8736514ffd25ec6121a53f017e6bd524bdc840f54f246d10953ed129905a828a

Resubmissions

24/07/2024, 09:18

240724-k9p5ws1fmf 7

24/07/2024, 09:00

240724-kybs5a1bka 7

Analysis

max time kernel
109s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runme.exe
Size

6.2MB
MD5

89f99b96ddd54a813fb0719f972ce962
SHA1

a37b8e8579a21deb4fece12f6d9a8538d7293f14
SHA256

8736514ffd25ec6121a53f017e6bd524bdc840f54f246d10953ed129905a828a
SHA512

57d4c3eabd9baba5b89c6a22e66cb5fb472e98cd0ceb6b3f300d85d00c5f0070d0c449243ef7bfee1c932231068758fc4f427465d8259706ba5b82132901f5f4
SSDEEP

98304:hTcD5a29JQu1lfjFzjtQZzN+aKHtv+5iUyB2:+M2X/VHQHb5iUyB2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4456	Bt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3136 set thread context of 3040	3136	tcpsvcs.exe	97

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcpsvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchIndexer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662863513453977"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GcDownload\\VZHTLWEYLNHMN\\Bt.exe"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\GcDownload\\VZHTLWEYLNHMN"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GcDownload\\VZHTLWEYLNHMN\\Bt.exe"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION	Bt.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3576	vlc.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3136	tcpsvcs.exe
3136	tcpsvcs.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
3040	more.com
3040	more.com
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
3776	chrome.exe
3776	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3576	vlc.exe

Suspicious behavior: MapViewOfSection 16 IoCs

pid	Process
3136	tcpsvcs.exe
3136	tcpsvcs.exe
3136	tcpsvcs.exe
4456	Bt.exe
4456	Bt.exe
4456	Bt.exe
4456	Bt.exe
4456	Bt.exe
4456	Bt.exe
3040	more.com
3040	more.com
3136	tcpsvcs.exe
4172	SearchIndexer.exe
4172	SearchIndexer.exe
4172	SearchIndexer.exe
3040	more.com

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	taskmgr.exe
Token: SeSystemProfilePrivilege	2604	taskmgr.exe
Token: SeCreateGlobalPrivilege	2604	taskmgr.exe
Token: 33	2604	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2604	taskmgr.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
2604	taskmgr.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4456	Bt.exe
3576	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 3572	4568	runme.exe	84
PID 4568 wrote to memory of 3572	4568	runme.exe	84
PID 4568 wrote to memory of 3572	4568	runme.exe	84
PID 4568 wrote to memory of 3572	4568	runme.exe	84
PID 4568 wrote to memory of 3572	4568	runme.exe	84
PID 4568 wrote to memory of 3572	4568	runme.exe	84
PID 4568 wrote to memory of 3572	4568	runme.exe	84
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 4568 wrote to memory of 3136	4568	runme.exe	85
PID 3136 wrote to memory of 4456	3136	tcpsvcs.exe	88
PID 3136 wrote to memory of 4456	3136	tcpsvcs.exe	88
PID 3136 wrote to memory of 4456	3136	tcpsvcs.exe	88
PID 3136 wrote to memory of 4456	3136	tcpsvcs.exe	88
PID 3136 wrote to memory of 4456	3136	tcpsvcs.exe	88
PID 3136 wrote to memory of 4456	3136	tcpsvcs.exe	88
PID 3136 wrote to memory of 4456	3136	tcpsvcs.exe	88
PID 3136 wrote to memory of 3040	3136	tcpsvcs.exe	97
PID 3136 wrote to memory of 3040	3136	tcpsvcs.exe	97
PID 3136 wrote to memory of 3040	3136	tcpsvcs.exe	97
PID 3136 wrote to memory of 3040	3136	tcpsvcs.exe	97
PID 3136 wrote to memory of 3040	3136	tcpsvcs.exe	97
PID 3136 wrote to memory of 3040	3136	tcpsvcs.exe	97
PID 3136 wrote to memory of 3040	3136	tcpsvcs.exe	97
PID 3136 wrote to memory of 3040	3136	tcpsvcs.exe	97
PID 3040 wrote to memory of 4172	3040	more.com	102
PID 3040 wrote to memory of 4172	3040	more.com	102
PID 3040 wrote to memory of 4172	3040	more.com	102
PID 3040 wrote to memory of 4172	3040	more.com	102
PID 3040 wrote to memory of 4172	3040	more.com	102
PID 3040 wrote to memory of 4172	3040	more.com	102
PID 3040 wrote to memory of 4172	3040	more.com	102
PID 3776 wrote to memory of 552	3776	chrome.exe	106
PID 3776 wrote to memory of 552	3776	chrome.exe	106
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107
PID 3776 wrote to memory of 1044	3776	chrome.exe	107

C:\Users\Admin\AppData\Local\Temp\runme.exe
"C:\Users\Admin\AppData\Local\Temp\runme.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\tcpsvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\runme.exe"
  2⤵
  PID:3572
- C:\Windows\SysWOW64\tcpsvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\runme.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Users\Admin\AppData\Roaming\GcDownload\VZHTLWEYLNHMN\Bt.exe
    C:\Users\Admin\AppData\Roaming\GcDownload\VZHTLWEYLNHMN\Bt.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    PID:4456
- - C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\SearchIndexer.exe
      C:\Windows\SysWOW64\SearchIndexer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:4172

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe9607cc40,0x7ffe9607cc4c,0x7ffe9607cc58
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3400,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:8

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3680

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
485c0b79ff6419005da9b909072a30e7

