Malware Analysis Report

2025-06-16 06:44

Sample ID 240120-mjtrhagfb4
Target 6a30b320446a423c14f5c2eb1e69bde8
SHA256 9a9d814c6d40bb1f2b5b1efb69041afff09b3c41fc618bd79bb8053205a08a24
Tags darkcomet rsman persistence rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 9a9d814c6d40bb1f2b5b1efb69041afff09b3c41fc618bd79bb8053205a08a24

Threat Level: Known bad

The file 6a30b320446a423c14f5c2eb1e69bde8 was found to be: Known bad.

Malicious Activity Summary

darkcomet rsman persistence rat trojan

Darkcomet

Loads dropped DLL

Executes dropped EXE

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Runs net.exe

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 10:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 10:30

Reported

2024-01-20 10:32

Platform

win7-20231129-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe"

Signatures

Darkcomet

trojan rat darkcomet

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif C:\Windows\InstallDir\help.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\InstallDir\help.exe N/A
N/A N/A C:\Windows\InstallDir\help.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe" C:\Windows\InstallDir\help.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe" C:\Windows\InstallDir\help.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2880 set thread context of 2116 N/A C:\Windows\InstallDir\help.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2880 set thread context of 1168 N/A C:\Windows\InstallDir\help.exe C:\Windows\InstallDir\help.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe N/A
File created C:\Windows\InstallDir\help.exe C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe N/A
File opened for modification C:\Windows\InstallDir\help.exe C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe N/A
File opened for modification C:\Windows\InstallDir\help.exe C:\Windows\InstallDir\help.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4AF0E01-B77E-11EE-8DE4-FA7CD17678B7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411908480" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe N/A
N/A N/A C:\Windows\InstallDir\help.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: 33 N/A C:\Windows\InstallDir\help.exe N/A
Token: 34 N/A C:\Windows\InstallDir\help.exe N/A
Token: 35 N/A C:\Windows\InstallDir\help.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe C:\Windows\InstallDir\help.exe
PID 2880 wrote to memory of 3052 N/A C:\Windows\InstallDir\help.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2116 N/A C:\Windows\InstallDir\help.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3052 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2116 wrote to memory of 2704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2596 wrote to memory of 2708 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2880 wrote to memory of 1168 N/A C:\Windows\InstallDir\help.exe C:\Windows\InstallDir\help.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe

"C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe"

C:\Windows\InstallDir\help.exe

C:\Windows\InstallDir\help.exe

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2

C:\Windows\InstallDir\help.exe

C:\Windows\InstallDir\help.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 internetconnection.no-ip.info udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.128.181:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 10:30

Reported

2024-01-20 10:32

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe"

Signatures

Darkcomet

trojan rat darkcomet

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif C:\Windows\InstallDir\help.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\InstallDir\help.exe N/A
N/A N/A C:\Windows\InstallDir\help.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe" C:\Windows\InstallDir\help.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe" C:\Windows\InstallDir\help.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5016 set thread context of 4328 N/A C:\Windows\InstallDir\help.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 5016 set thread context of 3840 N/A C:\Windows\InstallDir\help.exe C:\Windows\InstallDir\help.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\help.exe C:\Windows\InstallDir\help.exe N/A
File opened for modification C:\Windows\InstallDir C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe N/A
File created C:\Windows\InstallDir\help.exe C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe N/A
File opened for modification C:\Windows\InstallDir\help.exe C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412511597" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E9DB9F90-B77E-11EE-B6AD-F68B0B0A1028} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31083403" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3210954794" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31083403" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3194236489" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3194236489" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31083403" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\InstallDir\help.exe N/A
Token: 33 N/A C:\Windows\InstallDir\help.exe N/A
Token: 34 N/A C:\Windows\InstallDir\help.exe N/A
Token: 35 N/A C:\Windows\InstallDir\help.exe N/A
Token: 36 N/A C:\Windows\InstallDir\help.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe C:\Windows\InstallDir\help.exe
PID 5016 wrote to memory of 3924 N/A C:\Windows\InstallDir\help.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 4328 N/A C:\Windows\InstallDir\help.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3924 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1632 wrote to memory of 4812 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4328 wrote to memory of 1524 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 5016 wrote to memory of 3840 N/A C:\Windows\InstallDir\help.exe C:\Windows\InstallDir\help.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe

"C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe"

C:\Windows\InstallDir\help.exe

C:\Windows\InstallDir\help.exe

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4328 CREDAT:17410 /prefetch:2

C:\Windows\InstallDir\help.exe

C:\Windows\InstallDir\help.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 internetconnection.no-ip.info udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

C:\Windows\InstallDir\help.exe

MD5 6a30b320446a423c14f5c2eb1e69bde8
SHA1 5eb9991fbdd44574984b569498eb71586cde8c9b
SHA256 9a9d814c6d40bb1f2b5b1efb69041afff09b3c41fc618bd79bb8053205a08a24
SHA512 ea43756d7a3d1b55d9cc86cec0bba3e8bd4e7a59a8841d29ddfc53091791c1e61e3e66c55c17adfddc510892f518685f4b4e1984ed6350191d5f85c2f9172140

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\system.pif

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
