nanocore | 80c22a635c8c465742fe3062fc705710d561ef1decc7094f22adc041bb2f15ed

Analysis

max time kernel
107s
max time network
111s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2025, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PW Loader.exe
Size

354KB
MD5

638ded3b1d340c2a35f1891759e11d3b
SHA1

e290bb38e046a6d2ceef5632f1c1ab1fefde4d93
SHA256

d46c7ba651d37e8e51e062320fa860fc7aa69b5ab142a91d614bf61a64b8f9eb
SHA512

b8e61d0b992e887abc87f20b8ed7bff65801e9b9288a2ed296e4f4e2e3e1f0192c9b74a831a0d59814de222e73e358a14b2ae623ac5dd61d896b0445f7a21ab2
SSDEEP

6144:/0XQ1m1ii5mwp+wR0O+VbL68KadaT6Cwfn/7NIY/Y+nNK2UX+8+Hxr:/0XQ1XQUweNbLBKa8T6CS/JaXJ+Hxr

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 3 IoCs

pid	Process
3128	PW.exe
2008	Loader.exe
2484	Loader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files\\UDP Subsystem\\udpss.exe"	PW.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PW.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\UDP Subsystem\udpss.exe	PW.exe
File opened for modification	C:\Program Files\UDP Subsystem\udpss.exe	PW.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PW.exe	PW Loader.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PW Loader.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1356	PING.EXE
4588	PING.EXE

Delays execution with timeout.exe 9 IoCs

defense_evasion

pid	Process
3144	timeout.exe
3772	timeout.exe
1124	timeout.exe
4028	timeout.exe
4768	timeout.exe
4732	timeout.exe
2904	timeout.exe
3236	timeout.exe
2864	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133848301919896318"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1356	PING.EXE
4588	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5096	schtasks.exe
4740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
680	powershell.exe
680	powershell.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
2256	chrome.exe
2256	chrome.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe
3128	PW.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3128	PW.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	3128	PW.exe
Token: SeDebugPrivilege	3128	PW.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeCreatePagefilePrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4836	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 680	4048	PW Loader.exe	81
PID 4048 wrote to memory of 680	4048	PW Loader.exe	81
PID 4048 wrote to memory of 680	4048	PW Loader.exe	81
PID 4048 wrote to memory of 3128	4048	PW Loader.exe	82
PID 4048 wrote to memory of 3128	4048	PW Loader.exe	82
PID 4048 wrote to memory of 2008	4048	PW Loader.exe	84
PID 4048 wrote to memory of 2008	4048	PW Loader.exe	84
PID 4048 wrote to memory of 2008	4048	PW Loader.exe	84
PID 2008 wrote to memory of 3376	2008	Loader.exe	86
PID 2008 wrote to memory of 3376	2008	Loader.exe	86
PID 3376 wrote to memory of 1520	3376	cmd.exe	87
PID 3376 wrote to memory of 1520	3376	cmd.exe	87
PID 1520 wrote to memory of 1612	1520	cmd.exe	88
PID 1520 wrote to memory of 1612	1520	cmd.exe	88
PID 1520 wrote to memory of 3880	1520	cmd.exe	89
PID 1520 wrote to memory of 3880	1520	cmd.exe	89
PID 3376 wrote to memory of 4900	3376	cmd.exe	90
PID 3376 wrote to memory of 4900	3376	cmd.exe	90
PID 3376 wrote to memory of 1544	3376	cmd.exe	91
PID 3376 wrote to memory of 1544	3376	cmd.exe	91
PID 3376 wrote to memory of 4732	3376	cmd.exe	92
PID 3376 wrote to memory of 4732	3376	cmd.exe	92
PID 3128 wrote to memory of 5096	3128	PW.exe	93
PID 3128 wrote to memory of 5096	3128	PW.exe	93
PID 3128 wrote to memory of 4740	3128	PW.exe	95
PID 3128 wrote to memory of 4740	3128	PW.exe	95
PID 3376 wrote to memory of 2904	3376	cmd.exe	98
PID 3376 wrote to memory of 2904	3376	cmd.exe	98
PID 3376 wrote to memory of 1356	3376	cmd.exe	99
PID 3376 wrote to memory of 1356	3376	cmd.exe	99
PID 3376 wrote to memory of 3144	3376	cmd.exe	100
PID 3376 wrote to memory of 3144	3376	cmd.exe	100
PID 3376 wrote to memory of 3236	3376	cmd.exe	102
PID 3376 wrote to memory of 3236	3376	cmd.exe	102
PID 3376 wrote to memory of 3772	3376	cmd.exe	103
PID 3376 wrote to memory of 3772	3376	cmd.exe	103
PID 2256 wrote to memory of 1056	2256	chrome.exe	107
PID 2256 wrote to memory of 1056	2256	chrome.exe	107
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108
PID 2256 wrote to memory of 3132	2256	chrome.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PW Loader.exe
"C:\Users\Admin\AppData\Local\Temp\PW Loader.exe" echo dziwka
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAegBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbQB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZwBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AegB0ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\PW.exe
  "C:\Windows\PW.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA095.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5096
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA142.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4740
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9C11.tmp\9C12.tmp\9C13.bat C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:1612
    - - C:\Windows\system32\cmd.exe
        
