darkcomet | 3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2025, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Size

659KB
MD5

2767d03d18bb350f7a79727d88ed6055
SHA1

319636dd0a845cca392706ed3668eec3681c99fa
SHA256

3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784
SHA512

634e4ae7e2ff933ba40ea69e35332021923ce8c715c1b2d384241f1b8dc8aba894df511cea320545a2a3e6e01437752955bbdcfe8263833976d6054a46744e47
SSDEEP

12288:OQ50wlFE0Zen1Rm8bvfShkU0n4eujffBjmcXI2L2WoH6HCGePcatHl9/+:TWJm8bvK+U0MjRjmcXp2BoCGmn9

Score

10^/10

darkcomet stdeb discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

STDeb

127.0.0.1:1604

allseeingeyes.ddns.net:1604

allseeingeyes.ddns.net:50

allseeingeyes.ddns.net:51

allseeingeyes.ddns.net:52

allseeingeyes.ddns.net:139

Mutex

DC_MUTEX-BH7SGT0

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
J6rFjSkS7kJD
install
true
offline_keylogger
true
persistence
true
reg_key
winupdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	msdcsc.exe
3456	msdcsc.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\BFHgWLkd.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\KseFOhus.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\KseFOhus.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\BFHgWLkd.exe"	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 3756 set thread context of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 2064 set thread context of 3456	2064	msdcsc.exe	98
PID 3756 set thread context of 2924	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	105
PID 3756 set thread context of 1020	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	110
PID 3756 set thread context of 3488	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	111
PID 3756 set thread context of 1692	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	113
PID 3756 set thread context of 608	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	114
PID 3756 set thread context of 4236	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	116
PID 3756 set thread context of 3852	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	120
PID 3756 set thread context of 2972	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	121
PID 3756 set thread context of 3712	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	122

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
2064	msdcsc.exe
3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
2064	msdcsc.exe
3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
2064	msdcsc.exe
3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
2064	msdcsc.exe
3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
2064	msdcsc.exe
3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
2064	msdcsc.exe
3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
2064	msdcsc.exe
3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
2064	msdcsc.exe
3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
2064	msdcsc.exe
3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
2064	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeIncreaseQuotaPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSecurityPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeTakeOwnershipPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeLoadDriverPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemProfilePrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemtimePrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeProfSingleProcessPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeIncBasePriorityPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeCreatePagefilePrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeBackupPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeRestorePrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeShutdownPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeDebugPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemEnvironmentPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeChangeNotifyPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeRemoteShutdownPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeUndockPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeManageVolumePrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeImpersonatePrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeCreateGlobalPrivilege	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 33	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 34	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 35	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 36	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeDebugPrivilege	2064	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	3456	msdcsc.exe
Token: SeSecurityPrivilege	3456	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3456	msdcsc.exe
Token: SeLoadDriverPrivilege	3456	msdcsc.exe
Token: SeSystemProfilePrivilege	3456	msdcsc.exe
Token: SeSystemtimePrivilege	3456	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3456	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3456	msdcsc.exe
Token: SeCreatePagefilePrivilege	3456	msdcsc.exe
Token: SeBackupPrivilege	3456	msdcsc.exe
Token: SeRestorePrivilege	3456	msdcsc.exe
Token: SeShutdownPrivilege	3456	msdcsc.exe
Token: SeDebugPrivilege	3456	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3456	msdcsc.exe
Token: SeChangeNotifyPrivilege	3456	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3456	msdcsc.exe
Token: SeUndockPrivilege	3456	msdcsc.exe
Token: SeManageVolumePrivilege	3456	msdcsc.exe
Token: SeImpersonatePrivilege	3456	msdcsc.exe
Token: SeCreateGlobalPrivilege	3456	msdcsc.exe
Token: 33	3456	msdcsc.exe
Token: 34	3456	msdcsc.exe
Token: 35	3456	msdcsc.exe
Token: 36	3456	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSecurityPrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeTakeOwnershipPrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeLoadDriverPrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemProfilePrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemtimePrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeProfSingleProcessPrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeIncBasePriorityPrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeCreatePagefilePrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeBackupPrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeRestorePrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeShutdownPrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeDebugPrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemEnvironmentPrivilege	2924	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3456	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 4156	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	86
PID 3756 wrote to memory of 4156	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	86
PID 3756 wrote to memory of 4156	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	86
PID 4156 wrote to memory of 3664	4156	csc.exe	89
PID 4156 wrote to memory of 3664	4156	csc.exe	89
PID 4156 wrote to memory of 3664	4156	csc.exe	89
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 748	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	90
PID 3756 wrote to memory of 1456	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	91
PID 3756 wrote to memory of 1456	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	91
PID 3756 wrote to memory of 1456	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	91
PID 1456 wrote to memory of 5100	1456	cmd.exe	93
PID 1456 wrote to memory of 5100	1456	cmd.exe	93
PID 1456 wrote to memory of 5100	1456	cmd.exe	93
PID 748 wrote to memory of 2064	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	94
PID 748 wrote to memory of 2064	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	94
PID 748 wrote to memory of 2064	748	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	94
PID 2064 wrote to memory of 3236	2064	msdcsc.exe	95
PID 2064 wrote to memory of 3236	2064	msdcsc.exe	95
PID 2064 wrote to memory of 3236	2064	msdcsc.exe	95
PID 3236 wrote to memory of 2880	3236	csc.exe	97
PID 3236 wrote to memory of 2880	3236	csc.exe	97
PID 3236 wrote to memory of 2880	3236	csc.exe	97
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3456	2064	msdcsc.exe	98
PID 2064 wrote to memory of 3184	2064	msdcsc.exe	99
PID 2064 wrote to memory of 3184	2064	msdcsc.exe	99
PID 2064 wrote to memory of 3184	2064	msdcsc.exe	99
PID 3184 wrote to memory of 2340	3184	cmd.exe	102
PID 3184 wrote to memory of 2340	3184	cmd.exe	102
PID 3184 wrote to memory of 2340	3184	cmd.exe	102
PID 3756 wrote to memory of 2520	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	104
PID 3756 wrote to memory of 2520	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	104
PID 3756 wrote to memory of 2520	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	104
PID 3756 wrote to memory of 2924	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	105
PID 3756 wrote to memory of 2924	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	105
PID 3756 wrote to memory of 2924	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	105
PID 3756 wrote to memory of 2924	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	105
PID 3756 wrote to memory of 2924	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	105
PID 3756 wrote to memory of 2924	3756	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	105

