darkcomet | 8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2023 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A1DB2DK7S9.CNT.exe
Size

2.1MB
MD5

9cb1667d78bac6997eefe37a44397558
SHA1

992651316c65ac2f6e0bd301543bea6c6cc507b1
SHA256

8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69
SHA512

21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69
SSDEEP

24576:RUMPXPReQkyrfVQHxsvw2HuSOVyrGYZF0CV8twiylCS9u+cY7KPJ+HlD9IExKMac:3pe9qNQHxfwGUlype8+cY7KUx3

Score

10^/10

darkcomet nanocore febeuary 2023 evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

FEBEUARY 2023

timmy08.ddns.net:39399

Mutex

DC_MUTEX-Q2S9RDY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
uwAzfkQN5QEN
install
true
offline_keylogger
true
persistence
true
reg_key
chrome

Extracted

Family

nanocore

Version

1.2.2.0

timmy06.ddns.net:28289

timmy08.ddns.net:28289

Mutex

62f06349-2bb0-4c20-ac84-f82ad01a1521

Attributes

activate_away_mode
false
backup_connection_host
timmy08.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-12-01T20:37:32.816492236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
28289
default_group
FEBRUARY 2023
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
62f06349-2bb0-4c20-ac84-f82ad01a1521
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
timmy06.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

A1DB2DK7S9.CNT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	A1DB2DK7S9.CNT.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4880 attrib.exe
1512 attrib.exe

pid	process
4880	attrib.exe
1512	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A1DB2DK7S9.CNT.exeA1DB2DK7S9.CNT.exemsdcsc.exemsdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	A1DB2DK7S9.CNT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	A1DB2DK7S9.CNT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Executes dropped EXE 4 IoCs

Processes:

STUB 003.EXEmsdcsc.exemsdcsc.exeSTUB 003.EXE

pid process

3332 STUB 003.EXE
4924 msdcsc.exe
1156 msdcsc.exe
5048 STUB 003.EXE

pid	process
3332	STUB 003.EXE
4924	msdcsc.exe
1156	msdcsc.exe
5048	STUB 003.EXE

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

STUB 003.EXEmsdcsc.exeA1DB2DK7S9.CNT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Service = "C:\\Program Files (x86)\\NAT Service\\natsvc.exe"	STUB 003.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	A1DB2DK7S9.CNT.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

STUB 003.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA STUB 003.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	STUB 003.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

A1DB2DK7S9.CNT.exemsdcsc.exe

description	pid	process	target process
PID 4388 set thread context of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4924 set thread context of 1156	4924	msdcsc.exe	msdcsc.exe

Drops file in Program Files directory 2 IoCs

Processes:

STUB 003.EXE

description	ioc	process
File created	C:\Program Files (x86)\NAT Service\natsvc.exe	STUB 003.EXE
File opened for modification	C:\Program Files (x86)\NAT Service\natsvc.exe	STUB 003.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4952 schtasks.exe
5088 schtasks.exe
4836 schtasks.exe
5068 schtasks.exe

pid	process
4952	schtasks.exe
5088	schtasks.exe
4836	schtasks.exe
5068	schtasks.exe

Modifies registry class 1 IoCs

Processes:

A1DB2DK7S9.CNT.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	A1DB2DK7S9.CNT.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

A1DB2DK7S9.CNT.exepowershell.exepowershell.exeSTUB 003.EXEmsdcsc.exepowershell.exepowershell.exe

pid	process
4388	A1DB2DK7S9.CNT.exe
4388	A1DB2DK7S9.CNT.exe
4388	A1DB2DK7S9.CNT.exe
4388	A1DB2DK7S9.CNT.exe
4388	A1DB2DK7S9.CNT.exe
4388	A1DB2DK7S9.CNT.exe
4388	A1DB2DK7S9.CNT.exe
4388	A1DB2DK7S9.CNT.exe
4388	A1DB2DK7S9.CNT.exe
1256	powershell.exe
2600	powershell.exe
4388	A1DB2DK7S9.CNT.exe
4388	A1DB2DK7S9.CNT.exe
4388	A1DB2DK7S9.CNT.exe
2600	powershell.exe
1256	powershell.exe
3332	STUB 003.EXE
3332	STUB 003.EXE
3332	STUB 003.EXE
4924	msdcsc.exe
4924	msdcsc.exe
4924	msdcsc.exe
4924	msdcsc.exe
4924	msdcsc.exe
4924	msdcsc.exe
4924	msdcsc.exe
4924	msdcsc.exe
2984	powershell.exe
3596	powershell.exe
4924	msdcsc.exe
2984	powershell.exe
3596	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