        cmd
        5⤵
        
        PID:3880
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4900
  - - C:\Windows\system32\mode.com
      mode 76, 30
      4⤵
      PID:1544
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4732
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2904
  - - C:\Windows\system32\PING.EXE
      ping /n 1 /w 400 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1356
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3144
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3236
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3772
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1124

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb6f73cc40,0x7ffb6f73cc4c,0x7ffb6f73cc58
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,16076650552278690425,12158147521611273814,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1920,i,16076650552278690425,12158147521611273814,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,16076650552278690425,12158147521611273814,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,16076650552278690425,12158147521611273814,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,16076650552278690425,12158147521611273814,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,16076650552278690425,12158147521611273814,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4620,i,16076650552278690425,12158147521611273814,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4424 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,16076650552278690425,12158147521611273814,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,16076650552278690425,12158147521611273814,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,16076650552278690425,12158147521611273814,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:3004

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FF8E.tmp\FF8F.tmp\FF90.bat C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:2968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:1008
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:2528
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1664
- - C:\Windows\system32\mode.com
    mode 76, 30
    3⤵
    PID:1792
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2864
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4028
- - C:\Windows\system32\PING.EXE
    ping /n 1 /w 400 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4588
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4768

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3a816eec161d1e797aa66a1a3433f7de

SHA1
98b138720545dd0a612f4a472ef29f8dc1f35a47

SHA256
afbd754eccbc2224c9a91a71473c923ab4348394dbe387ebcf090db459e82f70

SHA512
e67cd660942cfb7e9ae4508645b46f050336733343a6cd8d93e89f342ec61828790236f58406f84bf1519042d0a077d125f557706f9fb6e9c7762db705984752

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
725178b631c4c69b6e88974a26a30b31

SHA1
5a2096cd448fa54f9858d534b3dc5085f85169dc

SHA256
d63f92909eaa92027155601cc2319882f5f9eb0cb85bd0be8145d0b6dacbd54f

SHA512
55ebb4b70cc4625deb439c9a52c4782475fb4375165fc93bdc503e09ff8842bc18cd70b2be8088a3c027d71dc033acb859ade884d30254461a2ba0f67c79bda1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
48d1f8d16b31eaad5f37c80e1eb32232

SHA1
6860ce145c24fc28baf8ff31e0caa4c4549c9ab2

SHA256
7425f7e01f68086a9070081261b245b8dde68048c89e09e800f7e3182ff4ba98

SHA512
4fca2febd5830cea22e9e9adc3d9aaede48710903c746c932c3f405a286f8a52e76ec1427d19edd3b3b34b29b68e8357662309583aa906cc143fdeacf2bac2e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
93322e9ab507642dbc3008a29e1f553a

SHA1
885b9b66c9abb582e977d29782f2c309497f80ae

SHA256
b08f98236ffed8a26dfc99d3d47204ba46f971f085ef92d920dc2a4a400661c3

SHA512
b8d4ebd521a0f33c1e430c08feb0b00de73045e67779d98efcbeede45ee72e9e7e71e1a2344626261851405fe075f5e9c6152ecc9cf8a394e214f86fd9ffebc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
181c67d6316f8fd9714aab9bf3bad9ea