C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
"C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f6st0vxp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94DE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC94DD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3664
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ic8kyx_.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9878.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9877.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
  - - C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
      "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3456
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\KseFOhus.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\KseFOhus.exe
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2340
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\BFHgWLkd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\BFHgWLkd.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5100
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:184
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:608
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:4712
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4236
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:912
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3852
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ic8kyx_.dll

Filesize
1.3MB

MD5
7386d2812dc9f7cf49242729c8094f9a

SHA1
25a3d84deb66b2b3c0813e4f675213dd54545693

SHA256
dc0288ed3dba4c25ba2824ad0c16efa5b6c8e7375b19a69cc7f6eda42133a429

SHA512
267375f122a52ee3d3cf92f07a7233f6b1a005b3b7170a8f52eb77ec8991194dd1408d5b47ecec1fcc2597e994a26314a72bf20b0bb25e1ea6d0ec7484d069b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES94DE.tmp

Filesize
1KB

MD5
6c8bb6abb2d1d82ca82bf909f32414fe

SHA1
8452c8bb075413b3e931d3adf50460acea000255

SHA256
7660ac0c036a0aaea15c5a2772ec66a47f2d2fa62c265f8621066076d0b796ce

SHA512
3ee2c72f92c160f8b7fc1bdbc917b46d24a45993df312ff21355730420e1f8fa99346c50e315a51166f10f1259f75b4faa219011e5f94fa1a31e0094d88f18cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9878.tmp

Filesize
1KB

MD5
d1c2592176fb6ade2109c5c221102552

SHA1
b5a800d5e9c76d6b2a957a4b12a907316847eb43

SHA256
43d4ccfaa0b57a06f5f165d8ad5a678661c1338e18752c8f029256b60fd6dd6c

SHA512
5338b1016a4231bfba9e4d8b818d5ffe8d809a7f969d5b99e93d8c3297f7350304b541b7a6fee09731b0104f10975017382bb133aa2c9ec2b881054061c25834

