darkcomet | c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101

Analysis

max time kernel
152s
max time network
171s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
Size

2.7MB
MD5

349b587ed5fda616d179ba9a1718fb4c
SHA1

d503cdd4bd462f182ff328cc262ec0f99486d6f4
SHA256

c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101
SHA512

29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd
SSDEEP

24576:SKKTygi5eQlaRERr3Aui0K29imwteZGSzZt3cn5uXPBL7I7noV6jOIyz8+CQBKZq:+IKjOIy3DBKZFOeBYie

Score

10^/10

darkcomet ph evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

justfordarkcomet.zapto.org:1604

127.0.0.1:1604

192.168.0.2:1604

Mutex

DC_MUTEX-E6M25ZF

Attributes

gencode
ytR7Ej1ChUCo
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	vbc.exe

Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

vbc.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	vbc.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

vbc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vbc.exe

Executes dropped EXE 3 IoCs

Processes:

Call Of duty 2 wh.exeWLIDSCV.exeNBfjzsAMLEadIpfE.exe

pid process

1616 Call Of duty 2 wh.exe
1668 WLIDSCV.exe
988 NBfjzsAMLEadIpfE.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1100 attrib.exe
1520 attrib.exe

pid	process
1616	Call Of duty 2 wh.exe
1668	WLIDSCV.exe
988	NBfjzsAMLEadIpfE.exe

pid	process
1100	attrib.exe
1520	attrib.exe

Loads dropped DLL 6 IoCs

Processes:

c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exeWLIDSCV.exe

pid	process
1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
1668	WLIDSCV.exe
1668	WLIDSCV.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exevbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\nixXXcTJlDkJiOil = "C:\\Users\\Admin\\AppData\\Roaming\\NBfjzsAMLEadIpfE.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ugtAYUTPz = "C:\\Users\\Admin\\AppData\\Roaming\\LZrWcMqIG.exe"	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exeCall Of duty 2 wh.exeNBfjzsAMLEadIpfE.exe

description	pid	process	target process
PID 1376 set thread context of 892	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1616 set thread context of 1080	1616	Call Of duty 2 wh.exe	vbc.exe
PID 988 set thread context of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

attrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377072453"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B1B7CBC1-752D-11ED-AFC0-6662AD81E03A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\LZrWcMqIG.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WLIDSCV.exeCall Of duty 2 wh.exeNBfjzsAMLEadIpfE.exe

pid	process
1668	WLIDSCV.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
1668	WLIDSCV.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
1668	WLIDSCV.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
1668	WLIDSCV.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
1668	WLIDSCV.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
1668	WLIDSCV.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
1668	WLIDSCV.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe
1668	WLIDSCV.exe
1616	Call Of duty 2 wh.exe
988	NBfjzsAMLEadIpfE.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

WLIDSCV.exeCall Of duty 2 wh.exeNBfjzsAMLEadIpfE.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1668	WLIDSCV.exe
Token: SeDebugPrivilege	1616	Call Of duty 2 wh.exe
Token: SeDebugPrivilege	988	NBfjzsAMLEadIpfE.exe
Token: SeIncreaseQuotaPrivilege	1936	vbc.exe
Token: SeSecurityPrivilege	1936	vbc.exe
Token: SeTakeOwnershipPrivilege	1936	vbc.exe
Token: SeLoadDriverPrivilege	1936	vbc.exe
Token: SeSystemProfilePrivilege	1936	vbc.exe
Token: SeSystemtimePrivilege	1936	vbc.exe
Token: SeProfSingleProcessPrivilege	1936	vbc.exe
Token: SeIncBasePriorityPrivilege	1936	vbc.exe
Token: SeCreatePagefilePrivilege	1936	vbc.exe
Token: SeBackupPrivilege	1936	vbc.exe
Token: SeRestorePrivilege	1936	vbc.exe
Token: SeShutdownPrivilege	1936	vbc.exe
Token: SeDebugPrivilege	1936	vbc.exe
Token: SeSystemEnvironmentPrivilege	1936	vbc.exe
Token: SeChangeNotifyPrivilege	1936	vbc.exe
Token: SeRemoteShutdownPrivilege	1936	vbc.exe
Token: SeUndockPrivilege	1936	vbc.exe
Token: SeManageVolumePrivilege	1936	vbc.exe
Token: SeImpersonatePrivilege	1936	vbc.exe
Token: SeCreateGlobalPrivilege	1936	vbc.exe
Token: 33	1936	vbc.exe
Token: 34	1936	vbc.exe
Token: 35	1936	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1296 iexplore.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

