Malware Analysis Report

2025-06-16 06:44

Sample ID 240120-gjwyzacgcl
Target 69a54a68512b406bb10f4ee129efb0a0
SHA256 80b29c7ba8d66770d736268a9c1c145cb9e947bbba564953a63818f4b75057df
Tags
darkcomet persistence rat trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

80b29c7ba8d66770d736268a9c1c145cb9e947bbba564953a63818f4b75057df

Threat Level: Known bad

The file 69a54a68512b406bb10f4ee129efb0a0 was found to be: Known bad.

Malicious Activity Summary

darkcomet persistence rat trojan upx

Darkcomet

Loads dropped DLL

UPX packed file

Uses the VBS compiler for execution

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 05:50

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 05:50

Reported

2024-01-20 05:53

Platform

win7-20231129-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe"

Signatures

Darkcomet

trojan rat darkcomet

UPX packed file

upx

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe N/A

AutoIT Executable

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2860 set thread context of 2656 N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe C:\Users\Admin\AppData\Local\Temp\vbc.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2972 wrote to memory of 2948 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe
PID 2860 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe C:\Users\Admin\AppData\Local\Temp\vbc.exe
PID 2860 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe

"C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cmvrcinv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES668.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC667.tmp"

C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe

"C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe"

C:\Users\Admin\AppData\Local\Temp\vbc.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe

C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe

"C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 moi69.no-ip.biz udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\cmvrcinv.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\cmvrcinv.cmdline

C:\Users\Admin\AppData\Local\Temp\RES668.tmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC667.tmp

C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe

\Users\Admin\AppData\Local\Temp\vbc.exe

C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe

\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 05:50

Reported

2024-01-20 05:53

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe"

Signatures

Darkcomet

trojan rat darkcomet

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe N/A

UPX packed file

upx

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe N/A

AutoIT Executable

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4160 set thread context of 4980 N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe C:\Users\Admin\AppData\Local\Temp\vbc.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4160 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2620 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4160 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe
PID 4160 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe C:\Users\Admin\AppData\Local\Temp\vbc.exe
PID 4160 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe

"C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4jxwvv0c.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES692B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC692A.tmp"

C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe

"C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe"

C:\Users\Admin\AppData\Local\Temp\vbc.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe

C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe

"C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe"

Network

Country Destination Domain Proto

Files
