nanocore | d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Size

3.7MB
MD5

ef284d2e02d57b7090632e1bf06b8fa3
SHA1

85c5c5dc98d3d49478635f1d846761ab21ff7827
SHA256

d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7
SHA512

2d2e4c7d85626be637b5f959b72de9493759adfff7a6e4a7a640f7a02102b68714f039f85570770952f9b7546a6664c0f7879fc5e07ff3a83e630808069dfb57
SSDEEP

3072:WM/ZmolMbeDeDejyCeaev0beJ0kXC0ex75qlyrBmkepbe3eTLe3UzoeyeYHIHO+r:

Score

10^/10

nanocore defense_evasion discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

backu4734.duckdns.org:8092

Mutex

ccf3c62d-d356-4a80-bb94-307bc35a5e01

Attributes

activate_away_mode
false
backup_connection_host
backu4734.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-01-05T15:22:20.555580436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8092
default_group
Backup
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ccf3c62d-d356-4a80-bb94-307bc35a5e01
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
backu4734.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Windows security bypass 2 TTPs 3 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe = "0"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe = "0"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4396	powershell.exe
3112	powershell.exe
5340	powershell.exe
6120	powershell.exe
4684	powershell.exe
456	powershell.exe
4772	powershell.exe
3460	powershell.exe
5320	powershell.exe
6264	powershell.exe
4160	powershell.exe
5492	powershell.exe
5520	powershell.exe
6044	powershell.exe
4192	powershell.exe
1376	powershell.exe
5112	powershell.exe
1948	powershell.exe
6092	powershell.exe
6240	powershell.exe
4664	powershell.exe
5188	powershell.exe
6212	powershell.exe
4588	powershell.exe
2412	powershell.exe
3128	powershell.exe
3176	powershell.exe
2992	powershell.exe
5540	powershell.exe
4260	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Windows security modification 2 TTPs 4 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe = "0"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe = "0"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Service = "C:\\Program Files (x86)\\NAT Service\\natsv.exe"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 7036	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	154

