nanocore | e844192fb4c52758db729e18e8898fe0921bdbe1e2d3ac3da6a6b5d2cedecb71

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-10-2023 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f80bd53a58316d8fb43c24725c923ff2.exe
Size

4.1MB
MD5

f80bd53a58316d8fb43c24725c923ff2
SHA1

45c116a5e5e1680c47dd01605aa5d5033b436162
SHA256

e844192fb4c52758db729e18e8898fe0921bdbe1e2d3ac3da6a6b5d2cedecb71
SHA512

3a0f0dcba8a4cbe3a9185f8965a9201e0fdfd0179fb374fbb590bfb717d71ad6a102a890322ba69447bb7ba16f6dd583af9a92c673cb34a2ddef21876ecd3634
SSDEEP

98304:FzEls77BGpj21HbwiWDO7PLgJSZdhmrJcgltWjW6ftjkn/0L4yGZ//2LXWAgUq:F17tGKHbIDO7DMorOqglAj3Sq4P2LmxU

Score

10^/10

nanocore quasar warzonerat slave evasion infostealer keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:54984

nojewsjwooujweq.duckdns.org:54984

Mutex

1da888af-eaab-4d01-bce7-7d314165f9b1

Attributes

activate_away_mode
true
backup_connection_host
nojewsjwooujweq.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-07-18T15:13:25.638938236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1da888af-eaab-4d01-bce7-7d314165f9b1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
fgudhiiugiufgifufgihdhuidfxgd.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

warzonerat

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:5200

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:4782

Mutex

c01ef685-50b2-41b1-af94-aee5bc04e6fd

Attributes

encryption_key
6550C5FD133683B3330870C778B7DB73E923F472
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 9 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
behavioral1/memory/2776-34-0x0000000000AB0000-0x0000000000DD4000-memory.dmp	family_quasar
behavioral1/memory/2712-44-0x000000001B6C0000-0x000000001B740000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\svchost.exe	family_quasar
behavioral1/memory/2208-80-0x0000000000930000-0x0000000000C54000-memory.dmp	family_quasar
C:\Windows\system32\SubDir\svchost.exe	family_quasar
C:\Windows\System32\SubDir\svchost.exe	family_quasar

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
\Users\Admin\Documents\svchost.exe	warzonerat
C:\Users\Admin\Documents\svchost.exe	warzonerat
\Users\Admin\Documents\svchost.exe	warzonerat
C:\Users\Admin\Documents\svchost.exe	warzonerat

Executes dropped EXE 7 IoCs

Processes:

nanocore_payload.exepm_payload.exewz_payload.exesystemq.exesvchost.exesvchost.exeSyncRoot.exe

pid process

2608 nanocore_payload.exe
2712 pm_payload.exe
2872 wz_payload.exe
2776 systemq.exe
1648 svchost.exe
2208 svchost.exe
2988 SyncRoot.exe

pid	process
2608	nanocore_payload.exe
2712	pm_payload.exe
2872	wz_payload.exe
2776	systemq.exe
1648	svchost.exe
2208	svchost.exe
2988	SyncRoot.exe

Loads dropped DLL 9 IoCs

Processes:

f80bd53a58316d8fb43c24725c923ff2.exewz_payload.exetaskeng.exe

pid	process
2304	f80bd53a58316d8fb43c24725c923ff2.exe
2304	f80bd53a58316d8fb43c24725c923ff2.exe
2304	f80bd53a58316d8fb43c24725c923ff2.exe
2304	f80bd53a58316d8fb43c24725c923ff2.exe
2304	f80bd53a58316d8fb43c24725c923ff2.exe
2304	f80bd53a58316d8fb43c24725c923ff2.exe
2872	wz_payload.exe
2872	wz_payload.exe
1488	taskeng.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

nanocore_payload.exewz_payload.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Subsystem = "C:\\Program Files (x86)\\IMAP Subsystem\\imapss.exe"	nanocore_payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\Documents\\svchost.exe"	wz_payload.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nanocore_payload.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nanocore_payload.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nanocore_payload.exe

Drops file in System32 directory 6 IoCs

Processes:

systemq.exesvchost.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\svchost.exe	systemq.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	systemq.exe
File opened for modification	C:\Windows\system32\SubDir	systemq.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system32\SubDir	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SyncRoot.exe

description pid process target process

PID 2988 set thread context of 2928 2988 SyncRoot.exe AddInUtil.exe

description	pid	process	target process
PID 2988 set thread context of 2928	2988	SyncRoot.exe	AddInUtil.exe

