nanocore | 85bd3b83fb8e9310068cc155999c11d8ee2a71e88f757d59927a3564a97699e6

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-10-2021 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rq6cPaymentreceipt.js
Size

81KB
MD5

989740b7f7dab7211c4005e833f37954
SHA1

a814fbaf107d44cbf8ae69a766cb5e7e90a08e4e
SHA256

85bd3b83fb8e9310068cc155999c11d8ee2a71e88f757d59927a3564a97699e6
SHA512

3831d2bf05c928ad2feb83b41ab7544eb62424ca05961698c1b7a349747aab39b75f745e303937af4fad38c437c31813bc471d9cc3ae2f016bc6c1036b6a801d

Score

10^/10

nanocore vjw0rm evasion keylogger persistence spyware stealer trojan worm

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

kenimaf.duckdns.org:8090

Mutex

543e7469-d950-4ec2-a110-de54f8d16167

Attributes

activate_away_mode
true
backup_connection_host
kenimaf.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-01T06:39:50.225932136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8090
default_group
kenn
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
543e7469-d950-4ec2-a110-de54f8d16167
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
kenimaf.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

vjw0rm

http://6200js.duckdns.org:6200

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 5 IoCs

Processes:

wscript.exe

flow pid process

5 528 wscript.exe
7 528 wscript.exe
9 528 wscript.exe
11 528 wscript.exe
13 528 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

fj9onm3.exefj9onm3.exexzf75ic.exexzf75ic.exekq0uyzv.exekq0uyzv.exekq0uyzv.exekq0uyzv.exe

pid process

1944 fj9onm3.exe
1056 fj9onm3.exe
736 xzf75ic.exe
1196 xzf75ic.exe
1832 kq0uyzv.exe
876 kq0uyzv.exe
960 kq0uyzv.exe
1920 kq0uyzv.exe

flow	pid	process
5	528	wscript.exe
7	528	wscript.exe
9	528	wscript.exe
11	528	wscript.exe
13	528	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rq6cPaymentreceipt.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rq6cPaymentreceipt.js	wscript.exe

Loads dropped DLL 10 IoCs

Processes:

fj9onm3.exeWerFault.exexzf75ic.exekq0uyzv.exe

pid	process
1944	fj9onm3.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
736	xzf75ic.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

fj9onm3.exexzf75ic.exekq0uyzv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	fj9onm3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	fj9onm3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe = "0"	fj9onm3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe = "0"	fj9onm3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe = "0"	xzf75ic.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe = "0"	kq0uyzv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kq0uyzv.exewscript.exefj9onm3.exexzf75ic.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\Windows\\Cursors\\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\\svchost.exe"	kq0uyzv.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\BB4HJP0E1C = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\rq6cPaymentreceipt.js'"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\Windows\\Cursors\\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\\svchost.exe"	fj9onm3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\Windows\\Cursors\\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\\svchost.exe"	xzf75ic.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

fj9onm3.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fj9onm3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fj9onm3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 44 IoCs

Processes:

fj9onm3.exexzf75ic.exekq0uyzv.exe

pid	process
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
736	xzf75ic.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

fj9onm3.exexzf75ic.exekq0uyzv.exe

description	pid	process	target process
PID 1944 set thread context of 1056	1944	fj9onm3.exe	fj9onm3.exe
PID 736 set thread context of 1196	736	xzf75ic.exe	xzf75ic.exe
PID 1832 set thread context of 1920	1832	kq0uyzv.exe	kq0uyzv.exe

Drops file in Windows directory 2 IoCs

Processes:

fj9onm3.exe

description	ioc	process
File created	C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe	fj9onm3.exe
File opened for modification	C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe	fj9onm3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1740 1944 WerFault.exe fj9onm3.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1072 schtasks.exe

pid	pid_target	process	target process
1740	1944	WerFault.exe	fj9onm3.exe

pid	process
1072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

fj9onm3.exepowershell.exepowershell.exepowershell.exefj9onm3.exeWerFault.exexzf75ic.exepowershell.exepowershell.exepowershell.exekq0uyzv.exepowershell.exepowershell.exepowershell.exe

pid	process
1944	fj9onm3.exe
1944	fj9onm3.exe
1944	fj9onm3.exe
1960	powershell.exe
1988	powershell.exe
872	powershell.exe
1056	fj9onm3.exe
1056	fj9onm3.exe
1056	fj9onm3.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1056	fj9onm3.exe
1056	fj9onm3.exe
1056	fj9onm3.exe
1056	fj9onm3.exe
1056	fj9onm3.exe
1056	fj9onm3.exe
736	xzf75ic.exe
1684	powershell.exe
1460	powershell.exe
1952	powershell.exe
736	xzf75ic.exe
736	xzf75ic.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe
2028	powershell.exe
1644	powershell.exe
2016	powershell.exe
1832	kq0uyzv.exe
1832	kq0uyzv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fj9onm3.exe

