Malware Analysis Report

2025-06-16 06:44

Sample ID 240119-3heh7agaf6
Target 68e9767a80e49cdbca8e6d8cb26867aa
SHA256 f91fa2953c6f7d35429a38ff474e1345da76a29c7a90c1c9b9380d9b09d8eead
Tags
darkcomet main evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f91fa2953c6f7d35429a38ff474e1345da76a29c7a90c1c9b9380d9b09d8eead

Threat Level: Known bad

The file 68e9767a80e49cdbca8e6d8cb26867aa was found to be: Known bad.

Malicious Activity Summary

darkcomet main evasion persistence rat trojan

Modifies WinLogon for persistence

Darkcomet

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-19 23:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-19 23:30

Reported

2024-01-19 23:33

Platform

win7-20231215-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\MSDCSC\main.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine C:\Users\Admin\Documents\MSDCSC\main.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1932 set thread context of 536 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe
PID 3048 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe
PID 3048 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe
PID 3048 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe
PID 3048 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3048 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3048 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3048 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2832 wrote to memory of 2624 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2832 wrote to memory of 2624 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2832 wrote to memory of 2624 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2832 wrote to memory of 2624 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2764 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 2764 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 2764 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 2764 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 2764 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 2764 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 2764 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 2764 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 1932 wrote to memory of 536 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1932 wrote to memory of 536 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1932 wrote to memory of 536 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1932 wrote to memory of 536 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1932 wrote to memory of 536 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1932 wrote to memory of 536 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2624 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 2624 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 2624 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 2624 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 2624 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 2624 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 2624 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 2624 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 536 wrote to memory of 1096 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe

"C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\MAIN.EXE

"C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"

C:\Users\Admin\Documents\MSDCSC\main.exe

"C:\Users\Admin\Documents\MSDCSC\main.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.EXE

"C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"

C:\Users\Admin\Documents\MSDCSC\main.exe

"C:\Users\Admin\Documents\MSDCSC\main.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 174.128.246.100:80 freedns.afraid.org tcp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.206:443 docs.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.200.33:443 drive.usercontent.google.com tcp

Files


memory/2624-122-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/2624-121-0x0000000004B20000-0x0000000004B21000-memory.dmp

memory/2624-124-0x0000000004B50000-0x0000000004B51000-memory.dmp

memory/2624-125-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

memory/2624-126-0x0000000000400000-0x0000000000C19000-memory.dmp

memory/2624-127-0x0000000004B70000-0x0000000004B71000-memory.dmp

memory/2624-128-0x00000000057C0000-0x0000000005FD9000-memory.dmp

memory/2500-129-0x0000000000400000-0x0000000000C19000-memory.dmp

memory/1096-130-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1096-165-0x0000000000920000-0x0000000000921000-memory.dmp

memory/2832-164-0x0000000000400000-0x00000000007F6000-memory.dmp

memory/2500-166-0x0000000000400000-0x0000000000C19000-memory.dmp

memory/2832-168-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2500-167-0x0000000000400000-0x0000000000C19000-memory.dmp

memory/2832-169-0x0000000005290000-0x0000000005AA9000-memory.dmp

memory/2832-170-0x0000000005290000-0x0000000005AA9000-memory.dmp

memory/2832-204-0x0000000000400000-0x00000000007F6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-19 23:30

Reported

2024-01-19 23:33

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\Documents\MSDCSC\main.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Documents\MSDCSC\main.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe
PID 1316 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe
PID 1316 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe
PID 1316 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1316 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1316 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3848 wrote to memory of 4120 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3848 wrote to memory of 4120 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3848 wrote to memory of 4120 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1156 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 1156 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 1156 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 4120 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 4120 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 4120 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
PID 1156 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 1156 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 1156 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 4120 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 4120 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 4120 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\Documents\MSDCSC\main.exe
PID 456 wrote to memory of 2252 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 456 wrote to memory of 2252 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 456 wrote to memory of 2252 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 456 wrote to memory of 316 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\explorer.exe
PID 456 wrote to memory of 316 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\explorer.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe
PID 456 wrote to memory of 1612 N/A C:\Users\Admin\Documents\MSDCSC\main.exe C:\Windows\SysWOW64\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe

"C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Users\Admin\AppData\Local\Temp\MAIN.EXE

"C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"

C:\Users\Admin\AppData\Local\Temp\MAIN.EXE

"C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"

C:\Users\Admin\Documents\MSDCSC\main.exe

"C:\Users\Admin\Documents\MSDCSC\main.exe"

C:\Users\Admin\Documents\MSDCSC\main.exe

"C:\Users\Admin\Documents\MSDCSC\main.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 174.128.246.100:80 freedns.afraid.org tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 100.246.128.174.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.206:443 docs.google.com tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.200.33:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 33.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp
US 8.8.8.8:53 whp.sytes.net udp

Files

memory/1316-0-0x0000000002590000-0x0000000002591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe

MD5 adf43260a99ad4ad02f71dc4bb4a6fb4
SHA1 c913da7b00ec6c73e29c4bd26ca46a07af531a60
SHA256 b0dea29e2862732605642902983b4f6f067937b7335fa09a4ecb8c81222d61df
SHA512 8ec38afa0787fc9dbf5964bab7fe3975387c15ad29a5c7e4ada51872a9e10c2b9992c6bafa866ee9a8406775f40912f1e27e27bfebf7ae3574798d5503169acb

C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe

MD5 739d8ce16d7a529d26e5b64597094eea
SHA1 479ff6dad45d938ef5378ec6eb09405f20d63f8b
SHA256 677d6f54f4f33592b8a395caa9e41d024ff7470c3122c468ea7181e0ebd3cabc
SHA512 f65858dec3747fc559afc6971a820741c2799134657e022959f692a2f4324872cbedf0104f91fbf60f8fd2ca561c5f119e0560f8f370a2871721e80c8d025f75

C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe

MD5 29f7dec13017a0500b293803fd6566cb
SHA1 dd68bcbcf7119da919dd7a0099124ba843d24d86
SHA256 31775efea945ba1d7b2456365f6404a99fc9675b9eb57121f051a7cd05ff4185
SHA512 c441e5750ee3dccef30fc1b20e57895a27975fe729deda2731e5968493e65226258f82f52ddb0617237e500596a1d2da85716c9503bdee4de65e5d181f001571

C:\ProgramData\Synaptics\Synaptics.exe

MD5 afe8e5457ffdba7fd71be9790d76a820
SHA1 b0618fa870c6103442619b1bf566de43d5c6a4b0
SHA256 57ce4d76c4ef09b47c69fdc8573f8a92dd394eb2d4466f6399a850d5aea9c851
SHA512 e8ef6bb158396fcd4e23b2988456440f600382cbe9861e33cf88d44e1ad45c823498268caf62e89709b31ca8f31e5817d36c3fae052023d92a4664a758f5725c

memory/1156-71-0x0000000000400000-0x0000000000C19000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 abbe4634d9a892d56ca7d3a94b38caba
SHA1 5f471e405f8a44b5e5c8667eed8fd275f77d0900
SHA256 e0da48deee7d7b2fbd030ce197ea85a7ccf4f7f937604e017b50407d602a5a31
SHA512 b5046dcae7045b09aa146c2815e3445ec93575b20acde146cdcea338841c00ada64489e4fd6a61dd41d72aa7aced70af65b2d578f220bd2ee9b96e22835156e6

C:\ProgramData\Synaptics\Synaptics.exe

MD5 fd62b0384996c724274436a14eb2014a
SHA1 50013197b3565e778e0d0e3bb267f2bf18cba10b
SHA256 42487ee73087367b001278541879efbcfdc7118a84fccab05441cdb7d7901858
SHA512 7203b85858e697dc6ebb4634f5f67cbb25317796e45a5ba51ff53e3f40db7061e9509d049914c7d98033ad5ee16ef423642b39d98870920081db2c58bd356863

memory/1316-129-0x0000000000400000-0x00000000007F6000-memory.dmp

memory/3848-130-0x0000000002460000-0x0000000002461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

