darkcomet | c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101

Analysis

max time kernel
157s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
Size

2.7MB
MD5

349b587ed5fda616d179ba9a1718fb4c
SHA1

d503cdd4bd462f182ff328cc262ec0f99486d6f4
SHA256

c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101
SHA512

29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd
SSDEEP

24576:SKKTygi5eQlaRERr3Aui0K29imwteZGSzZt3cn5uXPBL7I7noV6jOIyz8+CQBKZq:+IKjOIy3DBKZFOeBYie

Score

10^/10

darkcomet ph evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

justfordarkcomet.zapto.org:1604

127.0.0.1:1604

192.168.0.2:1604

Mutex

DC_MUTEX-E6M25ZF

Attributes

gencode
ytR7Ej1ChUCo
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	vbc.exe

Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

vbc.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	vbc.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

vbc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vbc.exe

Executes dropped EXE 3 IoCs

Processes:

Call Of duty 2 wh.exeWLIDSCV.exeNBfjzsAMLEadIpfE.exe

pid process

4932 Call Of duty 2 wh.exe
2140 WLIDSCV.exe
4284 NBfjzsAMLEadIpfE.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2844 attrib.exe
3688 attrib.exe

pid	process
4932	Call Of duty 2 wh.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe

pid	process
2844	attrib.exe
3688	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exeWLIDSCV.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WLIDSCV.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exevbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nixXXcTJlDkJiOil = "C:\\Users\\Admin\\AppData\\Roaming\\NBfjzsAMLEadIpfE.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ugtAYUTPz = "C:\\Users\\Admin\\AppData\\Roaming\\LZrWcMqIG.exe"	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exeCall Of duty 2 wh.exeNBfjzsAMLEadIpfE.exe

description	pid	process	target process
PID 1348 set thread context of 4160	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 4932 set thread context of 4904	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4284 set thread context of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

attrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377072393"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000890"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1774211343"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1805460571"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000890"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{92144B66-752D-11ED-B696-DA88DC7FA106} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000890"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1774211343"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\LZrWcMqIG.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WLIDSCV.exeCall Of duty 2 wh.exeNBfjzsAMLEadIpfE.exe

pid	process
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4932	Call Of duty 2 wh.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe
2140	WLIDSCV.exe
4284	NBfjzsAMLEadIpfE.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

vbc.exeiexplore.exe

pid process

4984 vbc.exe
552 iexplore.exe

pid	process
4984	vbc.exe
552	iexplore.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

WLIDSCV.exeCall Of duty 2 wh.exeNBfjzsAMLEadIpfE.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2140	WLIDSCV.exe
Token: SeDebugPrivilege	4932	Call Of duty 2 wh.exe
Token: SeDebugPrivilege	4284	NBfjzsAMLEadIpfE.exe
Token: SeIncreaseQuotaPrivilege	4984	vbc.exe
Token: SeSecurityPrivilege	4984	vbc.exe
Token: SeTakeOwnershipPrivilege	4984	vbc.exe
Token: SeLoadDriverPrivilege	4984	vbc.exe
Token: SeSystemProfilePrivilege	4984	vbc.exe
Token: SeSystemtimePrivilege	4984	vbc.exe
Token: SeProfSingleProcessPrivilege	4984	vbc.exe
Token: SeIncBasePriorityPrivilege	4984	vbc.exe
Token: SeCreatePagefilePrivilege	4984	vbc.exe
Token: SeBackupPrivilege	4984	vbc.exe
Token: SeRestorePrivilege	4984	vbc.exe
Token: SeShutdownPrivilege	4984	vbc.exe
Token: SeDebugPrivilege	4984	vbc.exe
Token: SeSystemEnvironmentPrivilege	4984	vbc.exe
Token: SeChangeNotifyPrivilege	4984	vbc.exe
Token: SeRemoteShutdownPrivilege	4984	vbc.exe
Token: SeUndockPrivilege	4984	vbc.exe
Token: SeManageVolumePrivilege	4984	vbc.exe
Token: SeImpersonatePrivilege	4984	vbc.exe
Token: SeCreateGlobalPrivilege	4984	vbc.exe
Token: 33	4984	vbc.exe
Token: 34	4984	vbc.exe
Token: 35	4984	vbc.exe
Token: 36	4984	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

