darkcomet | 4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2023 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO091K43Z9.exe
Size

1.9MB
MD5

543dc2f0c0753a513107e1a927ae99d5
SHA1

d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0
SHA256

4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470
SHA512

7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9
SSDEEP

49152:NezI7YEYMFigIlrrVdp7CEmUxvKAfOi/6hH13:ECjOrTAoHmi/E

Score

10^/10

darkcomet nanocore febuary 2023 evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

FEBUARY 2023

mjosh6995.ddns.net:55665

Mutex

DC_MUTEX-S83UYVQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
TYztkTZwyasi
install
true
offline_keylogger
true
persistence
true
reg_key
chrome

Extracted

Family

nanocore

Version

1.2.2.0

lisajennyjohn.ddns.net:22233

mjosh6995.ddns.net:22233

Mutex

be639d6f-221e-4487-9b18-8bcd5185dfbf

Attributes

activate_away_mode
true
backup_connection_host
mjosh6995.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-12-08T16:24:55.881679736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
22233
default_group
FEBUARY 2023
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
be639d6f-221e-4487-9b18-8bcd5185dfbf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
lisajennyjohn.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

PO091K43Z9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	PO091K43Z9.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe

Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2920 attrib.exe
4928 attrib.exe

pid	process
2920	attrib.exe
4928	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PO091K43Z9.exePO091K43Z9.exemsdcsc.exemsdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	PO091K43Z9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	PO091K43Z9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Executes dropped EXE 5 IoCs

Processes:

STUB01.EXEmsdcsc.exemsdcsc.exemsdcsc.exeSTUB01.EXE

pid process

5088 STUB01.EXE
1152 msdcsc.exe
3792 msdcsc.exe
3036 msdcsc.exe
4244 STUB01.EXE

pid	process
5088	STUB01.EXE
1152	msdcsc.exe
3792	msdcsc.exe
3036	msdcsc.exe
4244	STUB01.EXE

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PO091K43Z9.exeSTUB01.EXEmsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	PO091K43Z9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Monitor = "C:\\Program Files (x86)\\SAAS Monitor\\saasmon.exe"	STUB01.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

STUB01.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA STUB01.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	STUB01.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

PO091K43Z9.exemsdcsc.exe

description	pid	process	target process
PID 4288 set thread context of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 1152 set thread context of 3036	1152	msdcsc.exe	msdcsc.exe

Drops file in Program Files directory 2 IoCs

Processes:

STUB01.EXE

description	ioc	process
File created	C:\Program Files (x86)\SAAS Monitor\saasmon.exe	STUB01.EXE
File opened for modification	C:\Program Files (x86)\SAAS Monitor\saasmon.exe	STUB01.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3480 schtasks.exe
4348 schtasks.exe
1260 schtasks.exe
2588 schtasks.exe
Modifies registry class 1 IoCs

Processes:

PO091K43Z9.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ PO091K43Z9.exe

pid	process
3480	schtasks.exe
4348	schtasks.exe
1260	schtasks.exe
2588	schtasks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PO091K43Z9.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

PO091K43Z9.exepowershell.exepowershell.exeSTUB01.EXEmsdcsc.exepowershell.exepowershell.exe

pid	process
4288	PO091K43Z9.exe
4288	PO091K43Z9.exe
4288	PO091K43Z9.exe
4288	PO091K43Z9.exe
4288	PO091K43Z9.exe
4288	PO091K43Z9.exe
4288	PO091K43Z9.exe
4288	PO091K43Z9.exe
4288	PO091K43Z9.exe
2300	powershell.exe
4912	powershell.exe
4288	PO091K43Z9.exe
4288	PO091K43Z9.exe
4288	PO091K43Z9.exe
2300	powershell.exe
4912	powershell.exe
5088	STUB01.EXE
5088	STUB01.EXE
5088	STUB01.EXE
5088	STUB01.EXE
5088	STUB01.EXE
5088	STUB01.EXE
1152	msdcsc.exe
1152	msdcsc.exe
1152	msdcsc.exe
1152	msdcsc.exe
1152	msdcsc.exe
1152	msdcsc.exe
1152	msdcsc.exe
1152	msdcsc.exe
1368	powershell.exe
2248	powershell.exe
1152	msdcsc.exe
1152	msdcsc.exe
1152	msdcsc.exe
2248	powershell.exe
1368	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