SHA1
74e72dbf06aa0d1b339df971fbb845a8ca3ec3cb

SHA256
16d0aa86c51b4d0c21de1ec9e86f20151b103df6c5d74171e5fa0017fda8d1ab

SHA512
a2faff3f7970adab89c28036b9f4d71db456313c0c51109040748fbbcf8585a8df013e4036be2db05294c2ba454ff70807798d8c3afe9289a842c02b90787da5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
178d7033ef48b45028d1b88b8469ba2e

SHA1
375bb53b854278b754cf32993aacd67fb54609d5

SHA256
620b9091ee4ad809a4de466a257ed6532b4a08bb3c014b50a6934de7154e4619

SHA512
f24658bada447d4e9e6f633625dc67f508ccb4f1271dcb17ae8f8ee2aa58d426653d951997cde364fc8e272e987f838ac15a56c6b5ba59e42ba4967a5c6c9598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
883d1fb4183a838c002857126e83d3c7

SHA1
b0c1fd77247ee2120ea0acfe48a3476099335826

SHA256
bc7c62442af3e68b4ac92c60707339654d7a2f81f7a459e328f1f2146a32838c

SHA512
4bb6c4268714b1a3e6e4b4f91020080370730382235339716f5525daae6c1937b123c145458efb079282bd828c6af0bf89a7edfee9fcb0179f52885542da3c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
713d89a15e7242d0f5ca0f6a2a5df34c

SHA1
f95d9d73d9a644e7e52ff389bc0ca6e0161a580d

SHA256
83388ddda4f82d322359a1a1b2542c005a459a5bc23f8372e5edfdc20b206d47

SHA512
1b6972a89a39119cb3a8600d59bd36a128de2e4def2ec6aebf4545e1d616cd89e1faabddae3208693c38e55b1afba0114027ed9fa3256a7896805df9e08b0257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
00a3ecbcca0b6a5cd4ab99bf680ae8c6

SHA1
2f66af21b7eb1e1d0ab69157532932b481d86a4c

SHA256
6ac9a316ce072beab8ac180ca71c162a6b081ec97f17fcbd86182c47790c83b1

SHA512
06ac3cb5a98a099a19dd6c06580ba1efc10faaf3146381b379006658347af6130bd1c71ecb14f70990cb4f4503997e6e7343ff164ec5e87bdbbe70df244e84b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
d20b3cb193b03a94a35e7b4b01f0d675

SHA1
9a72fc7642e79db0142b234e95f4a91ad6ec9054

SHA256
1931317afcd48d150e96e7102d22e1dc4689fa85909bd19206d9a1bd9aa6bcbc

SHA512
76380e5f11e224db9963e8e3ab508a6a4fee8c49361ad23b5d5d09bac7ed8fd4eed6a26cb08958119acd88693b6a6b07d69b0e4513aca88509bcd5ade3fee7c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
50188bbe85a28f237e8d8038ca17c234

SHA1
878aff83ed9c9fb0bfc1404ce2aaf3977994de8a

SHA256
b2b0a6a8076be256ab07119f7e39b8e6f4c5a3b94a1530ff54fe3ea6b1f947ca

SHA512
ff4c8493b1be5f9efda22a49cb44157e231b62e116257ee0289c4b10ee876d9ee5cba5bb361c5efee528a90ce80b70eec1da7e0b68a5df570c57b1a4f95c78e8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\17a5fc73-9de3-4675-ba2e-0545f7ebf1c5.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
203b2ca5a2fe1d3878718d1bb3773c8c

SHA1
c93a804898f610a9cc2f0381662861fc4b29aa19

SHA256
15d0f55e1c46a3c7f596c74c720763d650e93ce8b17bcda04ece3e1a1d9f0709

SHA512
d927ab3fb0e8073510bec19270f6c162597906455ab8852b28191e8b7e3535924ac8968afd24d8afa00a262165a93637387d164a366837507ef09fb64964516b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
b7ba1387f6cc063a62920459e03c4ef7