MD5 c1ea12304ef7577300d15fb160993d5a
SHA1 4cdf4162e2ad3dafab1f77492ee03b5987d60874
SHA256 2bafa92794aa41de575c8bed50dd58a575be60f9fe379279776777c576a648d5
SHA512 f438fc91cf1526681156b3fb5dcb664942db829c22fe4e6926a6d92a9c3e7bdf6406cdfcd6abac060a2e9d57047e54ac223f29b3855bb1255b3f42baff7cc166

memory/4120-191-0x0000000000400000-0x0000000000C19000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

MD5 a3e88f99627a815228015311e7936c8c
SHA1 3c953bf628b9f7dd8a225183eca3e100918666bb
SHA256 02b068912be3a6791d205e740db1d23b65d9962a49dc4ee08a5ef292c2869b72
SHA512 32fe948fe92baf17ab1966841863a203ae9b684cf282440d0a094097d6d418d780ca8a1c65b00fe1fddb80ec21e4374b9d4c85336cd5adc968cab4b50135dd90

memory/4924-192-0x00007FFEA1DD0000-0x00007FFEA1DE0000-memory.dmp

memory/4924-193-0x00007FFEE1D50000-0x00007FFEE1F45000-memory.dmp

memory/4924-195-0x00007FFEE1D50000-0x00007FFEE1F45000-memory.dmp

memory/4924-197-0x00007FFEE1D50000-0x00007FFEE1F45000-memory.dmp

memory/4924-198-0x00007FFEA1DD0000-0x00007FFEA1DE0000-memory.dmp

memory/4924-199-0x00007FFEE1D50000-0x00007FFEE1F45000-memory.dmp

memory/4924-194-0x00007FFEA1DD0000-0x00007FFEA1DE0000-memory.dmp

memory/4924-201-0x00007FFEA1DD0000-0x00007FFEA1DE0000-memory.dmp

memory/4924-202-0x00007FFEE1D50000-0x00007FFEE1F45000-memory.dmp

memory/1156-200-0x00000000776F4000-0x00000000776F6000-memory.dmp

memory/4924-196-0x00007FFEA1DD0000-0x00007FFEA1DE0000-memory.dmp

memory/4924-203-0x00007FFE9FC50000-0x00007FFE9FC60000-memory.dmp

memory/4924-204-0x00007FFE9FC50000-0x00007FFE9FC60000-memory.dmp

memory/1156-206-0x0000000005030000-0x0000000005031000-memory.dmp

memory/1156-205-0x0000000000400000-0x0000000000C19000-memory.dmp

memory/1156-207-0x0000000005000000-0x0000000005001000-memory.dmp

memory/1156-213-0x0000000005140000-0x0000000005141000-memory.dmp

memory/1156-212-0x0000000005010000-0x0000000005011000-memory.dmp

memory/1156-215-0x0000000005150000-0x0000000005151000-memory.dmp

memory/1156-214-0x0000000005060000-0x0000000005061000-memory.dmp

memory/1156-208-0x0000000005020000-0x0000000005022000-memory.dmp

memory/1156-224-0x0000000005040000-0x0000000005041000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MAIN.EXE

MD5 62daab2ece893c95ab28780f7a398e32
SHA1 3ace80e06dab248783dc5c37e77e78ab866c1541
SHA256 ab68ac8d079e0b172e9648113b97f8d4daec7de9b19d82eb2c0c3330af9ccaf1
SHA512 db09ddff42c07bf290a710aee0dd4e2f5bbc5e0be84394598679840fdf2984d0e2d4dc154d675756095bae5fec9f379f7e315c2e0468fca74966e6aae8cea2b6

