gurcu | 214082ec55ebca25be21e5b5227ad0e89c08026c55a21fc57dc4bd2764f5d28f

Analysis

max time kernel
146s
max time network
158s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
05/04/2025, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rihuata-main/nborepadiktad.exe
Size

154KB
MD5

45c60c8cd85b2c5bf1e45d9cedffb0f5
SHA1

44dcaed457ea5d71bdb8e363cda3571073072066
SHA256

f8ca9367e456da03cb05e50cba8f20d36bf59035b0b42e4c149d143a12d9bf0a
SHA512

e4833825aba49dd471cdbd912594da200f751837351cb68404867b158e9d078a95196012b1a6cffbe72e835f5a4001f10f969ae68303a2dbb452b08a6569099d
SSDEEP

3072:tuBUoLruBEaO77ZKKf9bjPoppy7KQWlKdDsQOv:tuaoLiVO8Kf9bjAry7KQWGO

Score

10^/10

gurcu collection discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot8044316559:AAFBKJlXZImRdKtbDCT2g5_pK-tOr4SgrOo/sendMessage?chat_id=7099179555

http://96.9.124.250:8070

http://209.38.221.184:8080

http://46.235.26.83:8080

http://147.28.185.29:80

http://206.166.251.4:8080

http://51.159.4.50:8080

http://167.235.70.96:8080

http://194.164.198.113:8080

http://132.145.17.167:9090

https://5.196.181.135:443

http://116.202.101.219:8080

https://185.217.98.121:443

http://185.217.98.121:8080

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

http://65.49.205.24:8080

https://154.9.207.142:443

http://67.230.176.97:8080

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	nborepadiktad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	nborepadiktad.exe

Executes dropped EXE 4 IoCs

pid	Process
1216	nborepadiktad.exe
4768	tor-real.exe
1400	nborepadiktad.exe
5512	nborepadiktad.exe

Loads dropped DLL 8 IoCs

pid	Process
4768	tor-real.exe
4768	tor-real.exe
4768	tor-real.exe
4768	tor-real.exe
4768	tor-real.exe
4768	tor-real.exe
4768	tor-real.exe
4768	tor-real.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tor-real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6100	cmd.exe
3548	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1544	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\Local Settings	nborepadiktad.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1216	nborepadiktad.exe
1216	nborepadiktad.exe
1216	nborepadiktad.exe
1216	nborepadiktad.exe
1216	nborepadiktad.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	nborepadiktad.exe
Token: SeDebugPrivilege	1216	nborepadiktad.exe
Token: SeAssignPrimaryTokenPrivilege	1216	nborepadiktad.exe
Token: SeIncreaseQuotaPrivilege	1216	nborepadiktad.exe
Token: SeSecurityPrivilege	1216	nborepadiktad.exe
Token: SeTakeOwnershipPrivilege	1216	nborepadiktad.exe
Token: SeLoadDriverPrivilege	1216	nborepadiktad.exe
Token: SeSystemtimePrivilege	1216	nborepadiktad.exe
Token: SeBackupPrivilege	1216	nborepadiktad.exe
Token: SeRestorePrivilege	1216	nborepadiktad.exe
Token: SeShutdownPrivilege	1216	nborepadiktad.exe
Token: SeSystemEnvironmentPrivilege	1216	nborepadiktad.exe
Token: SeUndockPrivilege	1216	nborepadiktad.exe
Token: SeManageVolumePrivilege	1216	nborepadiktad.exe
Token: SeDebugPrivilege	1400	nborepadiktad.exe
Token: SeDebugPrivilege	5512	nborepadiktad.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4528	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 5684	3884	nborepadiktad.exe	81
PID 3884 wrote to memory of 5684	3884	nborepadiktad.exe	81
PID 5684 wrote to memory of 5492	5684	cmd.exe	83
PID 5684 wrote to memory of 5492	5684	cmd.exe	83
PID 5684 wrote to memory of 1544	5684	cmd.exe	84
PID 5684 wrote to memory of 1544	5684	cmd.exe	84
PID 5684 wrote to memory of 2452	5684	cmd.exe	85
PID 5684 wrote to memory of 2452	5684	cmd.exe	85
PID 5684 wrote to memory of 1216	5684	cmd.exe	86
PID 5684 wrote to memory of 1216	5684	cmd.exe	86
PID 1216 wrote to memory of 4768	1216	nborepadiktad.exe	93
PID 1216 wrote to memory of 4768	1216	nborepadiktad.exe	93
PID 1216 wrote to memory of 4768	1216	nborepadiktad.exe	93
PID 1216 wrote to memory of 6100	1216	nborepadiktad.exe	96
PID 1216 wrote to memory of 6100	1216	nborepadiktad.exe	96
PID 6100 wrote to memory of 2196	6100	cmd.exe	98
PID 6100 wrote to memory of 2196	6100	cmd.exe	98
PID 6100 wrote to memory of 3548	6100	cmd.exe	99
PID 6100 wrote to memory of 3548	6100	cmd.exe	99
PID 6100 wrote to memory of 3844	6100	cmd.exe	100
PID 6100 wrote to memory of 3844	6100	cmd.exe	100
PID 1216 wrote to memory of 1584	1216	nborepadiktad.exe	101
PID 1216 wrote to memory of 1584	1216	nborepadiktad.exe	101
PID 1584 wrote to memory of 1272	1584	cmd.exe	103
PID 1584 wrote to memory of 1272	1584	cmd.exe	103
PID 1584 wrote to memory of 3900	1584	cmd.exe	104
PID 1584 wrote to memory of 3900	1584	cmd.exe	104
PID 1584 wrote to memory of 3432	1584	cmd.exe	105
PID 1584 wrote to memory of 3432	1584	cmd.exe	105
PID 1216 wrote to memory of 4528	1216	nborepadiktad.exe	107
PID 1216 wrote to memory of 4528	1216	nborepadiktad.exe	107
PID 1216 wrote to memory of 4528	1216	nborepadiktad.exe	107
PID 4528 wrote to memory of 636	4528	AcroRd32.exe	109
PID 4528 wrote to memory of 636	4528	AcroRd32.exe	109
PID 4528 wrote to memory of 636	4528	AcroRd32.exe	109
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110
PID 636 wrote to memory of 4376	636	RdrCEF.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nborepadiktad.exe

