nanocore | d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef284d2e02d57b7090632e1bf06b8fa3.exe
Size

3.7MB
MD5

ef284d2e02d57b7090632e1bf06b8fa3
SHA1

85c5c5dc98d3d49478635f1d846761ab21ff7827
SHA256

d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7
SHA512

2d2e4c7d85626be637b5f959b72de9493759adfff7a6e4a7a640f7a02102b68714f039f85570770952f9b7546a6664c0f7879fc5e07ff3a83e630808069dfb57
SSDEEP

3072:WM/ZmolMbeDeDejyCeaev0beJ0kXC0ex75qlyrBmkepbe3eTLe3UzoeyeYHIHO+r:

Score

10^/10

nanocore defense_evasion discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

backu4734.duckdns.org:8092

Mutex

ccf3c62d-d356-4a80-bb94-307bc35a5e01

Attributes

activate_away_mode
false
backup_connection_host
backu4734.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-01-05T15:22:20.555580436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8092
default_group
Backup
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ccf3c62d-d356-4a80-bb94-307bc35a5e01
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
backu4734.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Windows security bypass 2 TTPs 3 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	ef284d2e02d57b7090632e1bf06b8fa3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe = "0"	ef284d2e02d57b7090632e1bf06b8fa3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe = "0"	ef284d2e02d57b7090632e1bf06b8fa3.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3192	powershell.exe
1976	powershell.exe
2020	powershell.exe
2032	powershell.exe
2560	powershell.exe
2524	powershell.exe
4376	powershell.exe
3400	powershell.exe
3324	powershell.exe
5080	powershell.exe
3232	powershell.exe
560	powershell.exe
3088	powershell.exe
5040	powershell.exe
4440	powershell.exe
5520	powershell.exe
4444	powershell.exe
5060	powershell.exe
384	powershell.exe
3304	powershell.exe
3756	powershell.exe
3128	powershell.exe
3548	powershell.exe
5456	powershell.exe
5544	powershell.exe
2608	powershell.exe
3160	powershell.exe
4360	powershell.exe
4472	powershell.exe
2984	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	ef284d2e02d57b7090632e1bf06b8fa3.exe

Windows security modification 2 TTPs 4 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	ef284d2e02d57b7090632e1bf06b8fa3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	ef284d2e02d57b7090632e1bf06b8fa3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe = "0"	ef284d2e02d57b7090632e1bf06b8fa3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe = "0"	ef284d2e02d57b7090632e1bf06b8fa3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Host = "C:\\Program Files (x86)\\TCP Host\\tcphost.exe"	ef284d2e02d57b7090632e1bf06b8fa3.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ef284d2e02d57b7090632e1bf06b8fa3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
3680	ef284d2e02d57b7090632e1bf06b8fa3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3680 set thread context of 5904	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	162

