darkcomet | 8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2023 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A1DB2DK7S9.CNT.exe
Size

2.1MB
MD5

9cb1667d78bac6997eefe37a44397558
SHA1

992651316c65ac2f6e0bd301543bea6c6cc507b1
SHA256

8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69
SHA512

21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69
SSDEEP

24576:RUMPXPReQkyrfVQHxsvw2HuSOVyrGYZF0CV8twiylCS9u+cY7KPJ+HlD9IExKMac:3pe9qNQHxfwGUlype8+cY7KUx3

Score

10^/10

darkcomet nanocore febeuary 2023 evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

FEBEUARY 2023

timmy08.ddns.net:39399

Mutex

DC_MUTEX-Q2S9RDY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
uwAzfkQN5QEN
install
true
offline_keylogger
true
persistence
true
reg_key
chrome

Extracted

Family

nanocore

Version

1.2.2.0

timmy06.ddns.net:28289

timmy08.ddns.net:28289

Mutex

62f06349-2bb0-4c20-ac84-f82ad01a1521

Attributes

activate_away_mode
false
backup_connection_host
timmy08.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-12-01T20:37:32.816492236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
28289
default_group
FEBRUARY 2023
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
62f06349-2bb0-4c20-ac84-f82ad01a1521
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
timmy06.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

A1DB2DK7S9.CNT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	A1DB2DK7S9.CNT.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2008 attrib.exe
2188 attrib.exe

pid	process
2008	attrib.exe
2188	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A1DB2DK7S9.CNT.exeA1DB2DK7S9.CNT.exemsdcsc.exemsdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	A1DB2DK7S9.CNT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	A1DB2DK7S9.CNT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Executes dropped EXE 4 IoCs

Processes:

STUB 003.EXEmsdcsc.exemsdcsc.exeSTUB 003.EXE

pid process

4828 STUB 003.EXE
1492 msdcsc.exe
3312 msdcsc.exe
748 STUB 003.EXE

pid	process
4828	STUB 003.EXE
1492	msdcsc.exe
3312	msdcsc.exe
748	STUB 003.EXE

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

A1DB2DK7S9.CNT.exeSTUB 003.EXEmsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	A1DB2DK7S9.CNT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Service = "C:\\Program Files (x86)\\NAT Service\\natsvc.exe"	STUB 003.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

STUB 003.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA STUB 003.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	STUB 003.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

A1DB2DK7S9.CNT.exemsdcsc.exe

description	pid	process	target process
PID 5016 set thread context of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1492 set thread context of 3312	1492	msdcsc.exe	msdcsc.exe

Drops file in Program Files directory 2 IoCs

Processes:

STUB 003.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\NAT Service\natsvc.exe	STUB 003.EXE
File created	C:\Program Files (x86)\NAT Service\natsvc.exe	STUB 003.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1968 schtasks.exe
4304 schtasks.exe
1880 schtasks.exe
2092 schtasks.exe

pid	process
1968	schtasks.exe
4304	schtasks.exe
1880	schtasks.exe
2092	schtasks.exe

Modifies registry class 1 IoCs

Processes:

A1DB2DK7S9.CNT.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	A1DB2DK7S9.CNT.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

A1DB2DK7S9.CNT.exepowershell.exepowershell.exeSTUB 003.EXEmsdcsc.exepowershell.exepowershell.exe

pid	process
5016	A1DB2DK7S9.CNT.exe
5016	A1DB2DK7S9.CNT.exe
5016	A1DB2DK7S9.CNT.exe
5016	A1DB2DK7S9.CNT.exe
5016	A1DB2DK7S9.CNT.exe
5016	A1DB2DK7S9.CNT.exe
5016	A1DB2DK7S9.CNT.exe
5016	A1DB2DK7S9.CNT.exe
5016	A1DB2DK7S9.CNT.exe
2020	powershell.exe
3640	powershell.exe
5016	A1DB2DK7S9.CNT.exe
5016	A1DB2DK7S9.CNT.exe
5016	A1DB2DK7S9.CNT.exe
2020	powershell.exe
3640	powershell.exe
4828	STUB 003.EXE
4828	STUB 003.EXE
4828	STUB 003.EXE
1492	msdcsc.exe
1492	msdcsc.exe
1492	msdcsc.exe
1492	msdcsc.exe
1492	msdcsc.exe
1492	msdcsc.exe
1492	msdcsc.exe
1492	msdcsc.exe
2112	powershell.exe
4664	powershell.exe
1492	msdcsc.exe
2112	powershell.exe
4664	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