pid process

1056 fj9onm3.exe

pid	process
1056	fj9onm3.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

fj9onm3.exepowershell.exepowershell.exepowershell.exefj9onm3.exeWerFault.exexzf75ic.exepowershell.exepowershell.exepowershell.exekq0uyzv.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1944	fj9onm3.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1056	fj9onm3.exe
Token: SeDebugPrivilege	1740	WerFault.exe
Token: SeDebugPrivilege	736	xzf75ic.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1832	kq0uyzv.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.exefj9onm3.exexzf75ic.exekq0uyzv.exe

description	pid	process	target process
PID 528 wrote to memory of 1072	528	wscript.exe	schtasks.exe
PID 528 wrote to memory of 1072	528	wscript.exe	schtasks.exe
PID 528 wrote to memory of 1072	528	wscript.exe	schtasks.exe
PID 528 wrote to memory of 1944	528	wscript.exe	fj9onm3.exe
PID 528 wrote to memory of 1944	528	wscript.exe	fj9onm3.exe
PID 528 wrote to memory of 1944	528	wscript.exe	fj9onm3.exe
PID 528 wrote to memory of 1944	528	wscript.exe	fj9onm3.exe
PID 1944 wrote to memory of 1960	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 1960	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 1960	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 1960	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 872	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 872	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 872	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 872	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 1988	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 1988	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 1988	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 1988	1944	fj9onm3.exe	powershell.exe
PID 1944 wrote to memory of 1056	1944	fj9onm3.exe	fj9onm3.exe
PID 1944 wrote to memory of 1056	1944	fj9onm3.exe	fj9onm3.exe
PID 1944 wrote to memory of 1056	1944	fj9onm3.exe	fj9onm3.exe
PID 1944 wrote to memory of 1056	1944	fj9onm3.exe	fj9onm3.exe
PID 1944 wrote to memory of 1056	1944	fj9onm3.exe	fj9onm3.exe
PID 1944 wrote to memory of 1056	1944	fj9onm3.exe	fj9onm3.exe
PID 1944 wrote to memory of 1056	1944	fj9onm3.exe	fj9onm3.exe
PID 1944 wrote to memory of 1056	1944	fj9onm3.exe	fj9onm3.exe
PID 1944 wrote to memory of 1056	1944	fj9onm3.exe	fj9onm3.exe
PID 1944 wrote to memory of 1740	1944	fj9onm3.exe	WerFault.exe
PID 1944 wrote to memory of 1740	1944	fj9onm3.exe	WerFault.exe
PID 1944 wrote to memory of 1740	1944	fj9onm3.exe	WerFault.exe
PID 1944 wrote to memory of 1740	1944	fj9onm3.exe	WerFault.exe
PID 528 wrote to memory of 736	528	wscript.exe	xzf75ic.exe
PID 528 wrote to memory of 736	528	wscript.exe	xzf75ic.exe
PID 528 wrote to memory of 736	528	wscript.exe	xzf75ic.exe
PID 528 wrote to memory of 736	528	wscript.exe	xzf75ic.exe
PID 736 wrote to memory of 1460	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1460	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1460	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1460	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1952	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1952	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1952	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1952	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1684	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1684	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1684	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1684	736	xzf75ic.exe	powershell.exe
PID 736 wrote to memory of 1196	736	xzf75ic.exe	xzf75ic.exe
PID 736 wrote to memory of 1196	736	xzf75ic.exe	xzf75ic.exe
PID 736 wrote to memory of 1196	736	xzf75ic.exe	xzf75ic.exe
PID 736 wrote to memory of 1196	736	xzf75ic.exe	xzf75ic.exe
PID 736 wrote to memory of 1196	736	xzf75ic.exe	xzf75ic.exe
PID 736 wrote to memory of 1196	736	xzf75ic.exe	xzf75ic.exe
PID 736 wrote to memory of 1196	736	xzf75ic.exe	xzf75ic.exe
PID 736 wrote to memory of 1196	736	xzf75ic.exe	xzf75ic.exe
PID 736 wrote to memory of 1196	736	xzf75ic.exe	xzf75ic.exe
PID 528 wrote to memory of 1832	528	wscript.exe	kq0uyzv.exe
PID 528 wrote to memory of 1832	528	wscript.exe	kq0uyzv.exe
PID 528 wrote to memory of 1832	528	wscript.exe	kq0uyzv.exe
PID 528 wrote to memory of 1832	528	wscript.exe	kq0uyzv.exe
PID 1832 wrote to memory of 2028	1832	kq0uyzv.exe	powershell.exe
PID 1832 wrote to memory of 2028	1832	kq0uyzv.exe	powershell.exe
PID 1832 wrote to memory of 2028	1832	kq0uyzv.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\rq6cPaymentreceipt.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\rq6cPaymentreceipt.js
  2⤵
  - Creates scheduled task(s)
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe
  "C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe
    "C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1780
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe
  "C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe
    "C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe"
    3⤵
    - Executes dropped EXE
    PID:1196
- C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
  "C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
    "C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe"
    3⤵
    - Executes dropped EXE
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
    "C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe"
    3⤵
    - Executes dropped EXE
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
    "C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe"
    3⤵
    - Executes dropped EXE
    PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
0e5624f592bdf95a6335e3ef6bd8255f

