nanocore | 3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

Analysis

max time kernel
152s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
Size

367KB
MD5

12f37f82ebcbcd459eb0116f3755c9ba
SHA1

5f52fee0433948de413003b97c72fa5bf4dba78c
SHA256

3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b
SHA512

c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2
SSDEEP

6144:RFawrQ3IMBQFebwxfk7S7Mp0lJDMXh97ckFDZEWAahXUSZYea7K1VDR60LBRJjXX:LatIMqeQf4S7MpkZMVFDUa5T+K1VDRLQ

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.0.0

tolaresfgc.ddns.net:6400

Mutex

e3ce3bd9-a714-42c3-b555-60de7e4e2e48

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2014-08-02T00:23:07.409088836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6400
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e3ce3bd9-a714-42c3-b555-60de7e4e2e48
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
tolaresfgc.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.0.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 18 IoCs

pid	Process
808	IpOverUsbSvrc.exe
3436	atiesrx.exe
4596	atiesrx.exe
1392	IpOverUsbSvrc.exe
1468	IpOverUsbSvrc.exe
3124	atiesrx.exe
2584	IpOverUsbSvrc.exe
3480	atiesrx.exe
4492	atiesrx.exe
4408	atiesrx.exe
3424	atiesrx.exe
656	atiesrx.exe
632	atiesrx.exe
700	atiesrx.exe
3452	atiesrx.exe
4312	atiesrx.exe
4576	atiesrx.exe
628	atiesrx.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	atiesrx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	atiesrx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 396 set thread context of 856	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	81
PID 3436 set thread context of 4596	3436	atiesrx.exe	87
PID 856 set thread context of 4964	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	86
PID 4596 set thread context of 3124	4596	atiesrx.exe	90
PID 4596 set thread context of 3480	4596	atiesrx.exe	92
PID 4596 set thread context of 4492	4596	atiesrx.exe	93
PID 4596 set thread context of 4408	4596	atiesrx.exe	97
PID 4596 set thread context of 3424	4596	atiesrx.exe	99
PID 4596 set thread context of 656	4596	atiesrx.exe	100
PID 4596 set thread context of 632	4596	atiesrx.exe	103
PID 4596 set thread context of 700	4596	atiesrx.exe	104
PID 4596 set thread context of 3452	4596	atiesrx.exe	105
PID 4596 set thread context of 4312	4596	atiesrx.exe	106
PID 4596 set thread context of 4576	4596	atiesrx.exe	107
PID 4596 set thread context of 628	4596	atiesrx.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
808	IpOverUsbSvrc.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4964	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
Token: SeDebugPrivilege	808	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
Token: SeDebugPrivilege	3436	atiesrx.exe
Token: SeDebugPrivilege	4964	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
Token: SeDebugPrivilege	4596	atiesrx.exe
Token: SeDebugPrivilege	2584	IpOverUsbSvrc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 856	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	81
PID 396 wrote to memory of 856	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	81
PID 396 wrote to memory of 856	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	81
PID 396 wrote to memory of 856	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	81
PID 396 wrote to memory of 856	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	81
PID 396 wrote to memory of 856	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	81
PID 396 wrote to memory of 856	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	81