Drops file in Program Files directory 2 IoCs

Processes:

nanocore_payload.exe

description	ioc	process
File created	C:\Program Files (x86)\IMAP Subsystem\imapss.exe	nanocore_payload.exe
File opened for modification	C:\Program Files (x86)\IMAP Subsystem\imapss.exe	nanocore_payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2948 schtasks.exe
752 schtasks.exe

pid	process
2948	schtasks.exe
752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exenanocore_payload.exepowershell.exepowershell.exeAddInUtil.exe

pid	process
2764	powershell.exe
2356	powershell.exe
2608	nanocore_payload.exe
2608	nanocore_payload.exe
2608	nanocore_payload.exe
2608	nanocore_payload.exe
2608	nanocore_payload.exe
2608	nanocore_payload.exe
1360	powershell.exe
1684	powershell.exe
2928	AddInUtil.exe
2928	AddInUtil.exe
2928	AddInUtil.exe
2928	AddInUtil.exe
2928	AddInUtil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nanocore_payload.exe

pid process

2608 nanocore_payload.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

svchost.exe

pid process

1648 svchost.exe

pid	process
2608	nanocore_payload.exe

pid	process
1648	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exesystemq.exepowershell.exenanocore_payload.exepm_payload.exesvchost.exepowershell.exepowershell.exeSyncRoot.exeAddInUtil.exe

description	pid	process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2776	systemq.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2608	nanocore_payload.exe
Token: SeDebugPrivilege	2712	pm_payload.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2988	SyncRoot.exe
Token: SeDebugPrivilege	2928	AddInUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2208 svchost.exe

pid	process
2208	svchost.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

f80bd53a58316d8fb43c24725c923ff2.exewz_payload.exesystemq.exesvchost.exesvchost.exetaskeng.exetaskeng.exeSyncRoot.exe

