nanocore | 56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
Size

4.3MB
MD5

5b2f4e07e883c0b165daaba2127a589f
SHA1

c9edf782418140d7720f58d996dbcaeec965ee50
SHA256

56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f
SHA512

80be5d187ad54b8396fab7045bc7f15f1eb1434bfa2e30707b4f4b5e59548039f2ee2cc8f6b4f7edde01bfd680306fcd875bf653be8b88c6d67bd6fb26e84010

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

109.230.215.181:1604

127.0.0.1:1604

Mutex

7fa6e9c8-20ea-4047-9f02-2251015e4ea4

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-03-10T10:37:21.189476636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1604
default_group
crypt authorized
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
7fa6e9c8-20ea-4047-9f02-2251015e4ea4
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
109.230.215.181
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 17 IoCs

Processes:

lolll.exeTsexun.execonfiditial.exeSwiftProtector.execonfiditial.exe swiftprotector.exe icsys.icn.exeexplorer.exeClient.exeicsys.icn.exespoolsv.exesvchost.exespoolsv.exeRobloxAppLanucher.exerobloxapplanucher.exe icsys.icn.exeexplorer.exe

pid	process
4280	lolll.exe
4240	Tsexun.exe
4700	confiditial.exe
568	SwiftProtector.exe
956	confiditial.exe
1204	swiftprotector.exe
3516	icsys.icn.exe
1996	explorer.exe
2224	Client.exe
2156	icsys.icn.exe
2516	spoolsv.exe
680	svchost.exe
4584	spoolsv.exe
4468	RobloxAppLanucher.exe
3300	robloxapplanucher.exe
308	icsys.icn.exe
4304	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.execonfiditial.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	confiditial.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exeTsexun.exelolll.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Monitor = "C:\\Program Files (x86)\\IMAP Monitor\\imapmon.exe"	Tsexun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDPBlox Agent = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lolll.exe\""	lolll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Tsexun.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Tsexun.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Tsexun.exe

flow	ioc
2	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

svchost.exeexplorer.exesvchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{039D1EFF-A0C9-4D71-871A-F82F9E7535D4}.catalogItem	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F9B1C421-3E8B-491A-A51F-CA51C16C003A}.catalogItem	svchost.exe

Drops file in Program Files directory 4 IoCs

Processes:

Tsexun.exelolll.exe

description	ioc	process
File created	C:\Program Files (x86)\IMAP Monitor\imapmon.exe	Tsexun.exe
File opened for modification	C:\Program Files (x86)\IMAP Monitor\imapmon.exe	Tsexun.exe
File created	C:\Program Files (x86)\SubDir\Client.exe	lolll.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	lolll.exe

Drops file in Windows directory 7 IoCs

Processes:

RobloxAppLanucher.exeexplorer.execonfiditial.exeSwiftProtector.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	RobloxAppLanucher.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	confiditial.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	SwiftProtector.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3844 3300 WerFault.exe robloxapplanucher.exe

pid	pid_target	process	target process
3844	3300	WerFault.exe	robloxapplanucher.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

748 schtasks.exe
4412 schtasks.exe

pid	process
748	schtasks.exe
4412	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SwiftProtector.execonfiditial.exe

pid	process
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
4700	confiditial.exe
4700	confiditial.exe
568	SwiftProtector.exe
4700	confiditial.exe
4700	confiditial.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
4700	confiditial.exe
4700	confiditial.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
4700	confiditial.exe
4700	confiditial.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
4700	confiditial.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
568	SwiftProtector.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

Tsexun.exeexplorer.exesvchost.exe

pid process

4240 Tsexun.exe
1996 explorer.exe
680 svchost.exe

pid	process
4240	Tsexun.exe
1996	explorer.exe
680	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Tsexun.exeswiftprotector.exe lolll.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4240	Tsexun.exe
Token: SeDebugPrivilege	1204	swiftprotector.exe
Token: SeDebugPrivilege	4280	lolll.exe
Token: SeDebugPrivilege	2224	Client.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

confiditial.exeSwiftProtector.exeicsys.icn.exeexplorer.exeicsys.icn.exespoolsv.exesvchost.exespoolsv.exeRobloxAppLanucher.exeicsys.icn.exeexplorer.exe

