darkcomet | 445bc3da96e63745748cc4d7d14faaa80122f46bc86e2a4628956f5aea4b70f7

Analysis

max time kernel
149s
max time network
172s
platform
windows7_x64
resource
win7v20210410
submitted
11-06-2021 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
Size

833KB
MD5

aff59ff4873a180e497cac498323fd56
SHA1

3cb24379d8aeb29a58fddac419f8bd0fc1068c89
SHA256

445bc3da96e63745748cc4d7d14faaa80122f46bc86e2a4628956f5aea4b70f7
SHA512

cbf9ed1d90ea527bc9e8f3564d1fd2f3d1f9c92e10ba8da790f58c815f07ae11f6c5da3772b95b286867e3be124994ddc32aa1758a1d2acb8667d01dfca7b929

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

D&H.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	D&H.exe

Executes dropped EXE 2 IoCs

Processes:

D&H.exemsdcsc.exe

pid process

1652 D&H.exe
844 msdcsc.exe

pid	process
1652	D&H.exe
844	msdcsc.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\D&H.exe	upx
\Users\Admin\AppData\Local\Temp\D&H.exe	upx
C:\Users\Admin\AppData\Local\Temp\D&H.exe	upx
C:\Users\Admin\AppData\Local\Temp\D&H.exe	upx
\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe	upx
\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe	upx

Loads dropped DLL 4 IoCs

Processes:

445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exeD&H.exe

pid process

1668 445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
1668 445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
1652 D&H.exe
1652 D&H.exe

pid	process
1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
1652	D&H.exe
1652	D&H.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

D&H.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	D&H.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1536 schtasks.exe

pid	process
1536	schtasks.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

D&H.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1652	D&H.exe
Token: SeSecurityPrivilege	1652	D&H.exe
Token: SeTakeOwnershipPrivilege	1652	D&H.exe
Token: SeLoadDriverPrivilege	1652	D&H.exe
Token: SeSystemProfilePrivilege	1652	D&H.exe
Token: SeSystemtimePrivilege	1652	D&H.exe
Token: SeProfSingleProcessPrivilege	1652	D&H.exe
Token: SeIncBasePriorityPrivilege	1652	D&H.exe
Token: SeCreatePagefilePrivilege	1652	D&H.exe
Token: SeBackupPrivilege	1652	D&H.exe
Token: SeRestorePrivilege	1652	D&H.exe
Token: SeShutdownPrivilege	1652	D&H.exe
Token: SeDebugPrivilege	1652	D&H.exe
Token: SeSystemEnvironmentPrivilege	1652	D&H.exe
Token: SeChangeNotifyPrivilege	1652	D&H.exe
Token: SeRemoteShutdownPrivilege	1652	D&H.exe
Token: SeUndockPrivilege	1652	D&H.exe
Token: SeManageVolumePrivilege	1652	D&H.exe
Token: SeImpersonatePrivilege	1652	D&H.exe
Token: SeCreateGlobalPrivilege	1652	D&H.exe
Token: 33	1652	D&H.exe
Token: 34	1652	D&H.exe
Token: 35	1652	D&H.exe
Token: SeIncreaseQuotaPrivilege	844	msdcsc.exe
Token: SeSecurityPrivilege	844	msdcsc.exe
Token: SeTakeOwnershipPrivilege	844	msdcsc.exe
Token: SeLoadDriverPrivilege	844	msdcsc.exe
Token: SeSystemProfilePrivilege	844	msdcsc.exe
Token: SeSystemtimePrivilege	844	msdcsc.exe
Token: SeProfSingleProcessPrivilege	844	msdcsc.exe
Token: SeIncBasePriorityPrivilege	844	msdcsc.exe
Token: SeCreatePagefilePrivilege	844	msdcsc.exe
Token: SeBackupPrivilege	844	msdcsc.exe
Token: SeRestorePrivilege	844	msdcsc.exe
Token: SeShutdownPrivilege	844	msdcsc.exe
Token: SeDebugPrivilege	844	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	844	msdcsc.exe
Token: SeChangeNotifyPrivilege	844	msdcsc.exe
Token: SeRemoteShutdownPrivilege	844	msdcsc.exe
Token: SeUndockPrivilege	844	msdcsc.exe
Token: SeManageVolumePrivilege	844	msdcsc.exe
Token: SeImpersonatePrivilege	844	msdcsc.exe
Token: SeCreateGlobalPrivilege	844	msdcsc.exe
Token: 33	844	msdcsc.exe
Token: 34	844	msdcsc.exe
Token: 35	844	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