SHA1
b597cd02c6f8d877092e9ca2398b091d542d3b45

SHA256
424960abcb973ad1aa4e670fe851b2263b98b2a710451e0a095f128992241d7c

SHA512
e9eb5bf907b14ef28cbfe610074fe5a801b485b969bb7235dcb92a3499db0217b1b58d3ef7c07792071b7e9564425421b92a030b3a167608f970c071def9113b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
0e5624f592bdf95a6335e3ef6bd8255f

SHA1
b597cd02c6f8d877092e9ca2398b091d542d3b45

SHA256
424960abcb973ad1aa4e670fe851b2263b98b2a710451e0a095f128992241d7c

SHA512
e9eb5bf907b14ef28cbfe610074fe5a801b485b969bb7235dcb92a3499db0217b1b58d3ef7c07792071b7e9564425421b92a030b3a167608f970c071def9113b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
0e5624f592bdf95a6335e3ef6bd8255f

SHA1
b597cd02c6f8d877092e9ca2398b091d542d3b45

SHA256
424960abcb973ad1aa4e670fe851b2263b98b2a710451e0a095f128992241d7c

SHA512
e9eb5bf907b14ef28cbfe610074fe5a801b485b969bb7235dcb92a3499db0217b1b58d3ef7c07792071b7e9564425421b92a030b3a167608f970c071def9113b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
0e5624f592bdf95a6335e3ef6bd8255f

SHA1
b597cd02c6f8d877092e9ca2398b091d542d3b45

SHA256
424960abcb973ad1aa4e670fe851b2263b98b2a710451e0a095f128992241d7c

SHA512
e9eb5bf907b14ef28cbfe610074fe5a801b485b969bb7235dcb92a3499db0217b1b58d3ef7c07792071b7e9564425421b92a030b3a167608f970c071def9113b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
0e5624f592bdf95a6335e3ef6bd8255f

SHA1
b597cd02c6f8d877092e9ca2398b091d542d3b45

SHA256
424960abcb973ad1aa4e670fe851b2263b98b2a710451e0a095f128992241d7c

SHA512
e9eb5bf907b14ef28cbfe610074fe5a801b485b969bb7235dcb92a3499db0217b1b58d3ef7c07792071b7e9564425421b92a030b3a167608f970c071def9113b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
0e5624f592bdf95a6335e3ef6bd8255f

SHA1
b597cd02c6f8d877092e9ca2398b091d542d3b45

SHA256
424960abcb973ad1aa4e670fe851b2263b98b2a710451e0a095f128992241d7c

SHA512
e9eb5bf907b14ef28cbfe610074fe5a801b485b969bb7235dcb92a3499db0217b1b58d3ef7c07792071b7e9564425421b92a030b3a167608f970c071def9113b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
0e5624f592bdf95a6335e3ef6bd8255f

SHA1
b597cd02c6f8d877092e9ca2398b091d542d3b45

SHA256
424960abcb973ad1aa4e670fe851b2263b98b2a710451e0a095f128992241d7c

SHA512
e9eb5bf907b14ef28cbfe610074fe5a801b485b969bb7235dcb92a3499db0217b1b58d3ef7c07792071b7e9564425421b92a030b3a167608f970c071def9113b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\fj9onm3.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
\Users\Admin\AppData\Local\Temp\fj9onm3.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
\Users\Admin\AppData\Local\Temp\fj9onm3.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
\Users\Admin\AppData\Local\Temp\fj9onm3.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
\Users\Admin\AppData\Local\Temp\fj9onm3.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
\Users\Admin\AppData\Local\Temp\fj9onm3.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
\Users\Admin\AppData\Local\Temp\kq0uyzv.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
\Users\Admin\AppData\Local\Temp\kq0uyzv.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
\Users\Admin\AppData\Local\Temp\kq0uyzv.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
\Users\Admin\AppData\Local\Temp\xzf75ic.exe

MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
memory/528-55-0x000007FEFC441000-0x000007FEFC443000-memory.dmp

Filesize
8KB

Download
memory/736-123-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/736-117-0x0000000000000000-mapping.dmp

Download
memory/736-133-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/736-120-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/872-91-0x0000000002740000-0x000000000338A000-memory.dmp

Filesize
12.3MB

Download
memory/872-87-0x0000000002740000-0x000000000338A000-memory.dmp

Filesize
12.3MB

Download
memory/872-95-0x0000000002740000-0x000000000338A000-memory.dmp

Filesize
12.3MB

Download
memory/872-69-0x0000000000000000-mapping.dmp

Download
memory/1056-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1056-116-0x0000000000CD0000-0x0000000000CDF000-memory.dmp

Filesize
60KB

Download
memory/1056-101-0x0000000000590000-0x00000000005A9000-memory.dmp

Filesize
100KB

Download
memory/1056-102-0x00000000003F0000-0x00000000003F3000-memory.dmp

Filesize
12KB

Download
memory/1056-76-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1056-92-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1056-105-0x0000000000690000-0x000000000069D000-memory.dmp

Filesize
52KB

Download
memory/1056-106-0x0000000000730000-0x0000000000745000-memory.dmp

Filesize
84KB

Download
memory/1056-107-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/1056-108-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/1056-113-0x0000000000C60000-0x0000000000C6F000-memory.dmp

Filesize
60KB

Download
memory/1056-112-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/1056-111-0x00000000007A0000-0x00000000007AD000-memory.dmp

Filesize
52KB

Download
memory/1056-110-0x0000000000790000-0x0000000000797000-memory.dmp

Filesize
28KB

Download
memory/1056-109-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/1056-115-0x0000000000EC0000-0x0000000000EE9000-memory.dmp

Filesize
164KB

Download
memory/1056-114-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

Filesize
40KB

Download
memory/1056-100-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/1056-78-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1056-83-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1056-81-0x000000000041E792-mapping.dmp

Download
memory/1056-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1056-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1072-56-0x0000000000000000-mapping.dmp

Download
memory/1196-149-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1196-143-0x000000000041E792-mapping.dmp

Download
memory/1460-127-0x0000000000000000-mapping.dmp

Download
memory/1460-150-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1460-148-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1460-155-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1644-168-0x0000000000000000-mapping.dmp

Download
memory/1644-193-0x0000000002520000-0x000000000316A000-memory.dmp

Filesize
12.3MB

Download
memory/1644-195-0x0000000002520000-0x000000000316A000-memory.dmp

Filesize
12.3MB

Download
memory/1684-153-0x00000000022E2000-0x00000000022E4000-memory.dmp

Filesize
8KB

Download
memory/1684-130-0x0000000000000000-mapping.dmp

Download
memory/1684-151-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1684-152-0x00000000022E1000-0x00000000022E2000-memory.dmp

Filesize
4KB

Download
memory/1740-104-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/1740-89-0x0000000000000000-mapping.dmp

Download
memory/1832-160-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1832-157-0x0000000000000000-mapping.dmp

Download
memory/1832-163-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/1832-172-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1920-188-0x000000000041E792-mapping.dmp

Download
memory/1920-196-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/1944-57-0x0000000000000000-mapping.dmp

Download
memory/1944-60-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/1944-62-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1944-67-0x00000000003D0000-0x000000000045C000-memory.dmp

Filesize
560KB

Download
memory/1944-63-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1944-65-0x00000000009C0000-0x00000000009C3000-memory.dmp

Filesize
12KB

Download
memory/1944-66-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/1952-156-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/1952-147-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/1952-128-0x0000000000000000-mapping.dmp

Download
memory/1952-154-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/1960-90-0x0000000002341000-0x0000000002342000-memory.dmp

Filesize
4KB

Download
memory/1960-85-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1960-94-0x0000000002342000-0x0000000002344000-memory.dmp

Filesize
8KB

Download
memory/1960-68-0x0000000000000000-mapping.dmp

Download
memory/1988-88-0x0000000002391000-0x0000000002392000-memory.dmp

Filesize
4KB

Download
memory/1988-93-0x0000000002392000-0x0000000002394000-memory.dmp

Filesize
8KB

Download
memory/1988-71-0x0000000000000000-mapping.dmp

Download
memory/1988-86-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2016-170-0x0000000000000000-mapping.dmp

Download
memory/2028-167-0x0000000000000000-mapping.dmp

Download
memory/2028-189-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/2028-190-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download