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6st0vxp.dll

Filesize
1.3MB

MD5
d4f3453acb6cfe026af69e923892273d

SHA1
425e74f41bc73ac8f47f88dec49a43ee716fdbcc

SHA256
801b763f530494d56b7344c26cf716357e774c8750ced53df2ac6ffdca3c9074

SHA512
b67be5be11a49a5c5b1c135af5b626f0e7b23d2e48d5dca4617fbe5325e756f9658f67067034f221e31b8b62df241a88fad0ada68ea607ba304fe0e695c715dd

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe

Filesize
659KB

MD5
2767d03d18bb350f7a79727d88ed6055

SHA1
319636dd0a845cca392706ed3668eec3681c99fa

SHA256
3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784

SHA512
634e4ae7e2ff933ba40ea69e35332021923ce8c715c1b2d384241f1b8dc8aba894df511cea320545a2a3e6e01437752955bbdcfe8263833976d6054a46744e47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ic8kyx_.cmdline

Filesize
196B

MD5
162fc63f59e9f8dad535ce1c0f18ad31

SHA1
fa045d6719116d87416de78edf42bfcfc6e26f89

SHA256
0843a9ac2ba088cc6dafe151785589c0b8533f07bf554493a9246def8a4bdcd0

SHA512
b2ae5979cd5de65406ca40b00c96f64cf52c7854674b9545c1298329618200f2ec7137527b7274af059a877f4bf51f7fcc31f0dbba5b671d3721376101f3acbf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC94DD.tmp

Filesize
652B

MD5
8414c83c6c2cca84c4f53bc5103324a0

SHA1
6e3fb6ecd3f2129a85f122a9aa50c3f986bbc697

SHA256
ee6b08c830ce7ce4c5155ac12f83ef64f22b3edc398a14da5a8f14d480ea373e

SHA512
e6429ab9f69f4d916b99597b22342a6790a2f898a0aea920abbbd39f45a90176970233ba4dd7fea24e8523c48562e735bd6f471152cc981f60930aa30e056b5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9877.tmp

Filesize
652B

MD5
ab8a4ed3bcf643d19e7cfa6ea456d99b

SHA1
1033da889f594392a5b934aafdf46bf89fc12e7d

SHA256
f761ae3004c80b22ae1a16f3148be9f9a63e4dfd740dd3ee095707690b20e533

SHA512
7ae242e86f84e105e2bed74c12140be91e343fe2eec4345c0a9ccca7b3bbba8307634ce12f238324977fb24882b3ec815c1de47e3736620b489759ace096dd16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f6st0vxp.cmdline

Filesize
196B

MD5
b408d0e3993e4181424efa6c3a16d454

SHA1
00ad0c26f2cebc491e30daba668538c5593932c6

SHA256
097f2cc3b28870b943306b9844307bc36d436843d70b167483337f206b8fca78

SHA512
3bcaa5985e15a815691ea15b144bacbfdf29b31fc2b9a80818c11b8eeb774349c181ba3f5a6b02f913718dae396ff6fb8733443bca04212c1935858f7f194184

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp929B.tmp.txt

Filesize
649KB

MD5
7120e9abe458cf85d553fe8ba1829632

SHA1
a5c9afe205d92681fdcae316c25a21d8bd0b63a2

SHA256
094a826cc6904668cf2894ed5f71c8d6240bd5e85b0cb6cb500c9cbbbbdb5007

SHA512
c3d912ecdfb8ab7c78867a1f65fbce42a4d48cf5f04be5a48dfc4828b44c5b63bcdc4d822c5fd1e03d69b68babd50fec7fa62f4df26269bdf0018c2053b7e706

Download Submit
memory/748-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/748-124-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/748-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/748-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/748-33-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/748-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/748-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/748-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/748-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/748-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/748-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/748-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-153-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-152-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2924-139-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2924-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3456-123-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3456-122-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3456-121-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3488-165-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3756-0-0x00000000753A2000-0x00000000753A3000-memory.dmp

Filesize
4KB

Download
memory/3756-125-0x00000000753A2000-0x00000000753A3000-memory.dmp

Filesize
4KB

Download
memory/3756-126-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3756-127-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3756-2-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3756-1-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4156-9-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4156-16-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download