552 iexplore.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

vbc.exevbc.exeiexplore.exeIEXPLORE.EXEvbc.exe

pid process

4160 vbc.exe
4904 vbc.exe
552 iexplore.exe
552 iexplore.exe
4084 IEXPLORE.EXE
4084 IEXPLORE.EXE
4984 vbc.exe
4084 IEXPLORE.EXE
4084 IEXPLORE.EXE

pid	process
552	iexplore.exe

pid	process
4160	vbc.exe
4904	vbc.exe
552	iexplore.exe
552	iexplore.exe
4084	IEXPLORE.EXE
4084	IEXPLORE.EXE
4984	vbc.exe
4084	IEXPLORE.EXE
4084	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exeCall Of duty 2 wh.exevbc.exevbc.exeWLIDSCV.exeiexplore.exeNBfjzsAMLEadIpfE.exevbc.exe

description	pid	process	target process
PID 1348 wrote to memory of 4160	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1348 wrote to memory of 4160	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1348 wrote to memory of 4160	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1348 wrote to memory of 4160	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1348 wrote to memory of 4160	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1348 wrote to memory of 4160	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1348 wrote to memory of 4160	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1348 wrote to memory of 4160	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1348 wrote to memory of 3756	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	cmd.exe
PID 1348 wrote to memory of 3756	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	cmd.exe
PID 1348 wrote to memory of 3756	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	cmd.exe
PID 1348 wrote to memory of 4932	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	Call Of duty 2 wh.exe
PID 1348 wrote to memory of 4932	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	Call Of duty 2 wh.exe
PID 1348 wrote to memory of 4932	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	Call Of duty 2 wh.exe
PID 1348 wrote to memory of 4892	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1348 wrote to memory of 4892	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 1348 wrote to memory of 4892	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	vbc.exe
PID 4932 wrote to memory of 4904	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4932 wrote to memory of 4904	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4932 wrote to memory of 4904	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4932 wrote to memory of 4904	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4932 wrote to memory of 4904	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4932 wrote to memory of 4904	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4932 wrote to memory of 4904	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4932 wrote to memory of 4904	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4932 wrote to memory of 1140	4932	Call Of duty 2 wh.exe	cmd.exe
PID 4932 wrote to memory of 1140	4932	Call Of duty 2 wh.exe	cmd.exe
PID 4932 wrote to memory of 1140	4932	Call Of duty 2 wh.exe	cmd.exe
PID 4892 wrote to memory of 2032	4892	vbc.exe	cvtres.exe
PID 4892 wrote to memory of 2032	4892	vbc.exe	cvtres.exe
PID 4892 wrote to memory of 2032	4892	vbc.exe	cvtres.exe
PID 4932 wrote to memory of 3360	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4932 wrote to memory of 3360	4932	Call Of duty 2 wh.exe	vbc.exe
PID 4932 wrote to memory of 3360	4932	Call Of duty 2 wh.exe	vbc.exe
PID 1348 wrote to memory of 2140	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	WLIDSCV.exe
PID 1348 wrote to memory of 2140	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	WLIDSCV.exe
PID 1348 wrote to memory of 2140	1348	c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe	WLIDSCV.exe
PID 3360 wrote to memory of 1620	3360	vbc.exe	cvtres.exe
PID 3360 wrote to memory of 1620	3360	vbc.exe	cvtres.exe
PID 3360 wrote to memory of 1620	3360	vbc.exe	cvtres.exe
PID 4932 wrote to memory of 552	4932	Call Of duty 2 wh.exe	iexplore.exe
PID 4932 wrote to memory of 552	4932	Call Of duty 2 wh.exe	iexplore.exe
PID 2140 wrote to memory of 4284	2140	WLIDSCV.exe	NBfjzsAMLEadIpfE.exe
PID 2140 wrote to memory of 4284	2140	WLIDSCV.exe	NBfjzsAMLEadIpfE.exe
PID 2140 wrote to memory of 4284	2140	WLIDSCV.exe	NBfjzsAMLEadIpfE.exe
PID 552 wrote to memory of 4084	552	iexplore.exe	IEXPLORE.EXE
PID 552 wrote to memory of 4084	552	iexplore.exe	IEXPLORE.EXE
PID 552 wrote to memory of 4084	552	iexplore.exe	IEXPLORE.EXE
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4284 wrote to memory of 4984	4284	NBfjzsAMLEadIpfE.exe	vbc.exe
PID 4984 wrote to memory of 4080	4984	vbc.exe	cmd.exe
PID 4984 wrote to memory of 4080	4984	vbc.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2844 attrib.exe
3688 attrib.exe