C:\Users\Admin\AppData\Local\Temp\rihuata-main\nborepadiktad.exe
"C:\Users\Admin\AppData\Local\Temp\rihuata-main\nborepadiktad.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "nborepadiktad" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\nborepadiktad.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\rihuata-main\nborepadiktad.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\nborepadiktad.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5684
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5492
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:1544
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "nborepadiktad" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\nborepadiktad.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2452
- - C:\Users\Admin\AppData\Local\Starlabs\nborepadiktad.exe
    "C:\Users\Admin\AppData\Local\Starlabs\nborepadiktad.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:1216
  - - C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\tor-real.exe
      "C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\torrc.txt"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4768
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:6100
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2196
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3548
    - - C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        5⤵
        
        PID:3844
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1272
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3900
    - - C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        5⤵
        
        PID:3432
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\461-08-HK.pdf"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8BABA7AE00F70D32B907861BFC69F6D7 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=10F68F296B1E420EAC37A1EC96A81635 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=10F68F296B1E420EAC37A1EC96A81635 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=25FEC03E540FAEB0C9D6FB16E4D50E68 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2F5CF4AD7353E40C75F38591FA3F5331 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2F5CF4AD7353E40C75F38591FA3F5331 --renderer-client-id=5 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E1574F2212D1B10C974CD8C28632B41C --mojo-platform-channel-handle=1896 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=504BBB1B874FCA223B24568B98FB6612 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4392

C:\Users\Admin\AppData\Local\Starlabs\nborepadiktad.exe
"C:\Users\Admin\AppData\Local\Starlabs\nborepadiktad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4612

C:\Users\Admin\AppData\Local\Starlabs\nborepadiktad.exe
"C:\Users\Admin\AppData\Local\Starlabs\nborepadiktad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
64009c1587815a822bcba27b2b43ab9e

SHA1
ec3a1c79f3f4012856c2917b0686b0e8af5b8e95

SHA256
e1533c50d883d15ce0fb289ebf2c46d4784d61c23879fcb4e49662744c400821

SHA512
6c1a659ecd9ca3dc4e2ecc76b2bd193714534e71f0bc30998845db6dbad638b17b60d71341f9da616975fdafb3ca29b34aa222570172cb99f3400c0737b31fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nborepadiktad.exe.log

Filesize
847B

MD5
d38514e42f9c4d7be98adbe1fb5b65b5

SHA1
3b7b9f9955b69255e3c6cd3f3bd3eeced8f5b12e

SHA256
cc22cec1420f1eb22c370caf2c8731aa09c1fcc9607802ef5c31eb1ac060f313

SHA512
bc8e51ef3e04ec03a844c7257b09395b5d7caf19e07f5ff95331e4a232412e90d415884ba4dd5fbc29313c1c2a2ea4b7459b8e329500eaa527508670eacd87ac