STUB 003.EXE

pid process

3332 STUB 003.EXE

pid	process
3332	STUB 003.EXE

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

A1DB2DK7S9.CNT.exepowershell.exepowershell.exeA1DB2DK7S9.CNT.exeSTUB 003.EXEmsdcsc.exepowershell.exepowershell.exemsdcsc.exe

description	pid	process
Token: SeDebugPrivilege	4388	A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeIncreaseQuotaPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeSecurityPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeTakeOwnershipPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeLoadDriverPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeSystemProfilePrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeSystemtimePrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeProfSingleProcessPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeIncBasePriorityPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeCreatePagefilePrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeBackupPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeRestorePrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeShutdownPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeSystemEnvironmentPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeChangeNotifyPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeRemoteShutdownPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeUndockPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeManageVolumePrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeImpersonatePrivilege	3996	A1DB2DK7S9.CNT.exe
Token: SeCreateGlobalPrivilege	3996	A1DB2DK7S9.CNT.exe
Token: 33	3996	A1DB2DK7S9.CNT.exe
Token: 34	3996	A1DB2DK7S9.CNT.exe
Token: 35	3996	A1DB2DK7S9.CNT.exe
Token: 36	3996	A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege	3332	STUB 003.EXE
Token: SeDebugPrivilege	4924	msdcsc.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeIncreaseQuotaPrivilege	1156	msdcsc.exe
Token: SeSecurityPrivilege	1156	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1156	msdcsc.exe
Token: SeLoadDriverPrivilege	1156	msdcsc.exe
Token: SeSystemProfilePrivilege	1156	msdcsc.exe
Token: SeSystemtimePrivilege	1156	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1156	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1156	msdcsc.exe
Token: SeCreatePagefilePrivilege	1156	msdcsc.exe
Token: SeBackupPrivilege	1156	msdcsc.exe
Token: SeRestorePrivilege	1156	msdcsc.exe
Token: SeShutdownPrivilege	1156	msdcsc.exe
Token: SeDebugPrivilege	1156	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1156	msdcsc.exe
Token: SeChangeNotifyPrivilege	1156	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1156	msdcsc.exe
Token: SeUndockPrivilege	1156	msdcsc.exe
Token: SeManageVolumePrivilege	1156	msdcsc.exe
Token: SeImpersonatePrivilege	1156	msdcsc.exe
Token: SeCreateGlobalPrivilege	1156	msdcsc.exe
Token: 33	1156	msdcsc.exe
Token: 34	1156	msdcsc.exe
Token: 35	1156	msdcsc.exe
Token: 36	1156	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1156 msdcsc.exe

pid	process
1156	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

A1DB2DK7S9.CNT.exeA1DB2DK7S9.CNT.execmd.execmd.exeSTUB 003.EXE

description	pid	process	target process
PID 4388 wrote to memory of 1256	4388	A1DB2DK7S9.CNT.exe	powershell.exe
PID 4388 wrote to memory of 1256	4388	A1DB2DK7S9.CNT.exe	powershell.exe
PID 4388 wrote to memory of 1256	4388	A1DB2DK7S9.CNT.exe	powershell.exe
PID 4388 wrote to memory of 2600	4388	A1DB2DK7S9.CNT.exe	powershell.exe
PID 4388 wrote to memory of 2600	4388	A1DB2DK7S9.CNT.exe	powershell.exe
PID 4388 wrote to memory of 2600	4388	A1DB2DK7S9.CNT.exe	powershell.exe
PID 4388 wrote to memory of 4952	4388	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 4388 wrote to memory of 4952	4388	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 4388 wrote to memory of 4952	4388	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 4388 wrote to memory of 2264	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 2264	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 2264	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 4388 wrote to memory of 3996	4388	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 3996 wrote to memory of 3992	3996	A1DB2DK7S9.CNT.exe	cmd.exe
PID 3996 wrote to memory of 3992	3996	A1DB2DK7S9.CNT.exe	cmd.exe
PID 3996 wrote to memory of 3992	3996	A1DB2DK7S9.CNT.exe	cmd.exe
PID 3996 wrote to memory of 2980	3996	A1DB2DK7S9.CNT.exe	cmd.exe
PID 3996 wrote to memory of 2980	3996	A1DB2DK7S9.CNT.exe	cmd.exe
PID 3996 wrote to memory of 2980	3996	A1DB2DK7S9.CNT.exe	cmd.exe
PID 3996 wrote to memory of 3332	3996	A1DB2DK7S9.CNT.exe	STUB 003.EXE
PID 3996 wrote to memory of 3332	3996	A1DB2DK7S9.CNT.exe	STUB 003.EXE
PID 3996 wrote to memory of 3332	3996	A1DB2DK7S9.CNT.exe	STUB 003.EXE
PID 2980 wrote to memory of 4880	2980	cmd.exe	attrib.exe
PID 2980 wrote to memory of 4880	2980	cmd.exe	attrib.exe
PID 2980 wrote to memory of 4880	2980	cmd.exe	attrib.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3996 wrote to memory of 1920	3996	A1DB2DK7S9.CNT.exe	notepad.exe
PID 3992 wrote to memory of 1512	3992	cmd.exe	attrib.exe
PID 3992 wrote to memory of 1512	3992	cmd.exe	attrib.exe
PID 3992 wrote to memory of 1512	3992	cmd.exe	attrib.exe
PID 3332 wrote to memory of 5088	3332	STUB 003.EXE	schtasks.exe
PID 3332 wrote to memory of 5088	3332	STUB 003.EXE	schtasks.exe
PID 3332 wrote to memory of 5088	3332	STUB 003.EXE	schtasks.exe
PID 3332 wrote to memory of 4836	3332	STUB 003.EXE	schtasks.exe
PID 3332 wrote to memory of 4836	3332	STUB 003.EXE	schtasks.exe
PID 3332 wrote to memory of 4836	3332	STUB 003.EXE	schtasks.exe
PID 3996 wrote to memory of 4924	3996	A1DB2DK7S9.CNT.exe	msdcsc.exe
PID 3996 wrote to memory of 4924	3996	A1DB2DK7S9.CNT.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4880 attrib.exe
1512 attrib.exe

