Analysis
- max time kernel: 196s
- max time network: 194s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-03-2023 21:36
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
darkcomet
IDMAN
arrivals.ddns.net:2323
DC_MUTEX-391X2ZJ
- InstallPath: MSDCSC\IDMAN.exe
- gencode: CUWbhGwmWBMb
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: IDMAN
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: CRACKED.EXE
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\IDMAN.exe" (CRACKED.EXE)
Modifies firewall policy service 2 TTPs 12 IoCs
Processes: CRACKED.EXE, IDMAN.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (CRACKED.EXE)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (CRACKED.EXE)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (CRACKED.EXE)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (IDMAN.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (IDMAN.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (IDMAN.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: CRACKED.EXE
- Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (CRACKED.EXE)
Executes dropped EXE 9 IoCs
Processes: CRACKED.EXE, NANOCORE.EXE, IDMAN.exe
- pid 1624: CRACKED.EXE
- pid 3928: NANOCORE.EXE
- pid 4356: IDMAN.exe
- pid 1688: CRACKED.EXE
- pid 2676: NANOCORE.EXE
- pid 3928: CRACKED.EXE
- pid 4220: NANOCORE.EXE
- pid 2144: CRACKED.EXE
- pid 3432: NANOCORE.EXE
Adds Run key to start application 2 TTPs 2 IoCs
Processes: IDMAN.exe, CRACKED.EXE
- Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMAN = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\IDMAN.exe" (IDMAN.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMAN = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\IDMAN.exe" (CRACKED.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: dw20.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (dw20.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (dw20.exe)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (dw20.exe)
Enumerates system info in registry 2 TTPs 8 IoCs
Processes: dw20.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (dw20.exe)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (dw20.exe)
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes: iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 575ec7859e45d901 (iexplore.exe)
Modifies registry class 2 IoCs
Processes: OpenWith.exe, iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings (OpenWith.exe)
- Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings (iexplore.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: taskmgr.exe (pid 3744)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: IDMAN.exe (pid 4356), taskmgr.exe (pid 3744)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: CRACKED.EXE, IDMAN.exe, dw20.exe
- pid 1624 CRACKED.EXE: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- pid 4356 IDMAN.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- pid 4776 dw20.exe: SeBackupPrivilege
- pid 1688 CRACKED.EXE: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: iexplore.exe (pid 2352), taskmgr.exe (pid 3744)
Suspicious use of SendNotifyMessage 64 IoCs
Processes: taskmgr.exe (pid 3744)
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: iexplore.exe (pid 2352), IEXPLORE.EXE (pid 1008), IDMAN.exe (pid 4356), OpenWith.exe (pid 4428)
Suspicious use of WriteProcessMemory 56 IoCs
Processes: iexplore.exe, NanoCore.exe, CRACKED.EXE, IDMAN.exe, NANOCORE.EXE
- PID 2352 (iexplore.exe) wrote to memory of 1008 (IEXPLORE.EXE)
- PID 3896 (NanoCore.exe) wrote to memory of 1624 (CRACKED.EXE)
- PID 3896 (NanoCore.exe) wrote to memory of 3928 (NANOCORE.EXE)
- PID 1624 (CRACKED.EXE) wrote to memory of 4356 (IDMAN.exe)
- PID 4356 (IDMAN.exe) wrote to memory of 788 (notepad.exe)
- PID 3928 (NANOCORE.EXE) wrote to memory of 4776 (dw20.exe)
- PID 3912 (NanoCore.exe) wrote to memory of 1688 (CRACKED.EXE)
- PID 3912 (NanoCore.exe) wrote to memory of 2676 (NANOCORE.EXE)
- PID 2676 (NANOCORE.EXE) wrote to memory of 1624 (dw20.exe)
- PID 4620 (NanoCore.exe) wrote to memory of 3928 (CRACKED.EXE)
- PID 4620 (NanoCore.exe) wrote to memory of 4220 (NANOCORE.EXE)
- PID 4220 (NANOCORE.EXE) wrote to memory of 4360 (dw20.exe)
- PID 544 (NanoCore.exe) wrote to memory of 2144 (CRACKED.EXE)
- PID 544 (NanoCore.exe) wrote to memory of 3432 (NANOCORE.EXE)
- PID 3432 (NANOCORE.EXE) wrote to memory of 2208 (dw20.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/daedalus/NanoCore/archive/refs/heads/master.zip
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\NanoCore-master\NanoCore-master\sample\NanoCore.exe