PID 396 wrote to memory of 856	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	81
PID 396 wrote to memory of 808	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	84
PID 396 wrote to memory of 808	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	84
PID 396 wrote to memory of 808	396	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	84
PID 808 wrote to memory of 3436	808	IpOverUsbSvrc.exe	85
PID 808 wrote to memory of 3436	808	IpOverUsbSvrc.exe	85
PID 808 wrote to memory of 3436	808	IpOverUsbSvrc.exe	85
PID 3436 wrote to memory of 4596	3436	atiesrx.exe	87
PID 3436 wrote to memory of 4596	3436	atiesrx.exe	87
PID 3436 wrote to memory of 4596	3436	atiesrx.exe	87
PID 856 wrote to memory of 4964	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	86
PID 856 wrote to memory of 4964	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	86
PID 856 wrote to memory of 4964	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	86
PID 3436 wrote to memory of 4596	3436	atiesrx.exe	87
PID 3436 wrote to memory of 4596	3436	atiesrx.exe	87
PID 3436 wrote to memory of 4596	3436	atiesrx.exe	87
PID 3436 wrote to memory of 4596	3436	atiesrx.exe	87
PID 3436 wrote to memory of 4596	3436	atiesrx.exe	87
PID 856 wrote to memory of 4964	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	86
PID 856 wrote to memory of 4964	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	86
PID 856 wrote to memory of 4964	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	86
PID 856 wrote to memory of 4964	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	86
PID 856 wrote to memory of 4964	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	86
PID 3436 wrote to memory of 1468	3436	atiesrx.exe	89
PID 3436 wrote to memory of 1468	3436	atiesrx.exe	89
PID 3436 wrote to memory of 1468	3436	atiesrx.exe	89
PID 856 wrote to memory of 1392	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	88
PID 856 wrote to memory of 1392	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	88
PID 856 wrote to memory of 1392	856	3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe	88
PID 4596 wrote to memory of 3124	4596	atiesrx.exe	90
PID 4596 wrote to memory of 3124	4596	atiesrx.exe	90
PID 4596 wrote to memory of 3124	4596	atiesrx.exe	90
PID 4596 wrote to memory of 3124	4596	atiesrx.exe	90
PID 4596 wrote to memory of 3124	4596	atiesrx.exe	90
PID 4596 wrote to memory of 3124	4596	atiesrx.exe	90
PID 4596 wrote to memory of 3124	4596	atiesrx.exe	90
PID 4596 wrote to memory of 3124	4596	atiesrx.exe	90
PID 4596 wrote to memory of 2584	4596	atiesrx.exe	91
PID 4596 wrote to memory of 2584	4596	atiesrx.exe	91
PID 4596 wrote to memory of 2584	4596	atiesrx.exe	91
PID 4596 wrote to memory of 3480	4596	atiesrx.exe	92
PID 4596 wrote to memory of 3480	4596	atiesrx.exe	92
PID 4596 wrote to memory of 3480	4596	atiesrx.exe	92
PID 4596 wrote to memory of 3480	4596	atiesrx.exe	92
PID 4596 wrote to memory of 3480	4596	atiesrx.exe	92
PID 4596 wrote to memory of 3480	4596	atiesrx.exe	92
PID 4596 wrote to memory of 3480	4596	atiesrx.exe	92
PID 4596 wrote to memory of 3480	4596	atiesrx.exe	92
PID 4596 wrote to memory of 4492	4596	atiesrx.exe	93
PID 4596 wrote to memory of 4492	4596	atiesrx.exe	93
PID 4596 wrote to memory of 4492	4596	atiesrx.exe	93
PID 4596 wrote to memory of 4492	4596	atiesrx.exe	93
PID 4596 wrote to memory of 4492	4596	atiesrx.exe	93
PID 4596 wrote to memory of 4492	4596	atiesrx.exe	93
PID 4596 wrote to memory of 4492	4596	atiesrx.exe	93
PID 4596 wrote to memory of 4492	4596	atiesrx.exe	93
PID 4596 wrote to memory of 4408	4596	atiesrx.exe	97