pid	process
4700	confiditial.exe
568	SwiftProtector.exe
568	SwiftProtector.exe
4700	confiditial.exe
3516	icsys.icn.exe
3516	icsys.icn.exe
1996	explorer.exe
1996	explorer.exe
2156	icsys.icn.exe
2516	spoolsv.exe
2156	icsys.icn.exe
2516	spoolsv.exe
680	svchost.exe
680	svchost.exe
4584	spoolsv.exe
4584	spoolsv.exe
4468	RobloxAppLanucher.exe
4468	RobloxAppLanucher.exe
308	icsys.icn.exe
308	icsys.icn.exe
4304	explorer.exe
4304	explorer.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.execonfiditial.exeSwiftProtector.exelolll.execonfiditial.exe icsys.icn.execmd.exeexplorer.exespoolsv.exesvchost.exeRobloxAppLanucher.exeClient.exeicsys.icn.exe

description	pid	process	target process
PID 4952 wrote to memory of 4280	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	lolll.exe
PID 4952 wrote to memory of 4280	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	lolll.exe
PID 4952 wrote to memory of 4240	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	Tsexun.exe
PID 4952 wrote to memory of 4240	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	Tsexun.exe
PID 4952 wrote to memory of 4240	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	Tsexun.exe
PID 4952 wrote to memory of 4700	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	confiditial.exe
PID 4952 wrote to memory of 4700	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	confiditial.exe
PID 4952 wrote to memory of 4700	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	confiditial.exe
PID 4952 wrote to memory of 568	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	SwiftProtector.exe
PID 4952 wrote to memory of 568	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	SwiftProtector.exe
PID 4952 wrote to memory of 568	4952	56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe	SwiftProtector.exe
PID 4700 wrote to memory of 956	4700	confiditial.exe	confiditial.exe
PID 4700 wrote to memory of 956	4700	confiditial.exe	confiditial.exe
PID 4700 wrote to memory of 956	4700	confiditial.exe	confiditial.exe
PID 568 wrote to memory of 1204	568	SwiftProtector.exe	swiftprotector.exe
PID 568 wrote to memory of 1204	568	SwiftProtector.exe	swiftprotector.exe
PID 568 wrote to memory of 1204	568	SwiftProtector.exe	swiftprotector.exe
PID 4700 wrote to memory of 3516	4700	confiditial.exe	icsys.icn.exe
PID 4700 wrote to memory of 3516	4700	confiditial.exe	icsys.icn.exe
PID 4700 wrote to memory of 3516	4700	confiditial.exe	icsys.icn.exe
PID 4280 wrote to memory of 748	4280	lolll.exe	schtasks.exe
PID 4280 wrote to memory of 748	4280	lolll.exe	schtasks.exe
PID 956 wrote to memory of 4328	956	confiditial.exe	cmd.exe
PID 956 wrote to memory of 4328	956	confiditial.exe	cmd.exe
PID 956 wrote to memory of 4328	956	confiditial.exe	cmd.exe
PID 3516 wrote to memory of 1996	3516	icsys.icn.exe	explorer.exe
PID 3516 wrote to memory of 1996	3516	icsys.icn.exe	explorer.exe
PID 3516 wrote to memory of 1996	3516	icsys.icn.exe	explorer.exe
PID 4328 wrote to memory of 4188	4328	cmd.exe	reg.exe
PID 4328 wrote to memory of 4188	4328	cmd.exe	reg.exe
PID 4328 wrote to memory of 4188	4328	cmd.exe	reg.exe
PID 4280 wrote to memory of 2224	4280	lolll.exe	Client.exe
PID 4280 wrote to memory of 2224	4280	lolll.exe	Client.exe
PID 568 wrote to memory of 2156	568	SwiftProtector.exe	icsys.icn.exe
PID 568 wrote to memory of 2156	568	SwiftProtector.exe	icsys.icn.exe
PID 568 wrote to memory of 2156	568	SwiftProtector.exe	icsys.icn.exe
PID 1996 wrote to memory of 2516	1996	explorer.exe	spoolsv.exe
PID 1996 wrote to memory of 2516	1996	explorer.exe	spoolsv.exe
PID 1996 wrote to memory of 2516	1996	explorer.exe	spoolsv.exe
PID 2516 wrote to memory of 680	2516	spoolsv.exe	svchost.exe
PID 2516 wrote to memory of 680	2516	spoolsv.exe	svchost.exe
PID 2516 wrote to memory of 680	2516	spoolsv.exe	svchost.exe
PID 680 wrote to memory of 4584	680	svchost.exe	spoolsv.exe
PID 680 wrote to memory of 4584	680	svchost.exe	spoolsv.exe
PID 680 wrote to memory of 4584	680	svchost.exe	spoolsv.exe
PID 956 wrote to memory of 4468	956	confiditial.exe	RobloxAppLanucher.exe
PID 956 wrote to memory of 4468	956	confiditial.exe	RobloxAppLanucher.exe
PID 956 wrote to memory of 4468	956	confiditial.exe	RobloxAppLanucher.exe
PID 4468 wrote to memory of 3300	4468	RobloxAppLanucher.exe	robloxapplanucher.exe
PID 4468 wrote to memory of 3300	4468	RobloxAppLanucher.exe	robloxapplanucher.exe
PID 4468 wrote to memory of 3300	4468	RobloxAppLanucher.exe	robloxapplanucher.exe
PID 2224 wrote to memory of 4412	2224	Client.exe	schtasks.exe
PID 2224 wrote to memory of 4412	2224	Client.exe	schtasks.exe
PID 4468 wrote to memory of 308	4468	RobloxAppLanucher.exe	icsys.icn.exe
PID 4468 wrote to memory of 308	4468	RobloxAppLanucher.exe	icsys.icn.exe
PID 4468 wrote to memory of 308	4468	RobloxAppLanucher.exe	icsys.icn.exe
PID 308 wrote to memory of 4304	308	icsys.icn.exe	explorer.exe
PID 308 wrote to memory of 4304	308	icsys.icn.exe	explorer.exe
PID 308 wrote to memory of 4304	308	icsys.icn.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
"C:\Users\Admin\AppData\Local\Temp\56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Local\Temp\lolll.exe
"C:\Users\Admin\AppData\Local\Temp\lolll.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RDPBlox Agent" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\lolll.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:748