STUB 003.EXE

pid process

4828 STUB 003.EXE

pid	process
4828	STUB 003.EXE

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

A1DB2DK7S9.CNT.exepowershell.exepowershell.exeA1DB2DK7S9.CNT.exeSTUB 003.EXEmsdcsc.exepowershell.exepowershell.exemsdcsc.exe

description	pid	process
Token: SeDebugPrivilege	5016	A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeIncreaseQuotaPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeSecurityPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeTakeOwnershipPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeLoadDriverPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeSystemProfilePrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeSystemtimePrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeProfSingleProcessPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeIncBasePriorityPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeCreatePagefilePrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeBackupPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeRestorePrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeShutdownPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeSystemEnvironmentPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeChangeNotifyPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeRemoteShutdownPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeUndockPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeManageVolumePrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeImpersonatePrivilege	1876	A1DB2DK7S9.CNT.exe
Token: SeCreateGlobalPrivilege	1876	A1DB2DK7S9.CNT.exe
Token: 33	1876	A1DB2DK7S9.CNT.exe
Token: 34	1876	A1DB2DK7S9.CNT.exe
Token: 35	1876	A1DB2DK7S9.CNT.exe
Token: 36	1876	A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege	4828	STUB 003.EXE
Token: SeDebugPrivilege	1492	msdcsc.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeIncreaseQuotaPrivilege	3312	msdcsc.exe
Token: SeSecurityPrivilege	3312	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3312	msdcsc.exe
Token: SeLoadDriverPrivilege	3312	msdcsc.exe
Token: SeSystemProfilePrivilege	3312	msdcsc.exe
Token: SeSystemtimePrivilege	3312	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3312	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3312	msdcsc.exe
Token: SeCreatePagefilePrivilege	3312	msdcsc.exe
Token: SeBackupPrivilege	3312	msdcsc.exe
Token: SeRestorePrivilege	3312	msdcsc.exe
Token: SeShutdownPrivilege	3312	msdcsc.exe
Token: SeDebugPrivilege	3312	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3312	msdcsc.exe
Token: SeChangeNotifyPrivilege	3312	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3312	msdcsc.exe
Token: SeUndockPrivilege	3312	msdcsc.exe
Token: SeManageVolumePrivilege	3312	msdcsc.exe
Token: SeImpersonatePrivilege	3312	msdcsc.exe
Token: SeCreateGlobalPrivilege	3312	msdcsc.exe
Token: 33	3312	msdcsc.exe
Token: 34	3312	msdcsc.exe
Token: 35	3312	msdcsc.exe
Token: 36	3312	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

3312 msdcsc.exe

pid	process
3312	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

A1DB2DK7S9.CNT.exeA1DB2DK7S9.CNT.execmd.execmd.exeSTUB 003.EXE

description	pid	process	target process
PID 5016 wrote to memory of 2020	5016	A1DB2DK7S9.CNT.exe	powershell.exe
PID 5016 wrote to memory of 2020	5016	A1DB2DK7S9.CNT.exe	powershell.exe
PID 5016 wrote to memory of 2020	5016	A1DB2DK7S9.CNT.exe	powershell.exe
PID 5016 wrote to memory of 3640	5016	A1DB2DK7S9.CNT.exe	powershell.exe
PID 5016 wrote to memory of 3640	5016	A1DB2DK7S9.CNT.exe	powershell.exe
PID 5016 wrote to memory of 3640	5016	A1DB2DK7S9.CNT.exe	powershell.exe
PID 5016 wrote to memory of 1968	5016	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 5016 wrote to memory of 1968	5016	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 5016 wrote to memory of 1968	5016	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 5016 wrote to memory of 3924	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 3924	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 3924	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 5016 wrote to memory of 1876	5016	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1876 wrote to memory of 2444	1876	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1876 wrote to memory of 2444	1876	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1876 wrote to memory of 2444	1876	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1876 wrote to memory of 32	1876	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1876 wrote to memory of 32	1876	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1876 wrote to memory of 32	1876	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1876 wrote to memory of 4828	1876	A1DB2DK7S9.CNT.exe	STUB 003.EXE
PID 1876 wrote to memory of 4828	1876	A1DB2DK7S9.CNT.exe	STUB 003.EXE
PID 1876 wrote to memory of 4828	1876	A1DB2DK7S9.CNT.exe	STUB 003.EXE
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 2636	1876	A1DB2DK7S9.CNT.exe	notepad.exe
PID 32 wrote to memory of 2188	32	cmd.exe	attrib.exe
PID 32 wrote to memory of 2188	32	cmd.exe	attrib.exe
PID 32 wrote to memory of 2188	32	cmd.exe	attrib.exe
PID 2444 wrote to memory of 2008	2444	cmd.exe	attrib.exe
PID 2444 wrote to memory of 2008	2444	cmd.exe	attrib.exe
PID 2444 wrote to memory of 2008	2444	cmd.exe	attrib.exe
PID 4828 wrote to memory of 4304	4828	STUB 003.EXE	schtasks.exe
PID 4828 wrote to memory of 4304	4828	STUB 003.EXE	schtasks.exe
PID 4828 wrote to memory of 4304	4828	STUB 003.EXE	schtasks.exe
PID 4828 wrote to memory of 1880	4828	STUB 003.EXE	schtasks.exe
PID 4828 wrote to memory of 1880	4828	STUB 003.EXE	schtasks.exe
PID 4828 wrote to memory of 1880	4828	STUB 003.EXE	schtasks.exe
PID 1876 wrote to memory of 1492	1876	A1DB2DK7S9.CNT.exe	msdcsc.exe
PID 1876 wrote to memory of 1492	1876	A1DB2DK7S9.CNT.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2188 attrib.exe
2008 attrib.exe