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TCP Host\tcphost.exe	ef284d2e02d57b7090632e1bf06b8fa3.exe
File opened for modification	C:\Program Files (x86)\TCP Host\tcphost.exe	ef284d2e02d57b7090632e1bf06b8fa3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe	ef284d2e02d57b7090632e1bf06b8fa3.exe
File opened for modification	C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe	ef284d2e02d57b7090632e1bf06b8fa3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5352	3680	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef284d2e02d57b7090632e1bf06b8fa3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef284d2e02d57b7090632e1bf06b8fa3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5420	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6096	schtasks.exe
5368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3400	powershell.exe
3324	powershell.exe
2608	powershell.exe
3400	powershell.exe
3324	powershell.exe
2608	powershell.exe
3192	powershell.exe
3088	powershell.exe
4472	powershell.exe
3088	powershell.exe
3192	powershell.exe
4472	powershell.exe
1976	powershell.exe
5080	powershell.exe
4444	powershell.exe
1976	powershell.exe
5080	powershell.exe
4444	powershell.exe
3232	powershell.exe
3232	powershell.exe
3756	powershell.exe
3756	powershell.exe
2984	powershell.exe
2984	powershell.exe
2984	powershell.exe
3232	powershell.exe
3756	powershell.exe
3548	powershell.exe
2020	powershell.exe
2032	powershell.exe
3548	powershell.exe
2020	powershell.exe
2032	powershell.exe
560	powershell.exe
560	powershell.exe
3160	powershell.exe
3160	powershell.exe
5060	powershell.exe
5060	powershell.exe
560	powershell.exe
3160	powershell.exe
5060	powershell.exe
4440	powershell.exe
4440	powershell.exe
5040	powershell.exe
5040	powershell.exe
4360	powershell.exe
4360	powershell.exe
4440	powershell.exe
4360	powershell.exe
5040	powershell.exe
384	powershell.exe
384	powershell.exe
3128	powershell.exe
3128	powershell.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
384	powershell.exe
3128	powershell.exe
4376	powershell.exe
4376	powershell.exe
2524	powershell.exe
2524	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5904	ef284d2e02d57b7090632e1bf06b8fa3.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	5520	powershell.exe
Token: SeDebugPrivilege	5456	powershell.exe
Token: SeDebugPrivilege	5544	powershell.exe
Token: SeDebugPrivilege	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe
Token: SeDebugPrivilege	5904	ef284d2e02d57b7090632e1bf06b8fa3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 3400	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	90
PID 3680 wrote to memory of 3400	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	90
PID 3680 wrote to memory of 3400	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	90
PID 3680 wrote to memory of 3324	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	91
PID 3680 wrote to memory of 3324	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	91
PID 3680 wrote to memory of 3324	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	91
PID 3680 wrote to memory of 2608	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	94
PID 3680 wrote to memory of 2608	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	94
PID 3680 wrote to memory of 2608	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	94
PID 3680 wrote to memory of 3088	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	96
PID 3680 wrote to memory of 3088	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	96
PID 3680 wrote to memory of 3088	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	96
PID 3680 wrote to memory of 3192	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	115
PID 3680 wrote to memory of 3192	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	115
PID 3680 wrote to memory of 3192	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	115
PID 3680 wrote to memory of 4472	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	99
PID 3680 wrote to memory of 4472	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	99
PID 3680 wrote to memory of 4472	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	99
PID 3680 wrote to memory of 1976	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	102
PID 3680 wrote to memory of 1976	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	102
PID 3680 wrote to memory of 1976	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	102
PID 3680 wrote to memory of 5080	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	103
PID 3680 wrote to memory of 5080	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	103
PID 3680 wrote to memory of 5080	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	103
PID 3680 wrote to memory of 4444	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	106
PID 3680 wrote to memory of 4444	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	106
PID 3680 wrote to memory of 4444	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	106
PID 3680 wrote to memory of 3756	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	108
PID 3680 wrote to memory of 3756	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	108
PID 3680 wrote to memory of 3756	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	108
PID 3680 wrote to memory of 3232	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	109
PID 3680 wrote to memory of 3232	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	109
PID 3680 wrote to memory of 3232	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	109
PID 3680 wrote to memory of 2984	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	112
PID 3680 wrote to memory of 2984	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	112
PID 3680 wrote to memory of 2984	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	112
PID 3680 wrote to memory of 3548	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	116
PID 3680 wrote to memory of 3548	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	116
PID 3680 wrote to memory of 3548	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	116
PID 3680 wrote to memory of 2020	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	118
PID 3680 wrote to memory of 2020	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	118
PID 3680 wrote to memory of 2020	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	118
PID 3680 wrote to memory of 2032	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	120
PID 3680 wrote to memory of 2032	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	120
PID 3680 wrote to memory of 2032	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	120
PID 3680 wrote to memory of 560	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	124
PID 3680 wrote to memory of 560	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	124
PID 3680 wrote to memory of 560	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	124
PID 3680 wrote to memory of 3160	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	126
PID 3680 wrote to memory of 3160	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	126
PID 3680 wrote to memory of 3160	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	126
PID 3680 wrote to memory of 5060	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	128
PID 3680 wrote to memory of 5060	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	128
PID 3680 wrote to memory of 5060	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	128
PID 3680 wrote to memory of 5040	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	130
PID 3680 wrote to memory of 5040	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	130
PID 3680 wrote to memory of 5040	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	130
PID 3680 wrote to memory of 4440	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	131
PID 3680 wrote to memory of 4440	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	131
PID 3680 wrote to memory of 4440	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	131
PID 3680 wrote to memory of 4360	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	133
PID 3680 wrote to memory of 4360	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	133
PID 3680 wrote to memory of 4360	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	133
PID 3680 wrote to memory of 384	3680	ef284d2e02d57b7090632e1bf06b8fa3.exe	137