description	pid	process	target process
PID 2304 wrote to memory of 2764	2304	f80bd53a58316d8fb43c24725c923ff2.exe	powershell.exe
PID 2304 wrote to memory of 2764	2304	f80bd53a58316d8fb43c24725c923ff2.exe	powershell.exe
PID 2304 wrote to memory of 2764	2304	f80bd53a58316d8fb43c24725c923ff2.exe	powershell.exe
PID 2304 wrote to memory of 2764	2304	f80bd53a58316d8fb43c24725c923ff2.exe	powershell.exe
PID 2304 wrote to memory of 2608	2304	f80bd53a58316d8fb43c24725c923ff2.exe	nanocore_payload.exe
PID 2304 wrote to memory of 2608	2304	f80bd53a58316d8fb43c24725c923ff2.exe	nanocore_payload.exe
PID 2304 wrote to memory of 2608	2304	f80bd53a58316d8fb43c24725c923ff2.exe	nanocore_payload.exe
PID 2304 wrote to memory of 2608	2304	f80bd53a58316d8fb43c24725c923ff2.exe	nanocore_payload.exe
PID 2304 wrote to memory of 2712	2304	f80bd53a58316d8fb43c24725c923ff2.exe	pm_payload.exe
PID 2304 wrote to memory of 2712	2304	f80bd53a58316d8fb43c24725c923ff2.exe	pm_payload.exe
PID 2304 wrote to memory of 2712	2304	f80bd53a58316d8fb43c24725c923ff2.exe	pm_payload.exe
PID 2304 wrote to memory of 2712	2304	f80bd53a58316d8fb43c24725c923ff2.exe	pm_payload.exe
PID 2304 wrote to memory of 2872	2304	f80bd53a58316d8fb43c24725c923ff2.exe	wz_payload.exe
PID 2304 wrote to memory of 2872	2304	f80bd53a58316d8fb43c24725c923ff2.exe	wz_payload.exe
PID 2304 wrote to memory of 2872	2304	f80bd53a58316d8fb43c24725c923ff2.exe	wz_payload.exe
PID 2304 wrote to memory of 2872	2304	f80bd53a58316d8fb43c24725c923ff2.exe	wz_payload.exe
PID 2304 wrote to memory of 2776	2304	f80bd53a58316d8fb43c24725c923ff2.exe	systemq.exe
PID 2304 wrote to memory of 2776	2304	f80bd53a58316d8fb43c24725c923ff2.exe	systemq.exe
PID 2304 wrote to memory of 2776	2304	f80bd53a58316d8fb43c24725c923ff2.exe	systemq.exe
PID 2304 wrote to memory of 2776	2304	f80bd53a58316d8fb43c24725c923ff2.exe	systemq.exe
PID 2872 wrote to memory of 2356	2872	wz_payload.exe	powershell.exe
PID 2872 wrote to memory of 2356	2872	wz_payload.exe	powershell.exe
PID 2872 wrote to memory of 2356	2872	wz_payload.exe	powershell.exe
PID 2872 wrote to memory of 2356	2872	wz_payload.exe	powershell.exe
PID 2776 wrote to memory of 2948	2776	systemq.exe	schtasks.exe
PID 2776 wrote to memory of 2948	2776	systemq.exe	schtasks.exe
PID 2776 wrote to memory of 2948	2776	systemq.exe	schtasks.exe
PID 2872 wrote to memory of 1648	2872	wz_payload.exe	svchost.exe
PID 2872 wrote to memory of 1648	2872	wz_payload.exe	svchost.exe
PID 2872 wrote to memory of 1648	2872	wz_payload.exe	svchost.exe
PID 2872 wrote to memory of 1648	2872	wz_payload.exe	svchost.exe
PID 2776 wrote to memory of 2208	2776	systemq.exe	svchost.exe
PID 2776 wrote to memory of 2208	2776	systemq.exe	svchost.exe
PID 2776 wrote to memory of 2208	2776	systemq.exe	svchost.exe
PID 1648 wrote to memory of 1360	1648	svchost.exe	powershell.exe
PID 1648 wrote to memory of 1360	1648	svchost.exe	powershell.exe
PID 1648 wrote to memory of 1360	1648	svchost.exe	powershell.exe
PID 1648 wrote to memory of 1360	1648	svchost.exe	powershell.exe
PID 2208 wrote to memory of 752	2208	svchost.exe	schtasks.exe
PID 2208 wrote to memory of 752	2208	svchost.exe	schtasks.exe
PID 2208 wrote to memory of 752	2208	svchost.exe	schtasks.exe
PID 1648 wrote to memory of 2344	1648	svchost.exe	cmd.exe
PID 1648 wrote to memory of 2344	1648	svchost.exe	cmd.exe
PID 1648 wrote to memory of 2344	1648	svchost.exe	cmd.exe
PID 1648 wrote to memory of 2344	1648	svchost.exe	cmd.exe
PID 1648 wrote to memory of 2344	1648	svchost.exe	cmd.exe
PID 1648 wrote to memory of 2344	1648	svchost.exe	cmd.exe
PID 1144 wrote to memory of 1684	1144	taskeng.exe	powershell.exe
PID 1144 wrote to memory of 1684	1144	taskeng.exe	powershell.exe
PID 1144 wrote to memory of 1684	1144	taskeng.exe	powershell.exe
PID 1488 wrote to memory of 2988	1488	taskeng.exe	SyncRoot.exe
PID 1488 wrote to memory of 2988	1488	taskeng.exe	SyncRoot.exe
PID 1488 wrote to memory of 2988	1488	taskeng.exe	SyncRoot.exe
PID 2988 wrote to memory of 2928	2988	SyncRoot.exe	AddInUtil.exe
PID 2988 wrote to memory of 2928	2988	SyncRoot.exe	AddInUtil.exe
PID 2988 wrote to memory of 2928	2988	SyncRoot.exe	AddInUtil.exe
PID 2988 wrote to memory of 2928	2988	SyncRoot.exe	AddInUtil.exe
PID 2988 wrote to memory of 2928	2988	SyncRoot.exe	AddInUtil.exe
PID 2988 wrote to memory of 2928	2988	SyncRoot.exe	AddInUtil.exe
PID 2988 wrote to memory of 2928	2988	SyncRoot.exe	AddInUtil.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f80bd53a58316d8fb43c24725c923ff2.exe
"C:\Users\Admin\AppData\Local\Temp\f80bd53a58316d8fb43c24725c923ff2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAaAB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAcgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbQBzACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Users\Admin\AppData\Local\Temp\pm_payload.exe
"C:\Users\Admin\AppData\Local\Temp\pm_payload.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
"C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Users\Admin\AppData\Local\Temp\wz_payload.exe
"C:\Users\Admin\AppData\Local\Temp\wz_payload.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Users\Admin\Documents\svchost.exe
"C:\Users\Admin\Documents\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\systemq.exe
"C:\Users\Admin\AppData\Local\Temp\systemq.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\SubDir\svchost.exe
"C:\Windows\system32\SubDir\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:752

