darkcomet | 329779f663386d1a42b015e55f7ae83104681453895f99e9052148de0b26c9d4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
Size

1.5MB
MD5

3342325fb9f1071ef4a2d3c9d5ece958
SHA1

02fd26ed37729c9e272c858e28a3c622f4a9e4e9
SHA256

329779f663386d1a42b015e55f7ae83104681453895f99e9052148de0b26c9d4
SHA512

e41efbe39d160262a55d9303354dc28aeb711827eb2bfb78af840d0bf7022d0878139c6a919c6513ca949174645a66c559816e588d2d6f703c21ddcb5b2e69cc
SSDEEP

24576:DDEAMjySgJfxTk8x1mWniVOHoigFKKv/5qkU78ayC:DD4Fg/k8D3iAHoigFp/skWp

Score

10^/10

darkcomet credential_access discovery rat spyware stealer trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3420	crss.exe
2700	stealer2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 220 set thread context of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3112	3420	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealer2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3440	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	86
PID 220 wrote to memory of 3440	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	86
PID 220 wrote to memory of 3440	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	86
PID 3440 wrote to memory of 4896	3440	csc.exe	88
PID 3440 wrote to memory of 4896	3440	csc.exe	88
PID 3440 wrote to memory of 4896	3440	csc.exe	88
PID 220 wrote to memory of 2084	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	89
PID 220 wrote to memory of 2084	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	89
PID 220 wrote to memory of 2084	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	89
PID 2084 wrote to memory of 4460	2084	csc.exe	91
PID 2084 wrote to memory of 4460	2084	csc.exe	91
PID 2084 wrote to memory of 4460	2084	csc.exe	91
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 3420	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	92
PID 220 wrote to memory of 4248	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	96
PID 220 wrote to memory of 4248	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	96
PID 220 wrote to memory of 4248	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	96
PID 4248 wrote to memory of 4124	4248	csc.exe	98
PID 4248 wrote to memory of 4124	4248	csc.exe	98
PID 4248 wrote to memory of 4124	4248	csc.exe	98
PID 220 wrote to memory of 316	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	99
PID 220 wrote to memory of 316	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	99
PID 220 wrote to memory of 316	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	99
PID 316 wrote to memory of 5116	316	csc.exe	101
PID 316 wrote to memory of 5116	316	csc.exe	101
PID 316 wrote to memory of 5116	316	csc.exe	101
PID 220 wrote to memory of 2700	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	102
PID 220 wrote to memory of 2700	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	102
PID 220 wrote to memory of 2700	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	102
PID 220 wrote to memory of 452	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	103
PID 220 wrote to memory of 452	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	103
PID 220 wrote to memory of 452	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	103
PID 452 wrote to memory of 3240	452	csc.exe	105
PID 452 wrote to memory of 3240	452	csc.exe	105
PID 452 wrote to memory of 3240	452	csc.exe	105
PID 220 wrote to memory of 4448	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	106
PID 220 wrote to memory of 4448	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	106
PID 220 wrote to memory of 4448	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	106
PID 4448 wrote to memory of 540	4448	csc.exe	108
PID 4448 wrote to memory of 540	4448	csc.exe	108
PID 4448 wrote to memory of 540	4448	csc.exe	108
PID 220 wrote to memory of 1276	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	109
PID 220 wrote to memory of 1276	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	109
PID 220 wrote to memory of 1276	220	3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe	109
PID 1276 wrote to memory of 3252	1276	csc.exe	111
PID 1276 wrote to memory of 3252	1276	csc.exe	111
PID 1276 wrote to memory of 3252	1276	csc.exe	111

C:\Users\Admin\AppData\Local\Temp\3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3342325fb9f1071ef4a2d3c9d5ece958_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\swqahqq_.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3EF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB3EE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hx6_mseb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB641.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB640.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460
- C:\Users\Admin\AppData\Roaming\crss.exe
  C:\Users\Admin\AppData\Roaming\crss.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 12
    3⤵
    - Program crash
    PID:3112
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r7aqoqp_.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB854.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB853.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4124
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gp7kmgep.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9FA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB9EA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
- C:\Users\Admin\AppData\Roaming\stealer2.exe
  "C:\Users\Admin\AppData\Roaming\stealer2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rc9sukck.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB52.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBB51.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3240
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rbtue4zr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBCF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBBCE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:540
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9u5qxspk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC6B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC6A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3420 -ip 3420
1⤵
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9u5qxspk.dll