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RDPBlox Agent" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4412

C:\Users\Admin\AppData\Local\Temp\Tsexun.exe
"C:\Users\Admin\AppData\Local\Temp\Tsexun.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Users\Admin\AppData\Local\Temp\confiditial.exe
"C:\Users\Admin\AppData\Local\Temp\confiditial.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4700

\??\c:\users\admin\appdata\local\temp\confiditial.exe
c:\users\admin\appdata\local\temp\confiditial.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe" /f
5⤵
PID:4188

C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe
"C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468

\??\c:\users\admin\appdata\roaming\robloxapplanucher.exe
c:\users\admin\appdata\roaming\robloxapplanucher.exe
5⤵
- Executes dropped EXE
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 1088
6⤵
- Program crash
PID:3844

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:308

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4304

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:680

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Users\Admin\AppData\Local\Temp\SwiftProtector.exe
"C:\Users\Admin\AppData\Local\Temp\SwiftProtector.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:568

\??\c:\users\admin\appdata\local\temp\swiftprotector.exe
c:\users\admin\appdata\local\temp\swiftprotector.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3300 -ip 3300
1⤵
PID:4444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SubDir\Client.exe
Filesize
144KB

MD5
1a0448c47734940a92640e24fff2691a

SHA1
5a2871f19808a40004c7c8d08d77459e44dd4e89

SHA256
192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72

SHA512
9c5075d9961317c3a0495330707cf2515ce2ddde46503b34b03cd1e90c286b49baa8513b7ea5dceecfa0cbe880e133b6e245f22a8c0ce4f7f277547514ddcfd6

