404793132256cad21093834c

SHA512
ea368ecd11713961322e83bdfcd0811583a37c6b7a3815229ba806e071298521f75a011c29130571af91899d7a9ab40a85be6782845bdd4253bc3d9e45195870

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15F4C762-6304-43B2-8552-24B7B85457F7}

Filesize
4KB

MD5
6de205218b94448c944b859c47ec3255

SHA1
08bc49a267fffe0caa091df1e199939b6eec3434

SHA256
f48bf1c5678e917fcbdc75ba07617cd222063647db542dd151283ce7cd9115ee

SHA512
6f45f231c13d9fa6c8438e738288bd614b5de9da9306f9bbb75bf65ca7b674f394c636e7efdae7b5bb84e8c8b5801a9190b5d61145623d5569139e2ac1d91fd1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\DDDDDDDDDDD

Filesize
129B

MD5
488662d234195c18fc987ec66e07b13a

SHA1
75a9656ae25836f20f71a451b643f5e17061cccc

SHA256
8014980423a8abc3f893085fbd2855d91cd3a7a706e65076b8ea92110f76659d

SHA512
fb19a8ec719b2645755448de1f90e0bf75c5fb8b3e46cb105e8a8451ba1920767851191c19c2675a82865671a068dd07217a008bd444a141ad08ee363aca3c29

Download Submit
memory/1188-2889-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1188-2885-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1188-2992-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1188-2918-0x00007FFF0C9D0000-0x00007FFF0C9E0000-memory.dmp

Filesize
64KB

Download
memory/1188-2991-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1188-2894-0x00007FFF0C9D0000-0x00007FFF0C9E0000-memory.dmp

Filesize
64KB

Download
memory/1188-2990-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1188-2888-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1188-2886-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1188-2887-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1188-2993-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/3292-0-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

Filesize
2.0MB

Download
memory/3292-2821-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

Filesize
2.0MB

Download
memory/3292-2895-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

Filesize
2.0MB

Download