C:\Windows\system32\taskeng.exe
taskeng.exe {9C103686-2822-4448-9E25-52BB0DE27EFA} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\taskeng.exe
taskeng.exe {6BFEC69F-D615-4EEA-9D1B-1D892E8D38D9} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Roaming\Key\SyncRoot.exe
C:\Users\Admin\AppData\Roaming\Key\SyncRoot.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe

Filesize
202KB

MD5
8b31cbd0f87d48349f9c32f0277044d6

SHA1
76852e00cb42c41b7885a260b55cd626c29b57d8

SHA256
15f43e7843401484c486ddcfcf8119d2cd0f29f2e99017f4c96c83e530a91b17

SHA512
18c37e95db0d2d20795783906ed21dfc9aace21066c621e7e45e926053d46d48205e18d8a3633381857e947f680237a6503667bd88ba94da37f167cae0e88f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe

Filesize
202KB

MD5
8b31cbd0f87d48349f9c32f0277044d6

SHA1
76852e00cb42c41b7885a260b55cd626c29b57d8

SHA256
15f43e7843401484c486ddcfcf8119d2cd0f29f2e99017f4c96c83e530a91b17

SHA512
18c37e95db0d2d20795783906ed21dfc9aace21066c621e7e45e926053d46d48205e18d8a3633381857e947f680237a6503667bd88ba94da37f167cae0e88f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe

Filesize
202KB

MD5
8b31cbd0f87d48349f9c32f0277044d6

SHA1
76852e00cb42c41b7885a260b55cd626c29b57d8

SHA256
15f43e7843401484c486ddcfcf8119d2cd0f29f2e99017f4c96c83e530a91b17

SHA512
18c37e95db0d2d20795783906ed21dfc9aace21066c621e7e45e926053d46d48205e18d8a3633381857e947f680237a6503667bd88ba94da37f167cae0e88f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm_payload.exe

Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm_payload.exe

Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemq.exe

Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemq.exe

Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Users\Admin\AppData\Roaming\Key\SyncRoot.exe

Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
C:\Users\Admin\AppData\Roaming\Key\SyncRoot.exe

Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
C:\Users\Admin\AppData\Roaming\Key\SyncRoot.exe

Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\34MWBORI6GQXQ9E407EA.temp

Filesize
7KB

MD5
5209e79de4f0874a1f6773cd29a4eec3

SHA1
684a7738c11b421b293dc35e736b054684b935ae

SHA256
c8fd7a3e10f9b9e5718451ac37e2d9b13b2c36656d3db6703600da4b09451032

SHA512
1f85a41db8d9e3f0c7ef51e91c6e260eeb6f2e02ae892a2cfcedc6e1297a0a462c8dc4c37269e5fe0b7786ee14d702a027ceacbe3f2667c2df10d35c99220548

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5209e79de4f0874a1f6773cd29a4eec3

SHA1
684a7738c11b421b293dc35e736b054684b935ae

SHA256
c8fd7a3e10f9b9e5718451ac37e2d9b13b2c36656d3db6703600da4b09451032

SHA512
1f85a41db8d9e3f0c7ef51e91c6e260eeb6f2e02ae892a2cfcedc6e1297a0a462c8dc4c37269e5fe0b7786ee14d702a027ceacbe3f2667c2df10d35c99220548

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5209e79de4f0874a1f6773cd29a4eec3

SHA1
684a7738c11b421b293dc35e736b054684b935ae

SHA256
c8fd7a3e10f9b9e5718451ac37e2d9b13b2c36656d3db6703600da4b09451032

SHA512
1f85a41db8d9e3f0c7ef51e91c6e260eeb6f2e02ae892a2cfcedc6e1297a0a462c8dc4c37269e5fe0b7786ee14d702a027ceacbe3f2667c2df10d35c99220548

Download Submit
C:\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Windows\System32\SubDir\svchost.exe

Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
C:\Windows\System32\SubDir\svchost.exe

Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
C:\Windows\system32\SubDir\svchost.exe

Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
\Users\Admin\AppData\Local\Temp\nanocore_payload.exe