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NAT Service\natsv.exe	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
File opened for modification	C:\Program Files (x86)\NAT Service\natsv.exe	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
File opened for modification	C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6220	4736	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5980	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5832	schtasks.exe
6592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	powershell.exe
1376	powershell.exe
4588	powershell.exe
1376	powershell.exe
2412	powershell.exe
4588	powershell.exe
3128	powershell.exe
3128	powershell.exe
456	powershell.exe
456	powershell.exe
5112	powershell.exe
5112	powershell.exe
3128	powershell.exe
456	powershell.exe
5112	powershell.exe
4160	powershell.exe
4160	powershell.exe
4396	powershell.exe
4396	powershell.exe
4260	powershell.exe
4260	powershell.exe
4160	powershell.exe
4396	powershell.exe
4260	powershell.exe
3176	powershell.exe
3176	powershell.exe
4664	powershell.exe
4664	powershell.exe
1948	powershell.exe
1948	powershell.exe
4192	powershell.exe
4192	powershell.exe
4684	powershell.exe
4684	powershell.exe
2992	powershell.exe
2992	powershell.exe
1948	powershell.exe
4664	powershell.exe
3176	powershell.exe
4192	powershell.exe
4684	powershell.exe
2992	powershell.exe
4772	powershell.exe
4772	powershell.exe
3112	powershell.exe
3112	powershell.exe
3460	powershell.exe
3460	powershell.exe
5520	powershell.exe
5520	powershell.exe
5492	powershell.exe
5492	powershell.exe
5540	powershell.exe
5540	powershell.exe
3112	powershell.exe
3460	powershell.exe
4772	powershell.exe
5320	powershell.exe
5320	powershell.exe
5492	powershell.exe
5340	powershell.exe
5340	powershell.exe
5188	powershell.exe
5188	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
7036	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	5520	powershell.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	5540	powershell.exe
Token: SeDebugPrivilege	5320	powershell.exe
Token: SeDebugPrivilege	5340	powershell.exe
Token: SeDebugPrivilege	5188	powershell.exe
Token: SeDebugPrivilege	6044	powershell.exe
Token: SeDebugPrivilege	6120	powershell.exe
Token: SeDebugPrivilege	6092	powershell.exe
Token: SeDebugPrivilege	6212	powershell.exe
Token: SeDebugPrivilege	6264	powershell.exe
Token: SeDebugPrivilege	6240	powershell.exe
Token: SeDebugPrivilege	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Token: SeDebugPrivilege	7036	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2412	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	89
PID 4736 wrote to memory of 2412	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	89
PID 4736 wrote to memory of 2412	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	89
PID 4736 wrote to memory of 1376	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	91
PID 4736 wrote to memory of 1376	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	91
PID 4736 wrote to memory of 1376	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	91
PID 4736 wrote to memory of 4588	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	93
PID 4736 wrote to memory of 4588	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	93
PID 4736 wrote to memory of 4588	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	93
PID 4736 wrote to memory of 3128	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	95
PID 4736 wrote to memory of 3128	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	95
PID 4736 wrote to memory of 3128	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	95
PID 4736 wrote to memory of 456	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	96
PID 4736 wrote to memory of 456	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	96
PID 4736 wrote to memory of 456	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	96
PID 4736 wrote to memory of 5112	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	99
PID 4736 wrote to memory of 5112	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	99
PID 4736 wrote to memory of 5112	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	99
PID 4736 wrote to memory of 4260	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	101
PID 4736 wrote to memory of 4260	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	101
PID 4736 wrote to memory of 4260	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	101
PID 4736 wrote to memory of 4160	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	102
PID 4736 wrote to memory of 4160	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	102
PID 4736 wrote to memory of 4160	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	102
PID 4736 wrote to memory of 4396	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	104
PID 4736 wrote to memory of 4396	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	104
PID 4736 wrote to memory of 4396	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	104
PID 4736 wrote to memory of 4664	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	107
PID 4736 wrote to memory of 4664	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	107
PID 4736 wrote to memory of 4664	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	107
PID 4736 wrote to memory of 3176	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	108
PID 4736 wrote to memory of 3176	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	108
PID 4736 wrote to memory of 3176	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	108
PID 4736 wrote to memory of 1948	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	109
PID 4736 wrote to memory of 1948	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	109
PID 4736 wrote to memory of 1948	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	109
PID 4736 wrote to memory of 4684	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	113
PID 4736 wrote to memory of 4684	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	113
PID 4736 wrote to memory of 4684	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	113
PID 4736 wrote to memory of 4192	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	115
PID 4736 wrote to memory of 4192	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	115
PID 4736 wrote to memory of 4192	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	115
PID 4736 wrote to memory of 2992	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	117
PID 4736 wrote to memory of 2992	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	117
PID 4736 wrote to memory of 2992	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	117
PID 4736 wrote to memory of 4772	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	119
PID 4736 wrote to memory of 4772	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	119
PID 4736 wrote to memory of 4772	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	119
PID 4736 wrote to memory of 3460	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	120
PID 4736 wrote to memory of 3460	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	120
PID 4736 wrote to memory of 3460	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	120
PID 4736 wrote to memory of 3112	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	123
PID 4736 wrote to memory of 3112	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	123
PID 4736 wrote to memory of 3112	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	123
PID 4736 wrote to memory of 5492	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	125
PID 4736 wrote to memory of 5492	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	125
PID 4736 wrote to memory of 5492	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	125
PID 4736 wrote to memory of 5520	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	127
PID 4736 wrote to memory of 5520	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	127
PID 4736 wrote to memory of 5520	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	127
PID 4736 wrote to memory of 5540	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	128
PID 4736 wrote to memory of 5540	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	128
PID 4736 wrote to memory of 5540	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	128
PID 4736 wrote to memory of 5188	4736	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	131

C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
"C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe"
1⤵
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5492
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5540
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5320
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5340
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6092
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6120
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5980
- C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
  "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:7036
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "NAT Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE1D4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5832
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "NAT Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE223.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:6592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1988
  2⤵
  - Program crash
  PID:6220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4736 -ip 4736
1⤵
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
88f37b8b05c8412c9b89196ce0b49f5a

SHA1
c98028b1332640ef169e2ba4bb3e59609aa384a7

SHA256
6cb81bae4cec1acc341f1aa7d7faa8a4cd15fe589766749819c2251e2fbfff83

SHA512
4ba82ec458a2983cfa477897b5513bc8d2efc3e5e38f2ea9d756a26841ef5b08a706450cc92e91b6199e3118d7e904539612a808479f7c54f234ab3dc29154a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
787839e73289992a4bf9bdacce67cec7

SHA1
941a86bcff6e20a32b510ed017598e7fb4f0a968

SHA256
11648ece53cdab664d969ea6c75bcef791dcd2840b282eb2031f0b3191abf489

SHA512
69294b0d98675837c129030918efafb829f72b5e50f833cd711a4b5aea270df14089fd5b319a0e9d27ccfbb12e1d2c3b9116d592bc7f8cddbd717e5a48792f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
787b500500380da14ff4719ab00accdf