Filesize
5KB

MD5
8335b9723347bdfe5cf1a1c8d12feb24

SHA1
94f4f41335b754978b95c9b731cca8989bf8a009

SHA256
7f489f7e0be42af9bf53c43750acf5d65416730402d2e99f05a5e3f7d2a8f09e

SHA512
1ceb2eeb5d23cfeb0df12fb9a05decaa5df317152047374800e5b1bad297b70673f895cc704ccbb38fe2b78fa68b4cc6dffc5cea8a8d1dc59ebb364248b69ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3EF.tmp

Filesize
1KB

MD5
b64d3e8d8f20912cb1572f655c8a80a3

SHA1
ebda5f5513aa0c453b78ad1eb69dd3d15b915a20

SHA256
9ed625df9319e205ad1f211948381a85a63583453cd5f2dfa5d877afb907981d

SHA512
4526887960debe2164f85fe24c0d5671fe8544b5bd9347a4df2c435bfdda5ceefadfd4f357d8ee8db696e747ad8f273826ee5aaf38b6fbaf7e6c29418a85f154

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB641.tmp

Filesize
1KB

MD5
e8340ca9d6e66bc4ffb0b13952426f9f

SHA1
bb7459312c302d65efc709f5c4b0cab1b868bf27

SHA256
7da55d7a09c76d5455bf8d11ffb98c9012b59b1d6c548bd948696c7177316e20

SHA512
b41610d950b9c70d204dd86bc0bd00ad97d3891ef8ddf945a4e78f88857f2771a161ff555feaefa629086343d48193f66be71b3cf4d929a0b00e41247dc0fc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB854.tmp

Filesize
1KB

MD5
5907ba6b565bbbc5adf64e62452e0e5b

SHA1
e94ed3148614241763a18fb44ef87973505bbf30

SHA256
4be8d52cf05cbc7f40547f8ae8e08433e5a34a482e66c5c0e46e4d8de6cebf7b

SHA512
a9a77bcdb9fb0485eb8c824dd2412cc7c730c59d648e5410280ff7f9349e5e4bb37dfba8811bc88052502f17aad8015067dae8b41f1c24b348564dc9cfbb2b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB9FA.tmp

Filesize
1KB

MD5
48d6316cef4388e00effdf590e30f35b

SHA1
b6f9e7c0d7cd7eb129208a49425d362e6dafe97a

SHA256
93ac3eb36f3aa508949d06e6eafcd773c862d13eb99e74207701d7d51fb72303

SHA512
08a06b02dd0fa36ddec5098bddfab6edbed3aa84da47206b8667b44a47996b1b3bf903db7674d11ab4109e2bcdacbd174cc6fef2d73a3cb9255d4f6dd6ca0129

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB52.tmp

Filesize
1KB

MD5
8d95268d9592d8a0962f851d305720f7

SHA1
c25abee5c3d99ef2a9982b0b8a3351573b700a4d

SHA256
00e1aecfd6ccd5e238184b0b4452634b3531735b9cccd00405a12c805b1d17e8

SHA512
fda89e228a4e879f41fecf87c13e85c40bbdfcf048f9956e9006af9ed60ae3e155bf145d34a41002610b0e12c00317d41c729c24d93083a3245e9f2c822ffd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBBCF.tmp

Filesize
1KB

MD5
26fe68626ffdc2a3abfdccb7f46cfb41

SHA1
6657db9b8a8fbbe3c33a8ac5e8b8c11dea56d92c

SHA256
9f063892987b062ae9438fc4c63cdb369ade50dffee33475e14d3a51d0595643

SHA512
4a9ffc5ad553ce58d0bfa90253811cd6c9c0d9d26cc2975c0fac48d9e500fbe4ffe89d5f01e92958e55e1e9725aaed099ffdaa1f2dc1b7ba1cda652fc5b7d5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC6B.tmp