C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe
"C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe"
1⤵
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3160
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5992
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5420
- C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe
  "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe"
  2⤵
  PID:5896
- C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe
  "C:\Users\Admin\AppData\Local\Temp\ef284d2e02d57b7090632e1bf06b8fa3.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:5904
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "TCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2611.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:6096
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "TCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp276A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1916
  2⤵
  - Program crash
  PID:5352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3680 -ip 3680
1⤵
PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
16529e0ca141bca0cf71dc625a92863e

SHA1
98104169ba47caac6c0da1bc01f8ccfd529be5da

SHA256
ae776200c92c047d2c28f9317f72bd8b7c7d17fce9189e58e99eeb7dd74eb92e

SHA512
72bf5b33e212d7870f9e29a4984a194d827088092200ab0d8af9505bb7160b2793cc8738334a1852f3154f901c04555898838b250b8eab2b53c0628ff800eaa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
04fc1ffa66255e27a777ab369c58668d

SHA1
ef9eca47f704276f09aae90eeeaf801682c0afaa

SHA256
e47edb04887884b77a72102e435a5b3329516ec1900654cb7950febf5f4e0416

SHA512
807dfaba07003cb513907536e52895f83171b151ea7e49f210e199389a6b9bdd002e0a8c5051e1dd46f9c0956b9722940019b57ef89c048a05b86e4b2b58d31b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
40075a11ed73b894b9302eeb1d54d11f

SHA1
a241ac0dae6630dd550e11314fb96f67f9cfeeb1

SHA256
25bf75a8555c48402ee600e0b852490b9d4eb9eb670a4a0fa914e6dbc06c0e72

SHA512
404a25c770dc6075c2cd8c08d2372100f02c039c135217e7ea50972a52259178e263e67bebbceee2a3bf910140cffa2c04f94bb7bc4f0bcef2afb0d8ff7c048e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
97b8ba200c04737cc38bf07f31c2bbdc

SHA1
527ca295834dcfdbe6c81261daa1679ba0573036

SHA256
a42b576ce690d00b036d7b1310f3c95fc2a3d4392b39e54c86ee27e0cbcad226

SHA512
e3508b123de588ad0b6ecc1b1877f9c19e35524bb06d88ce29487a66c473fc94bdc28a729006d44d89e0755505fee4634597d105aa8ca820fad52c1a49d9eb2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
12f1f280749d87f04fc575c1ef421fba

SHA1
1d3a2d4f1e27540ac7035eb520ff34890a3991d7

SHA256
ec330ef079a59bfea0161ee3895367e07994758e649c8dab46d214d48afa6353

SHA512
27d40d6e529d925de44bcb78924272668f133efc74a5d9be13dedaa4271bd91a4bcd342fb34d8d5011ef515ce9eba8f0c6bf6dc5c206526758a0f49ba10d7ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c21a06fa4e14b75602cd3476cbf74210

SHA1
3cbdf9839b8c42e6b8191b4220d5c5c531af5e6a

SHA256
3bb346e452adcaf48bb8f05394d35f77851fda1f8babe7e9e2d73cd060a107c2

SHA512
58a1a143e18fd37acca3cb37cf1b809f4edf0f0466f54ca0c1df3d9d7f2cdb4f1931f844f80cb1cfe96a62e20a5f3d728f908ef51c283d6ba27ca52a0ae9d5cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
356B

MD5
e2999322dc826e6047e5d6d294746511

SHA1
b6870db9167fe2298218d8a3b8585554050427a8

SHA256
c4b4f121dcfe8d3f6b52ea66b2b4633eaadde313e9c2ea7833a0013079f668e1

SHA512
2f7b2f18fec40352b27bbff213180b3c26893b2d8da8ee4ce99f24699c0ec319ad00da001471038be6a6f6f4d698a3bf6fecc55a2e8f75ca558a58f7bfd07f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ea2541605249d0bcb5461da90c39255d

SHA1
1ad761c7cd8407f03ece3e75e689cf8abf3d4949

SHA256
c9bdb5867d29c3b940086cdfaa8ddcacdf86900f90306340d314e62bd92e8fe5

SHA512
0767a0af57733a12d41036786385c3dfd36eac50ba09d1ffcb1f8dd32b7c521015a984e607c7c7a2529fbb7b946bac8454e64f3370d39940c8967875f96adcc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9a46c2aeaa177f1dc56bf5b6c5fe8966