Download Submit
C:\Program Files (x86)\SubDir\Client.exe
Filesize
144KB

MD5
1a0448c47734940a92640e24fff2691a

SHA1
5a2871f19808a40004c7c8d08d77459e44dd4e89

SHA256
192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72

SHA512
9c5075d9961317c3a0495330707cf2515ce2ddde46503b34b03cd1e90c286b49baa8513b7ea5dceecfa0cbe880e133b6e245f22a8c0ce4f7f277547514ddcfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwiftProtector.exe
Filesize
3.9MB

MD5
67102e58d227ec190ffebcd885740da5

SHA1
a44d35c2fdcf52d7dc928bb8055bba719e0424d9

SHA256
eba20e95254ca56dbc8bb5c55adb85b058e17bcfa8d3acf8113a3824707b66ed

SHA512
7b42098b73db8e0206a19c13cd682d789c1f58449f0735f6dc7efe39e86bb8a33d23d7066a45c65204eb4f3623564582d37fd39ecfca97b897cee7619a930c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwiftProtector.exe
Filesize
3.9MB

MD5
67102e58d227ec190ffebcd885740da5

SHA1
a44d35c2fdcf52d7dc928bb8055bba719e0424d9

SHA256
eba20e95254ca56dbc8bb5c55adb85b058e17bcfa8d3acf8113a3824707b66ed

SHA512
7b42098b73db8e0206a19c13cd682d789c1f58449f0735f6dc7efe39e86bb8a33d23d7066a45c65204eb4f3623564582d37fd39ecfca97b897cee7619a930c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsexun.exe
Filesize
202KB

MD5
5c62a179832fc0df04addc93f9f9dd42

SHA1
64d6d19725e625fe8641dc8c4ae93b8a404712ff

SHA256
e7a79d110e0746b26523766a947fbe3eae5b6d38e0acadc743b8a9f3bb54eb31

SHA512
d1afcfd97e267620f0689abea903e2ef4a45b3eec448b6b1c0bf2600dec62250fac48e964a0447dfa04f9e2ef76b506b1113f1ff3746715b6f76dac36b0f910d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsexun.exe
Filesize
202KB

MD5
5c62a179832fc0df04addc93f9f9dd42

SHA1
64d6d19725e625fe8641dc8c4ae93b8a404712ff

SHA256
e7a79d110e0746b26523766a947fbe3eae5b6d38e0acadc743b8a9f3bb54eb31

SHA512
d1afcfd97e267620f0689abea903e2ef4a45b3eec448b6b1c0bf2600dec62250fac48e964a0447dfa04f9e2ef76b506b1113f1ff3746715b6f76dac36b0f910d

Download Submit
C:\Users\Admin\AppData\Local\Temp\confiditial.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
C:\Users\Admin\AppData\Local\Temp\confiditial.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
C:\Users\Admin\AppData\Local\Temp\confiditial.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
C:\Users\Admin\AppData\Local\Temp\lolll.exe
Filesize
144KB

MD5
1a0448c47734940a92640e24fff2691a

SHA1
5a2871f19808a40004c7c8d08d77459e44dd4e89

SHA256
192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72

SHA512
9c5075d9961317c3a0495330707cf2515ce2ddde46503b34b03cd1e90c286b49baa8513b7ea5dceecfa0cbe880e133b6e245f22a8c0ce4f7f277547514ddcfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lolll.exe
Filesize
144KB

MD5
1a0448c47734940a92640e24fff2691a

SHA1
5a2871f19808a40004c7c8d08d77459e44dd4e89

SHA256
192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72

SHA512
9c5075d9961317c3a0495330707cf2515ce2ddde46503b34b03cd1e90c286b49baa8513b7ea5dceecfa0cbe880e133b6e245f22a8c0ce4f7f277547514ddcfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\swiftprotector.exe
Filesize
3.7MB

MD5
d74f68403eef6477b3337b7a2bec802d

SHA1
368e0511048175f0118d526008c5679af968af98

SHA256
ad083f18a81539b7ddef2c7da3533587f29c863e6633402c56a5d429a461e9af

SHA512
55bd1883a849fdbbf9397f7635f07b7a7fee9a7c949fe25af1335b70e89c96af8c3fb5014bc8cfa9dc7e66ee88e7a8764be7dcaa5f5028ba25ab4d96d6b5c4dd