Filesize
1KB

MD5
fba36748e60504b6f37f7f125b041d7f

SHA1
c7c437a3975f5b56afbf0d3e6935422a8458a939

SHA256
1da28dcd24c3090328d8b92fb2fe60cafe7df924e183c4d9c099263cee89ee3b

SHA512
b064c34d47c8111abbd307c220a59a0e0d8802a05783b2c723beb8caa5f7eeba9fc08adafd79824e961079ad56090c6d0de18e099aab772745206a592be4f774

Download Submit
C:\Users\Admin\AppData\Local\Temp\gp7kmgep.dll

Filesize
3KB

MD5
d8168f56f407a7f2219f745c6425494e

SHA1
b0bfdb85cd1f0841b5580e7ac60d9665be234c9d

SHA256
c814b859c3b616ecd82a253747c756d280dc72186f0661686188bbf0bdf3f998

SHA512
8a0844b0ea1aba10fe23d21cdf7c608ae43a6374f287ac894e89dddd4bf43146efff6ac4e61912e2c944770c8fd8649c995de35909ee43a398841607f751eac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hx6_mseb.dll

Filesize
9KB

MD5
23ff345a69f2d8f9ad7124d9f3fe7a96

SHA1
021547f530e5fce76244e237feed8cfcb21f924d

SHA256
f22052922cb719ea6b8bfcdad4ea8a2d33786187b6144909e8fd136433837a92

SHA512
697a3b35edad5a9e5822e610bc1cb78b84da5424cd737d2977653e3792977a85be6a1042ef85a06ebcdaed3fe7374a76a44feb48b9f3c266a0609e2c392b2073

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7aqoqp_.dll

Filesize
3KB

MD5
e15d36c791b9e559a1cf50d6713e8544

SHA1
cac4a5eece928540ddbc2dc3030412a48d03d722

SHA256
bc5b5656df43d814ee8f38274c49c50e704b1a649dff86c0d7f536c47320906a

SHA512
f416fc8fb0b3b08421b15915cb8d4015d5baa3c22737da5919123edc429f3a7cea0ac870a65d938a18968c243ed9d86ffd92f19d4ded2a7cb46615bb61c348e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbtue4zr.dll

Filesize
3KB

MD5
59093197eccdf7e20f576b9757fb9fba

SHA1
0e8c0edc757c303a498cc18f391715524d5343fa

SHA256
995fc3a228a87d54cdb42f048cebc97f090ff8861113567e1a0f67a9bcb8477c

SHA512
004f51cab05d06bd7091b387c5171c27d7aabe4bf57799e8ea1176f79337b1d8a1d4167ebca57ff83e8a8be50c162c0b95829a7b24ebf3096e750e509afcfb14

Download Submit
C:\Users\Admin\AppData\Local\Temp\rc9sukck.dll

Filesize
5KB

MD5
598b44ea5450c6c920a97d6099859563

SHA1
394627cd2238262363a2385b8e1076204395dfce

SHA256
158fb5fa098f6c05292a71c897d6aa7e7e381bb3731bfcd4f76665fcf5969ad8

SHA512
b7536ba399457244ee55b17b0ccde69b9c93ea7ed83a728d648951a30d7354e3beb875eef471dd8f1c6712bc6276b0c4b085747cd389603c6337d4801852287a

Download Submit
C:\Users\Admin\AppData\Local\Temp\swqahqq_.dll

Filesize
3KB

MD5
18331a6c908d13d706db743803b4583c

SHA1
49cc82001b6a6d9057d5d2624484c5740783285b

SHA256
7114ba0c3bf0cb6eb51c22af8ce7fab14554f318a61829dab1b3ce4f0248b3c3

SHA512
8bb8da02da5bdb4eecd1fe629fd7150417171a30c6a01fb0782291cadfb2a28a2e569f003c0a3358586339bfd060130fea2c5f2c0ffcf498732227524b0f1ffb

Download Submit
C:\Users\Admin\AppData\Roaming\crss.exe

Filesize
1024B

MD5
5680aa2cc0b5884b9fc96b8a3e1379eb

SHA1
912ee1aec2d6532af837a5deb3b31bc82988b864

SHA256
1dd485f826b051aff3788bf3f2b7a055b62378bd3501f5d2eece9eb2b34e9999

SHA512
5d4382d008de4513349f5c464e2807fd214e193b43e58e024e2fb131650c94e92dbec02aec4eae3bca9bbf2405baa1c1aaf71841a69eda6a163fd6cfb5e12aa4