SHA1
1720ee0079c3b2deba2445a392504fc8883d1291

SHA256
90729d09ec2a6b70d547430de246f65ce9c754668d3c80cb8b3dae0b80b89481

SHA512
dd1278cefc1b064ba74609a2f025890160ac3c3ba5774c8ffb98538e2b2868f0d9d59d52eda7674b0a5993ea4f6261a462fdf152d3a2e9a682b586630f959c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C11.tmp\9C12.tmp\9C13.bat

Filesize
873B

MD5
566e6a066b92cfebc3d0335e4040cb4e

SHA1
46d51fafe54222520870b8b0152ec21171c9b74d

SHA256
32ae4d96a660d1a0e4383d7b589a581d0c6cd20727cf918c787fa695f2820a0e

SHA512
c9f8d55845368226163c605c44ce47f92dea81d4d40dfdd317ffb67a0175de1cd9ccd74285fac940974be7bf41642055a79775baae3f766df323c142f8eca556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
117KB

MD5
02d696883a7203cc4751705c59bc1e2a

SHA1
2ab1c8e52cee860f41342949d9b7cf8d2f1011d9

SHA256
5ca70c26ef954b416ca7f7419f8291a5db7db3523139126e5a8e07d3a33ca72c

SHA512
0dc4c42e406783946ec279c037c7141839c73cf080e834a12abc3ac4e016af8bc52b712affd539693ddc5f40f3231ac983a9e3c3db5bc4aefadacad2a8efc6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kg2vbudh.xfi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA095.tmp

Filesize
1KB

MD5
2ffead7bac45fb92c7e7fdd337c3d07d

SHA1
cf1335a23b061148d12ab7297b09bc9a028a0e3d

SHA256
08f809f86780ba005342a9cbb3ae9a54a3c151a0b494cbcd59fcc53903e705d6

SHA512
0f9d3da64b85770e1e8e383071b42d193cd24e2f4e1693a7f4ce98a1e0c92a175c683f69b9ff727abad6161f5ece39f0ea2caa098e24314256a90864192ac178

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA142.tmp

Filesize
1KB

MD5
a1acb04d3cfe1a7882c8e748898a0d4d

SHA1
a6b80ebf50bc6d8b35e3f32d075bd56ebd3516c4

SHA256
d6bdd0343bab999e45c920e6e9e78b2f62f9d5dd6b8009512ed1e0a442bbfe8c

SHA512
7b0e371acca63c5bf9f652f0811ed7c4c769952dbdda443c859017da5a81896d33792711c124f4f54486462f9f40e52d096d41c8cf961a3308933f39b80e577c

Download Submit
C:\Windows\PW.exe

Filesize
203KB

MD5
b2f82753cb0f4d065662b530924bb50c

SHA1
631f130194792d63f7fa75451eb3175422d93af8

SHA256
8b4cda9baec878f1dd69acf5e3fe33ef80b4ba84856e6416be9a0f40028329a4

SHA512
1c120dd4ae8aed29692ded0fc7099fff5a26a1a26b7d1ebd00af325e5e9617b933419ecd9407ef5dec35482bc9809df1ace9ed482dc9c260f6a6eb0ff5e46466

Download Submit
memory/680-30-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/680-47-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

Filesize
120KB

Download
memory/680-19-0x0000000002720000-0x0000000002756000-memory.dmp

Filesize
216KB

Download
memory/680-53-0x00000000061D0000-0x0000000006204000-memory.dmp

Filesize
208KB

Download
memory/680-54-0x00000000748F0000-0x000000007493C000-memory.dmp

Filesize
304KB

Download
memory/680-63-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/680-64-0x0000000006DF0000-0x0000000006E94000-memory.dmp