SHA1
766aba651ba30a03121e353fa35b02eb7c11f7c3

SHA256
70b1e0e171c29a212a48360a1cd693e43b8ab86a7d31a84274320d7f8739c1f9

SHA512
5eeb0e3d7107b822b2b2c5f99af1f2a05898b829af27a635071615e6106ee6cc25001b1bdae42ccb50865b7d13c10a529e828d260691bb49026825e043e03633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
23b9543051c01bd958e00d0ebe085e10

SHA1
ed39854638783262d790654c16a3915fe582b36b

SHA256
b3466c7caa19c0a21be2a42fe2be598d7143664a0b08a44ca30124d0d47eb6ea

SHA512
f8feb632e166d0007a161ef7bca7d4ab0ae5db16a5ecb9661d00b48fa268df16a83e66347faccfc55bdc069ed4d38eefe66a77fbf5653d9f41a2438c431a8250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
530b92cd1654014f9ad9bd9cf051c222

SHA1
23e6e1779d35910b0fce6cbfa6b45243b35c1976

SHA256
c1f2e56be00a02937f9f4c6d07468c5b357b4042dc48351ef033bb4be9871f19

SHA512
952b7bbf89ce10aa170dc95ce929192fd55c53dc94daed483169fdb70789cc75c0e57e7484a2452ec892aa87ab1ebfe08e6e2ce985957b850e3a019b99ab707c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
38423af295323e2e8412c75bb047a5f0

SHA1
6af5af2b65c3b946c7e1977e0744e785d40d4b3b

SHA256
46dd2b1af578817f16dde0001dd26f591fbd6785523c9097dd9aca9b80127931

SHA512
1387813843485cbf54a4aba90bc92cc8736572cce0825d30fc57b00e36997a7bc6753cb8930486a5bfc20a7eaef5561514a288b377cb651ee18f33750d18bb63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5cffc50323e4083303e576d3ba8688e2

SHA1
14e254ad12c8bfa2745dc6fdab01947cb9cd1f02

SHA256
92263440ff150081f7ce4fe17447b597f088bdb3d14a511123c0afcf098a6c9c

SHA512
adb3a654705efec701f099ebe85d9d5ab69280f115cbd823b78e4c15fb428372eba0c1e3858f28058c125be2c5e64f8a824408a0647ee84f1388a7c4d885ec44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a34ff9315b5b0216b4df7f89ebe85b74

SHA1
1d4e656c834ccd1f6439001a0c87955cf8d56ae1

SHA256
a27d973605348cb99849eeaac1bfe73e511483acb4115a249a7d365c98d6403b

SHA512
0c76ca2b8a602fc4a6dc2c1c7ca180dbcff01d6f53fe55b4ca394868f3a83c9f989f019d348e039f589a8b5cd369e3348c716d52583b56080b448172b9a090fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f5d0ef0cf13510de73670751b22a6137

SHA1
c70ccdda5ecd96db0572ad56eaf3821393537e9f

SHA256
93d1fa97b32cef8800127bd9c8db303e40c34b8c5c6d3b98bb33af693fb998bb

SHA512
6363f4458145fa0700c6e3c306e50361b0f6090a6c3493af08e9b81938ec7a5f1aaf68a1585778f89f9b648d1fe70489e38bfa150f7b0c84824add2f5d972860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2050b01d385594d224bdebbafe2c3bd0

SHA1
cd27fcdd6cfc69c7d0ef06f9b7bde29d537235e6

SHA256
a8cfb78b71b46e88d197a1bb3a7021932b409be1a49d4725a12f1b201a7bd0fd

SHA512
058236def2e256752498c9fa5c2ab7363be85ac26b11f88a84fb781314dd72864748dcedcc8271d7bca0ca05bceb0733c63981254327f95b8240aa7530f18118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f156b61fa49e17059c05cbb5e71f1184

SHA1
71ed1337c5c6696914656f2d7cf208cc3b9b256f

SHA256
69b3660a65a308d9d2d35358347f3716bf6d0adead81dfc5746a13cd058b3fa2

SHA512
d581bb5720b0f04cc3340302bf2eb9708431f081d5997106cc477ff01043aa28121f5c577562252ccd6a9247b81f53ee1b25b8df0791f5f8bb1f3af76495b3ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
754e2f5631be5d8b4b2aedf7aeee57c8

SHA1
95120a7340f4fa91aa24059a6815859fb877eb6e

SHA256
29c96a9f3a676dd921797706f8a9513d725831da315e89e1696d24a0d931e524

SHA512
383e82a7284b373a00eeb06d2a1c9bd963a120b7e21315e9822ab15ab58efddf10178920eda59cd821a4251c3e284ba54370618779e7eb4e0895fcb8639a1438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6d92d9c80e7a7ab2b39f78bc7435ed01