SHA1
0704d814dd25497e16bf41656126ac01270cf1ee

SHA256
3b419b538507dd8b0f3ee5289b73a5ad994dcb791f4d7635c212a971c1787dd7

SHA512
11273cd86b0d26a637ec3e0a1fa414da708d4f15cb48578e58f76498268a2abcfd1bd76b3929d9dfb3a7ec6c9838eb64c82c75bbd06a94d93ff728194b800213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
25bd9bf7dba452d3f297cdebdd9728ee

SHA1
521c53c27a0395ea43836eb8a01cd9d0f0cfffad

SHA256
c0503d060a07eabeab9eeaa30c45badccd512a744f579123e653f9527f62dee8

SHA512
92335b86a080304702157e4431360cbae34572df3d668331c7b24f2788c16bb927e57632841aecde49723eb537488948c82e8a86bb58e844b4646164dd72dd7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
397f81351ff6589f5780a082857f6d53

SHA1
27e3402611903006b6816aee80f69d660d2c9e7f

SHA256
f92f1d07286bc527485b785ce51b431c89cb92962c89d46bbd767ec8bb35370b

SHA512
7c9964ff012ba09fd2025e9cb9182ef93e2204954a5bf0b5706aafde2a277fcaf97f96dc91cd78016933b89f867f727fd75722bb9021d3bdcc09814189bbb0c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
00708d7494cee0e6b5608bfe832bbc40

SHA1
6d876b88a73730f337fb4f70c3f77efc02214e68

SHA256
6a4d6cc02d73d65bcc5b3d6ff9ece116707c56870e737394b9a70c4274bb5332

SHA512
50de3c360eb43212a5354ba3e005944f1f21e04c706f55c8dbe79162c6af75a08552072fe927dba00921d648e4f52a39d2f4a74e46fa9cab949229be17d8b8b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bfb90fc49996ff714f7c2905400e5be1

SHA1
73be8a5c0e0833386332b258030a7fb4a46edf3a

SHA256
f765525011aa40cfe2192a8ffc8572b8d56353ee2a8e333725dd03677f079754

SHA512
36bc61a788279a35cd7c5e77c016ecd7139e35ac7401323335b9e85b996c3c88ad30669b6827ee985ddfa9112e6e9cc2bb9d0c5f2f1e296523f4ade3606e28f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2f4355002fd2482642d4d1da8b9c9458

SHA1
784defc03bf46e49bdd781295ae0290134604801

SHA256
c2bbcbab8746f5ff07c381ce1fce44786038c896a4dfef6932a60b2346bf4196

SHA512
656be52168fba2fa5a0c47c4dae4fea74bfa8828fca15bb74dcc65c08a1a24af324f818a66e8c1efe7a65d1e079f7e242981f17fdb0514b873cc5062f1352593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
456b529cddc957c29b4b38a45745dc96

SHA1
d66d26b549dce7a86ee7f2f8369515480e6610bf

SHA256
c998db856c734d28f38cd2e0a104515ca989c6f7b7b648ddd208a5c142473ed7

SHA512
8ead158a65c5f9113fa04cd66feeb8c257242a5d9963af0b092be89f3976665a0183840da7465eed8c249ddeb6448fed5d57f4f11623a240dd36748cd2051344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
55eca0cb48b16b082c00eef145b91c27

SHA1
8c7dfa8bee88dae404b0db303748526edc89f48c

SHA256
694851905e2438d7d6d7cb9abff9fd1aa47931c6f48008644fc8af1c65b0de8e

SHA512
e99333e9b6971a5d0ef3408aba4278de6d7d7c891dabe5216e4fc9b93648cf06056be49e1d70edbbc9cca59ff9fd0699ce7b6b388f691d1da72d85411b18e04e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b9e65555c96a2e9edf6e1f33d7451132

SHA1
36626230afcbfac919ebd12bc7022230f6335551

SHA256
1053d1ef63b9edb5b7c9110708a62b18a4586542ad323cfdd7027c675f7fe708

SHA512
7858f3dd08e3efa13562c1fdab97a21d4b9eac4f5d16b2ed8de594fbdc9bac3c23d0cee179500c434d9b94664882e07b12f67f7bd899922db7d133982c989ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
32c91fd43c6f6f787181c7329143bd54

SHA1
99fc8606886cdee0fcdb99a514fed68454e6e0b3

SHA256
54fbaaeb8af4d75144724d62327a6b10fd8f7ab780586d629fa80b6e416fe655

SHA512
de75f1b3502ed607c2bc6ea0558e9df8374aaaab3320a340cae42660f441cd49c529f31283356a42343614cd433d5ef0c1c2775fe507619c28bdc0f29878b0c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d807ea1fafd078afaa61cf95f1b46eb5