C:\Users\Admin\AppData\Local\Temp\MAIN.EXE

MD5 4a27c90a68489f3ae6bf018dca18a61d
SHA1 f1d242f6c3077d46f56ec716b9b44be3c05ab58d
SHA256 4c76da09caab4640dd3960fd1b67afb32361a199e97a0f1b56d8ae11d8b12827
SHA512 c6b13d26444a55c70e25543ab20beed1b2bad957f8cff8bfe3986d8802c895433f39bba44155649a9e642742462abdef94483f1794cda18e4e17497c679fd120

memory/1156-229-0x0000000005320000-0x0000000005321000-memory.dmp

memory/1156-226-0x00000000052E0000-0x00000000052E2000-memory.dmp

memory/1156-231-0x00000000050B0000-0x00000000050B1000-memory.dmp

memory/4120-238-0x0000000005010000-0x0000000005011000-memory.dmp

memory/1156-255-0x00000000050D0000-0x00000000050D1000-memory.dmp

memory/4120-254-0x00000000050A0000-0x00000000050A1000-memory.dmp

memory/4120-256-0x0000000000400000-0x0000000000C19000-memory.dmp

memory/4120-253-0x0000000004B40000-0x0000000004B41000-memory.dmp

C:\Users\Admin\Documents\MSDCSC\main.exe

MD5 9921bdf03e25219e6e8cab4ab97ef00d
SHA1 297d75d5aea9a968119471e625a17714fb87dc8d
SHA256 aa7e3b7cda06a37a32c51d85798a03cac4997f01e945fc237dc76150906b565d
SHA512 41a95ffe2c5d0b9294ec541a57c34bafc62e1b840d0a68fc4e1178f8f51e29af5d3ca197a11ad6bd5c4dbff82a40e1dd7280184a9d76c0c523bbeff6ed66af10

C:\Users\Admin\AppData\Local\Temp\MAIN.EXE

MD5 369ef80d2852218edff9c20ae3e2f03f
SHA1 80fda0d08a6d78a0f3e2919e5d53e2f177aa9382
SHA256 511f7a9f74832f33597b44c1c226dcf9ce663e19d0a8fad03a606360ac446b64
SHA512 6670cee9ce74fee456b443953859c39a4f96a9cbe4eec423fb87bd76e21cef34961bd9ecc570390ae096bcffee8e167c3d506de4138fd071e41156536c5b5317

C:\Users\Admin\Documents\MSDCSC\main.exe

MD5 bca99288d93b3a82f3796d17547f9f69
SHA1 1b0d8f740844d8a7fb1d0b6130d7347b78a08fd5
SHA256 f4351496d8f5f242985e5936db667159f03de0addc44ce2142ee7e4ccca395a5
SHA512 182871bc95365709002fc1417ac9adfe7d1b5d0693f9f85654238feca17e6c41f50e27da2006f2e2d456003544f2af0c0a88f0082157aa0cb82c9176de897654

C:\Users\Admin\AppData\Local\Temp\I95WSgqb.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\Documents\MSDCSC\main.exe

MD5 752bf0e6a7036444112523431fb1a818
SHA1 494c0be8082f37403e9aa99c25e245cdf90631bd
SHA256 5ed6d61ca696af95ea6f1b0ff54b576fa664b178582366caaa53c3b8342cbf91
SHA512 df22de217a8d0a2f66af9ae0aed297f5c93f9a8804e888bb012f0ddf1fec8d611da807dd7927abf835084f01f44c8b282763ad770bc6ba87624902f3b774a6d5

C:\Users\Admin\AppData\Local\Temp\MAIN.EXE

MD5 2a6ead88f1f1565757db18c979382c91
SHA1 74e7b50e614e77c74f10c3998f955573326ed0c0
SHA256 fb9be7092ed298f531d49f3042c5594ff08d5db2f636a20dedefe795e260ddff
SHA512 8218786b07e3ea3f98aa90a4c63ba8278acd56a130696bc7e67c45deba23c78479fcb0cfe82cfad82cc53f4005965dc160a68b9be5f01ae112ba5fb41160228b