Download Submit
C:\Users\Admin\AppData\Roaming\stealer2.exe

Filesize
344KB

MD5
54a20840ac82e360079d766acaee20e1

SHA1
c65b317c6820aad0985cea797ab1fbb41b94749f

SHA256
2ef097e4d759cb84d493f6901846006ae720ab72b05f4b7393773f2636fff920

SHA512
8c1191f84dc92480838afe4a8a936a8a8a5acfac8c512db65cab5b1a4a3351e80640e595d5d24301321fcd11a6edc1af63d22e74ad2d7c46a2e0fb05606facf9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9u5qxspk.0.cs

Filesize
3KB

MD5
7e25c02bfdcb0066abca03e52b9aa29e

SHA1
3a7a17a202290396bbdffa1d2b6f9ae4d1ea9653

SHA256
57a42b15fb9c91aeed466a92148cd64f61a20338383fc4a40989e86703f0b7e9

SHA512
c881b3951cfa94af6537ccbf563ce032e1732d61915abff0186cc6dfc44d507c52e89cdff892a4d13d35fe83611b2ede6247a4447931d40a9dbc3f30088a0b21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9u5qxspk.cmdline

Filesize
187B

MD5
d0dc8be1175324519fe69ccd79a10194

SHA1
64dcf257b1afa92177c6ec5bd224d1f1097fe9e4

SHA256
3f63325c40a24de2ad2aa8437c73795cb3d68856a452c4be118ffb41aae70e88

SHA512
58ea5c0e41f27dc6387d925589530c57d99c30f218bae9997bf40bf9e1e681fd92cde028861e4f431cb2a2b873796123e00e16d42b7e9de4f18160e709095a30

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB3EE.tmp

Filesize
652B

MD5
d36cbcc7ec1e969661650e56a94418d4

SHA1
e70e0a4c656364033065d3ae276e1c082331399b

SHA256
527a94ca75a5f77ac0bb865f7ecb0d9d6df5ae19cad0b7bd699dc4556b1182cc

SHA512
bcb30eeb74fbb45f52bcdc953994cc1789bb39264a61c3c683012919a7fcd8a6168d743afd88f1d7e0390d65e8c5df9329abd4d3158c4cefc7aa521b8cf3bb9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB640.tmp

Filesize
652B

MD5
31af719bc4155220dddbce7cd95babc4

SHA1
edee72cdb609d20954c529a21efaf0ecfdbb2d66

SHA256
634d6b10fef4a9fc378e38a75abf1b2e5d1e59677b2dc6c29829220499a070cb

SHA512
16e10fd54263e9b8069211cdd17e95cb502b0c5519dde54fb5f36ac0b828c93a080bc9afefc89fd0078cfa6f247c96e29fccb60ef9694f9b0224781c02ac8460

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB853.tmp

Filesize
652B

MD5
766920bb4147adcc2a0e02b849abd1ad

SHA1
e8493df9f8227a2a381b4ae5f531a67bfd06a28a

SHA256
0312bf9949266ae21e92bbcd0e6931029610c538326d19a93b3b2a56d42ce718

SHA512
5a28c1af49e89aa46d7dad4ad960f459092de163a387580156f38807b5bb3e061e8fc11e17b5382c265eff097cdc5908a22f9495c1d2c35f794970617931f419

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB9EA.tmp

Filesize
652B

MD5
296d28eb9e0ca3c9635bcbbe106d8095

SHA1
bae4ecede8b122ad2a10fe2719897333c42d6239

SHA256
5e7c1aeea82a14827ad96b8df0d86f5f95d2b4a9c1e6250e3e3edc6d36296600

SHA512
677320ca2ae16367a668ad74e5c3ba68863e570ab5b6e2a8e522e1095ee0fd6debf41d0822da5096d2d1310a288255e87a6c6bb78633f34f463afa70747a886c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBB51.tmp