Filesize
202KB

MD5
8b31cbd0f87d48349f9c32f0277044d6

SHA1
76852e00cb42c41b7885a260b55cd626c29b57d8

SHA256
15f43e7843401484c486ddcfcf8119d2cd0f29f2e99017f4c96c83e530a91b17

SHA512
18c37e95db0d2d20795783906ed21dfc9aace21066c621e7e45e926053d46d48205e18d8a3633381857e947f680237a6503667bd88ba94da37f167cae0e88f7b

Download Submit
\Users\Admin\AppData\Local\Temp\nanocore_payload.exe

Filesize
202KB

MD5
8b31cbd0f87d48349f9c32f0277044d6

SHA1
76852e00cb42c41b7885a260b55cd626c29b57d8

SHA256
15f43e7843401484c486ddcfcf8119d2cd0f29f2e99017f4c96c83e530a91b17

SHA512
18c37e95db0d2d20795783906ed21dfc9aace21066c621e7e45e926053d46d48205e18d8a3633381857e947f680237a6503667bd88ba94da37f167cae0e88f7b

Download Submit
\Users\Admin\AppData\Local\Temp\pm_payload.exe

Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
\Users\Admin\AppData\Local\Temp\systemq.exe

Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
\Users\Admin\AppData\Local\Temp\wz_payload.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
\Users\Admin\AppData\Local\Temp\wz_payload.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
\Users\Admin\AppData\Roaming\Key\SyncRoot.exe

Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
memory/1360-92-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-90-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-97-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-95-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/1360-93-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/1360-91-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/1684-112-0x000007FEEB8C0000-0x000007FEEC25D000-memory.dmp

Filesize
9.6MB

Download
memory/1684-110-0x0000000019D30000-0x000000001A012000-memory.dmp

Filesize
2.9MB

Download
memory/1684-111-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/1684-115-0x00000000013E0000-0x0000000001460000-memory.dmp

Filesize
512KB

Download
memory/1684-114-0x00000000013E0000-0x0000000001460000-memory.dmp

Filesize
512KB

Download
memory/1684-117-0x00000000013E0000-0x0000000001460000-memory.dmp

Filesize
512KB

Download
memory/1684-116-0x000007FEEB8C0000-0x000007FEEC25D000-memory.dmp

Filesize
9.6MB

Download
memory/1684-118-0x00000000013E0000-0x0000000001460000-memory.dmp

Filesize
512KB

Download
memory/1684-119-0x000007FEEB8C0000-0x000007FEEC25D000-memory.dmp

Filesize
9.6MB

Download
memory/2208-82-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download
memory/2208-81-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-80-0x0000000000930000-0x0000000000C54000-memory.dmp

Filesize
3.1MB

Download
memory/2208-113-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2344-100-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2344-102-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2356-57-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2356-75-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2356-56-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2356-58-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2608-47-0x0000000000560000-0x00000000005A0000-memory.dmp

Filesize
256KB

Download
memory/2608-35-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-94-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-36-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-99-0x0000000000560000-0x00000000005A0000-memory.dmp

Filesize
256KB

Download
memory/2712-96-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-98-0x000000001B6C0000-0x000000001B740000-memory.dmp

Filesize
512KB

Download
memory/2712-60-0x0000000000690000-0x00000000006DC000-memory.dmp

Filesize
304KB

Download
memory/2712-67-0x00000000008E0000-0x0000000000934000-memory.dmp

Filesize
336KB

Download
memory/2712-33-0x000000013FF40000-0x000000013FFE2000-memory.dmp

Filesize
648KB

Download
memory/2712-122-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-44-0x000000001B6C0000-0x000000001B740000-memory.dmp

Filesize
512KB

Download
memory/2712-59-0x0000000000630000-0x0000000000686000-memory.dmp

Filesize
344KB

Download
memory/2712-37-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-39-0x000000001BB50000-0x000000001BC52000-memory.dmp

Filesize
1.0MB

Download
memory/2764-41-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-42-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/2764-43-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-48-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/2764-49-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/2764-76-0x0000000073860000-0x0000000073E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-34-0x0000000000AB0000-0x0000000000DD4000-memory.dmp

Filesize
3.1MB

Download
memory/2776-40-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-45-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2776-77-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-133-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2928-134-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2928-148-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2928-146-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2928-132-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2928-150-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2928-130-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2928-149-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2928-136-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2928-147-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2928-140-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-141-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2928-145-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-143-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2928-144-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2988-131-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/2988-142-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-137-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/2988-129-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/2988-128-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-127-0x000000013F1E0000-0x000000013F282000-memory.dmp

Filesize
648KB

Download