vbc.exevbc.exeiexplore.exeIEXPLORE.EXEvbc.exe

pid process

892 vbc.exe
1080 vbc.exe
1296 iexplore.exe
1296 iexplore.exe
1488 IEXPLORE.EXE
1488 IEXPLORE.EXE
1936 vbc.exe
1488 IEXPLORE.EXE
1488 IEXPLORE.EXE

pid	process
1296	iexplore.exe

pid	process
892	vbc.exe
1080	vbc.exe
1296	iexplore.exe
1296	iexplore.exe
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1936	vbc.exe
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exeCall Of duty 2 wh.exevbc.exeWLIDSCV.exeNBfjzsAMLEadIpfE.exeiexplore.exe

description	pid	process	target process
PID 1376 wrote to memory of 892	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 892	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 892	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 892	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 892	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 892	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 892	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 892	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 892	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 468	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	cmd.exe
PID 1376 wrote to memory of 468	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	cmd.exe
PID 1376 wrote to memory of 468	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	cmd.exe
PID 1376 wrote to memory of 468	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	cmd.exe
PID 1376 wrote to memory of 1616	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	Call Of duty 2 wh.exe
PID 1376 wrote to memory of 1616	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	Call Of duty 2 wh.exe
PID 1376 wrote to memory of 1616	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	Call Of duty 2 wh.exe
PID 1376 wrote to memory of 1616	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	Call Of duty 2 wh.exe
PID 1376 wrote to memory of 1520	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 1520	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 1520	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1376 wrote to memory of 1520	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1616 wrote to memory of 1080	1616	Call Of duty 2 wh.exe	vbc.exe
PID 1616 wrote to memory of 1080	1616	Call Of duty 2 wh.exe	vbc.exe
PID 1616 wrote to memory of 1080	1616	Call Of duty 2 wh.exe	vbc.exe
PID 1616 wrote to memory of 1080	1616	Call Of duty 2 wh.exe	vbc.exe
PID 1616 wrote to memory of 1080	1616	Call Of duty 2 wh.exe	vbc.exe
PID 1616 wrote to memory of 1080	1616	Call Of duty 2 wh.exe	vbc.exe
PID 1616 wrote to memory of 1080	1616	Call Of duty 2 wh.exe	vbc.exe
PID 1616 wrote to memory of 1080	1616	Call Of duty 2 wh.exe	vbc.exe
PID 1616 wrote to memory of 1080	1616	Call Of duty 2 wh.exe	vbc.exe
PID 1520 wrote to memory of 1688	1520	vbc.exe	cvtres.exe
PID 1520 wrote to memory of 1688	1520	vbc.exe	cvtres.exe
PID 1520 wrote to memory of 1688	1520	vbc.exe	cvtres.exe
PID 1520 wrote to memory of 1688	1520	vbc.exe	cvtres.exe
PID 1376 wrote to memory of 1668	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	WLIDSCV.exe
PID 1376 wrote to memory of 1668	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	WLIDSCV.exe
PID 1376 wrote to memory of 1668	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	WLIDSCV.exe
PID 1376 wrote to memory of 1668	1376	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	WLIDSCV.exe
PID 1616 wrote to memory of 1952	1616	Call Of duty 2 wh.exe	cmd.exe
PID 1616 wrote to memory of 1952	1616	Call Of duty 2 wh.exe	cmd.exe
PID 1616 wrote to memory of 1952	1616	Call Of duty 2 wh.exe	cmd.exe
PID 1616 wrote to memory of 1952	1616	Call Of duty 2 wh.exe	cmd.exe
PID 1668 wrote to memory of 988	1668	WLIDSCV.exe	NBfjzsAMLEadIpfE.exe
PID 1668 wrote to memory of 988	1668	WLIDSCV.exe	NBfjzsAMLEadIpfE.exe
PID 1668 wrote to memory of 988	1668	WLIDSCV.exe	NBfjzsAMLEadIpfE.exe
PID 1668 wrote to memory of 988	1668	WLIDSCV.exe	NBfjzsAMLEadIpfE.exe
PID 1616 wrote to memory of 1296	1616	Call Of duty 2 wh.exe	iexplore.exe
PID 1616 wrote to memory of 1296	1616	Call Of duty 2 wh.exe	iexplore.exe
PID 1616 wrote to memory of 1296	1616	Call Of duty 2 wh.exe	iexplore.exe
PID 1616 wrote to memory of 1296	1616	Call Of duty 2 wh.exe	iexplore.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 988 wrote to memory of 1936	988	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 1296 wrote to memory of 1488	1296	iexplore.exe	IEXPLORE.EXE