844 msdcsc.exe

pid	process
844	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.execmd.exeD&H.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN svchost.exe /XML "C:\Users\Admin\AppData\Local\Temp\906e3b9444e74d05a4e8d74c157bad7e.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN svchost.exe /XML "C:\Users\Admin\AppData\Local\Temp\906e3b9444e74d05a4e8d74c157bad7e.xml"
3⤵
- Creates scheduled task(s)
PID:1536

C:\Users\Admin\AppData\Local\Temp\D&H.exe
"C:\Users\Admin\AppData\Local\Temp\D&H.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:844

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
8⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
9⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
10⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
11⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
12⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
13⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
14⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
15⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
16⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
17⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
18⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
19⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
20⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
21⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
22⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
23⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
24⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
25⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
26⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
27⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
28⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
29⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
30⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
31⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
32⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
33⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
34⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
35⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
36⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
37⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
38⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
39⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
40⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
41⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
42⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
43⤵
PID:480

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
44⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
45⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
46⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
47⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
48⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
49⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
50⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
51⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
52⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
53⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
54⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
55⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
56⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
57⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
58⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
59⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
60⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
61⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
62⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
63⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
64⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
65⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
66⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
67⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
68⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
69⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
70⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
71⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
72⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
73⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
74⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
75⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
76⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
77⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
78⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
79⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
80⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
81⤵
PID:304

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
82⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
83⤵
PID:284

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
84⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
85⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
86⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
87⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
88⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
89⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
90⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
91⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
92⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
93⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
94⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
95⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
96⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
97⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
98⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
99⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
100⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
101⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
102⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
103⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
104⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
105⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
106⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
107⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
108⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
109⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
110⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
111⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
112⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
113⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
114⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
115⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
116⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
117⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
118⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
119⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
120⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
121⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
122⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
123⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
124⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
125⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
126⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
127⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
128⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
129⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
130⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
"C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
131⤵
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\906e3b9444e74d05a4e8d74c157bad7e.xml

MD5
621eee0cc11d8058f1e81a25c8a93211

SHA1
45dbb4e4092e3d11af41ced1f249a9745343f3ba

SHA256
1f4b09b413a7c22f7583da01c45286ff9a1e5d0c2a36be38e79440acf4deb2d1

SHA512
9ee1f0e3749783297ad3e822592339a564a53a518ef6e27ea356fcda16763c9f9a80d1efadc5725ed31ab80ddce999e30bec872049c510f562d8a3faf96bf61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D&H.exe

MD5
6ecfbfb290b771d5aad3a289494a7e01

SHA1
999277c449813f3292afce6e2a105e9f5331ba21

SHA256
d1d5863a9d03fe4f0d32466a06e0384a5750990343cc62c46f45fd8ea6ae644f

SHA512
9b71b3b503416f701257531247588fce8aefb21e990f1955e0cd6286686eb0f97edd43a2b8ee3af46c48d4857e2c5d09adde32e44d7a0589a5529da571b93f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\D&H.exe

MD5
6ecfbfb290b771d5aad3a289494a7e01

SHA1
999277c449813f3292afce6e2a105e9f5331ba21

SHA256
d1d5863a9d03fe4f0d32466a06e0384a5750990343cc62c46f45fd8ea6ae644f

SHA512
9b71b3b503416f701257531247588fce8aefb21e990f1955e0cd6286686eb0f97edd43a2b8ee3af46c48d4857e2c5d09adde32e44d7a0589a5529da571b93f18

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe

MD5
6ecfbfb290b771d5aad3a289494a7e01

SHA1
999277c449813f3292afce6e2a105e9f5331ba21

SHA256
d1d5863a9d03fe4f0d32466a06e0384a5750990343cc62c46f45fd8ea6ae644f

SHA512
9b71b3b503416f701257531247588fce8aefb21e990f1955e0cd6286686eb0f97edd43a2b8ee3af46c48d4857e2c5d09adde32e44d7a0589a5529da571b93f18

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe

MD5
6ecfbfb290b771d5aad3a289494a7e01

SHA1
999277c449813f3292afce6e2a105e9f5331ba21

SHA256
d1d5863a9d03fe4f0d32466a06e0384a5750990343cc62c46f45fd8ea6ae644f

SHA512
9b71b3b503416f701257531247588fce8aefb21e990f1955e0cd6286686eb0f97edd43a2b8ee3af46c48d4857e2c5d09adde32e44d7a0589a5529da571b93f18

Download Submit
\Users\Admin\AppData\Local\Temp\D&H.exe

MD5
6ecfbfb290b771d5aad3a289494a7e01

SHA1
999277c449813f3292afce6e2a105e9f5331ba21

SHA256
d1d5863a9d03fe4f0d32466a06e0384a5750990343cc62c46f45fd8ea6ae644f

SHA512
9b71b3b503416f701257531247588fce8aefb21e990f1955e0cd6286686eb0f97edd43a2b8ee3af46c48d4857e2c5d09adde32e44d7a0589a5529da571b93f18