pid	process
2188	attrib.exe
2008	attrib.exe

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vWYrDTb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vWYrDTb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5573.tmp"
2⤵
- Creates scheduled task(s)
PID:1968

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2008

C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
"C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAT Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5F56.tmp"
4⤵
- Creates scheduled task(s)
PID:4304

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAT Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp60BE.tmp"
4⤵
- Creates scheduled task(s)
PID:1880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2188

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:2636

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vWYrDTb.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vWYrDTb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4ED7.tmp"
4⤵
- Creates scheduled task(s)
PID:2092

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Modifies security service
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
"C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE"
5⤵
- Executes dropped EXE
PID:748

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
950dc606409191dba291ca7102a219b6

SHA1
3158901dc4abef3ec9d86b27fb22d0df5f7dd237

SHA256
0a8d81c4e8bfd70af9d33ff71064edf2b6945c4478eae57ff91af68e834dfbf4

SHA512
0b56fea2f0ab985d944c008cb313268b5ddebfdd86084fb51e4ef0888db462f34e2b47640ba7af613f35316f3941786695d8adc904552b6401a50372913d6c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
950dc606409191dba291ca7102a219b6

SHA1
3158901dc4abef3ec9d86b27fb22d0df5f7dd237

SHA256
0a8d81c4e8bfd70af9d33ff71064edf2b6945c4478eae57ff91af68e834dfbf4

SHA512
0b56fea2f0ab985d944c008cb313268b5ddebfdd86084fb51e4ef0888db462f34e2b47640ba7af613f35316f3941786695d8adc904552b6401a50372913d6c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzqe53oz.suu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4ED7.tmp
Filesize
1KB

MD5
ca06438ddae3dc2c98e0766c3ee82880

SHA1
6b22a1e2d8c58976981e8afa77738b98e5202286

SHA256
de1539a99733ad4218e2f44e9ecad38e4b0eb48f0200f4f0000b0b42fa8120dc

SHA512
687306f7f7834026b9241c9028725ea79cb6c6bbcb97aba594cd2166140d1dd6f8021d4373f0b5c913e25cf3f40c8f3c55deaf2531ff79ceebfc5952fe57753a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5573.tmp
Filesize
1KB

MD5
ca06438ddae3dc2c98e0766c3ee82880

SHA1
6b22a1e2d8c58976981e8afa77738b98e5202286

SHA256
de1539a99733ad4218e2f44e9ecad38e4b0eb48f0200f4f0000b0b42fa8120dc

SHA512
687306f7f7834026b9241c9028725ea79cb6c6bbcb97aba594cd2166140d1dd6f8021d4373f0b5c913e25cf3f40c8f3c55deaf2531ff79ceebfc5952fe57753a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5F56.tmp
Filesize
1KB

MD5
bee7e3f58413577299b5b7131a33fa4c

SHA1
9e4f8c4ea7777c026e0cef09b9b154440074faa7

SHA256
ba85fd61d6c18e39b83ba2fd82d3859bbde7c082ddf95c8ea1cf9aff1d1e9402

SHA512
8241b56d56e1ea61648039a17de400c2263875f742038f22c7f87b7470d2b4d45c4d289d967f09fef9d05f1e1af3145723b49d8bac3f4a23e4cb810d3d84e94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp60BE.tmp
Filesize
1KB