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1100 attrib.exe
1520 attrib.exe

pid	process
1100	attrib.exe
1520	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
"C:\Users\Admin\AppData\Local\Temp\c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:468

C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe
"C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Windows\SysWOW64\cmd.exe
"cmd"
3⤵
- NTFS ADS
PID:1952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rkceib5x.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEF8.tmp"
3⤵
PID:1688

C:\Users\Admin\AppData\Roaming\WLIDSCV.exe
"C:\Users\Admin\AppData\Roaming\WLIDSCV.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe
"C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
4⤵
- Modifies firewall policy service
- Windows security bypass
- Disables RegEdit via registry modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
5⤵
PID:1768

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
6⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
5⤵
PID:380

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
6⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1100

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFF09.tmp
Filesize
1KB

MD5
16f7aa19cb1791520cc7ffa4ada2bb1f

SHA1
93200faec416a1327483af192a044755940bde5f

SHA256
8c0e694a63eb42a1ea74dc9f9577766bbc1f48653a3a4904fd3435cad71650e7

SHA512
a75b4525c6bc35ba735c83029262b56ab35175961296cea2ac78a60e41d504ba716e5c52c82eeb5fd4bfe7e260c1653e304c4abb470059b5c13940796d6c84e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkceib5x.0.vb
Filesize
1KB

MD5
807864bc5874b59e52fb57ad8f94cb43

SHA1
ebe40463b82af606869fd9eb5fbf7a0c9e2d8eed

SHA256
d0d58960f9306f7245f38e44d66f9c8f938eb0e3a3b4e6c29ba2b326ce3acf7d

SHA512
ac009ba60a589ca71aace3f8321b11721d0d912c5cab4079cc6075ac607de705817b234a0429b8b4a6cd39e37c72ca755345500fd8391bfc279347e39a9452d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkceib5x.cmdline
Filesize
248B

MD5
6de578a06d7c79461c35e958646a9e56

SHA1
c32b91b2da888266fdf164e177a41dd12cacde64

SHA256
648a044c9384e29be14910664d99accc626364daba9ed7990a251cfc4cfa94c5

SHA512
c07af38c9e0f56b833fc9d63320b66e94fc148877562ddd2175e8a5805333dced9055cd89751a341f587b2260a43844512a164725fe7f95ffef13029ee2a70a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFEF8.tmp
Filesize
644B

MD5
070d19a29fd713891607e27d97ead816

SHA1
e42cf75eb53e89ce253dea01274f383bc498cb3b

SHA256
1ee0d7a798e175d5a7d518bb3b27d4cebff4bc1bade76f4a3e433d88ee926d1e

SHA512
65a26d184056e35d15c6609bc15313742cbc77baeb0228e1081bdc96ff91631fdcf363787a1bfdfa4883155039c7ef2953ad7e4e4f20e2f71005d0bec98e27ef

Download Submit
C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe
Filesize
1.1MB

MD5
5161ef523bfd5701f9b5f5225f040f19

SHA1
18fcab853e6e475286caa4f6598aed4169223885

SHA256
e00974d91ab5fd276dcfe490a261073dc00a3e9bf8b918880715db74a84d34f0

SHA512
898abda2099c81800066be158118400571740c62b8349b60f5c5e724564881c2606f8d1ed70f86610c7e4d238763dc89078cbe30e2c20b3515e80ef181033ad5