Download Submit
C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
C:\Users\Admin\AppData\Roaming\RobloxAppLanucher.exe
Filesize
443KB

MD5
d5b6b17536612d87bdc78221c15785f8

SHA1
cd38f8f228bcbc76214fab1e653388c2b0d16e07

SHA256
66f50d0ee3976f06cfe75fd9f117528bc48a2083b947e166a307bd6bc5e959fc

SHA512
467988028cf1396cee1b04eadb6513a493b84bedb51d0b75df8c68320eb3f519ad4f54fe9aef4183e997d722e9fce1b641252e82b5d1b10f48611c22cde56906

Download Submit
C:\Users\Admin\AppData\Roaming\robloxapplanucher.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
207KB

MD5
cbf5463c248cf80b17f8783c27e4abb5

SHA1
24e5715cf12ad2381f47ae58ed5737a5c20846cc

SHA256
43fb248fa1b4d828961c1ca14a290f1aa6b5b97cf8d9d0f642f8421a9e005d1b

SHA512
3c72fa11d0e55fdd1375ca6fffe31e5d1f392eb1506f6d0d921c2f19b43a5dd07e81b843cd668f1c64381bca9e39b4648a33449f7661d18053ebc2d21317ca96

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
207KB

MD5
cbf5463c248cf80b17f8783c27e4abb5

SHA1
24e5715cf12ad2381f47ae58ed5737a5c20846cc

SHA256
43fb248fa1b4d828961c1ca14a290f1aa6b5b97cf8d9d0f642f8421a9e005d1b

SHA512
3c72fa11d0e55fdd1375ca6fffe31e5d1f392eb1506f6d0d921c2f19b43a5dd07e81b843cd668f1c64381bca9e39b4648a33449f7661d18053ebc2d21317ca96

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
206KB

MD5
236fcd610104998879eda7e50223e062

SHA1
118c958aa567392c8b2fa4db346a06b4fd3aae8b

SHA256
86695953b3c8dd1a1b6bb23fb44a186ff3defc74fe55c0676f4b7e9862e49c7d

SHA512
6baf260372ceee96123eb8fedc474647ed8def88d992bf76568828f2448583d5c57033a7c7e5f4516a492e450c7ed0b0a89a6aa5c2a075768ec9c4f883cf1561

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
206KB

MD5
236fcd610104998879eda7e50223e062

SHA1
118c958aa567392c8b2fa4db346a06b4fd3aae8b

SHA256
86695953b3c8dd1a1b6bb23fb44a186ff3defc74fe55c0676f4b7e9862e49c7d

SHA512
6baf260372ceee96123eb8fedc474647ed8def88d992bf76568828f2448583d5c57033a7c7e5f4516a492e450c7ed0b0a89a6aa5c2a075768ec9c4f883cf1561

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
206KB

MD5
236fcd610104998879eda7e50223e062

SHA1
118c958aa567392c8b2fa4db346a06b4fd3aae8b

SHA256
86695953b3c8dd1a1b6bb23fb44a186ff3defc74fe55c0676f4b7e9862e49c7d

SHA512
6baf260372ceee96123eb8fedc474647ed8def88d992bf76568828f2448583d5c57033a7c7e5f4516a492e450c7ed0b0a89a6aa5c2a075768ec9c4f883cf1561

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
207KB

MD5
9d4a13eda8a705fa25dafae7a615ad65

SHA1
add11596a067c2c48945aa46b323acfbc365b3b1

SHA256
0642a28f43ae43c675e8407943d15905f6e7a8b1b1614a0ee18af1cf5fdebbee

SHA512
89716d5156ddb75a6aa28ce00000f2720ab1c26c9964eb099599d6b2ef7190e0ce5ef566d4f5249abfb70fd448d8248b90bf68e7a98b8c2f29b4290bebb5248e

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
207KB

MD5
9d4a13eda8a705fa25dafae7a615ad65

SHA1
add11596a067c2c48945aa46b323acfbc365b3b1

SHA256
0642a28f43ae43c675e8407943d15905f6e7a8b1b1614a0ee18af1cf5fdebbee

SHA512
89716d5156ddb75a6aa28ce00000f2720ab1c26c9964eb099599d6b2ef7190e0ce5ef566d4f5249abfb70fd448d8248b90bf68e7a98b8c2f29b4290bebb5248e