pid	process
2844	attrib.exe
3688	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
"C:\Users\Admin\AppData\Local\Temp\c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:3756

C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe
"C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\SysWOW64\cmd.exe
"cmd"
3⤵
- NTFS ADS
PID:1140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6aujngdq.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAE8D6EEDBB548828CBE837AE315B2C0.TMP"
4⤵
PID:1620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:552 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_acvxrqk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEB977055BA748E2B929FDD6FA266411.TMP"
3⤵
PID:2032

C:\Users\Admin\AppData\Roaming\WLIDSCV.exe
"C:\Users\Admin\AppData\Roaming\WLIDSCV.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe
"C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
4⤵
- Modifies firewall policy service
- Windows security bypass
- Disables RegEdit via registry modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
5⤵
PID:4080

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
6⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
5⤵
PID:3980

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
6⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:3688

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
ac572cbbc82d6d652cdbe2596aeac4ee

SHA1
a631b27cf33fe134f42ed411d7ea06c21df41ad5

SHA256
50b6d8f62150a7bd25fb3e462130e8e054a0f1fb619487e8c426a4c8bf6bdca8

SHA512
070095ec83e4eeccae5dcbadcb3132f08fd0aac50badbc42cb72691236b6cfcdf14ce275fb1bf5511896bb4dd25c2121e044341003c1a507be8fabc0b2b1bfff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
f390d56e5df4500f4f6856243a5a1e42

SHA1
df9e375af08894bf177a362eb55fc7ec398fbb9b

SHA256
ddb7923dfa6aefc149a9b40c55466e82be52ef518b144967cbfebb06dad8f869

SHA512
c80b934b5d81a8543c57c3c4d007d8b1ed815ae646f13ab3818dca3e08651d5e57dc5aa2618dc1f58d59a782af65c195d23b2f3e5424b39a0a99427e4badbe72

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aujngdq.0.vb
Filesize
1KB

MD5
50c58a9068c0a03cc687dc2b4d48897b

SHA1
30a152329a9ec53af43ddf8b7afa7e9fa8db5137

SHA256
0ba8eaadd1312856fcd44457e5ed4a1dc4e81b9730747d9386a462937396f9c8

SHA512
a4f04862809b2e28af4e97e8958e2b554e1ea89abb2d697a4b0aea05946e44369ea054a51f0ea53f973cbbbd6c7e810fe799b9212f5766e85461f2b186be68d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aujngdq.cmdline
Filesize
248B

MD5
971588d50f5cffef10bb7fa78cc6c59c

SHA1
d0b1f7c3ef02d2f00aee42ee54b1b09536825bd1

SHA256
4d4d45f53b2ab1411aea9ab53255e78b4ee61e516bb25a5894fdaf2c48028e3e

SHA512
668cfdead29c195e1fe71af29b005c8fc49650c00acb9ae384accee016380e38cd506adb63ab2ea4eedf28a3d2d8bbbb4ff80af6b436a02e18d2f3c8076ce30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB9DF.tmp
Filesize
1KB

MD5
6a39283204786976d77426a4ee292d64

SHA1
4f0e6f72f21cdf2f036ac27b289078bfdd9cb9df

SHA256
12c0a2d92faf38971a139a29331242d5b36fed686131b922894a8fd346361a43

SHA512
9db90cb83123665200757003d0b2c0ebfc1696218593eb002c998df749681f60dcab34f32be5b1c52d1b6659c90893d065433a9c78fa5dc3ba4d28c691601b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB46.tmp
Filesize
1KB