pid	process
4880	attrib.exe
1512	attrib.exe

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vWYrDTb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vWYrDTb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E77.tmp"
2⤵
- Creates scheduled task(s)
PID:4952

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1512

C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
"C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAT Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp"
4⤵
- Creates scheduled task(s)
PID:5088

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAT Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8955.tmp"
4⤵
- Creates scheduled task(s)
PID:4836

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1920

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vWYrDTb.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vWYrDTb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79FD.tmp"
4⤵
- Creates scheduled task(s)
PID:5068

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Modifies security service
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
"C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE"
5⤵
- Executes dropped EXE
PID:5048

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
804f7c975bcde332d5062792ad2b053f

SHA1
d8e7bf1b3efba5e8ec036fb17e06f600b18642e7

SHA256
efc31231a84c4b2f97d6e8d04d0b824d57f17f6ad2436b2aecaf05cbdbd38347

SHA512
321296937bcf4a9c83491204d80d7218b44d4f6be4d19b39e4a12aa8b0e6cf7cd7c0ada36dd2356112ebf1686174900bd3ecf89cb6c00d7b980e22303df2193c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
804f7c975bcde332d5062792ad2b053f

SHA1
d8e7bf1b3efba5e8ec036fb17e06f600b18642e7

SHA256
efc31231a84c4b2f97d6e8d04d0b824d57f17f6ad2436b2aecaf05cbdbd38347

SHA512
321296937bcf4a9c83491204d80d7218b44d4f6be4d19b39e4a12aa8b0e6cf7cd7c0ada36dd2356112ebf1686174900bd3ecf89cb6c00d7b980e22303df2193c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c0a7b08db372f4c6289e1ca3171e95d2

SHA1
aecfba335088bcbae0fc73de5ef54e2b9c606e14

SHA256
6ad22366d9131b59a1cb1c0c1cf0a2cfc9033265f14df862652c2ceeddc0b7f6

SHA512
9182e08e2ee9962daaa33fd8c8a2921f2a79af8068d52dbab33d78e103fb2e8e3fcb8eda3c386078722ca8ba0af7c3e9295d975e97f9fa424c2a942215254aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bh2l5zcd.1tj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79FD.tmp
Filesize
1KB

MD5
ca06438ddae3dc2c98e0766c3ee82880

SHA1
6b22a1e2d8c58976981e8afa77738b98e5202286

SHA256
de1539a99733ad4218e2f44e9ecad38e4b0eb48f0200f4f0000b0b42fa8120dc

SHA512
687306f7f7834026b9241c9028725ea79cb6c6bbcb97aba594cd2166140d1dd6f8021d4373f0b5c913e25cf3f40c8f3c55deaf2531ff79ceebfc5952fe57753a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E77.tmp
Filesize
1KB

MD5
ca06438ddae3dc2c98e0766c3ee82880

SHA1
6b22a1e2d8c58976981e8afa77738b98e5202286

SHA256
de1539a99733ad4218e2f44e9ecad38e4b0eb48f0200f4f0000b0b42fa8120dc

SHA512
687306f7f7834026b9241c9028725ea79cb6c6bbcb97aba594cd2166140d1dd6f8021d4373f0b5c913e25cf3f40c8f3c55deaf2531ff79ceebfc5952fe57753a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp
Filesize
1KB