Download Submit
\Users\Admin\AppData\Local\Temp\D&H.exe

MD5
6ecfbfb290b771d5aad3a289494a7e01

SHA1
999277c449813f3292afce6e2a105e9f5331ba21

SHA256
d1d5863a9d03fe4f0d32466a06e0384a5750990343cc62c46f45fd8ea6ae644f

SHA512
9b71b3b503416f701257531247588fce8aefb21e990f1955e0cd6286686eb0f97edd43a2b8ee3af46c48d4857e2c5d09adde32e44d7a0589a5529da571b93f18

Download Submit
\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe

MD5
6ecfbfb290b771d5aad3a289494a7e01

SHA1
999277c449813f3292afce6e2a105e9f5331ba21

SHA256
d1d5863a9d03fe4f0d32466a06e0384a5750990343cc62c46f45fd8ea6ae644f

SHA512
9b71b3b503416f701257531247588fce8aefb21e990f1955e0cd6286686eb0f97edd43a2b8ee3af46c48d4857e2c5d09adde32e44d7a0589a5529da571b93f18

Download Submit
\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe

MD5
6ecfbfb290b771d5aad3a289494a7e01

SHA1
999277c449813f3292afce6e2a105e9f5331ba21

SHA256
d1d5863a9d03fe4f0d32466a06e0384a5750990343cc62c46f45fd8ea6ae644f

SHA512
9b71b3b503416f701257531247588fce8aefb21e990f1955e0cd6286686eb0f97edd43a2b8ee3af46c48d4857e2c5d09adde32e44d7a0589a5529da571b93f18

Download Submit
memory/280-95-0x0000000000000000-mapping.dmp

Download
memory/292-85-0x0000000000000000-mapping.dmp

Download
memory/324-83-0x0000000000000000-mapping.dmp

Download
memory/368-173-0x0000000000000000-mapping.dmp

Download
memory/384-87-0x0000000000000000-mapping.dmp

Download
memory/480-159-0x0000000000000000-mapping.dmp

Download
memory/544-93-0x0000000000000000-mapping.dmp

Download
memory/652-185-0x0000000000000000-mapping.dmp

Download
memory/668-121-0x0000000000000000-mapping.dmp

Download
memory/668-179-0x0000000000000000-mapping.dmp

Download
memory/748-161-0x0000000000000000-mapping.dmp

Download
memory/756-91-0x0000000000000000-mapping.dmp

Download
memory/780-109-0x0000000000000000-mapping.dmp

Download
memory/844-80-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/844-74-0x0000000000000000-mapping.dmp

Download
memory/876-141-0x0000000000000000-mapping.dmp

Download
memory/904-195-0x0000000000000000-mapping.dmp

Download
memory/932-165-0x0000000000000000-mapping.dmp

Download
memory/940-137-0x0000000000000000-mapping.dmp

Download
memory/972-107-0x0000000000000000-mapping.dmp

Download
memory/1052-193-0x0000000000000000-mapping.dmp

Download
memory/1084-187-0x0000000000000000-mapping.dmp

Download
memory/1092-131-0x0000000000000000-mapping.dmp

Download
memory/1092-81-0x0000000000000000-mapping.dmp

Download
memory/1096-105-0x0000000000000000-mapping.dmp

Download
memory/1172-151-0x0000000000000000-mapping.dmp

Download
memory/1208-145-0x0000000000000000-mapping.dmp

Download
memory/1268-167-0x0000000000000000-mapping.dmp

Download
memory/1292-183-0x0000000000000000-mapping.dmp

Download
memory/1312-89-0x0000000000000000-mapping.dmp

Download
memory/1316-143-0x0000000000000000-mapping.dmp

Download
memory/1328-60-0x0000000000000000-mapping.dmp

Download
memory/1332-139-0x0000000000000000-mapping.dmp

Download
memory/1440-101-0x0000000000000000-mapping.dmp

Download
memory/1476-123-0x0000000000000000-mapping.dmp

Download
memory/1484-78-0x0000000000000000-mapping.dmp

Download
memory/1504-149-0x0000000000000000-mapping.dmp

Download
memory/1508-147-0x0000000000000000-mapping.dmp

Download
memory/1532-177-0x0000000000000000-mapping.dmp

Download
memory/1532-119-0x0000000000000000-mapping.dmp

Download
memory/1536-68-0x0000000000000000-mapping.dmp

Download
memory/1540-66-0x0000000000000000-mapping.dmp

Download
memory/1556-113-0x0000000000000000-mapping.dmp

Download
memory/1568-99-0x0000000000000000-mapping.dmp

Download
memory/1584-189-0x0000000000000000-mapping.dmp

Download
memory/1592-115-0x0000000000000000-mapping.dmp

Download
memory/1604-175-0x0000000000000000-mapping.dmp

Download
memory/1604-117-0x0000000000000000-mapping.dmp

Download
memory/1608-135-0x0000000000000000-mapping.dmp

Download
memory/1616-133-0x0000000000000000-mapping.dmp

Download
memory/1636-125-0x0000000000000000-mapping.dmp

Download
memory/1652-129-0x0000000000000000-mapping.dmp

Download
memory/1652-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1652-63-0x0000000000000000-mapping.dmp