SHA1
f8e17bc9fc21d166dd7f5b93f2f36e261cbaac9a

SHA256
c177a382b28050e9b612ea884bd9e9414adb4f4ff8eb785927ff8e9987fb4cb2

SHA512
0286a8e41c471bb68bba68b89d2545a60e10e773c077b7899cd33199878900f6f6353722a5d2aebc3ba2674db7ae48200b5c731bcfa78ddbd98b49ac55a3de95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\98becd63-e3dc-4efa-b298-b783ddf38d7e.tmp

Filesize
1KB

MD5
c1a072d5b38638ff76e4275b17d4e349

SHA1
6ed20303878753e05fafe4b179eccfb605013331

SHA256
82bf0a86815eb55e2bb62f70cc7a9ab43bc112ac35ba747a7e83100676414ada

SHA512
da1c9960567342330df773b14c25b3f49b596445c229f198ec581d01785f92506ab32a18b69824e42851d39fac385080ae2fedaa40f0c6b6fe7fb2c4166c1b6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0ae5ad66e357eb595f8442f3a2482f21

SHA1
587fc39dec3f32f494147d2efba37eea91a472fb

SHA256
ab3eac386aa27f99dc404304868d291d8e34d9ee4c1f5ab1964aae2efdd5950c

SHA512
949cdb4284dd2f68b92cfad3f462ba6dcf1b9eb43240d958ae6608b47530bcbe769edf04c9e5ffd60e8e2ca0b8de4a830a129ebc2e36b49851dfa375eb3a6373

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc0e0c7c418e4ad073ae3ce9af91413f

SHA1
5787e6d1fda4ab1d4b09a1e663645bb16d32c37a

SHA256
5327fe73e979c7a7b63ccd44428c093d338f1c6af48790ad42c24d05f77c1f11

SHA512
268c5ab38377c0f6b25ab9d90b991be4f76958794308dfb7d5aeaa11ff478ca60d3e6e2608642fb6453c2faeaff90da19d1c3f3126eb16bd3c9e9a7a071e1122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b534dd950d929db27cbb970d62e491c4

SHA1
8c00bea9fe3eb30abfd5b26472fc6ab347f33df4

SHA256
3777d36b8e9668f4309e2a1d183ddad0aacb0fde347b9cf185e936051276d7b0

SHA512
cf18ad9e1458eebbec2d4b9b66a4337c71eb3eb4a49c8fb2cb11d22b7f8b5f45b819ad48617ab237b594927dcaa3ac383d1bd1bf505044fd16277ae82d946a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
187KB

MD5
2ec02c6db8b60edf4ee63191c6dd6f2d

SHA1
5e7b9f00951d2062f24033fcdc8c5f7cf51c60d0

SHA256
8f1f21a3308e93f8961d06a2e449b0abaaf64f0befe5adfdc1cd49cd1c0f6a8e

SHA512
d2a05c47ff01fc8aff0cd209cd07595c7364b3971928b258cc30019a8a3c387073cc2a26ee1f477abe1ee2fd2d16fe95ecfd9a0f97a96084dd7504b333dfcf56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc56d7d7

Filesize
1.1MB

MD5
a445da645fb9aa52b2bf33c0948a3741

SHA1
ff043462ab8b50341aad656168e6cb9db139093b

SHA256
4d4e49273a61513035ad5d7ca0416f0450b9d2ad1073052ad48bdfbc098626e6

SHA512
7903850530f1debb53b698809815e4782006ac9305a7a7b6153eb7015aff09495075c1a745813cc478cca152aa4b0f4fe33d49bdf5741f70b4d679e5dbf61d94

Download Submit
C:\Users\Admin\AppData\Roaming\GcDownload\VZHTLWEYLNHMN\Bt.exe

Filesize
47KB

MD5
916d7425a559aaa77f640710a65f9182

SHA1
23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

SHA256
118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

SHA512
d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

Download Submit
memory/3136-925-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3136-930-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/3136-919-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/3136-920-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/3136-921-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3136-922-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/3136-923-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3136-924-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3136-917-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3136-926-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3136-927-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/3136-928-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/3136-929-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3136-918-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/3136-931-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3136-932-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3136-933-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/3136-934-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3136-935-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3136-936-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3136-941-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/3136-942-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3136-944-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3136-940-0x0000000010000000-0x0000000010116000-memory.dmp

Filesize
1.1MB

Download
memory/3136-937-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3136-916-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4568-52-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-938-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/4568-39-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-37-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-36-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-35-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-34-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-33-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-32-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-31-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-30-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-29-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-28-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-27-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-24-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-23-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-22-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-21-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-19-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-17-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-16-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-13-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-14-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-10-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-8-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-6-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-2-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-0-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-261-0x0000000000400000-0x0000000000A3B000-memory.dmp

Filesize
6.2MB

Download
memory/4568-448-0x0000000000400000-0x0000000000A3B000-memory.dmp

Filesize
6.2MB

Download
memory/4568-41-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-42-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-43-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-939-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4568-44-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-40-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-45-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-46-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-47-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-49-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-50-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-51-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-84-0x0000000000400000-0x0000000000A3B000-memory.dmp

Filesize
6.2MB

Download
memory/4568-53-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-54-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-55-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-58-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-59-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-60-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-61-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-62-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-93-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4568-63-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-1-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-3-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-7-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-9-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-12-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-11-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-973-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4568-15-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-18-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-20-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-25-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-26-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-38-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-48-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-56-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download
memory/4568-57-0x0000000002780000-0x0000000002896000-memory.dmp

Filesize
1.1MB

Download