SHA1
b1ba3673d44827a801298eb035863afdcf066e7b

SHA256
ae7d5b12eca1b5f73c9b127dff395d8354aa249d7c74191d472e3f32b848028a

SHA512
630ecddadd3ea768b158fda6f5da9ff47f030dd19b9a313c03839270b2091aba11368257d7e6f62616070f2d8b7ec125add1212b281404b40bffcd79d9c650e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
798a83247a1a042748bd88aa20df9bab

SHA1
0f26ad63e892598d14af5d938d0d61d3b7e0e456

SHA256
f9125a55c4d975c22834378099b4f56cba0f1d76a35707f965347f064d92efdf

SHA512
0d30fa0abfe1eebe4c52b4783ee1b00bb540dc0ca31d2f24bc6bceaaf07157f5b92f8d5401740cc22473b6316cd04a97d4db630bc052d3106fcfaf82e4a4d4f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d375f6623f34615c3d9d152da9a631fd

SHA1
cf75d0511de2fa5580c43ca14865b95bdd5226e3

SHA256
c4bb57cb4e2802f501bd075f2b5f34f725d320ec55fab64631d2b947b7f6a14d

SHA512
a8e00c652093dd4b298d6e209e225923e8d3d7716d0382f6ca1fd69e1f3c26f52a161faf4666c749e539ba960eb8b56a063e5c190f89f95225a7dea47dc9bacb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6190ffa3d14e50c505ceb428d89f747e

SHA1
c99d26a14fa5ad730d6cdd8bdd90ab0d44a95ca3

SHA256
ca30315569cf4b8f673a3c84156d25c71fef3ff8ed6b938b794be6926523d4f8

SHA512
6231ba5691810f2eda5dab13d7798256184b8b6e4669c71842430fed60f8c1337f516637f54773d95ec0f0d3d50968c151d19090ad983e4d88474f3ea4094c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f53fd609518ebde7f1da63089ac07a7a

SHA1
0bdd410cecad66935a11a148db472cb591d307b1

SHA256
494b50fce67cae7f1aabac074096c9f42362feb56ffad491d4c3641d8304f931

SHA512
dcc8bc9dc55a0ce926270cff6ecaead647a49844a4742bdc294d69bb962661cfe796acd41fc053d9148be835cc4211ccb938a08db0c44c898631baa027984db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6c1e0d45ef4db29ef2eab204c375b45e

SHA1
9eeb36618f4e6beb176efb93f6c35eb3c1519060

SHA256
3dd17fa5348055cf23f775a536c2258094d97ffee601d7e0124ae8c2ce89dbd2

SHA512
45160826d43d93d8689474764de52627dffbd352a8cef92893cfc59c98cd68492d6dc92dc37caf1a1b51dc872be75b1f275ade4c296456fa7ec77f88e110ae14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
24f06d2b556933a6d7930c736c2634c9

SHA1
b076b858c3893b8520b9475e86f632ec5e101bde

SHA256
1b5a4f57411fcc49b95d7bd8e908313e1b8bda8c4ca0df63a164faf44229e899

SHA512
e47d6ca0e1b098533e2f533f374452fb578adddbfbd0ae9948bf214d010940f667528349928ca7b653a71b69bbe327cb4d8aebc9f2f404c4c10d830ca96e0308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3165abc403645f8a20aef24d394ea2bc

SHA1
abd83c11c00fa76093e30a703a171a771855cfc3

SHA256
4a787d2ac9ea4ef42165650b615e0303bf025dbb1aeb7b86a8d8484597b400bc

SHA512
18c07e6a4a1120b51d92e20d1cf91b45f0363ed67d200a44f93e48459c01c55e73d2369630a167cd4b7650697a7216f9f134f3ea38cc0d63015769ca67a8c2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nqdfnlxb.efb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2611.tmp

Filesize
1KB

MD5
547a0f429416de4a5d31fea5a8b37c41

SHA1
5116e814699f3b88b79443bd34881a8cb2e00df3

SHA256
38af3ff333d956d0f04755459d7997c654b6f21aa3626165da69057db13d7c2d

SHA512
020d9c529847604e92dee6c6a1d832d907ed821370baac29368624c4833d50363eab6f767fa884e49060f8923684ffbbfaa6fd494286dd8154283bfebb4a75b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp276A.tmp