SHA1
57a2a4047f83cb3b904b5ef24aeffcce3035300d

SHA256
ac2feddc4299b7047be900d9b218ba814b0598229ffa19b925ce4b54255200da

SHA512
36986a26108cc20c8d6d70a946505d2aeb1a0761de2c93acfedc126744404ee69feab984094ab318dccfa5a6c46ffb4c18d818d9fb9988b2d5ae4c5541906785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
5ecd412145133b1135f94fb3a4d264c9

SHA1
db5bf84a7a834e126db3867cbdae7eb2ee6c3724

SHA256
f528c2317a17a56b13aaaecbff50da566f65550b816b390819fec6a21506f724

SHA512
7892ad090bbbf9f535a812a9e46e816bf95ba5f3f93b3f59fc145846feeabb1d0082f7ec300f0fdec43bbcfc2c63d29a53f72fe8362c02b1ba490ca87d98c6a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
7a134ee7fa3c05bf3b6e0e7975aa1b49

SHA1
b6628cc5f1418fec20eaf0b59e12cfb572a07712

SHA256
cdbbd9c0a152ecadc80e6554c56a6c063c1665986a262cc4e90390da504145ca

SHA512
c97c32d0d5984ce766c0dd6399d284c99874ad39067c8ab65258dfdcb2948c622b5c89c9b593687e1829f9e0c7223e81539a717e94d6d68c5fd06b1e35cfe071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b97a5f2f193c94a62de797851d0a31e0

SHA1
d57141d6f5d0539e81a82ba6ce5b7fd293b49618

SHA256
399a65cb50766eca5e6ed3c47982ef4104dd52d45b83e719dc5dc84c01397b51

SHA512
1226285b9be12cd82f300b7af3232c5e5dd16b2b10a885f2be973bd7ccb59382dac591fb02425908cc6a21d7f8a4a0d02e962848be381c3a2ccf532c10d980fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
3e5e2b131c0f1b80071cdf753c2123a2

SHA1
4cab8fede1c1c7f9d8b29ebe774b5e6d9a6e9299

SHA256
6df02fb7972f242c9e92efd15cc53e4325e6712f945e1e41cdc91f8dfd0606ff

SHA512
69bab9413ef36011fac6538723064a7f0d6852b28ccf072160ca5506a6618eb109abcb5400d7d18a8ebab29f83813f484ce642001b84556b5020d03d1aabc9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
221a56d947d7a27a313a2e941b571bed

SHA1
7e7d4db34ff05bf274d142cdbbc92723e54a9788

SHA256
0cb1db197dfce4f86aa3ef15ec474a0edbf30ba25c82369492b8cdbb781a3f70

SHA512
061c93d1fa520d00006828a6504898172f49d238a27a31aec7430262ddc3f242dfdf8c382d4c3536d1796e387a9b516cc2865816dbf835f4998b0128aaf69bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
b3efc9cf989b020edc82c064b7d80f94

SHA1
d3aa52fa339543e7da3eadd93544b55a75d3beb3

SHA256
8de347aaa216ec86a0104048aefeb318432941af8e56bc15f1145782f2bb4d81

SHA512
b8f0ed0bcc23a168cc0fe5d8c737ce16d2dbeafdfd2cfecc878c901bd82e706cb66ee18d8ef725d589562e4eb8a2393784fce80bb1cbe53600ccd2629bc2c240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
590fb4011820ed1d8c07959bf9f6d041

SHA1
013a4ff3d8270103d9655e023965f2907081972b

SHA256
b7b367ae6c27a5a248865b286b5a3c699c282a943930ebd6c996d5eff7290763

SHA512
acaa18e01503a823f8357b56515cb15c5aad6797810b6da1b681ca24a7d2c7de57649b00d177cc677312fe2bd9d6fdf9d3f6e90176e625b48a619fb2104c945c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cefc05b7a17e170882e5260fe9661796

SHA1
ca741bf4e15d8f78f1484bce58794bae6d21c67b

SHA256
c115fe0bbcad89c750661b852bb060db6be2b18e09e0fe3164c281b641e14e9f

SHA512
fd4b6ce8001efd1ac59cd207b5cd29d4dc444cee4f56c17060918db55306c40e5b30ede5dea5fa68f283d62d6cf790dd5b2055d7256d03e84f9e3a53b352e169

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5jcp4q21.1xg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE1D4.tmp