MD5
45cb9fac03bbbeb9a6e82b85eb3efbda

SHA1
4d6c00b68434d11f346ce844ccbc2ed7b7d4acff

SHA256
185deb301fb4155d92e158bad5a52722c63ae7399a5b9d3d875050d5389b933a

SHA512
00713c53d7193660ba223a47fa46225cb6d870ea5ea794f703efc73e21e6e01b7283dac5be3d5280e553b922521e32bc7db591bf471bd7673a1a0b62b198073b

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.1MB

MD5
9cb1667d78bac6997eefe37a44397558

SHA1
992651316c65ac2f6e0bd301543bea6c6cc507b1

SHA256
8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

SHA512
21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.1MB

MD5
9cb1667d78bac6997eefe37a44397558

SHA1
992651316c65ac2f6e0bd301543bea6c6cc507b1

SHA256
8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

SHA512
21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.1MB

MD5
9cb1667d78bac6997eefe37a44397558

SHA1
992651316c65ac2f6e0bd301543bea6c6cc507b1

SHA256
8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

SHA512
21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.1MB

MD5
9cb1667d78bac6997eefe37a44397558

SHA1
992651316c65ac2f6e0bd301543bea6c6cc507b1

SHA256
8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

SHA512
21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69

Download Submit
memory/1492-285-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1492-297-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1876-172-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1876-163-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1876-286-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1876-178-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1876-158-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1876-186-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/2020-280-0x0000000007590000-0x0000000007C0A000-memory.dmp

Filesize
6.5MB

Download
memory/2020-284-0x0000000006FC0000-0x0000000006FCA000-memory.dmp

Filesize
40KB

Download
memory/2020-290-0x0000000007290000-0x00000000072AA000-memory.dmp

Filesize
104KB

Download
memory/2020-144-0x0000000000EA0000-0x0000000000ED6000-memory.dmp

Filesize
216KB

Download
memory/2020-145-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2020-152-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/2020-282-0x000000007F170000-0x000000007F180000-memory.dmp

Filesize
64KB

Download
memory/2020-243-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2020-151-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/2020-291-0x0000000007270000-0x0000000007278000-memory.dmp

Filesize
32KB

Download
memory/2020-146-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2020-258-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download
memory/2020-248-0x0000000070D30000-0x0000000070D7C000-memory.dmp

Filesize
304KB

Download
memory/2112-335-0x00000000713A0000-0x00000000713EC000-memory.dmp

Filesize
304KB

Download
memory/2112-355-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/2112-356-0x000000007F410000-0x000000007F420000-memory.dmp

Filesize
64KB

Download
memory/2112-328-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/2636-189-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3312-333-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3312-334-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3312-324-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3312-323-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3312-363-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3312-312-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3312-331-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3312-327-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3640-287-0x00000000074D0000-0x0000000007566000-memory.dmp

Filesize
600KB

Download
memory/3640-289-0x0000000007480000-0x000000000748E000-memory.dmp

Filesize
56KB

Download
memory/3640-177-0x0000000005F50000-0x0000000005F6E000-memory.dmp

Filesize
120KB

Download
memory/3640-179-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/3640-247-0x0000000006540000-0x0000000006572000-memory.dmp

Filesize
200KB

Download
memory/3640-266-0x0000000070D30000-0x0000000070D7C000-memory.dmp

Filesize
304KB

Download
memory/3640-150-0x0000000005080000-0x00000000050A2000-memory.dmp

Filesize
136KB

Download
memory/3640-283-0x000000007F1B0000-0x000000007F1C0000-memory.dmp

Filesize
64KB

Download
memory/3640-281-0x0000000007250000-0x000000000726A000-memory.dmp

Filesize
104KB

Download
memory/3640-149-0x00000000051B0000-0x00000000057D8000-memory.dmp

Filesize
6.2MB

Download
memory/3640-147-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/3840-332-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/4664-329-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4664-345-0x00000000713A0000-0x00000000713EC000-memory.dmp

Filesize
304KB

Download
memory/4664-358-0x000000007F760000-0x000000007F770000-memory.dmp

Filesize
64KB

Download
memory/4664-330-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4664-357-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4828-296-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/4828-242-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/4828-241-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/4828-295-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/5016-139-0x0000000007340000-0x00000000073DC000-memory.dmp

Filesize
624KB

Download
memory/5016-138-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/5016-135-0x0000000005300000-0x0000000005392000-memory.dmp

Filesize
584KB

Download
memory/5016-137-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/5016-136-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/5016-134-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/5016-133-0x00000000006E0000-0x00000000008FE000-memory.dmp

Filesize
2.1MB

Download