STUB01.EXE

pid process

5088 STUB01.EXE

pid	process
5088	STUB01.EXE

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

PO091K43Z9.exepowershell.exepowershell.exePO091K43Z9.exeSTUB01.EXEmsdcsc.exepowershell.exepowershell.exemsdcsc.exe

description	pid	process
Token: SeDebugPrivilege	4288	PO091K43Z9.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeIncreaseQuotaPrivilege	2572	PO091K43Z9.exe
Token: SeSecurityPrivilege	2572	PO091K43Z9.exe
Token: SeTakeOwnershipPrivilege	2572	PO091K43Z9.exe
Token: SeLoadDriverPrivilege	2572	PO091K43Z9.exe
Token: SeSystemProfilePrivilege	2572	PO091K43Z9.exe
Token: SeSystemtimePrivilege	2572	PO091K43Z9.exe
Token: SeProfSingleProcessPrivilege	2572	PO091K43Z9.exe
Token: SeIncBasePriorityPrivilege	2572	PO091K43Z9.exe
Token: SeCreatePagefilePrivilege	2572	PO091K43Z9.exe
Token: SeBackupPrivilege	2572	PO091K43Z9.exe
Token: SeRestorePrivilege	2572	PO091K43Z9.exe
Token: SeShutdownPrivilege	2572	PO091K43Z9.exe
Token: SeDebugPrivilege	2572	PO091K43Z9.exe
Token: SeSystemEnvironmentPrivilege	2572	PO091K43Z9.exe
Token: SeChangeNotifyPrivilege	2572	PO091K43Z9.exe
Token: SeRemoteShutdownPrivilege	2572	PO091K43Z9.exe
Token: SeUndockPrivilege	2572	PO091K43Z9.exe
Token: SeManageVolumePrivilege	2572	PO091K43Z9.exe
Token: SeImpersonatePrivilege	2572	PO091K43Z9.exe
Token: SeCreateGlobalPrivilege	2572	PO091K43Z9.exe
Token: 33	2572	PO091K43Z9.exe
Token: 34	2572	PO091K43Z9.exe
Token: 35	2572	PO091K43Z9.exe
Token: 36	2572	PO091K43Z9.exe
Token: SeDebugPrivilege	5088	STUB01.EXE
Token: SeDebugPrivilege	1152	msdcsc.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeIncreaseQuotaPrivilege	3036	msdcsc.exe
Token: SeSecurityPrivilege	3036	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3036	msdcsc.exe
Token: SeLoadDriverPrivilege	3036	msdcsc.exe
Token: SeSystemProfilePrivilege	3036	msdcsc.exe
Token: SeSystemtimePrivilege	3036	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3036	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3036	msdcsc.exe
Token: SeCreatePagefilePrivilege	3036	msdcsc.exe
Token: SeBackupPrivilege	3036	msdcsc.exe
Token: SeRestorePrivilege	3036	msdcsc.exe
Token: SeShutdownPrivilege	3036	msdcsc.exe
Token: SeDebugPrivilege	3036	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3036	msdcsc.exe
Token: SeChangeNotifyPrivilege	3036	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3036	msdcsc.exe
Token: SeUndockPrivilege	3036	msdcsc.exe
Token: SeManageVolumePrivilege	3036	msdcsc.exe
Token: SeImpersonatePrivilege	3036	msdcsc.exe
Token: SeCreateGlobalPrivilege	3036	msdcsc.exe
Token: 33	3036	msdcsc.exe
Token: 34	3036	msdcsc.exe
Token: 35	3036	msdcsc.exe
Token: 36	3036	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

3036 msdcsc.exe

pid	process
3036	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PO091K43Z9.exePO091K43Z9.exeSTUB01.EXEcmd.execmd.exe