Download Submit
C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe
Filesize
1.1MB

MD5
5161ef523bfd5701f9b5f5225f040f19

SHA1
18fcab853e6e475286caa4f6598aed4169223885

SHA256
e00974d91ab5fd276dcfe490a261073dc00a3e9bf8b918880715db74a84d34f0

SHA512
898abda2099c81800066be158118400571740c62b8349b60f5c5e724564881c2606f8d1ed70f86610c7e4d238763dc89078cbe30e2c20b3515e80ef181033ad5

Download Submit
C:\Users\Admin\AppData\Roaming\LZrWcMqIG.exe:ZONE.identifier
Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GD7DYF3C.txt
Filesize
608B

MD5
4ab4fb46e254e2f0c15cf8317ec2183f

SHA1
40eba42c9d57e032a8231d157c09b195ae79e54c

SHA256
b2e780609ba6cfc38b6c4ea9be581b010706a8638121eb7d62dbb906bfa76495

SHA512
57e94f7d548da24c1e73aa20401dd704b7e5bbbeced1c1a5c542b72e3fd1ea5b9aab6646cb95a77ca1298eb097a2365ce5a1be6de48379dc23c045092a09b740

Download Submit
C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe
Filesize
2.7MB

MD5
349b587ed5fda616d179ba9a1718fb4c

SHA1
d503cdd4bd462f182ff328cc262ec0f99486d6f4

SHA256
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101

SHA512
29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd

Download Submit
C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe
Filesize
2.7MB

MD5
349b587ed5fda616d179ba9a1718fb4c

SHA1
d503cdd4bd462f182ff328cc262ec0f99486d6f4

SHA256
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101

SHA512
29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd

Download Submit
C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe:ZONE.identifier
Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Roaming\WLIDSCV.exe
Filesize
7KB

MD5
dd85b585599a1f2a306ce67280db3c7a

SHA1
cf0b1257efd26c1fe2dc878275ac7b6c4d7173f5

SHA256
22629de901d99f27d0303a886259d99688f0eaa24cd1b878f51eda1e1130ea03

SHA512
e587d80fd922d4da6beb982b0734fa87ba9b62ebd30fdf7cbf3177d94fdcb54650e54274c78d887f3cbbace499c534e5c5d5d307eeb2813dccbc5375d8861912

Download Submit
C:\Users\Admin\AppData\Roaming\WLIDSCV.exe
Filesize
7KB

MD5
dd85b585599a1f2a306ce67280db3c7a

SHA1
cf0b1257efd26c1fe2dc878275ac7b6c4d7173f5

SHA256
22629de901d99f27d0303a886259d99688f0eaa24cd1b878f51eda1e1130ea03

SHA512
e587d80fd922d4da6beb982b0734fa87ba9b62ebd30fdf7cbf3177d94fdcb54650e54274c78d887f3cbbace499c534e5c5d5d307eeb2813dccbc5375d8861912

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt
Filesize
138B

MD5
ce5116376502f7ea74e285546554e7a7

SHA1
49e0d08484aff6abbc2074bb7c5c5d1771c695bc

SHA256
6f50f66872b7759dba6e033ec4ebeceee513870233fa84467e52750bf8bb1ba6

SHA512
06e2cf5747aaef37b9ac5750b082b6012e663367c008c51a1eab4434184e2c4b446d4bc35c98518734a998e042b51d8bbcbedaef6121986df611fd1923f6401a

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt
Filesize
74B

MD5
98aae9187c8f33add1f036a632df36e1

SHA1
e882acb6a1b6a9970b6d5f6063a955970db13d01

SHA256
30f496723a7b1fc9e5e4e4dde14a0a084deac35e44f1e2c0bb88a1f884a9a67a

SHA512
af94dce01956734948e2214931d3472a9f94efd3a26130e9d8242ead68d7167ab0b1eff9bd0d66244ffbb03f38a4c27801e9994a85796290212e4838a0692a0b