MD5
2e1c8915924d27b2b42768410914b1f6

SHA1
6dc544f75e22cbb43d16f377005a628e15b1fd7e

SHA256
93e41e59c02e7ed9d342fd1b101709ed40a73a152cb3838f95885f048936929e

SHA512
a5f88cf3998d80cd2d1f0de5dd55ba16440ac085d4797f6d26910ca42c700cdfeae470b89f679704d0f35136866ea23e817669c8fd82644dcada8c479c522c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_acvxrqk.0.vb
Filesize
1KB

MD5
807864bc5874b59e52fb57ad8f94cb43

SHA1
ebe40463b82af606869fd9eb5fbf7a0c9e2d8eed

SHA256
d0d58960f9306f7245f38e44d66f9c8f938eb0e3a3b4e6c29ba2b326ce3acf7d

SHA512
ac009ba60a589ca71aace3f8321b11721d0d912c5cab4079cc6075ac607de705817b234a0429b8b4a6cd39e37c72ca755345500fd8391bfc279347e39a9452d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_acvxrqk.cmdline
Filesize
248B

MD5
29c4e61003a34ef1c389e1cf3115e974

SHA1
4a5209a5c8cfcc9c2adec8a611cac6a4e7e5ba07

SHA256
4fe54a894326d1a99ff7077abdd770ffb9487f6816f92e879773de28576343fc

SHA512
8c5a353b22ec992b853955c04873002ad7d8588ffce18a7ff29831b1b6d804e4c750ae50a4e326afa4bd615634f94097dbf0ccde49bfdcb289c418745e95307e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEAE8D6EEDBB548828CBE837AE315B2C0.TMP
Filesize
644B

MD5
070d19a29fd713891607e27d97ead816

SHA1
e42cf75eb53e89ce253dea01274f383bc498cb3b

SHA256
1ee0d7a798e175d5a7d518bb3b27d4cebff4bc1bade76f4a3e433d88ee926d1e

SHA512
65a26d184056e35d15c6609bc15313742cbc77baeb0228e1081bdc96ff91631fdcf363787a1bfdfa4883155039c7ef2953ad7e4e4f20e2f71005d0bec98e27ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEEB977055BA748E2B929FDD6FA266411.TMP
Filesize
644B

MD5
070d19a29fd713891607e27d97ead816

SHA1
e42cf75eb53e89ce253dea01274f383bc498cb3b

SHA256
1ee0d7a798e175d5a7d518bb3b27d4cebff4bc1bade76f4a3e433d88ee926d1e

SHA512
65a26d184056e35d15c6609bc15313742cbc77baeb0228e1081bdc96ff91631fdcf363787a1bfdfa4883155039c7ef2953ad7e4e4f20e2f71005d0bec98e27ef

Download Submit
C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe
Filesize
1.1MB

MD5
5161ef523bfd5701f9b5f5225f040f19

SHA1
18fcab853e6e475286caa4f6598aed4169223885

SHA256
e00974d91ab5fd276dcfe490a261073dc00a3e9bf8b918880715db74a84d34f0

SHA512
898abda2099c81800066be158118400571740c62b8349b60f5c5e724564881c2606f8d1ed70f86610c7e4d238763dc89078cbe30e2c20b3515e80ef181033ad5

Download Submit
C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe
Filesize
1.1MB

MD5
5161ef523bfd5701f9b5f5225f040f19

SHA1
18fcab853e6e475286caa4f6598aed4169223885

SHA256
e00974d91ab5fd276dcfe490a261073dc00a3e9bf8b918880715db74a84d34f0

SHA512
898abda2099c81800066be158118400571740c62b8349b60f5c5e724564881c2606f8d1ed70f86610c7e4d238763dc89078cbe30e2c20b3515e80ef181033ad5

Download Submit
C:\Users\Admin\AppData\Roaming\LZrWcMqIG.exe:ZONE.identifier
Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe
Filesize
2.7MB

MD5
349b587ed5fda616d179ba9a1718fb4c

SHA1
d503cdd4bd462f182ff328cc262ec0f99486d6f4

SHA256
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101

SHA512
29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd

Download Submit
C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe
Filesize
2.7MB