Download Submit
C:\Users\Admin\AppData\Local\Starlabs\nborepadiktad.exe

Filesize
154KB

MD5
45c60c8cd85b2c5bf1e45d9cedffb0f5

SHA1
44dcaed457ea5d71bdb8e363cda3571073072066

SHA256
f8ca9367e456da03cb05e50cba8f20d36bf59035b0b42e4c149d143a12d9bf0a

SHA512
e4833825aba49dd471cdbd912594da200f751837351cb68404867b158e9d078a95196012b1a6cffbe72e835f5a4001f10f969ae68303a2dbb452b08a6569099d

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\p.dat

Filesize
4B

MD5
3323fe11e9595c09af38fe67567a9394

SHA1
e6402ee50e78b6141db94c840ca7903762665732

SHA256
ac1964eb089654e01f7bfb4871e0cd31ea4d2aa6e6e48774b6b9917b1341dbf6

SHA512
f1ad502af8d1e6d5df8f08b6cae406ac0419a1b855603d55c3dace262778da5816ea84e8e5ad09265bead98c6dddc4294ba96e4ae20a7cd490be022f6bcba9a0

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\data\cached-microdesc-consensus.tmp

Filesize
3.0MB

MD5
33843c38cb7648b83af389ad1560dd87

SHA1
124a727585c3c298a2f537fd07c61baf8ef5dda1

SHA256
2c1a614db7503bb5cafa9c4e357b08287732c35e722c494ccb5caf3041dafb72

SHA512
1cd1f717dfe6f51c904fed88c8c0719a1939d98d2b40042c29e4d362a744bc76eb0eb14281c1fec7b4d6028ec0474630f5fbe364c039a79373253ef0c1f7b26f

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\data\cached-microdescs.new

Filesize
8.6MB

MD5
aa76e239c36fde70d9ecdcef52e001c0

SHA1
2a4c42af5eee2ffc306e9d387bdb8190470da883

SHA256
73c486a0f084782a500639ae12bf15711d71ad6b2e599bafc8031aea9d1613bb

SHA512
ce0de309f2e5abea8567b812bb8303e065c12253325999404f8d2415742e292abc12010537639795e93e5d9de497197cff5420619d944e6d0e01094cb39ac7bd

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\host\hostname

Filesize
64B

MD5
5a2c0b97c41c0ab0c238f9358e9c29c7

SHA1
e1b9d8ec6f6e9409e0673b31d718b972eecda99c

SHA256
fdee071a970be5f96580c4a74684656fbe7aa1f655a7e8d99dff03deab4b9fbd

SHA512
fe1bd2372d48ef10cb4dc890101893549302144f8974dfb70620940a574707e20d231a1b9330c5297e7ef6e79170c46ad1800a452c95d61049463adf2dde086d

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
6d48d76a4d1c9b0ff49680349c4d28ae

SHA1
1bb3666c16e11eff8f9c3213b20629f02d6a66cb

SHA256
3f08728c7a67e4998fbdc7a7cb556d8158efdcdaf0acf75b7789dccace55662d

SHA512
09a4fd7b37cf52f6a0c3bb0a7517e2d2439f4af8e03130aed3296d7448585ea5e3c0892e1e1202f658ef2d083ce13c436779e202c39620a70a17b026705c65c9

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\libevent-2-1-7.dll

Filesize
1.1MB

MD5
a3bf8e33948d94d490d4613441685eee

SHA1
75ed7f6e2855a497f45b15270c3ad4aed6ad02e2

SHA256
91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585

SHA512
c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\libgcc_s_sjlj-1.dll

Filesize
1.0MB

MD5
bd40ff3d0ce8d338a1fe4501cd8e9a09

SHA1
3aae8c33bf0ec9adf5fbf8a361445969de409b49

SHA256
ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c

SHA512
404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\libssl-1_1.dll

Filesize
1.1MB

MD5
945d225539becc01fbca32e9ff6464f0

SHA1
a614eb470defeab01317a73380f44db669100406

SHA256
c697434857a039bf27238c105be0487a0c6c611dd36cb1587c3c6b3bf582718a

SHA512
409f8f1e6d683a3cbe7954bce37013316dee086cdbd7ecda88acb5d94031cff6166a93b641875116327151823cce747bcf254c0185e0770e2b74b7c5e067bc4a

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\libssp-0.dll

Filesize
246KB

MD5
b77328da7cead5f4623748a70727860d

SHA1
13b33722c55cca14025b90060e3227db57bf5327

SHA256
46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7

SHA512
2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\libwinpthread-1.dll