Filesize
652B

MD5
f58c75d96c2cd2d6e587294b1939dad5

SHA1
3591480f05d0637bb94bfb60a2188c15d42f5deb

SHA256
7a30f366fba160fddccd449b0f93c4e5ea5f3f94c58e30e831e9fab24d16d64d

SHA512
a92d92bbb620d6d5eca6b2e4516be4aa3a80f34ca7f3de1fbfb91e4fcbc42bee0f8cec281d63fd188728bf01486ddade7971583788c0eba8e496e447e5a8e3a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBBCE.tmp

Filesize
652B

MD5
1493ffb661df5fc774b79e69958bddb0

SHA1
82e3155c04281ee31acead50248d5418d3b1251a

SHA256
f640b0c6f889933ed235d0682843b1f22d3f5bb79b80fc9c5c7339a217eeb65d

SHA512
d54fa42517d11147bba1efef0cb35bea86e8f2ab9f4a872f980cfd1bb981407a0d8d645f9434639fd717646b8c8840aa60cb9742f72c85f1feb7503f02aa897e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBC6A.tmp

Filesize
652B

MD5
4c11d209834a2ab22f36ea985bd119e7

SHA1
a020a2417884dcea6c5ab498dd7390de4f190798

SHA256
c9f5e9715df59791e2df27bec59629e8245703e2ffef712bf77d262b545ad355

SHA512
1b67b30b118022c30dd9db6aa39fa4b9d9f4453f881b2bedc8dc1364ce4bec3dbbd626f7525a551dd830d79ed930ddbb144e6e66fd46af7a81f7de7939b8ee99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gp7kmgep.0.cs

Filesize
136B

MD5
fc0140fcdfbc50c259b91b5d3b87e709

SHA1
34f216df9348848e0d5689b5cc93709115b0aa52

SHA256
82695ae847a36e9bb81237a19d8c6246bab58b51ee79dd6e6b9832e669e1f88b

SHA512
6b4a24003dbcf763bf06cf38b0106913644e7e1131e6ae4958b5b22009c6d572f500c15d4ab9b06e00ee1535d6610b48858d9cc6b0e06756abf7a1da002cbb55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gp7kmgep.cmdline

Filesize
187B

MD5
e1f78fd5dfc9948eb8e56277342aa590

SHA1
956259fc205ae1daa9c90442c62708cc4122d2cf

SHA256
cd9c21e32ab9e88029e6fecce24d283116fcd6c068eefc57c9bc54cd442f9f39

SHA512
b4db1d6828f926f1f755e657276d0d69c8d693114fb358f3786778f08bbdce41f5ac69a32215136918a306b89c48ff5fc8a83048d8c3fcc0fc84991eab19ccc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hx6_mseb.0.cs

Filesize
7KB

MD5
c79c02b8be614ba0ad11b9a2deac9067

SHA1
5338181abf8d8436df240ec8bfe8699ed40eac83

SHA256
aeb41fe4117e42c32d7c61fe9caa02f2ec937418a3ffb6ee64b5a8309e0d7b78

SHA512
4b0efe655b237185454a41c79c1b5cd9b8e80cfa36f7abb8a5d63629f400bb73d58f196584ec5421a8b2e6608b9c00d44514ada9651bcf19aea8ba4cce5b4a4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hx6_mseb.cmdline

Filesize
187B

MD5
674fa6adafc91a4ee0e7f9f208074c61

SHA1
6add4958c3e737359f5a1e3db45ef436ab255357

SHA256
2c1641a9d4f9b01b77d2ce27b487fb9f31ae77ded5b667237a6329c9c213e343

SHA512
211d0777cf94cec36c8fab6533962e1a013831ee0afc479b80176dc88b2af7ae53657a0c960a988e1386878b34dc5bd4364f1b0abc77341565a8a665f68ebec7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r7aqoqp_.0.cs

Filesize
134B

MD5
05a4c3ccd28742453c82fa82cbe4a0a1

SHA1
c929c7b0ced33ff8fad826d71c035e810cfc4766

SHA256
e342f43240b4e58557941be67f478ecef6f2b0dd8b66c2e1d95127cadfd0f409

SHA512
2cd7acc7b5cfe76b75a7ca8b27e820458722405c3486618915ece7b1e288961071229cd0583c72f7d4f2f8b57074495116afa91c185ec4fcbb9bb01d3cc7a203

