darkcomet | 8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
Size

631KB
MD5

9a04b9dd0be01c47737dd6014c002ff9
SHA1

46824f75ee05bdb80b051b7affb6cb271d8b7476
SHA256

8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5
SHA512

9c5f8d69a6fa146e9a2bfb02f8954cec04fbe7d2967a001a0781be47a75d9526a76380659a46b2b5cb5b135987f128da6441d2e8119e5aeec67d04ce64caa8f4
SSDEEP

12288:x+h/yhmu0LuZmSYnV472X/+tNhqGERdjft7djMzAv/1mk2b7g:YueY5YnVs2v+t/qfRdjfth9I

Score

10^/10

darkcomet levieux100 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Levieux100

levieux.no-ip.biz:3080

Mutex

DC_MUTEX-MANUVG1

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
AwsRZtgYnACw
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe

Executes dropped EXE 15 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
1604	msdcsc.exe
1520	msdcsc.exe
1180	msdcsc.exe
1596	msdcsc.exe
1528	msdcsc.exe
1304	msdcsc.exe
964	msdcsc.exe
1716	msdcsc.exe
1528	msdcsc.exe
1140	msdcsc.exe
1212	msdcsc.exe
1632	msdcsc.exe
1528	msdcsc.exe
1156	msdcsc.exe
836	msdcsc.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/564-57-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/564-59-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/564-60-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/564-62-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/564-64-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/564-65-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/564-67-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1540-80-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1540-81-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1540-84-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2000-101-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1032-113-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/684-131-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1804-142-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1388-160-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1476-171-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1052-189-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1920-200-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1920-201-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/544-217-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1056-233-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/848-242-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/848-249-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1304-260-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/668-278-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Loads dropped DLL 15 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid	process
564	vbc.exe
1540	vbc.exe
2000	vbc.exe
1032	vbc.exe
684	vbc.exe
1804	vbc.exe
1388	vbc.exe
1476	vbc.exe
1052	vbc.exe
1920	vbc.exe
544	vbc.exe
1056	vbc.exe
848	vbc.exe
1304	vbc.exe
668	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdate\\WinUpdate.exe"	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\AwsRZtgYnACw\\AwsRZtgYnACw\\msdcsc.exe"	vbc.exe

Drops file in System32 directory 59 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe	vbc.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe

description	pid	process	target process
PID 992 set thread context of 564	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 1540	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 2000	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 1032	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 684	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 1804	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 1388	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 1476	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 1052	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 1920	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 544	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 1056	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 848	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 1304	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 set thread context of 668	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe

pid	process
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
Token: SeIncreaseQuotaPrivilege	564	vbc.exe
Token: SeSecurityPrivilege	564	vbc.exe
Token: SeTakeOwnershipPrivilege	564	vbc.exe
Token: SeLoadDriverPrivilege	564	vbc.exe
Token: SeSystemProfilePrivilege	564	vbc.exe
Token: SeSystemtimePrivilege	564	vbc.exe
Token: SeProfSingleProcessPrivilege	564	vbc.exe
Token: SeIncBasePriorityPrivilege	564	vbc.exe
Token: SeCreatePagefilePrivilege	564	vbc.exe
Token: SeBackupPrivilege	564	vbc.exe
Token: SeRestorePrivilege	564	vbc.exe
Token: SeShutdownPrivilege	564	vbc.exe
Token: SeDebugPrivilege	564	vbc.exe
Token: SeSystemEnvironmentPrivilege	564	vbc.exe
Token: SeChangeNotifyPrivilege	564	vbc.exe
Token: SeRemoteShutdownPrivilege	564	vbc.exe
Token: SeUndockPrivilege	564	vbc.exe
Token: SeManageVolumePrivilege	564	vbc.exe
Token: SeImpersonatePrivilege	564	vbc.exe
Token: SeCreateGlobalPrivilege	564	vbc.exe
Token: 33	564	vbc.exe
Token: 34	564	vbc.exe
Token: 35	564	vbc.exe
Token: SeIncreaseQuotaPrivilege	1540	vbc.exe
Token: SeSecurityPrivilege	1540	vbc.exe
Token: SeTakeOwnershipPrivilege	1540	vbc.exe
Token: SeLoadDriverPrivilege	1540	vbc.exe
Token: SeSystemProfilePrivilege	1540	vbc.exe
Token: SeSystemtimePrivilege	1540	vbc.exe
Token: SeProfSingleProcessPrivilege	1540	vbc.exe
Token: SeIncBasePriorityPrivilege	1540	vbc.exe
Token: SeCreatePagefilePrivilege	1540	vbc.exe
Token: SeBackupPrivilege	1540	vbc.exe
Token: SeRestorePrivilege	1540	vbc.exe
Token: SeShutdownPrivilege	1540	vbc.exe
Token: SeDebugPrivilege	1540	vbc.exe
Token: SeSystemEnvironmentPrivilege	1540	vbc.exe
Token: SeChangeNotifyPrivilege	1540	vbc.exe
Token: SeRemoteShutdownPrivilege	1540	vbc.exe
Token: SeUndockPrivilege	1540	vbc.exe
Token: SeManageVolumePrivilege	1540	vbc.exe
Token: SeImpersonatePrivilege	1540	vbc.exe
Token: SeCreateGlobalPrivilege	1540	vbc.exe
Token: 33	1540	vbc.exe
Token: 34	1540	vbc.exe
Token: 35	1540	vbc.exe
Token: SeIncreaseQuotaPrivilege	2000	vbc.exe
Token: SeSecurityPrivilege	2000	vbc.exe
Token: SeTakeOwnershipPrivilege	2000	vbc.exe
Token: SeLoadDriverPrivilege	2000	vbc.exe
Token: SeSystemProfilePrivilege	2000	vbc.exe
Token: SeSystemtimePrivilege	2000	vbc.exe
Token: SeProfSingleProcessPrivilege	2000	vbc.exe
Token: SeIncBasePriorityPrivilege	2000	vbc.exe
Token: SeCreatePagefilePrivilege	2000	vbc.exe
Token: SeBackupPrivilege	2000	vbc.exe
Token: SeRestorePrivilege	2000	vbc.exe
Token: SeShutdownPrivilege	2000	vbc.exe
Token: SeDebugPrivilege	2000	vbc.exe
Token: SeSystemEnvironmentPrivilege	2000	vbc.exe
Token: SeChangeNotifyPrivilege	2000	vbc.exe
Token: SeRemoteShutdownPrivilege	2000	vbc.exe
Token: SeUndockPrivilege	2000	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 992 wrote to memory of 564	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 564	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 564	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 564	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 564	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 564	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 564	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 564	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 564 wrote to memory of 1604	564	vbc.exe	msdcsc.exe
PID 564 wrote to memory of 1604	564	vbc.exe	msdcsc.exe
PID 564 wrote to memory of 1604	564	vbc.exe	msdcsc.exe
PID 564 wrote to memory of 1604	564	vbc.exe	msdcsc.exe
PID 992 wrote to memory of 1540	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1540	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1540	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1540	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1540	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1540	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1540	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1540	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 1540 wrote to memory of 1520	1540	vbc.exe	msdcsc.exe
PID 1540 wrote to memory of 1520	1540	vbc.exe	msdcsc.exe
PID 1540 wrote to memory of 1520	1540	vbc.exe	msdcsc.exe
PID 1540 wrote to memory of 1520	1540	vbc.exe	msdcsc.exe
PID 992 wrote to memory of 2000	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 2000	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 2000	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 2000	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 2000	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 2000	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 2000	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 2000	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 2000 wrote to memory of 1180	2000	vbc.exe	msdcsc.exe
PID 2000 wrote to memory of 1180	2000	vbc.exe	msdcsc.exe
PID 2000 wrote to memory of 1180	2000	vbc.exe	msdcsc.exe
PID 2000 wrote to memory of 1180	2000	vbc.exe	msdcsc.exe
PID 992 wrote to memory of 1032	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1032	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1032	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1032	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1032	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1032	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1032	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1032	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 1032 wrote to memory of 1596	1032	vbc.exe	msdcsc.exe
PID 1032 wrote to memory of 1596	1032	vbc.exe	msdcsc.exe
PID 1032 wrote to memory of 1596	1032	vbc.exe	msdcsc.exe
PID 1032 wrote to memory of 1596	1032	vbc.exe	msdcsc.exe
PID 992 wrote to memory of 684	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 684	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 684	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 684	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 684	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 684	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 684	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 684	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 684 wrote to memory of 1528	684	vbc.exe	msdcsc.exe
PID 684 wrote to memory of 1528	684	vbc.exe	msdcsc.exe
PID 684 wrote to memory of 1528	684	vbc.exe	msdcsc.exe
PID 684 wrote to memory of 1528	684	vbc.exe	msdcsc.exe
PID 992 wrote to memory of 1804	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1804	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1804	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe
PID 992 wrote to memory of 1804	992	8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe
"C:\Users\Admin\AppData\Local\Temp\8bd70b0cd4920456cc9105f9a6cb933cd4061125e7a3f2a7ef0c6e964f7f47d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1804

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1388

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1476

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1052

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1920

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:544

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1056

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:848

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1304

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1156

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:668

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe
"C:\Windows\system32\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\AwsRZtgYnACw\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/544-210-0x00000000004B8CD0-mapping.dmp

Download
memory/544-217-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/564-65-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/564-60-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/564-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/564-56-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/564-62-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/564-57-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/564-61-0x00000000004B8CD0-mapping.dmp

Download
memory/564-64-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/564-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/668-269-0x00000000004B8CD0-mapping.dmp

Download
memory/668-278-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/684-122-0x00000000004B8CD0-mapping.dmp

Download
memory/684-131-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/836-276-0x0000000000000000-mapping.dmp

Download
memory/848-242-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/848-249-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/848-239-0x00000000004B8CD0-mapping.dmp

Download
memory/964-158-0x0000000000000000-mapping.dmp

Download
memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/992-55-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/992-82-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/992-66-0x00000000021E5000-0x00000000021F6000-memory.dmp

Filesize
68KB

Download
memory/1032-113-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1032-108-0x00000000004B8CD0-mapping.dmp

Download
memory/1052-189-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1052-180-0x00000000004B8CD0-mapping.dmp

Download
memory/1056-233-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1056-224-0x00000000004B8CD0-mapping.dmp

Download
memory/1140-203-0x0000000000000000-mapping.dmp

Download
memory/1156-262-0x0000000000000000-mapping.dmp

Download
memory/1180-99-0x0000000000000000-mapping.dmp

Download
memory/1212-216-0x0000000000000000-mapping.dmp

Download
memory/1304-144-0x0000000000000000-mapping.dmp

Download
memory/1304-255-0x00000000004B8CD0-mapping.dmp

Download
memory/1304-260-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1388-151-0x00000000004B8CD0-mapping.dmp

Download
memory/1388-160-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1476-166-0x00000000004B8CD0-mapping.dmp

Download
memory/1476-171-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1520-85-0x0000000000000000-mapping.dmp

Download
memory/1528-247-0x0000000000000000-mapping.dmp

Download
memory/1528-129-0x0000000000000000-mapping.dmp

Download
memory/1528-187-0x0000000000000000-mapping.dmp

Download
memory/1540-84-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1540-80-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1540-77-0x00000000004B8CD0-mapping.dmp

Download
memory/1540-81-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1596-115-0x0000000000000000-mapping.dmp

Download
memory/1604-69-0x0000000000000000-mapping.dmp

Download
memory/1632-231-0x0000000000000000-mapping.dmp

Download
memory/1716-173-0x0000000000000000-mapping.dmp

Download
memory/1804-137-0x00000000004B8CD0-mapping.dmp

Download
memory/1804-142-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1920-201-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1920-200-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1920-195-0x00000000004B8CD0-mapping.dmp

Download
memory/2000-93-0x00000000004B8CD0-mapping.dmp

Download
memory/2000-101-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download