Download Submit
\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe
Filesize
1.1MB

MD5
5161ef523bfd5701f9b5f5225f040f19

SHA1
18fcab853e6e475286caa4f6598aed4169223885

SHA256
e00974d91ab5fd276dcfe490a261073dc00a3e9bf8b918880715db74a84d34f0

SHA512
898abda2099c81800066be158118400571740c62b8349b60f5c5e724564881c2606f8d1ed70f86610c7e4d238763dc89078cbe30e2c20b3515e80ef181033ad5

Download Submit
\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe
Filesize
1.1MB

MD5
5161ef523bfd5701f9b5f5225f040f19

SHA1
18fcab853e6e475286caa4f6598aed4169223885

SHA256
e00974d91ab5fd276dcfe490a261073dc00a3e9bf8b918880715db74a84d34f0

SHA512
898abda2099c81800066be158118400571740c62b8349b60f5c5e724564881c2606f8d1ed70f86610c7e4d238763dc89078cbe30e2c20b3515e80ef181033ad5

Download Submit
\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe
Filesize
2.7MB

MD5
349b587ed5fda616d179ba9a1718fb4c

SHA1
d503cdd4bd462f182ff328cc262ec0f99486d6f4

SHA256
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101

SHA512
29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd

Download Submit
\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe
Filesize
2.7MB

MD5
349b587ed5fda616d179ba9a1718fb4c

SHA1
d503cdd4bd462f182ff328cc262ec0f99486d6f4

SHA256
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101

SHA512
29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd

Download Submit
\Users\Admin\AppData\Roaming\WLIDSCV.exe
Filesize
7KB

MD5
dd85b585599a1f2a306ce67280db3c7a

SHA1
cf0b1257efd26c1fe2dc878275ac7b6c4d7173f5

SHA256
22629de901d99f27d0303a886259d99688f0eaa24cd1b878f51eda1e1130ea03

SHA512
e587d80fd922d4da6beb982b0734fa87ba9b62ebd30fdf7cbf3177d94fdcb54650e54274c78d887f3cbbace499c534e5c5d5d307eeb2813dccbc5375d8861912

Download Submit
\Users\Admin\AppData\Roaming\WLIDSCV.exe
Filesize
7KB

MD5
dd85b585599a1f2a306ce67280db3c7a

SHA1
cf0b1257efd26c1fe2dc878275ac7b6c4d7173f5

SHA256
22629de901d99f27d0303a886259d99688f0eaa24cd1b878f51eda1e1130ea03

SHA512
e587d80fd922d4da6beb982b0734fa87ba9b62ebd30fdf7cbf3177d94fdcb54650e54274c78d887f3cbbace499c534e5c5d5d307eeb2813dccbc5375d8861912

Download Submit
memory/380-135-0x0000000000000000-mapping.dmp

Download
memory/432-139-0x0000000000000000-mapping.dmp

Download
memory/468-69-0x0000000000000000-mapping.dmp

Download
memory/892-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/892-68-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/892-61-0x0000000000401238-mapping.dmp

Download
memory/892-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/892-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/892-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/988-131-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/988-143-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/988-110-0x0000000000000000-mapping.dmp

Download
memory/1080-87-0x0000000000401238-mapping.dmp

Download
memory/1080-93-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1100-138-0x0000000000000000-mapping.dmp

Download
memory/1376-104-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/1376-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1376-65-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/1376-71-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-137-0x0000000000000000-mapping.dmp

Download
memory/1520-79-0x0000000000000000-mapping.dmp

Download
memory/1616-140-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/1616-74-0x0000000000000000-mapping.dmp

Download
memory/1616-78-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/1668-125-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/1668-101-0x0000000000000000-mapping.dmp

Download
memory/1668-142-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/1688-95-0x0000000000000000-mapping.dmp

Download
memory/1768-136-0x0000000000000000-mapping.dmp

Download
memory/1936-126-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-122-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-130-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-133-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-134-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-129-0x0000000000490888-mapping.dmp

Download
memory/1936-113-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-128-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-123-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-120-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-118-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-116-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-114-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1936-144-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1952-105-0x0000000000000000-mapping.dmp

Download