Filesize
1KB

MD5
ee9991b78588a1779b0e6611102d0f8f

SHA1
f3add6deb1ce3e74ae70f561a50f2cfdcb7bb8c2

SHA256
248be2ab10954abfbede82da41efd36c03872ac3468f27de52b5b01bd4a96abd

SHA512
fb3df0d41c89ae11e1aa5b16e8ec6b847c6052f00e0225ab7e8832aa43c066dd4634ffebf50f1fe428339b48a14eabb9aa136a1a133286bfb236b71d1559af9a

Download Submit
memory/384-519-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/560-385-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/1976-203-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/2020-332-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/2032-342-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/2524-603-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/2560-499-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/2608-73-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/2984-252-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/3088-140-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/3128-509-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/3160-395-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/3192-115-0x00000000061B0000-0x0000000006504000-memory.dmp

Filesize
3.3MB

Download
memory/3192-130-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/3232-262-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/3304-593-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/3324-50-0x0000000007990000-0x00000000079C2000-memory.dmp

Filesize
200KB

Download
memory/3324-15-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/3324-17-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-19-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-14-0x0000000005A00000-0x0000000005A22000-memory.dmp

Filesize
136KB

Download
memory/3324-97-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-38-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-91-0x0000000007E10000-0x0000000007E18000-memory.dmp

Filesize
32KB

Download
memory/3324-90-0x0000000007E30000-0x0000000007E4A000-memory.dmp

Filesize
104KB

Download
memory/3324-89-0x0000000007D30000-0x0000000007D44000-memory.dmp

Filesize
80KB

Download
memory/3324-16-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/3324-88-0x0000000007D20000-0x0000000007D2E000-memory.dmp

Filesize
56KB

Download
memory/3324-87-0x0000000007CF0000-0x0000000007D01000-memory.dmp

Filesize
68KB

Download
memory/3324-86-0x0000000007D70000-0x0000000007E06000-memory.dmp

Filesize
600KB

Download
memory/3324-85-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/3324-72-0x00000000079D0000-0x0000000007A73000-memory.dmp

Filesize
652KB

Download
memory/3324-51-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/3400-52-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/3400-49-0x0000000006C80000-0x0000000006CCC000-memory.dmp

Filesize
304KB

Download
memory/3400-74-0x00000000080D0000-0x000000000874A000-memory.dmp

Filesize
6.5MB

Download
memory/3400-9-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3400-75-0x0000000007A90000-0x0000000007AAA000-memory.dmp

Filesize
104KB

Download
memory/3400-100-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3400-71-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/3400-7-0x0000000002E60000-0x0000000002E96000-memory.dmp

Filesize
216KB

Download
memory/3400-13-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3400-12-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3400-10-0x00000000059F0000-0x0000000006018000-memory.dmp

Filesize
6.2MB

Download
memory/3400-18-0x0000000006120000-0x0000000006474000-memory.dmp

Filesize
3.3MB

Download
memory/3400-48-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/3548-322-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/3548-302-0x0000000006330000-0x0000000006684000-memory.dmp

Filesize
3.3MB

Download
memory/3680-679-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3680-11-0x0000000007880000-0x000000000788A000-memory.dmp

Filesize
40KB

Download
memory/3680-1-0x0000000000BF0000-0x0000000000FA2000-memory.dmp

Filesize
3.7MB

Download
memory/3680-5-0x0000000008A60000-0x0000000009004000-memory.dmp

Filesize
5.6MB

Download
memory/3680-160-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/3680-8-0x00000000077A0000-0x0000000007832000-memory.dmp

Filesize
584KB

Download
memory/3680-2-0x00000000059C0000-0x0000000005A5C000-memory.dmp

Filesize
624KB

Download
memory/3680-4-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3680-175-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3680-3-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download
memory/3680-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/3756-275-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/4360-442-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/4376-583-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/4440-462-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/4444-213-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/4472-150-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/5040-452-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/5060-405-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/5080-193-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/5456-623-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/5520-613-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/5544-633-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/5904-653-0x0000000006CE0000-0x0000000006CEA000-memory.dmp

Filesize
40KB

Download
memory/5904-652-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/5904-651-0x0000000005C70000-0x0000000005C7A000-memory.dmp

Filesize
40KB

Download
memory/5904-643-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download