Filesize
512KB

MD5
19d7cc4377f3c09d97c6da06fbabc7dc

SHA1
3a3ba8f397fb95ed5df22896b2c53a326662fcc9

SHA256
228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d

SHA512
23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\tor-real.exe

Filesize
4.0MB

MD5
07244a2c002ffdf1986b454429eace0b

SHA1
d7cd121caac2f5989aa68a052f638f82d4566328

SHA256
e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf

SHA512
4a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\torrc.txt

Filesize
226B

MD5
26bc343aa74a87695629e88e5eeddd84

SHA1
63ec9a3550191505b52c4047bd0f35a848cf2032

SHA256
ea866baac787e828703e50a827bac9fdb216ceb5020f0395f5340a6340b6b9e8

SHA512
4111ba3a094d91e1ba461605277a51d92f150049b2ad1d493c60d2a6c0bbe523c4e91ab48706c4712c4bcbff985c8483705798e2fb7488ededd0187b9d3e7b86

Download Submit
C:\Users\Admin\AppData\Local\oh3x5d8ezx\tor\zlib1.dll

Filesize
121KB

MD5
6f98da9e33cd6f3dd60950413d3638ac

SHA1
e630bdf8cebc165aa81464ff20c1d55272d05675

SHA256
219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773

SHA512
2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

Download Submit
C:\Users\Admin\AppData\Roaming\461-08-HK.pdf

Filesize
7.4MB

MD5
6c26cf81bd798ef27824d7abfe0a56b0

SHA1
160af1f93918bf8d1491fea1fcedf7162656884c

SHA256
7d4f9eac04fc0f4910813ce1ba1d8e9dc64bf5220e79bf5478e021fd29aacdcb

SHA512
7404763a9e16d31ca0eb647381c9e5684be58f267c62a2fd243dd12725e5ed03096ef5b6f9a7c41bd08e5afe8ced4e6c956bb42e517abc0aa09f5b43c133e9a5

Download Submit
memory/3884-4-0x00007FFA769C0000-0x00007FFA77482000-memory.dmp

Filesize
10.8MB

Download
memory/3884-2-0x00007FFA769C0000-0x00007FFA77482000-memory.dmp

Filesize
10.8MB

Download
memory/3884-1-0x000002720D160000-0x000002720D18C000-memory.dmp

Filesize
176KB

Download
memory/3884-0-0x00007FFA769C3000-0x00007FFA769C5000-memory.dmp

Filesize
8KB

Download
memory/4768-137-0x00000000748D0000-0x00000000749B6000-memory.dmp

Filesize
920KB

Download
memory/4768-199-0x0000000000590000-0x00000000009A4000-memory.dmp

Filesize
4.1MB

Download
memory/4768-136-0x00000000749C0000-0x0000000074A41000-memory.dmp

Filesize
516KB

Download
memory/4768-135-0x0000000074A50000-0x0000000074A94000-memory.dmp

Filesize
272KB

Download
memory/4768-134-0x0000000074AE0000-0x0000000074BE4000-memory.dmp

Filesize
1.0MB

Download
memory/4768-132-0x0000000000590000-0x00000000009A4000-memory.dmp

Filesize
4.1MB

Download
memory/4768-139-0x00000000745A0000-0x0000000074896000-memory.dmp

Filesize
3.0MB

Download
memory/4768-133-0x0000000074BF0000-0x0000000074CEB000-memory.dmp

Filesize
1004KB

Download
memory/4768-164-0x0000000000590000-0x00000000009A4000-memory.dmp

Filesize
4.1MB

Download
memory/4768-138-0x00000000748A0000-0x00000000748C6000-memory.dmp

Filesize
152KB

Download
memory/4768-103-0x0000000000590000-0x00000000009A4000-memory.dmp

Filesize
4.1MB

Download
memory/4768-102-0x00000000748A0000-0x00000000748C6000-memory.dmp

Filesize
152KB

Download
memory/4768-101-0x0000000074BF0000-0x0000000074CEB000-memory.dmp

Filesize
1004KB

Download
memory/4768-304-0x0000000000590000-0x00000000009A4000-memory.dmp

Filesize
4.1MB

Download
memory/4768-312-0x0000000000590000-0x00000000009A4000-memory.dmp

Filesize
4.1MB

Download
memory/4768-320-0x0000000000590000-0x00000000009A4000-memory.dmp

Filesize
4.1MB

Download
memory/4768-328-0x0000000000590000-0x00000000009A4000-memory.dmp

Filesize
4.1MB

Download
memory/4768-337-0x0000000000590000-0x00000000009A4000-memory.dmp

Filesize
4.1MB

Download