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
207KB

MD5
306bdc0314f82b394d8f3fa8cbaaa15d

SHA1
a78a1bcf6c3adb19c17eb8235b553a79f037043b

SHA256
2e5edfcc0ac9023a9e2bf0bb28fe0a7293969de694d8287b41a4b09333ccf266

SHA512
6c1dd918179c9454a1e210419725b82a5c9e5ba16fed35703ffafa124c158d3a358acd0030f06acf763d90c1b52c42edffbe2da52042c928ef0713dc336985b4

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
207KB

MD5
306bdc0314f82b394d8f3fa8cbaaa15d

SHA1
a78a1bcf6c3adb19c17eb8235b553a79f037043b

SHA256
2e5edfcc0ac9023a9e2bf0bb28fe0a7293969de694d8287b41a4b09333ccf266

SHA512
6c1dd918179c9454a1e210419725b82a5c9e5ba16fed35703ffafa124c158d3a358acd0030f06acf763d90c1b52c42edffbe2da52042c928ef0713dc336985b4

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
206KB

MD5
130c3a8915bc9c5ad88d18e92b548a81

SHA1
b180cc877e61db1076b87749b0aba81fb2617b9c

SHA256
f1b5172aac340207c21de533e0e2057e4020e60249658cd623322679445751d9

SHA512
c666f27281ed491cfd45a5141434e8b666a753f6f4e5e5c45d42b5b08ee2d22859bd980a6e070941150708a1d821113ce23b4b3a666b6a5190c873767e9f53d0

Download Submit
\??\c:\users\admin\appdata\local\temp\confiditial.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\??\c:\users\admin\appdata\local\temp\swiftprotector.exe
Filesize
3.7MB

MD5
d74f68403eef6477b3337b7a2bec802d

SHA1
368e0511048175f0118d526008c5679af968af98

SHA256
ad083f18a81539b7ddef2c7da3533587f29c863e6633402c56a5d429a461e9af

SHA512
55bd1883a849fdbbf9397f7635f07b7a7fee9a7c949fe25af1335b70e89c96af8c3fb5014bc8cfa9dc7e66ee88e7a8764be7dcaa5f5028ba25ab4d96d6b5c4dd

Download Submit
\??\c:\users\admin\appdata\roaming\robloxapplanucher.exe
Filesize
236KB

MD5
52b8ea8dad39e992554154fd9eb1c88d

SHA1
fb48daaadb6e33b0032555a34e7b21a598f80407

SHA256
6efdf705c1f2a141e99c5a41468b5e07237ffff4e232925187b35b7c8b19e169

SHA512
ba7b35f8584247816042be6c2b02b9cc718efe314b56f8aaf3ca7b5640873c41981af599351e35e0cb4fc27bd6a1531fa165ccf461104b4c8b616d0a8053e097

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
207KB

MD5
306bdc0314f82b394d8f3fa8cbaaa15d

SHA1
a78a1bcf6c3adb19c17eb8235b553a79f037043b

SHA256
2e5edfcc0ac9023a9e2bf0bb28fe0a7293969de694d8287b41a4b09333ccf266

SHA512
6c1dd918179c9454a1e210419725b82a5c9e5ba16fed35703ffafa124c158d3a358acd0030f06acf763d90c1b52c42edffbe2da52042c928ef0713dc336985b4

Download Submit
\??\c:\windows\resources\svchost.exe
Filesize
206KB

MD5
130c3a8915bc9c5ad88d18e92b548a81

SHA1
b180cc877e61db1076b87749b0aba81fb2617b9c

SHA256
f1b5172aac340207c21de533e0e2057e4020e60249658cd623322679445751d9

SHA512
c666f27281ed491cfd45a5141434e8b666a753f6f4e5e5c45d42b5b08ee2d22859bd980a6e070941150708a1d821113ce23b4b3a666b6a5190c873767e9f53d0