description	pid	process	target process
PID 4288 wrote to memory of 4912	4288	PO091K43Z9.exe	powershell.exe
PID 4288 wrote to memory of 4912	4288	PO091K43Z9.exe	powershell.exe
PID 4288 wrote to memory of 4912	4288	PO091K43Z9.exe	powershell.exe
PID 4288 wrote to memory of 2300	4288	PO091K43Z9.exe	powershell.exe
PID 4288 wrote to memory of 2300	4288	PO091K43Z9.exe	powershell.exe
PID 4288 wrote to memory of 2300	4288	PO091K43Z9.exe	powershell.exe
PID 4288 wrote to memory of 3480	4288	PO091K43Z9.exe	schtasks.exe
PID 4288 wrote to memory of 3480	4288	PO091K43Z9.exe	schtasks.exe
PID 4288 wrote to memory of 3480	4288	PO091K43Z9.exe	schtasks.exe
PID 4288 wrote to memory of 5068	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 5068	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 5068	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 4288 wrote to memory of 2572	4288	PO091K43Z9.exe	PO091K43Z9.exe
PID 2572 wrote to memory of 3484	2572	PO091K43Z9.exe	cmd.exe
PID 2572 wrote to memory of 3484	2572	PO091K43Z9.exe	cmd.exe
PID 2572 wrote to memory of 3484	2572	PO091K43Z9.exe	cmd.exe
PID 2572 wrote to memory of 4172	2572	PO091K43Z9.exe	cmd.exe
PID 2572 wrote to memory of 4172	2572	PO091K43Z9.exe	cmd.exe
PID 2572 wrote to memory of 4172	2572	PO091K43Z9.exe	cmd.exe
PID 2572 wrote to memory of 5088	2572	PO091K43Z9.exe	STUB01.EXE
PID 2572 wrote to memory of 5088	2572	PO091K43Z9.exe	STUB01.EXE
PID 2572 wrote to memory of 5088	2572	PO091K43Z9.exe	STUB01.EXE
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 2572 wrote to memory of 4344	2572	PO091K43Z9.exe	notepad.exe
PID 5088 wrote to memory of 4348	5088	STUB01.EXE	schtasks.exe
PID 5088 wrote to memory of 4348	5088	STUB01.EXE	schtasks.exe
PID 5088 wrote to memory of 4348	5088	STUB01.EXE	schtasks.exe
PID 3484 wrote to memory of 2920	3484	cmd.exe	attrib.exe
PID 3484 wrote to memory of 2920	3484	cmd.exe	attrib.exe
PID 3484 wrote to memory of 2920	3484	cmd.exe	attrib.exe
PID 4172 wrote to memory of 4928	4172	cmd.exe	attrib.exe
PID 4172 wrote to memory of 4928	4172	cmd.exe	attrib.exe
PID 4172 wrote to memory of 4928	4172	cmd.exe	attrib.exe
PID 5088 wrote to memory of 1260	5088	STUB01.EXE	schtasks.exe
PID 5088 wrote to memory of 1260	5088	STUB01.EXE	schtasks.exe
PID 5088 wrote to memory of 1260	5088	STUB01.EXE	schtasks.exe
PID 2572 wrote to memory of 1152	2572	PO091K43Z9.exe	msdcsc.exe
PID 2572 wrote to memory of 1152	2572	PO091K43Z9.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2920 attrib.exe
4928 attrib.exe

pid	process
2920	attrib.exe
4928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe
"C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uawdcNde.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uawdcNde" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA690.tmp"
2⤵
- Creates scheduled task(s)
PID:3480

C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe
"C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe"
2⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe
"C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4928

C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
"C:\Users\Admin\AppData\Local\Temp\STUB01.EXE"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SAAS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB277.tmp"
4⤵
- Creates scheduled task(s)
PID:4348

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SAAS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB45D.tmp"
4⤵
- Creates scheduled task(s)
PID:1260

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:4344

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uawdcNde.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uawdcNde" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA41B.tmp"
4⤵
- Creates scheduled task(s)
PID:2588

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Executes dropped EXE
PID:3792

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Modifies security service
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
"C:\Users\Admin\AppData\Local\Temp\STUB01.EXE"
5⤵
- Executes dropped EXE
PID:4244

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d9a21ce7b3512cd8757294413379fc0c

SHA1
eefcefb496d2d2bf2ea12aa96bd214a4b0e893c7

SHA256
13a2260ef3a2adfe6756b6a80b96e306fa793f4743f05c77ada317eb0c25821f

SHA512
715f354f452540f4f88055e49f307c45f77e7475063f49ca8662d55487e959b29c6ce9b2d6bebf5591920de32bab8dceaabd55ca822f63d0b80816c0f9824861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
6945d91e600de3b45667584f49b3367a

SHA1
03e7b6048700c609f2299d0f993b3a64444ef83a

SHA256
c9de89ef55cc94a0a12a354a0a2a4365e6a5616b345625d420f0a9b31b0069ae

SHA512
25b0ee1abcb637afbfd651600fcdb2e3faccceb54b5cff1f9fc4ed743c198eb7bd240f35d8e5ea37a0b20dc7d0f2bf578bc2787c1aca6098570d89d811ee2a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xaico5cf.oce.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA41B.tmp
Filesize
1KB

MD5
bd1c0d4fed16706ffc0e5de00e142fea

SHA1
31d8c0c5b8b233388c717efa95a40763623953b3

SHA256
66a4918f6242b5760e5b2472970cc68a4e07cde1c52dc682b2b039d57f421069

SHA512
7f4cffd7db5bcf3928da8158ff287d19626590e72f11458829d2c5b4abce07a9854e528607cbd41fba49bcc65d296bd0d7f9789cba27858eadba52e79ae45662