C:\Users\Admin\AppData\Local\Temp\3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
"C:\Users\Admin\AppData\Local\Temp\3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
  "C:\Users\Admin\AppData\Local\Temp\3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Users\Admin\AppData\Local\Temp\3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe
    "C:\Users\Admin\AppData\Local\Temp\3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe"
    3⤵
    - Checks whether UAC is enabled
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
    3⤵
    - Executes dropped EXE
    PID:1392
- C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:3124
    - - C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:3480
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:4492
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:4408
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:3424
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:656
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:632
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:700
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:3452
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:4312
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:4576
    - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        5⤵
        Executes dropped EXE
        
        PID:628
  - - C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
      4⤵
      Executes dropped EXE
      PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b.exe.log

Filesize
496B

MD5
cb76b18ebed3a9f05a14aed43d35fba6

SHA1
836a4b4e351846fca08b84149cb734cb59b8c0d6

SHA256
8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

SHA512
7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\atiesrx.exe.log

Filesize
496B

MD5
cb76b18ebed3a9f05a14aed43d35fba6

SHA1
836a4b4e351846fca08b84149cb734cb59b8c0d6

SHA256
8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

SHA512
7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
7KB

MD5
75e2b1e76cfa816dc39afe47a71bf1e6

SHA1
8684430c09c4d7e3ef7e9fe9d25c9e4cf6fc39bf

SHA256
96f866ee12f737f05c398bba493049ba11a433dc4a1f7bc6bc697cd15ec21042

SHA512
6ddb18eaf80bc49fc561ab7bc8a0308444b79f440f6ca08f9c901e29dd55362c3206f239866654ff0bc0fb3c92d9fce64b1d7ebf287f6ee775b4a91fd702fb5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
7KB

MD5
75e2b1e76cfa816dc39afe47a71bf1e6

SHA1
8684430c09c4d7e3ef7e9fe9d25c9e4cf6fc39bf

SHA256
96f866ee12f737f05c398bba493049ba11a433dc4a1f7bc6bc697cd15ec21042

SHA512
6ddb18eaf80bc49fc561ab7bc8a0308444b79f440f6ca08f9c901e29dd55362c3206f239866654ff0bc0fb3c92d9fce64b1d7ebf287f6ee775b4a91fd702fb5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
7KB

MD5
75e2b1e76cfa816dc39afe47a71bf1e6

SHA1
8684430c09c4d7e3ef7e9fe9d25c9e4cf6fc39bf

SHA256
96f866ee12f737f05c398bba493049ba11a433dc4a1f7bc6bc697cd15ec21042

SHA512
6ddb18eaf80bc49fc561ab7bc8a0308444b79f440f6ca08f9c901e29dd55362c3206f239866654ff0bc0fb3c92d9fce64b1d7ebf287f6ee775b4a91fd702fb5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
7KB

MD5
75e2b1e76cfa816dc39afe47a71bf1e6

SHA1
8684430c09c4d7e3ef7e9fe9d25c9e4cf6fc39bf

SHA256
96f866ee12f737f05c398bba493049ba11a433dc4a1f7bc6bc697cd15ec21042

SHA512
6ddb18eaf80bc49fc561ab7bc8a0308444b79f440f6ca08f9c901e29dd55362c3206f239866654ff0bc0fb3c92d9fce64b1d7ebf287f6ee775b4a91fd702fb5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
7KB

MD5
75e2b1e76cfa816dc39afe47a71bf1e6

SHA1
8684430c09c4d7e3ef7e9fe9d25c9e4cf6fc39bf

SHA256
96f866ee12f737f05c398bba493049ba11a433dc4a1f7bc6bc697cd15ec21042

SHA512
6ddb18eaf80bc49fc561ab7bc8a0308444b79f440f6ca08f9c901e29dd55362c3206f239866654ff0bc0fb3c92d9fce64b1d7ebf287f6ee775b4a91fd702fb5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
367KB

MD5
12f37f82ebcbcd459eb0116f3755c9ba

SHA1
5f52fee0433948de413003b97c72fa5bf4dba78c

SHA256
3f53417e31696760acfd0eeaaf65e472f245cdafbdbaa6cfbe82696be7a50f4b

SHA512
c04996d7e87fb30226cc059058ece91106ed4c40727532977c2db977dd9dc22b47d78238a363c4e0accec90112d6cb1f4e43b73b9a63033c346793929eea2fd2

Download Submit
memory/396-133-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/396-132-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/396-148-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/628-238-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/632-213-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/632-214-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/656-208-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/656-209-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/700-218-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/700-219-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/808-146-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/808-143-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/808-149-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/856-170-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/856-145-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/856-136-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1392-172-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1392-168-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1392-164-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1468-173-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1468-169-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1468-165-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/2584-188-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/2584-182-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3124-181-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3124-183-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3124-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3424-203-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3424-204-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3436-144-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3436-171-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3436-147-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3452-223-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3452-224-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3480-187-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3480-189-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4312-229-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4312-228-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4408-199-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4408-198-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4492-193-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4492-194-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4576-233-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4576-234-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4596-152-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4596-162-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4596-166-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4964-163-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4964-167-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download