Filesize
1KB

MD5
3fbf14339a82779a96ebe15d61e84dc7

SHA1
11a57b2c1bfb3559d4b2d09054d4fa63912d260c

SHA256
c9f9a132e24f96a42e87d7e5596f991666c4c208fd5eceddb14b8202f30e0b9a

SHA512
94f2a2d8982183cf69ae981da42b47b97d3db46b7612c8eeddf348d27c4b4c0a8e0cdc8e42f17da826673dda75e24d7e8e0e3be9690f455dca70ada0d5eeb429

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE223.tmp

Filesize
1KB

MD5
cd8e69b89899eb65a199cc8019e502ad

SHA1
19ae04c02d02e2828e4513de66734c383660d1a5

SHA256
cf1a9b78745b0f788fea2f579f1e3a82efc7425edb1f35abb8dd8e1cbaaf03ef

SHA512
9a2bf35fc687ec6ac81ad3fe16f82f104ad880be6b36afc7297264de09d50e85d9d3376ed9378d56b08ef94ca700b886cc40768587fc623c7fb6117265bd7033

Download Submit
memory/456-133-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/1376-17-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-73-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/1376-29-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-499-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-49-0x0000000006810000-0x000000000685C000-memory.dmp

Filesize
304KB

Download
memory/1376-249-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-14-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-48-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/1948-268-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/2412-57-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/2412-87-0x0000000007CD0000-0x0000000007CE1000-memory.dmp

Filesize
68KB

Download
memory/2412-121-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/2412-113-0x0000000007E10000-0x0000000007E2A000-memory.dmp

Filesize
104KB

Download
memory/2412-85-0x0000000007B40000-0x0000000007B4A000-memory.dmp

Filesize
40KB

Download
memory/2412-107-0x0000000007D10000-0x0000000007D24000-memory.dmp

Filesize
80KB

Download
memory/2412-7-0x0000000002E40000-0x0000000002E76000-memory.dmp

Filesize
216KB

Download
memory/2412-88-0x0000000007D00000-0x0000000007D0E000-memory.dmp

Filesize
56KB

Download
memory/2412-10-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/2412-9-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/2412-15-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/2412-19-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/2412-18-0x00000000061C0000-0x0000000006514000-memory.dmp

Filesize
3.3MB

Download
memory/2412-84-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/2412-118-0x0000000007DF0000-0x0000000007DF8000-memory.dmp

Filesize
32KB

Download
memory/2412-12-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/2412-16-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/2412-13-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/2992-345-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/3112-420-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/3128-123-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/3176-288-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/3460-401-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/4160-193-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/4192-335-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/4260-203-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/4396-183-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/4588-86-0x0000000007D70000-0x0000000007E06000-memory.dmp

Filesize
600KB

Download
memory/4588-51-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/4588-83-0x0000000008130000-0x00000000087AA000-memory.dmp

Filesize
6.5MB

Download
memory/4588-67-0x0000000007990000-0x00000000079AE000-memory.dmp

Filesize
120KB

Download
memory/4588-72-0x00000000079C0000-0x0000000007A63000-memory.dmp

Filesize
652KB

Download
memory/4588-50-0x0000000007750000-0x0000000007782000-memory.dmp

Filesize
200KB

Download
memory/4664-278-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/4684-325-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/4736-2-0x0000000005690000-0x000000000572C000-memory.dmp

Filesize
624KB

Download
memory/4736-5-0x0000000007190000-0x0000000007734000-memory.dmp

Filesize
5.6MB

Download
memory/4736-638-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-1-0x0000000000900000-0x0000000000CB2000-memory.dmp

Filesize
3.7MB

Download
memory/4736-4-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-182-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-3-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download
memory/4736-8-0x0000000007940000-0x00000000079D2000-memory.dmp

Filesize
584KB

Download
memory/4736-181-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/4736-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/4736-11-0x0000000007A20000-0x0000000007A2A000-memory.dmp

Filesize
40KB

Download
memory/4772-391-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/5112-143-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/5188-553-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/5320-528-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/5340-543-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/5492-439-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/5520-458-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/5540-468-0x0000000070200000-0x000000007024C000-memory.dmp

Filesize
304KB

Download
memory/7036-627-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/7036-635-0x0000000005970000-0x000000000597A000-memory.dmp

Filesize
40KB

Download
memory/7036-636-0x0000000005980000-0x000000000599E000-memory.dmp

Filesize
120KB

Download
memory/7036-637-0x00000000066E0000-0x00000000066EA000-memory.dmp

Filesize
40KB

Download