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r7aqoqp_.cmdline

Filesize
187B

MD5
9a5ccc03d310b14563624e2a1c102ebe

SHA1
7652a9f8997ce8be02043e3a6c4fdbcbe8e5f8a8

SHA256
343c7601c285a815f5c5dafdd431f2be2fbfa00580d51040804b67bc50662674

SHA512
81bf78371e09cf2605be9f9ab0a521b1058ac136d1bd630814375f14df269d7d903e20db617d140533902bc0d42f7e8932e355b329611802ead8df0517a3ced8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rbtue4zr.0.cs

Filesize
106B

MD5
7b2710d3c14f50327d82682f1788ac9c

SHA1
db6323843b42649f002accea370f951ad10452bd

SHA256
cf3742c2d19768ac180864c89a57abffca72120fa2fa3d2872ddc5fb9901704f

SHA512
7f0c429790ac2a29c37fa802e150ec6cb96f906c6b33d6b61bda74690a06a68be016e062d141a1499d5bf521ef379f6531e7274e270bbf20aac8af49710d6479

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rbtue4zr.cmdline

Filesize
187B

MD5
096a8fd24ce0d9ff92ca0a6be1aa3a5f

SHA1
dc4757e0ae39881e4b3f7a036e20c6d82038ffc7

SHA256
ac7869191504ed33051b6cccc3a2d1eb21b37d8b29307907a5dc2b0d1c51ccec

SHA512
c3ffadc6c02e364c8edde38d3904ae59a6857cfffe38d92318fc93b074c646088eda5df9e8665f0f252f2a9dc6e833cb058f0467269e0f15007c49bbd664c3f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rc9sukck.0.cs

Filesize
1KB

MD5
5a8beeb82a07820973f62f31eec9eaba

SHA1
5fbfa6c909b78dc16710f5958313c2d97fc31e6a

SHA256
587c674d7815f9fa46f51bc872d1579c26954f9251dbf643d0c58ed55717f634

SHA512
0c554fa39a75884d9022eb16d457d552465605b9fa373d786a99d6c7aaa503447d207269c8adc0929f7d1b1d4da3272a2d69ee562bedc055f2568a5387eeeff0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rc9sukck.cmdline

Filesize
187B

MD5
cbe3564969508f7471cee4d0fc91fe3a

SHA1
248ed7492e00561d91f26eee15d28c87616d7d92

SHA256
630da4e0b869f8d12308e8cc0a4b50ea62cf912646e0d9444e721450304acfdb

SHA512
af72a3c7211b0aca1a4009303e376e91cff4a8d8c4b755facda33265a2afc748626b739b410827014273a0d82cd877549ece2329826d26f615765939599efe5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\swqahqq_.0.cs

Filesize
523B

MD5
e1135b80feeed3010044dba3ac1833fe

SHA1
f64747faba4c6d227b8e2205731c184391bee3e2

SHA256
7357bc6052437f0dacc4662e07ca246205b6b3e124925ffe126ab0909121a35f

SHA512
c466a525b22cb0245762a6522c51095c9efb52faf428add0aff1dbc5d23935aa5232be72ba519e4a963b75f5c94202b282b432a0f735aae6833c4cb2937b99be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\swqahqq_.cmdline

Filesize
187B

MD5
fbcfbaa977ecbdac3c8e899ece4a1396

SHA1
344c9378004c99297b1b7447a3229915257d5498

SHA256
20f30982d5d19ffb09eb3f6313df5af811868986a1ae3660826711c922ff197d

SHA512
8f4e550f2bed3d04cfebc58f8211c47cac154b98a476a7f81a98321ed658e5a2837f8de28b0c47bdab96b00b7f4e8d17b59ac3edc2ac65b4edd786833a9f00de

Download Submit
memory/220-1-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/220-0-0x0000000074C62000-0x0000000074C63000-memory.dmp

Filesize
4KB

Download
memory/220-118-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/220-116-0x0000000074C62000-0x0000000074C63000-memory.dmp

Filesize
4KB

Download
memory/220-117-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/220-2-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/2084-31-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/2084-26-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3420-35-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/3440-8-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3440-15-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4248-44-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4248-49-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download