Download
memory/1660-169-0x0000000000000000-mapping.dmp

Download
memory/1668-59-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1688-171-0x0000000000000000-mapping.dmp

Download
memory/1700-153-0x0000000000000000-mapping.dmp

Download
memory/1832-155-0x0000000000000000-mapping.dmp

Download
memory/1904-157-0x0000000000000000-mapping.dmp

Download
memory/1908-103-0x0000000000000000-mapping.dmp

Download
memory/1912-191-0x0000000000000000-mapping.dmp

Download
memory/1932-181-0x0000000000000000-mapping.dmp

Download
memory/1936-127-0x0000000000000000-mapping.dmp

Download
memory/1940-97-0x0000000000000000-mapping.dmp

Download
memory/1956-111-0x0000000000000000-mapping.dmp

Download
memory/1996-163-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1668 wrote to memory of 1328	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	cmd.exe
PID 1668 wrote to memory of 1328	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	cmd.exe
PID 1668 wrote to memory of 1328	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	cmd.exe
PID 1668 wrote to memory of 1328	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	cmd.exe
PID 1668 wrote to memory of 1652	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	D&H.exe
PID 1668 wrote to memory of 1652	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	D&H.exe
PID 1668 wrote to memory of 1652	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	D&H.exe
PID 1668 wrote to memory of 1652	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	D&H.exe
PID 1668 wrote to memory of 1540	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1668 wrote to memory of 1540	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1668 wrote to memory of 1540	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1668 wrote to memory of 1540	1668	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1328 wrote to memory of 1536	1328	cmd.exe	schtasks.exe
PID 1328 wrote to memory of 1536	1328	cmd.exe	schtasks.exe
PID 1328 wrote to memory of 1536	1328	cmd.exe	schtasks.exe
PID 1328 wrote to memory of 1536	1328	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 844	1652	D&H.exe	msdcsc.exe
PID 1652 wrote to memory of 844	1652	D&H.exe	msdcsc.exe
PID 1652 wrote to memory of 844	1652	D&H.exe	msdcsc.exe
PID 1652 wrote to memory of 844	1652	D&H.exe	msdcsc.exe
PID 1540 wrote to memory of 1484	1540	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1540 wrote to memory of 1484	1540	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1540 wrote to memory of 1484	1540	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1540 wrote to memory of 1484	1540	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1484 wrote to memory of 1092	1484	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1484 wrote to memory of 1092	1484	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1484 wrote to memory of 1092	1484	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1484 wrote to memory of 1092	1484	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1092 wrote to memory of 324	1092	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1092 wrote to memory of 324	1092	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1092 wrote to memory of 324	1092	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1092 wrote to memory of 324	1092	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 324 wrote to memory of 292	324	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 324 wrote to memory of 292	324	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 324 wrote to memory of 292	324	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 324 wrote to memory of 292	324	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 292 wrote to memory of 384	292	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 292 wrote to memory of 384	292	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 292 wrote to memory of 384	292	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 292 wrote to memory of 384	292	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 384 wrote to memory of 1312	384	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 384 wrote to memory of 1312	384	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 384 wrote to memory of 1312	384	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 384 wrote to memory of 1312	384	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1312 wrote to memory of 756	1312	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1312 wrote to memory of 756	1312	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1312 wrote to memory of 756	1312	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1312 wrote to memory of 756	1312	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 756 wrote to memory of 544	756	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 756 wrote to memory of 544	756	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 756 wrote to memory of 544	756	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 756 wrote to memory of 544	756	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 544 wrote to memory of 280	544	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 544 wrote to memory of 280	544	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 544 wrote to memory of 280	544	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 544 wrote to memory of 280	544	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 280 wrote to memory of 1940	280	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 280 wrote to memory of 1940	280	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 280 wrote to memory of 1940	280	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 280 wrote to memory of 1940	280	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1940 wrote to memory of 1568	1940	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1940 wrote to memory of 1568	1940	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1940 wrote to memory of 1568	1940	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
PID 1940 wrote to memory of 1568	1940	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe	445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe