darkcomet | c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

Analysis

max time kernel
206s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Size

384KB
MD5

fd1db0659e64c6c253a6f6b6ef624151
SHA1

d3004a293774e76624155f2e0751d2abc3a64885
SHA256

c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6
SHA512

3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905
SSDEEP

6144:Hlb6SDOiIN4o2cOMayarS0IjX7n6wXmzbBFXoNWfi:H0Siiu2cOMayaZerXXmhFXPa

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Executes dropped EXE 10 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid process

3372 msdcsc.exe
2000 msdcsc.exe
332 msdcsc.exe
4600 msdcsc.exe
5020 msdcsc.exe
3852 msdcsc.exe
3160 msdcsc.exe
2240 msdcsc.exe
4944 msdcsc.exe
432 msdcsc.exe

pid	process
3372	msdcsc.exe
2000	msdcsc.exe
332	msdcsc.exe
4600	msdcsc.exe
5020	msdcsc.exe
3852	msdcsc.exe
3160	msdcsc.exe
2240	msdcsc.exe
4944	msdcsc.exe
432	msdcsc.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1636-132-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/1636-133-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral2/memory/1636-144-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/3372-145-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral2/memory/3372-155-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/2000-156-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral2/memory/2000-166-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/332-167-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral2/memory/332-177-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/4600-178-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/4600-179-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral2/memory/4600-189-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/5020-190-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral2/memory/5020-200-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/3852-201-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral2/memory/3852-211-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/3160-212-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/3160-220-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral2/memory/3160-223-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/2240-224-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral2/memory/2240-234-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/4944-235-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral2/memory/4944-238-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/432-239-0x0000000000400000-0x00000000004F9000-memory.dmp	upx

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msdcsc.exemsdcsc.exemsdcsc.exec52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exec52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 32 IoCs

Processes:

msdcsc.exemsdcsc.exec52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exec52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1784	PING.EXE
808	PING.EXE
1072	PING.EXE
3172	PING.EXE
4424	PING.EXE
1776	PING.EXE
544	PING.EXE
2996	PING.EXE
4980	PING.EXE
4080	PING.EXE
1236	PING.EXE
3568	PING.EXE
1292	PING.EXE
2228	PING.EXE
2228	PING.EXE
3032	PING.EXE
836	PING.EXE
3180	PING.EXE
3060	PING.EXE
1452	PING.EXE
3332	PING.EXE
3980	PING.EXE
4612	PING.EXE
1108	PING.EXE
1644	PING.EXE
976	PING.EXE
956	PING.EXE
1496	PING.EXE
4308	PING.EXE
1448	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeSecurityPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeTakeOwnershipPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeLoadDriverPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeSystemProfilePrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeSystemtimePrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeProfSingleProcessPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeIncBasePriorityPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeCreatePagefilePrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeBackupPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeRestorePrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeShutdownPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeDebugPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeSystemEnvironmentPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeChangeNotifyPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeRemoteShutdownPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeUndockPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeManageVolumePrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeImpersonatePrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeCreateGlobalPrivilege	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: 33	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: 34	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: 35	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: 36	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
Token: SeIncreaseQuotaPrivilege	3372	msdcsc.exe
Token: SeSecurityPrivilege	3372	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3372	msdcsc.exe
Token: SeLoadDriverPrivilege	3372	msdcsc.exe
Token: SeSystemProfilePrivilege	3372	msdcsc.exe
Token: SeSystemtimePrivilege	3372	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3372	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3372	msdcsc.exe
Token: SeCreatePagefilePrivilege	3372	msdcsc.exe
Token: SeBackupPrivilege	3372	msdcsc.exe
Token: SeRestorePrivilege	3372	msdcsc.exe
Token: SeShutdownPrivilege	3372	msdcsc.exe
Token: SeDebugPrivilege	3372	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3372	msdcsc.exe
Token: SeChangeNotifyPrivilege	3372	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3372	msdcsc.exe
Token: SeUndockPrivilege	3372	msdcsc.exe
Token: SeManageVolumePrivilege	3372	msdcsc.exe
Token: SeImpersonatePrivilege	3372	msdcsc.exe
Token: SeCreateGlobalPrivilege	3372	msdcsc.exe
Token: 33	3372	msdcsc.exe
Token: 34	3372	msdcsc.exe
Token: 35	3372	msdcsc.exe
Token: 36	3372	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2000	msdcsc.exe
Token: SeSecurityPrivilege	2000	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2000	msdcsc.exe
Token: SeLoadDriverPrivilege	2000	msdcsc.exe
Token: SeSystemProfilePrivilege	2000	msdcsc.exe
Token: SeSystemtimePrivilege	2000	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2000	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2000	msdcsc.exe
Token: SeCreatePagefilePrivilege	2000	msdcsc.exe
Token: SeBackupPrivilege	2000	msdcsc.exe
Token: SeRestorePrivilege	2000	msdcsc.exe
Token: SeShutdownPrivilege	2000	msdcsc.exe
Token: SeDebugPrivilege	2000	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2000	msdcsc.exe
Token: SeChangeNotifyPrivilege	2000	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2000	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.execmd.execmd.execmd.exemsdcsc.execmd.execmd.execmd.exemsdcsc.execmd.execmd.execmd.exemsdcsc.exe

description	pid	process	target process
PID 1636 wrote to memory of 4544	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	cmd.exe
PID 1636 wrote to memory of 4544	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	cmd.exe
PID 1636 wrote to memory of 4544	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	cmd.exe
PID 1636 wrote to memory of 1736	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	cmd.exe
PID 1636 wrote to memory of 1736	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	cmd.exe
PID 1636 wrote to memory of 1736	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	cmd.exe
PID 1636 wrote to memory of 572	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	cmd.exe
PID 1636 wrote to memory of 572	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	cmd.exe
PID 1636 wrote to memory of 572	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	cmd.exe
PID 1736 wrote to memory of 956	1736	cmd.exe	PING.EXE
PID 1736 wrote to memory of 956	1736	cmd.exe	PING.EXE
PID 1736 wrote to memory of 956	1736	cmd.exe	PING.EXE
PID 4544 wrote to memory of 1784	4544	cmd.exe	PING.EXE
PID 4544 wrote to memory of 1784	4544	cmd.exe	PING.EXE
PID 4544 wrote to memory of 1784	4544	cmd.exe	PING.EXE
PID 572 wrote to memory of 2228	572	cmd.exe	PING.EXE
PID 572 wrote to memory of 2228	572	cmd.exe	PING.EXE
PID 572 wrote to memory of 2228	572	cmd.exe	PING.EXE
PID 1636 wrote to memory of 3372	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	msdcsc.exe
PID 1636 wrote to memory of 3372	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	msdcsc.exe
PID 1636 wrote to memory of 3372	1636	c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe	msdcsc.exe
PID 3372 wrote to memory of 560	3372	msdcsc.exe	cmd.exe
PID 3372 wrote to memory of 560	3372	msdcsc.exe	cmd.exe
PID 3372 wrote to memory of 560	3372	msdcsc.exe	cmd.exe
PID 3372 wrote to memory of 4336	3372	msdcsc.exe	cmd.exe
PID 3372 wrote to memory of 4336	3372	msdcsc.exe	cmd.exe
PID 3372 wrote to memory of 4336	3372	msdcsc.exe	cmd.exe
PID 3372 wrote to memory of 3932	3372	msdcsc.exe	cmd.exe
PID 3372 wrote to memory of 3932	3372	msdcsc.exe	cmd.exe
PID 3372 wrote to memory of 3932	3372	msdcsc.exe	cmd.exe
PID 560 wrote to memory of 4424	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 4424	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 4424	560	cmd.exe	PING.EXE
PID 4336 wrote to memory of 3180	4336	cmd.exe	PING.EXE
PID 4336 wrote to memory of 3180	4336	cmd.exe	PING.EXE
PID 4336 wrote to memory of 3180	4336	cmd.exe	PING.EXE
PID 3932 wrote to memory of 3332	3932	cmd.exe	PING.EXE
PID 3932 wrote to memory of 3332	3932	cmd.exe	PING.EXE
PID 3932 wrote to memory of 3332	3932	cmd.exe	PING.EXE
PID 3372 wrote to memory of 2000	3372	msdcsc.exe	msdcsc.exe
PID 3372 wrote to memory of 2000	3372	msdcsc.exe	msdcsc.exe
PID 3372 wrote to memory of 2000	3372	msdcsc.exe	msdcsc.exe
PID 2000 wrote to memory of 1988	2000	msdcsc.exe	cmd.exe
PID 2000 wrote to memory of 1988	2000	msdcsc.exe	cmd.exe
PID 2000 wrote to memory of 1988	2000	msdcsc.exe	cmd.exe
PID 2000 wrote to memory of 1236	2000	msdcsc.exe	cmd.exe
PID 2000 wrote to memory of 1236	2000	msdcsc.exe	cmd.exe
PID 2000 wrote to memory of 1236	2000	msdcsc.exe	cmd.exe
PID 2000 wrote to memory of 952	2000	msdcsc.exe	cmd.exe
PID 2000 wrote to memory of 952	2000	msdcsc.exe	cmd.exe
PID 2000 wrote to memory of 952	2000	msdcsc.exe	cmd.exe
PID 1988 wrote to memory of 1776	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1776	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1776	1988	cmd.exe	PING.EXE
PID 1236 wrote to memory of 544	1236	cmd.exe	PING.EXE
PID 1236 wrote to memory of 544	1236	cmd.exe	PING.EXE
PID 1236 wrote to memory of 544	1236	cmd.exe	PING.EXE
PID 952 wrote to memory of 3032	952	cmd.exe	PING.EXE
PID 952 wrote to memory of 3032	952	cmd.exe	PING.EXE
PID 952 wrote to memory of 3032	952	cmd.exe	PING.EXE
PID 2000 wrote to memory of 332	2000	msdcsc.exe	msdcsc.exe
PID 2000 wrote to memory of 332	2000	msdcsc.exe	msdcsc.exe
PID 2000 wrote to memory of 332	2000	msdcsc.exe	msdcsc.exe
PID 332 wrote to memory of 4992	332	msdcsc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe
"C:\Users\Admin\AppData\Local\Temp\c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
3⤵
- Runs ping.exe
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
3⤵
- Runs ping.exe
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
3⤵
- Runs ping.exe
PID:2228

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
4⤵
- Runs ping.exe
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
4⤵
- Runs ping.exe
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
4⤵
- Runs ping.exe
PID:3332

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
5⤵
- Runs ping.exe
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
5⤵
- Runs ping.exe
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
5⤵
- Runs ping.exe
PID:3032

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
5⤵
PID:4992

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
6⤵
- Runs ping.exe
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
5⤵
PID:3044

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
6⤵
- Runs ping.exe
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
5⤵
PID:5096

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
6⤵
- Runs ping.exe
PID:3980

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
6⤵
PID:1092

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
7⤵
- Runs ping.exe
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
6⤵
PID:1996

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
7⤵
- Runs ping.exe
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
6⤵
PID:3616

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
7⤵
- Runs ping.exe
PID:1072

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
7⤵
PID:700

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
8⤵
- Runs ping.exe
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
7⤵
PID:3216

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
8⤵
- Runs ping.exe
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
7⤵
PID:4116

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
8⤵
- Runs ping.exe
PID:1108

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
8⤵
PID:2736

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
9⤵
- Runs ping.exe
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
8⤵
PID:2184

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
9⤵
- Runs ping.exe
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
8⤵
PID:3700

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
9⤵
- Runs ping.exe
PID:3172

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
9⤵
PID:4080

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
10⤵
- Runs ping.exe
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
9⤵
PID:1692

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
10⤵
- Runs ping.exe
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
9⤵
PID:3988

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
10⤵
- Runs ping.exe
PID:2996

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
10⤵
PID:3748

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
11⤵
- Runs ping.exe
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
10⤵
PID:4840

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
11⤵
- Runs ping.exe
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
10⤵
PID:3276

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
11⤵
- Runs ping.exe
PID:4980

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
11⤵
PID:2040

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
12⤵
- Runs ping.exe
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
11⤵
PID:4700

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
12⤵
- Runs ping.exe
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
11⤵
PID:3536

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
12⤵
- Runs ping.exe
PID:1448

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
66B

MD5
928f845a43174a6b50c9d6570ffcdb80

SHA1
9629e5d002dc135413b955de93265f94bbb52411

SHA256
7b6ab8d8dd0c4871db96bb2ebe5f00596e891b6585edd125836bff6410ba5c37

SHA512
2b7b6e68fde35cd63ba2d9a13d5929988fba551b9ec546558a56ea7588bd146032b4473bcac733d4c3a938bf86bdac392e28208c8a4c71f7ffb2f37b8f680f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
131B

MD5
fa5e4409731a04062d34bbcc60914374

SHA1
0ebd1dfb094fe66ede921918a9efa4ef88527f29

SHA256
cb01da5f82bb69690006fce20f95a9c4b644f8c9b65c1254e830ec6271907f71

SHA512
f3d911283116ef1975a1f1b0a25b123bd1f66431e849dae084a804bee5029be720371a28e333f1a957df2c47180ab371a8e3eedc80916f7669aeb85143912054

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
66B

MD5
928f845a43174a6b50c9d6570ffcdb80

SHA1
9629e5d002dc135413b955de93265f94bbb52411

SHA256
7b6ab8d8dd0c4871db96bb2ebe5f00596e891b6585edd125836bff6410ba5c37

SHA512
2b7b6e68fde35cd63ba2d9a13d5929988fba551b9ec546558a56ea7588bd146032b4473bcac733d4c3a938bf86bdac392e28208c8a4c71f7ffb2f37b8f680f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
66B

MD5
928f845a43174a6b50c9d6570ffcdb80

SHA1
9629e5d002dc135413b955de93265f94bbb52411

SHA256
7b6ab8d8dd0c4871db96bb2ebe5f00596e891b6585edd125836bff6410ba5c37

SHA512
2b7b6e68fde35cd63ba2d9a13d5929988fba551b9ec546558a56ea7588bd146032b4473bcac733d4c3a938bf86bdac392e28208c8a4c71f7ffb2f37b8f680f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
66B

MD5
928f845a43174a6b50c9d6570ffcdb80

SHA1
9629e5d002dc135413b955de93265f94bbb52411

SHA256
7b6ab8d8dd0c4871db96bb2ebe5f00596e891b6585edd125836bff6410ba5c37

SHA512
2b7b6e68fde35cd63ba2d9a13d5929988fba551b9ec546558a56ea7588bd146032b4473bcac733d4c3a938bf86bdac392e28208c8a4c71f7ffb2f37b8f680f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
66B

MD5
928f845a43174a6b50c9d6570ffcdb80

SHA1
9629e5d002dc135413b955de93265f94bbb52411

SHA256
7b6ab8d8dd0c4871db96bb2ebe5f00596e891b6585edd125836bff6410ba5c37

SHA512
2b7b6e68fde35cd63ba2d9a13d5929988fba551b9ec546558a56ea7588bd146032b4473bcac733d4c3a938bf86bdac392e28208c8a4c71f7ffb2f37b8f680f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
66B

MD5
928f845a43174a6b50c9d6570ffcdb80

SHA1
9629e5d002dc135413b955de93265f94bbb52411

SHA256
7b6ab8d8dd0c4871db96bb2ebe5f00596e891b6585edd125836bff6410ba5c37

SHA512
2b7b6e68fde35cd63ba2d9a13d5929988fba551b9ec546558a56ea7588bd146032b4473bcac733d4c3a938bf86bdac392e28208c8a4c71f7ffb2f37b8f680f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
66B

MD5
928f845a43174a6b50c9d6570ffcdb80

SHA1
9629e5d002dc135413b955de93265f94bbb52411

SHA256
7b6ab8d8dd0c4871db96bb2ebe5f00596e891b6585edd125836bff6410ba5c37

SHA512
2b7b6e68fde35cd63ba2d9a13d5929988fba551b9ec546558a56ea7588bd146032b4473bcac733d4c3a938bf86bdac392e28208c8a4c71f7ffb2f37b8f680f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
66B

MD5
928f845a43174a6b50c9d6570ffcdb80

SHA1
9629e5d002dc135413b955de93265f94bbb52411

SHA256
7b6ab8d8dd0c4871db96bb2ebe5f00596e891b6585edd125836bff6410ba5c37

SHA512
2b7b6e68fde35cd63ba2d9a13d5929988fba551b9ec546558a56ea7588bd146032b4473bcac733d4c3a938bf86bdac392e28208c8a4c71f7ffb2f37b8f680f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
66B

MD5
928f845a43174a6b50c9d6570ffcdb80

SHA1
9629e5d002dc135413b955de93265f94bbb52411

SHA256
7b6ab8d8dd0c4871db96bb2ebe5f00596e891b6585edd125836bff6410ba5c37

SHA512
2b7b6e68fde35cd63ba2d9a13d5929988fba551b9ec546558a56ea7588bd146032b4473bcac733d4c3a938bf86bdac392e28208c8a4c71f7ffb2f37b8f680f63

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
384KB

MD5
fd1db0659e64c6c253a6f6b6ef624151

SHA1
d3004a293774e76624155f2e0751d2abc3a64885

SHA256
c52abb32db94605646393bb19038b26915e5e946965fbef23df8bb12fa95b4b6

SHA512
3650e7647eb478678cd459c5442223a4703f6ec7fe4a37bc644afe18821588dde06b36e488c07c718bd20f179c6937cb705343f903598ec3167bbe86248c5905

Download Submit
memory/332-167-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/332-164-0x0000000000000000-mapping.dmp

Download
memory/332-177-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/432-239-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/544-162-0x0000000000000000-mapping.dmp

Download
memory/560-146-0x0000000000000000-mapping.dmp

Download
memory/572-136-0x0000000000000000-mapping.dmp

Download
memory/700-191-0x0000000000000000-mapping.dmp

Download
memory/808-184-0x0000000000000000-mapping.dmp

Download
memory/836-185-0x0000000000000000-mapping.dmp

Download
memory/952-159-0x0000000000000000-mapping.dmp

Download
memory/956-138-0x0000000000000000-mapping.dmp

Download
memory/976-229-0x0000000000000000-mapping.dmp

Download
memory/1072-186-0x0000000000000000-mapping.dmp

Download
memory/1092-180-0x0000000000000000-mapping.dmp

Download
memory/1108-197-0x0000000000000000-mapping.dmp

Download
memory/1236-158-0x0000000000000000-mapping.dmp

Download
memory/1236-206-0x0000000000000000-mapping.dmp

Download
memory/1452-230-0x0000000000000000-mapping.dmp

Download
memory/1496-172-0x0000000000000000-mapping.dmp

Download
memory/1636-133-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1636-132-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1636-144-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1644-207-0x0000000000000000-mapping.dmp

Download
memory/1692-214-0x0000000000000000-mapping.dmp

Download
memory/1736-135-0x0000000000000000-mapping.dmp

Download
memory/1776-161-0x0000000000000000-mapping.dmp

Download
memory/1784-139-0x0000000000000000-mapping.dmp

Download
memory/1988-157-0x0000000000000000-mapping.dmp

Download
memory/1996-181-0x0000000000000000-mapping.dmp

Download
memory/2000-166-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2000-156-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2000-153-0x0000000000000000-mapping.dmp

Download
memory/2040-236-0x0000000000000000-mapping.dmp

Download
memory/2184-203-0x0000000000000000-mapping.dmp

Download
memory/2228-140-0x0000000000000000-mapping.dmp

Download
memory/2240-224-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2240-221-0x0000000000000000-mapping.dmp

Download
memory/2240-234-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2736-202-0x0000000000000000-mapping.dmp

Download
memory/2996-219-0x0000000000000000-mapping.dmp

Download
memory/3032-163-0x0000000000000000-mapping.dmp

Download
memory/3044-169-0x0000000000000000-mapping.dmp

Download
memory/3060-195-0x0000000000000000-mapping.dmp

Download
memory/3160-220-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3160-223-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3160-212-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3160-209-0x0000000000000000-mapping.dmp

Download
memory/3172-208-0x0000000000000000-mapping.dmp

Download
memory/3180-151-0x0000000000000000-mapping.dmp

Download
memory/3216-192-0x0000000000000000-mapping.dmp

Download
memory/3276-227-0x0000000000000000-mapping.dmp

Download
memory/3332-152-0x0000000000000000-mapping.dmp

Download
memory/3372-155-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3372-141-0x0000000000000000-mapping.dmp

Download
memory/3372-145-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3568-217-0x0000000000000000-mapping.dmp

Download
memory/3616-182-0x0000000000000000-mapping.dmp

Download
memory/3700-204-0x0000000000000000-mapping.dmp

Download
memory/3748-225-0x0000000000000000-mapping.dmp

Download
memory/3852-201-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3852-211-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3852-198-0x0000000000000000-mapping.dmp

Download
memory/3932-148-0x0000000000000000-mapping.dmp

Download
memory/3980-174-0x0000000000000000-mapping.dmp

Download
memory/3988-215-0x0000000000000000-mapping.dmp

Download
memory/4080-173-0x0000000000000000-mapping.dmp

Download
memory/4080-213-0x0000000000000000-mapping.dmp

Download
memory/4116-193-0x0000000000000000-mapping.dmp

Download
memory/4308-218-0x0000000000000000-mapping.dmp

Download
memory/4336-147-0x0000000000000000-mapping.dmp

Download
memory/4424-150-0x0000000000000000-mapping.dmp

Download
memory/4544-134-0x0000000000000000-mapping.dmp

Download
memory/4600-189-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4600-178-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4600-175-0x0000000000000000-mapping.dmp

Download
memory/4600-179-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4612-196-0x0000000000000000-mapping.dmp

Download
memory/4840-226-0x0000000000000000-mapping.dmp

Download
memory/4944-232-0x0000000000000000-mapping.dmp

Download
memory/4944-235-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4944-238-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4980-231-0x0000000000000000-mapping.dmp

Download
memory/4992-168-0x0000000000000000-mapping.dmp

Download
memory/5020-187-0x0000000000000000-mapping.dmp

Download
memory/5020-190-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/5020-200-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/5096-170-0x0000000000000000-mapping.dmp

Download