MD5
bee7e3f58413577299b5b7131a33fa4c

SHA1
9e4f8c4ea7777c026e0cef09b9b154440074faa7

SHA256
ba85fd61d6c18e39b83ba2fd82d3859bbde7c082ddf95c8ea1cf9aff1d1e9402

SHA512
8241b56d56e1ea61648039a17de400c2263875f742038f22c7f87b7470d2b4d45c4d289d967f09fef9d05f1e1af3145723b49d8bac3f4a23e4cb810d3d84e94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8955.tmp
Filesize
1KB

MD5
45cb9fac03bbbeb9a6e82b85eb3efbda

SHA1
4d6c00b68434d11f346ce844ccbc2ed7b7d4acff

SHA256
185deb301fb4155d92e158bad5a52722c63ae7399a5b9d3d875050d5389b933a

SHA512
00713c53d7193660ba223a47fa46225cb6d870ea5ea794f703efc73e21e6e01b7283dac5be3d5280e553b922521e32bc7db591bf471bd7673a1a0b62b198073b

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.1MB

MD5
9cb1667d78bac6997eefe37a44397558

SHA1
992651316c65ac2f6e0bd301543bea6c6cc507b1

SHA256
8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

SHA512
21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.1MB

MD5
9cb1667d78bac6997eefe37a44397558

SHA1
992651316c65ac2f6e0bd301543bea6c6cc507b1

SHA256
8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

SHA512
21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.1MB

MD5
9cb1667d78bac6997eefe37a44397558

SHA1
992651316c65ac2f6e0bd301543bea6c6cc507b1

SHA256
8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

SHA512
21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.1MB

MD5
9cb1667d78bac6997eefe37a44397558

SHA1
992651316c65ac2f6e0bd301543bea6c6cc507b1

SHA256
8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

SHA512
21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69

Download Submit
memory/804-332-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/1156-323-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1156-330-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/1156-324-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1156-325-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1156-363-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1156-335-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1156-326-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1156-333-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1256-145-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/1256-273-0x000000007F670000-0x000000007F680000-memory.dmp

Filesize
64KB

Download
memory/1256-291-0x00000000075B0000-0x00000000075B8000-memory.dmp

Filesize
32KB

Download
memory/1256-144-0x00000000049C0000-0x00000000049F6000-memory.dmp

Filesize
216KB

Download
memory/1256-289-0x00000000074C0000-0x00000000074CE000-memory.dmp

Filesize
56KB

Download
memory/1256-149-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/1256-284-0x0000000007300000-0x000000000730A000-memory.dmp

Filesize
40KB

Download
memory/1256-256-0x0000000071090000-0x00000000710DC000-memory.dmp

Filesize
304KB

Download
memory/1256-164-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1256-169-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1256-270-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1920-189-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2600-272-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/2600-177-0x0000000005F80000-0x0000000005F9E000-memory.dmp

Filesize
120KB

Download
memory/2600-148-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/2600-170-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/2600-271-0x000000007F000000-0x000000007F010000-memory.dmp

Filesize
64KB

Download
memory/2600-267-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/2600-253-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/2600-243-0x0000000071090000-0x00000000710DC000-memory.dmp

Filesize
304KB

Download
memory/2600-285-0x0000000007500000-0x0000000007596000-memory.dmp

Filesize
600KB

Download
memory/2600-269-0x00000000078D0000-0x0000000007F4A000-memory.dmp

Filesize
6.5MB

Download
memory/2600-147-0x00000000050A0000-0x00000000050C2000-memory.dmp

Filesize
136KB

Download
memory/2600-242-0x0000000006550000-0x0000000006582000-memory.dmp

Filesize
200KB

Download
memory/2600-290-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/2984-345-0x00000000716C0000-0x000000007170C000-memory.dmp

Filesize
304KB

Download
memory/2984-357-0x0000000004510000-0x0000000004520000-memory.dmp

Filesize
64KB

Download
memory/2984-327-0x0000000004510000-0x0000000004520000-memory.dmp

Filesize
64KB

Download
memory/2984-328-0x0000000004510000-0x0000000004520000-memory.dmp

Filesize
64KB

Download
memory/2984-358-0x000000007F8A0000-0x000000007F8B0000-memory.dmp

Filesize
64KB

Download
memory/3332-188-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/3332-295-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/3332-296-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/3332-268-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/3596-334-0x00000000716C0000-0x000000007170C000-memory.dmp

Filesize
304KB

Download
memory/3596-329-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3596-356-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3996-172-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3996-171-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3996-174-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3996-186-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3996-287-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3996-187-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/4388-136-0x0000000005300000-0x000000000530A000-memory.dmp

Filesize
40KB

Download
memory/4388-137-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/4388-138-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/4388-139-0x00000000073E0000-0x000000000747C000-memory.dmp

Filesize
624KB

Download
memory/4388-133-0x0000000000730000-0x000000000094E000-memory.dmp

Filesize
2.1MB

Download
memory/4388-135-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/4388-134-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/4924-297-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4924-286-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/5048-355-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download