Filesize
656KB

Download
memory/680-65-0x0000000007570000-0x0000000007BEA000-memory.dmp

Filesize
6.5MB

Download
memory/680-66-0x0000000006F30000-0x0000000006F4A000-memory.dmp

Filesize
104KB

Download
memory/680-67-0x0000000006FC0000-0x0000000006FCA000-memory.dmp

Filesize
40KB

Download
memory/680-68-0x00000000071C0000-0x0000000007256000-memory.dmp

Filesize
600KB

Download
memory/680-69-0x0000000007140000-0x0000000007151000-memory.dmp

Filesize
68KB

Download
memory/680-21-0x000000007338E000-0x000000007338F000-memory.dmp

Filesize
4KB

Download
memory/680-71-0x0000000007190000-0x00000000071A5000-memory.dmp

Filesize
84KB

Download
memory/680-72-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/680-26-0x0000000004F70000-0x000000000559A000-memory.dmp

Filesize
6.2MB

Download
memory/680-28-0x0000000004D50000-0x0000000004D72000-memory.dmp

Filesize
136KB

Download
memory/680-29-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/680-48-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download
memory/680-39-0x0000000005710000-0x0000000005A67000-memory.dmp

Filesize
3.3MB

Download
memory/680-86-0x0000000007270000-0x0000000007278000-memory.dmp

Filesize
32KB

Download
memory/680-70-0x0000000007180000-0x000000000718E000-memory.dmp

Filesize
56KB

Download
memory/3128-78-0x000000001D3C0000-0x000000001D3CC000-memory.dmp

Filesize
48KB

Download
memory/3128-79-0x000000001D3D0000-0x000000001D3DE000-memory.dmp

Filesize
56KB

Download
memory/3128-111-0x00007FFB5E785000-0x00007FFB5E786000-memory.dmp

Filesize
4KB

Download
memory/3128-76-0x000000001D370000-0x000000001D37E000-memory.dmp

Filesize
56KB

Download
memory/3128-81-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/3128-85-0x000000001C610000-0x000000001C624000-memory.dmp

Filesize
80KB

Download
memory/3128-90-0x000000001E0B0000-0x000000001E112000-memory.dmp

Filesize
392KB

Download
memory/3128-49-0x000000001CDF0000-0x000000001CDFA000-memory.dmp

Filesize
40KB

Download
memory/3128-82-0x00000000014A0000-0x00000000014B4000-memory.dmp

Filesize
80KB

Download
memory/3128-77-0x000000001D3B0000-0x000000001D3C2000-memory.dmp

Filesize
72KB

Download
memory/3128-112-0x00007FFB5E4D0000-0x00007FFB5EE71000-memory.dmp

Filesize
9.6MB

Download
memory/3128-50-0x000000001CF00000-0x000000001CF1E000-memory.dmp

Filesize
120KB

Download
memory/3128-80-0x000000001D3E0000-0x000000001D3F4000-memory.dmp

Filesize
80KB

Download
memory/3128-75-0x000000001CD70000-0x000000001CD8A000-memory.dmp

Filesize
104KB

Download
memory/3128-83-0x000000001C5D0000-0x000000001C5DE000-memory.dmp

Filesize
56KB

Download
memory/3128-27-0x0000000001480000-0x0000000001488000-memory.dmp

Filesize
32KB

Download
memory/3128-74-0x000000001C630000-0x000000001C642000-memory.dmp

Filesize
72KB

Download
memory/3128-84-0x000000001D3F0000-0x000000001D41E000-memory.dmp

Filesize
184KB

Download
memory/3128-23-0x000000001C2C0000-0x000000001C35C000-memory.dmp

Filesize
624KB

Download
memory/3128-22-0x00007FFB5E785000-0x00007FFB5E786000-memory.dmp

Filesize
4KB

Download
memory/3128-20-0x00007FFB5E4D0000-0x00007FFB5EE71000-memory.dmp

Filesize
9.6MB

Download
memory/3128-25-0x000000001C510000-0x000000001C5B6000-memory.dmp

Filesize
664KB

Download
memory/3128-51-0x000000001D270000-0x000000001D27A000-memory.dmp

Filesize
40KB

Download
memory/3128-18-0x000000001BD50000-0x000000001C21E000-memory.dmp

Filesize
4.8MB

Download
memory/3128-15-0x00007FFB5E785000-0x00007FFB5E786000-memory.dmp

Filesize
4KB

Download