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
207KB

MD5
cbf5463c248cf80b17f8783c27e4abb5

SHA1
24e5715cf12ad2381f47ae58ed5737a5c20846cc

SHA256
43fb248fa1b4d828961c1ca14a290f1aa6b5b97cf8d9d0f642f8421a9e005d1b

SHA512
3c72fa11d0e55fdd1375ca6fffe31e5d1f392eb1506f6d0d921c2f19b43a5dd07e81b843cd668f1c64381bca9e39b4648a33449f7661d18053ebc2d21317ca96

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe
Filesize
207KB

MD5
9d4a13eda8a705fa25dafae7a615ad65

SHA1
add11596a067c2c48945aa46b323acfbc365b3b1

SHA256
0642a28f43ae43c675e8407943d15905f6e7a8b1b1614a0ee18af1cf5fdebbee

SHA512
89716d5156ddb75a6aa28ce00000f2720ab1c26c9964eb099599d6b2ef7190e0ce5ef566d4f5249abfb70fd448d8248b90bf68e7a98b8c2f29b4290bebb5248e

Download Submit
memory/308-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/308-233-0x0000000000000000-mapping.dmp

Download
memory/568-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/568-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/568-140-0x0000000000000000-mapping.dmp

Download
memory/680-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/680-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/680-205-0x0000000000000000-mapping.dmp

Download
memory/748-170-0x0000000000000000-mapping.dmp

Download
memory/956-153-0x0000000000000000-mapping.dmp

Download
memory/956-163-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/956-158-0x0000000004E30000-0x0000000004ECC000-memory.dmp

Filesize
624KB

Download
memory/956-157-0x0000000000410000-0x0000000000450000-memory.dmp

Filesize
256KB

Download
memory/1204-173-0x0000000006460000-0x000000000646A000-memory.dmp

Filesize
40KB

Download
memory/1204-164-0x0000000006270000-0x0000000006302000-memory.dmp

Filesize
584KB

Download
memory/1204-159-0x0000000000000000-mapping.dmp

Download
memory/1204-174-0x0000000006490000-0x00000000064E6000-memory.dmp

Filesize
344KB

Download
memory/1204-180-0x0000000006530000-0x0000000006596000-memory.dmp

Filesize
408KB

Download
memory/1996-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-177-0x0000000000000000-mapping.dmp

Download
memory/2156-188-0x0000000000000000-mapping.dmp

Download
memory/2156-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-185-0x0000000000000000-mapping.dmp

Download
memory/2224-198-0x00007FF84D730000-0x00007FF84E1F1000-memory.dmp

Filesize
10.8MB

Download
memory/2224-247-0x00007FF84D730000-0x00007FF84E1F1000-memory.dmp

Filesize
10.8MB

Download
memory/2516-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-191-0x0000000000000000-mapping.dmp

Download
memory/3300-228-0x0000000000000000-mapping.dmp

Download
memory/3516-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-166-0x0000000000000000-mapping.dmp

Download
memory/3516-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-182-0x0000000000000000-mapping.dmp

Download
memory/4240-232-0x0000000073C10000-0x00000000741C1000-memory.dmp

Filesize
5.7MB

Download
memory/4240-152-0x0000000073C10000-0x00000000741C1000-memory.dmp

Filesize
5.7MB

Download
memory/4240-133-0x0000000000000000-mapping.dmp

Download
memory/4280-193-0x00007FF84D730000-0x00007FF84E1F1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-162-0x0000000002B30000-0x0000000002B42000-memory.dmp

Filesize
72KB

Download
memory/4280-130-0x0000000000000000-mapping.dmp

Download
memory/4280-135-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/4280-165-0x0000000002CA0000-0x0000000002CDC000-memory.dmp

Filesize
240KB

Download
memory/4280-148-0x00007FF84D730000-0x00007FF84E1F1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-239-0x0000000000000000-mapping.dmp

Download
memory/4304-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-175-0x0000000000000000-mapping.dmp

Download
memory/4412-231-0x0000000000000000-mapping.dmp

Download
memory/4468-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-216-0x0000000000000000-mapping.dmp

Download
memory/4468-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-211-0x0000000000000000-mapping.dmp

Download
memory/4700-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-136-0x0000000000000000-mapping.dmp

Download
memory/4700-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download