Analysis Overview
SHA256
964fa0512b4b0bcc0e5c134ca5338afeb6122fb47df3142d2147d84772027837
Threat Level: Known bad
The file document_reader - Copy.exe was found to be: Known bad.
Malicious Activity Summary
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect DarkGate stealer
Downloads MZ/PE file
Uses the VBS compiler for execution
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
HTTP links in PDF interactive object
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-06 13:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 13:18
Reported
2024-02-06 13:20
Platform
win7-20231215-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
DarkGate
Detect DarkGate stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2116 created 1164 | N/A | \??\c:\tes2\Autoit3.exe | C:\Windows\system32\Dwm.exe |
| PID 2116 created 2968 | N/A | \??\c:\tes2\Autoit3.exe | C:\Program Files\Google\Chrome\Application\chrome.exe |
| PID 2116 created 2968 | N/A | \??\c:\tes2\Autoit3.exe | C:\Program Files\Google\Chrome\Application\chrome.exe |
| PID 2116 created 1164 | N/A | \??\c:\tes2\Autoit3.exe | C:\Windows\system32\Dwm.exe |
| PID 2116 created 2968 | N/A | \??\c:\tes2\Autoit3.exe | C:\Program Files\Google\Chrome\Application\chrome.exe |
| PID 2116 created 1108 | N/A | \??\c:\tes2\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 2116 created 1164 | N/A | \??\c:\tes2\Autoit3.exe | C:\Windows\system32\Dwm.exe |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2116 set thread context of 1584 | N/A | \??\c:\tes2\Autoit3.exe | C:\Windows\SysWOW64\WerFault.exe |
HTTP links in PDF interactive object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tes2\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tes2\Autoit3.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "c:\temp\document.pdf"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71d9758,0x7fef71d9768,0x7fef71d9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1340 --field-trial-handle=1300,i,9049485556236824123,5857239144607537981,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1300,i,9049485556236824123,5857239144607537981,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1300,i,9049485556236824123,5857239144607537981,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1300,i,9049485556236824123,5857239144607537981,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1300,i,9049485556236824123,5857239144607537981,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1300,i,9049485556236824123,5857239144607537981,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1440 --field-trial-handle=1300,i,9049485556236824123,5857239144607537981,131072 /prefetch:1
\??\c:\tes2\Autoit3.exe
c:\tes2\Autoit3.exe c:\tes2\script.au3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --disable-gpu-compositing --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3300 --field-trial-handle=1300,i,9049485556236824123,5857239144607537981,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 --field-trial-handle=1300,i,9049485556236824123,5857239144607537981,131072 /prefetch:8
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe
Network
| Country | Destination | Domain | Proto |
| CA | 45.61.156.3:80 | 45.61.156.3 | tcp |
| CA | 45.61.156.3:80 | 45.61.156.3 | tcp |
| CA | 45.61.156.3:80 | 45.61.156.3 | tcp |
| CA | 45.61.156.3:80 | 45.61.156.3 | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| N/A | 127.0.0.1:8094 | N/A | tcp |
Files
memory/2520-0-0x00000000000E0000-0x00000000000E1000-memory.dmp
\??\pipe\crashpad_2516_WUCMHOCZJNEBMCQT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\temp\document.pdf
| MD5 | 27e8c717e7bfc321f8d641b7e92dfa83 |
| SHA1 | 6ca9787e526bf712018f9e73cc8b452c41ef2473 |
| SHA256 | 88677605ba42401eecd5fe442e0aedcedfa1a6c6266cfd6ce4cc462afdf928ae |
| SHA512 | 3fc118c66576cab643e09e2fc5822d059f89e5e0c6b3d919289099a8796e83bbfd6f7b95694d52cbe6c9b040c703111c62393cf139cadeb593848f6a09400e85 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\tes2\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2520-59-0x0000000000B50000-0x0000000000F4E000-memory.dmp
\??\c:\tes2\script.au3
| MD5 | c37514367bf7b08d6cd30f938b33146a |
| SHA1 | 06f277690f2bbe71bdfc77ca227455657bd02c31 |
| SHA256 | 9dd25ba75e415f2e6260de78977091e1ada7b6f0f5cba7c4944673c65fbd7609 |
| SHA512 | 3a009923ff8152720b1e327b0dfd159122d4282f12d7ad540837111226ec3535eb2d550adf065729ea9155f4eb4f46128d0d91bc87a083bcc176f062df2d6b23 |
\??\c:\tes2\test.txt
| MD5 | 4252e248997cb141c0d2b5211d9459f7 |
| SHA1 | cad24dbb355b37345b85c9e276931ba6b3a7dd1c |
| SHA256 | c8fd4ff9ccaca0d223aaf28f8a25b54a241666b5ddd81f0ea16217868d7025d8 |
| SHA512 | 25ddfeca9124262bf7f8963585729cc95ecf17584cb2265d2f71b07f5846c1e5b38f15209a5b2a94cc0a38e83e6f6a2eefc339948e15f01aaf0caf74060ca8e2 |