MD5
349b587ed5fda616d179ba9a1718fb4c

SHA1
d503cdd4bd462f182ff328cc262ec0f99486d6f4

SHA256
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101

SHA512
29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd

Download Submit
C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe
Filesize
2.7MB

MD5
349b587ed5fda616d179ba9a1718fb4c

SHA1
d503cdd4bd462f182ff328cc262ec0f99486d6f4

SHA256
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101

SHA512
29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd

Download Submit
C:\Users\Admin\AppData\Roaming\WLIDSCV.exe
Filesize
7KB

MD5
00e90e6cd098ab943b761562d1fbbee5

SHA1
12ea9bfd4d7f394c6021f459a1b0f364325007d8

SHA256
70334556a71765f4c6fb4182e989f6bdeb3bd70ef2099d4010aed4891b49d088

SHA512
6fae5eb6e616dde5271310c8c42e041bce98ff31dc151c15170218eec7a120da1eb36e74329de52331ef3d0f8a74377beda31fac3d09594d3625457389d0b813

Download Submit
C:\Users\Admin\AppData\Roaming\WLIDSCV.exe
Filesize
7KB

MD5
00e90e6cd098ab943b761562d1fbbee5

SHA1
12ea9bfd4d7f394c6021f459a1b0f364325007d8

SHA256
70334556a71765f4c6fb4182e989f6bdeb3bd70ef2099d4010aed4891b49d088

SHA512
6fae5eb6e616dde5271310c8c42e041bce98ff31dc151c15170218eec7a120da1eb36e74329de52331ef3d0f8a74377beda31fac3d09594d3625457389d0b813

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt
Filesize
138B

MD5
ce5116376502f7ea74e285546554e7a7

SHA1
49e0d08484aff6abbc2074bb7c5c5d1771c695bc

SHA256
6f50f66872b7759dba6e033ec4ebeceee513870233fa84467e52750bf8bb1ba6

SHA512
06e2cf5747aaef37b9ac5750b082b6012e663367c008c51a1eab4434184e2c4b446d4bc35c98518734a998e042b51d8bbcbedaef6121986df611fd1923f6401a

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt
Filesize
74B

MD5
98aae9187c8f33add1f036a632df36e1

SHA1
e882acb6a1b6a9970b6d5f6063a955970db13d01

SHA256
30f496723a7b1fc9e5e4e4dde14a0a084deac35e44f1e2c0bb88a1f884a9a67a

SHA512
af94dce01956734948e2214931d3472a9f94efd3a26130e9d8242ead68d7167ab0b1eff9bd0d66244ffbb03f38a4c27801e9994a85796290212e4838a0692a0b

Download Submit
memory/1140-154-0x0000000000000000-mapping.dmp

Download
memory/1348-132-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1348-170-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1620-168-0x0000000000000000-mapping.dmp

Download
memory/2032-159-0x0000000000000000-mapping.dmp

Download
memory/2140-183-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/2140-176-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/2140-164-0x0000000000000000-mapping.dmp

Download
memory/2844-187-0x0000000000000000-mapping.dmp

Download
memory/2864-186-0x0000000000000000-mapping.dmp

Download
memory/3360-162-0x0000000000000000-mapping.dmp

Download
memory/3688-188-0x0000000000000000-mapping.dmp

Download
memory/3756-136-0x0000000000000000-mapping.dmp

Download
memory/3980-185-0x0000000000000000-mapping.dmp

Download
memory/4080-184-0x0000000000000000-mapping.dmp

Download
memory/4160-133-0x0000000000000000-mapping.dmp

Download
memory/4160-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4160-142-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4160-134-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4284-189-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/4284-174-0x0000000000000000-mapping.dmp

Download
memory/4284-181-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/4892-146-0x0000000000000000-mapping.dmp

Download
memory/4904-147-0x0000000000000000-mapping.dmp

Download
memory/4904-156-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4932-173-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/4932-153-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/4932-143-0x0000000000000000-mapping.dmp

Download
memory/4984-182-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4984-180-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4984-179-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4984-178-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4984-177-0x0000000000000000-mapping.dmp

Download
memory/4984-190-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download