  Command line: "C:\Users\Admin\Downloads\NanoCore-master\NanoCore-master\sample\NanoCore.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\CRACKED.EXE
      Command line: "C:\Users\Admin\AppData\Roaming\CRACKED.EXE"
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe
          Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"
          - Modifies firewall policy service
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\notepad.exe
              Command line: notepad
    C:\Users\Admin\AppData\Roaming\NANOCORE.EXE
      Command line: "C:\Users\Admin\AppData\Roaming\NANOCORE.EXE"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 1248
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\Downloads\NanoCore-master\NanoCore-master\sample\NanoCore.exe
  Command line: "C:\Users\Admin\Downloads\NanoCore-master\NanoCore-master\sample\NanoCore.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\CRACKED.EXE
      Command line: "C:\Users\Admin\AppData\Roaming\CRACKED.EXE"
      - Modifies firewall policy service
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\NANOCORE.EXE
      Command line: "C:\Users\Admin\AppData\Roaming\NANOCORE.EXE"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 1216
          - Checks processor information in registry
          - Enumerates system info in registry
C:\Users\Admin\Downloads\NanoCore-master\NanoCore-master\sample\NanoCore.exe
  Command line: "C:\Users\Admin\Downloads\NanoCore-master\NanoCore-master\sample\NanoCore.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\CRACKED.EXE
      Command line: "C:\Users\Admin\AppData\Roaming\CRACKED.EXE"
      - Modifies firewall policy service
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\NANOCORE.EXE
      Command line: "C:\Users\Admin\AppData\Roaming\NANOCORE.EXE"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 1224
          - Checks processor information in registry
          - Enumerates system info in registry
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Users\Admin\Downloads\NanoCore-master\NanoCore-master\sample\NanoCore.exe
  Command line: "C:\Users\Admin\Downloads\NanoCore-master\NanoCore-master\sample\NanoCore.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\CRACKED.EXE
      Command line: "C:\Users\Admin\AppData\Roaming\CRACKED.EXE"
      - Modifies firewall policy service
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\NANOCORE.EXE
      Command line: "C:\Users\Admin\AppData\Roaming\NANOCORE.EXE"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 1204
          - Checks processor information in registry
          - Enumerates system info in registry
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\NanoCore-master[1].zipFilesize
3.0MB
MD54f1255d0e897c466f337d9707a55c218
SHA169bbae2a275f5cf245f7537d7d62e0f941428f13
SHA256110c0ac80f4d6a7e73183cf5a98f83440943afe69abca9a572ca4a4e54de7d13
SHA5120bd0f4d536d215e5d73a1791399e91a0bc18182488df3e87ff29b66b9d6232b06b766582cb5e66723d7ddcd7b2593fc25eaddfa0aadbdd02d2a23ec4c366729b
-
C:\Users\Admin\AppData\Roaming\CRACKED.EXEFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\CRACKED.EXEFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\CRACKED.EXEFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\CRACKED.EXEFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\CRACKED.EXEFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\CRACKED.EXEFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\CRACKED.EXEFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\CRACKED.EXEFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\CRACKED.EXEFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exeFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exeFilesize
659KB
MD594c5b3199414b8fca9f134724acdd88e
SHA16c95291364476fc10c4e343120225dae72d11233
SHA256dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA5125fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
-
C:\Users\Admin\AppData\Roaming\NANOCORE.EXEFilesize
403KB
MD5d902fb22b92a7455eeac95712e9c2179
SHA18e4e0d0965055517c1ddef8442cf74c4f3d700af
SHA25658f962401b52e043325cec66d88ad73032165cd0b8c3de1ec95292d83416b81f
SHA512d097b22e30c20322c30f464dabf5bffeedc3e3728b82911db5f3ba79735915a3bb0fbc4bce65a153f665dc5e04ba93b6000d4230f8610bd17dbe3d625dff4269
-
C:\Users\Admin\Downloads\NanoCore-master.zip.wos3fq9.partial
Filesize 3.0MB
MD5 4f1255d0e897c466f337d9707a55c218
SHA1 69bbae2a275f5cf245f7537d7d62e0f941428f13
SHA256 110c0ac80f4d6a7e73183cf5a98f83440943afe69abca9a572ca4a4e54de7d13
SHA512 0bd0f4d536d215e5d73a1791399e91a0bc18182488df3e87ff29b66b9d6232b06b766582cb5e66723d7ddcd7b2593fc25eaddfa0aadbdd02d2a23ec4c366729b