memory/2116-63-0x0000000003670000-0x0000000004640000-memory.dmp
memory/2116-64-0x0000000004B60000-0x0000000004EBB000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a7ff4c4f-6828-4f14-8358-b9a345a707ec.tmp
| MD5 | a5cd45fa94f462cc88a1982b07466ae5 |
| SHA1 | 207a5824efab00ba9f0ef7d94efb808c15296ee0 |
| SHA256 | 15cf6ddb64c48e17cfbb6173ef6c362430073cc51a2ea92745af4e6c3ac9de6f |
| SHA512 | 76a192786a6cf9251f0cccb77aff41ab98a0cf759a74133811f240e9468ef24d278dbfcbc4ab90ffe108903c6c5ee2549fa75f6753f9dc0128c8b62aabdb01d5 |
memory/2636-165-0x0000000000400000-0x0000000000400000-memory.dmp
memory/1584-172-0x0000000000400000-0x0000000000472000-memory.dmp
memory/1584-171-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2116-173-0x0000000004B60000-0x0000000004EBB000-memory.dmp
memory/1584-174-0x0000000000400000-0x0000000000472000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-06 13:18
Reported
2024-02-06 13:21
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
DarkGate
Detect DarkGate stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3616 created 3772 | N/A | \??\c:\tes2\Autoit3.exe | C:\Windows\system32\DllHost.exe |
| PID 1448 created 2696 | N/A | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\system32\taskhostw.exe |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hCFeGKe = "C:\\ProgramData\\dhbdbgc\\Autoit3.exe C:\\ProgramData\\dhbdbgc\\efdghfb.au3" | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3616 set thread context of 1448 | N/A | \??\c:\tes2\Autoit3.exe | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1448 set thread context of 1592 | N/A | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
HTTP links in PDF interactive object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tes2\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tes2\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133516991162292599" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tes2\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "c:\temp\document.pdf"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffe353d9758,0x7ffe353d9768,0x7ffe353d9778
\??\c:\tes2\Autoit3.exe
c:\tes2\Autoit3.exe c:\tes2\script.au3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4552 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3732 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:8
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| CA | 45.61.156.3:80 | 45.61.156.3 | tcp |
| CA | 45.61.156.3:80 | 45.61.156.3 | tcp |
| CA | 45.61.156.3:80 | 45.61.156.3 | tcp |
| CA | 45.61.156.3:80 | 45.61.156.3 | tcp |
| US | 8.8.8.8:53 | 3.156.61.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bizabiza.mywire.org | udp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| US | 8.8.8.8:53 | bizabiza.mywire.org | udp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
| DE | 45.147.228.138:8094 | bizabiza.mywire.org | tcp |
Files
memory/1484-0-0x000001D56CA00000-0x000001D56CA01000-memory.dmp
\??\pipe\crashpad_2040_BAAJRGWXVMEOQXDO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\tes2\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\temp\document.pdf
| MD5 | a26f0dc347b844309a57cb651f03e243 |
| SHA1 | 2d1c78b1b8d776cbbb6e443458e8733d8315b911 |
| SHA256 | 68d7a72f821bae0a1466aa88f5d43ea11740c323e52e578629f8842a994ea2d6 |
| SHA512 | 8cb31d86b02802fa53273b54edd42c8d208aa3296519e8ec332b1ea51c079b0592b24a9b2c9e533c24c31dea31fcfff52c5d1e6fcfb1cdeb23f4cb48fadf9a35 |
memory/1484-16-0x0000000000710000-0x0000000000B0E000-memory.dmp
\??\c:\tes2\script.au3
| MD5 | c37514367bf7b08d6cd30f938b33146a |
| SHA1 | 06f277690f2bbe71bdfc77ca227455657bd02c31 |
| SHA256 | 9dd25ba75e415f2e6260de78977091e1ada7b6f0f5cba7c4944673c65fbd7609 |
| SHA512 | 3a009923ff8152720b1e327b0dfd159122d4282f12d7ad540837111226ec3535eb2d550adf065729ea9155f4eb4f46128d0d91bc87a083bcc176f062df2d6b23 |
\??\c:\tes2\test.txt
| MD5 | 4252e248997cb141c0d2b5211d9459f7 |
| SHA1 | cad24dbb355b37345b85c9e276931ba6b3a7dd1c |
| SHA256 | c8fd4ff9ccaca0d223aaf28f8a25b54a241666b5ddd81f0ea16217868d7025d8 |
| SHA512 | 25ddfeca9124262bf7f8963585729cc95ecf17584cb2265d2f71b07f5846c1e5b38f15209a5b2a94cc0a38e83e6f6a2eefc339948e15f01aaf0caf74060ca8e2 |
memory/3616-27-0x0000000004BB0000-0x0000000005B80000-memory.dmp
memory/3616-28-0x0000000006260000-0x00000000065BB000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
\??\c:\tes2\Autoit3.exe
| MD5 | eee5e08f818497f64d26f8969f9640a1 |
| SHA1 | bda31b6c209232a732fc3b0ff1e136824f4a4780 |
| SHA256 | ac492754c566f98d21e65dc95c784ddbbcc47ea50c4ff2224e5cc5bb15494848 |
| SHA512 | 9b06a8812cecf5dae96a1e5eb235b5370f8bb44ada6f02f05db8ab068e765e4365e9b6e6b24d39b6d5fa116ff01e9bec9e78a75c025745c1b4af42284be90d8f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
C:\temp\cc.txt
C:\Users\Admin\AppData\Roaming\hCFeGKe
C:\temp\fs.txt
C:\ProgramData\dhbdbgc\becagcb