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA690.tmp
Filesize
1KB

MD5
bd1c0d4fed16706ffc0e5de00e142fea

SHA1
31d8c0c5b8b233388c717efa95a40763623953b3

SHA256
66a4918f6242b5760e5b2472970cc68a4e07cde1c52dc682b2b039d57f421069

SHA512
7f4cffd7db5bcf3928da8158ff287d19626590e72f11458829d2c5b4abce07a9854e528607cbd41fba49bcc65d296bd0d7f9789cba27858eadba52e79ae45662

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB277.tmp
Filesize
1KB

MD5
8e8f38062552037fe3db0187e34e78cb

SHA1
29e3c548ef2b77280bfc22c9ea9d382bb845a833

SHA256
3c91b8a6a2dc27e175c16a7e79ac0d182ca5c093cc3882267b92f8c9e53d931b

SHA512
523242466e3cc08f20de35539091a54455755273d03156e2f0262e1554f0d2326e5c7b8b62355d9bb0078f9a0f6b44db5b537bea214fe99a466837d90c3c6d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB45D.tmp
Filesize
1KB

MD5
8a92e4176a36b704a55c4888e04853e2

SHA1
6efbd8d0097e2632ca90083974b845f93e5b6a5c

SHA256
91f88494715f51246ed7255ad4bba50e2f5dec26bef203f31450a6a8e1443cdd

SHA512
4ea87f28391b022cfad5e0f695c2413a5addb18a6e9fdf9c56c4121253cf6e532110da8200b1c57b43ee85ed047f1530b1516a7c689c9574af069176114fa157

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
memory/996-340-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1152-259-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1152-301-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1368-334-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1368-335-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1368-355-0x0000000070540000-0x000000007058C000-memory.dmp

Filesize
304KB

Download
memory/1368-365-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1368-367-0x000000007FDF0000-0x000000007FE00000-memory.dmp

Filesize
64KB

Download
memory/2248-336-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/2248-337-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/2248-344-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/2248-345-0x0000000070540000-0x000000007058C000-memory.dmp

Filesize
304KB

Download
memory/2248-366-0x000000007F470000-0x000000007F480000-memory.dmp

Filesize
64KB

Download
memory/2300-175-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2300-287-0x000000007F5E0000-0x000000007F5F0000-memory.dmp

Filesize
64KB

Download
memory/2300-174-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2300-186-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/2300-292-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/2300-258-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2300-148-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/2300-260-0x00000000072D0000-0x0000000007302000-memory.dmp

Filesize
200KB

Download
memory/2300-261-0x000000006FCE0000-0x000000006FD2C000-memory.dmp

Filesize
304KB

Download
memory/2300-271-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/2300-289-0x00000000078B0000-0x0000000007946000-memory.dmp

Filesize
600KB

Download
memory/2300-149-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/2300-284-0x0000000007630000-0x000000000764A000-memory.dmp

Filesize
104KB

Download
memory/2300-145-0x00000000054C0000-0x0000000005AE8000-memory.dmp

Filesize
6.2MB

Download
memory/2572-256-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2572-161-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2572-171-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2572-189-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/2572-188-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2572-155-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3036-333-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3036-330-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3036-372-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3036-342-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3036-341-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3036-332-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3036-331-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3036-338-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4244-343-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/4288-133-0x0000000000380000-0x0000000000578000-memory.dmp

Filesize
2.0MB

Download
memory/4288-134-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/4288-135-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/4288-136-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/4288-137-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/4288-138-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/4288-139-0x0000000008EA0000-0x0000000008F3C000-memory.dmp

Filesize
624KB

Download
memory/4344-187-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4912-293-0x00000000072E0000-0x00000000072E8000-memory.dmp

Filesize
32KB

Download
memory/4912-291-0x00000000071F0000-0x00000000071FE000-memory.dmp

Filesize
56KB

Download
memory/4912-257-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/4912-285-0x0000000007030000-0x000000000703A000-memory.dmp

Filesize
40KB

Download
memory/4912-283-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/4912-272-0x000000006FCE0000-0x000000006FD2C000-memory.dmp

Filesize
304KB

Download
memory/4912-144-0x0000000004710000-0x0000000004746000-memory.dmp

Filesize
216KB

Download
memory/4912-288-0x000000007FC90000-0x000000007FCA0000-memory.dmp

Filesize
64KB

Download
memory/4912-147-0x0000000004BE0000-0x0000000004C02000-memory.dmp

Filesize
136KB

Download
memory/4912-172-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/4912-173-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/5088-302-0x0000000001340000-0x0000000001350000-memory.dmp

Filesize
64KB

Download
memory/5088-232-0x0000000001340000-0x0000000001350000-memory.dmp

Filesize
64KB

Download
memory/5088-300-0x0000000001340000-0x0000000001350000-memory.dmp

Filesize
64KB

Download
memory/5088-286-0x0000000001340000-0x0000000001350000-memory.dmp

Filesize
64KB

Download