Malware Analysis Report

2025-08-10 21:13

Sample ID 221011-g7zd1aachp
Target e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
Tags
darkcomet securityy ;3 persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

Threat Level: Known bad

The file e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec was found to be: Known bad.

Malicious Activity Summary

darkcomet securityy ;3 persistence rat trojan

Modifies WinLogon for persistence

Darkcomet

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-11 06:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-11 06:27

Reported

2022-10-11 08:08

Platform

win7-20220812-en

Max time kernel

130s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\DCSCMIN\\IMDCSC.exe" | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\DCSCMIN\\IMDCSC.exe" | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372247756" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5329AE00-494C-11ED-B390-DA7E66F9F45D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F60DE61-494C-11ED-B390-DA7E66F9F45D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1940 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1940 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1940 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1940 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1940 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1940 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1940 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1940 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1940 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1488 wrote to memory of 1476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1488 wrote to memory of 1476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1488 wrote to memory of 1476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1488 wrote to memory of 1476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1940 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1940 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1940 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1940 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1940 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1940 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1940 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1940 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1940 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1940 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 1684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 2008 wrote to memory of 1684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 2008 wrote to memory of 1684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 2008 wrote to memory of 1684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1756 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe | C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 1684 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1684 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1684 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1684 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

"C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:275457 /prefetch:2

C:\DCSCMIN\IMDCSC.exe

"C:\DCSCMIN\IMDCSC.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/1940-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

memory/1488-55-0x0000000000000000-mapping.dmp

memory/1940-56-0x0000000000230000-0x0000000000234000-memory.dmp

memory/1476-57-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/1756-59-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1756-60-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1756-62-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1756-64-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1756-65-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1756-67-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1756-68-0x0000000000407BC0-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/1756-71-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1756-73-0x0000000000400000-0x00000000004D7000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallDir\help.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/2008-75-0x0000000000000000-mapping.dmp

memory/1684-76-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/1700-78-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1700-79-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1700-81-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1700-83-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1700-85-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1700-87-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1700-88-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1700-90-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1700-92-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/1700-96-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1700-93-0x000000000048F888-mapping.dmp

memory/1756-95-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1920-98-0x0000000000000000-mapping.dmp

memory/1828-97-0x0000000000000000-mapping.dmp

memory/1700-100-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1700-101-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5329AE00-494C-11ED-B390-DA7E66F9F45D}.dat

MD5 91d21db0e0cafda9d5475f5fb6627408
SHA1 420766a367195062b1fcfca05922f2dd5eaa9aab
SHA256 e6415d9835ccafc6ae361c9f941d726954570abd113270aa3be24c50204b6d39
SHA512 0eee044b3e658db66bfd38fe302518ff8f428227b631985c5d8036121565330fde2a1ac56f2a7f92435720e5289173ea6b95209aeb239d93dabfcc51fe554879

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4F60DE61-494C-11ED-B390-DA7E66F9F45D}.dat

MD5 c90caf548ac0d2da88241a29c62882fc
SHA1 ed991c35d69fbbfd3231da0de2923e036fb9a4eb
SHA256 394bffb11ce581027681f2f05f6f5823bf76538e47aed5a5dacec31f79f5e7ee
SHA512 771e2974bd6dc98cee73ea5a6d5dbe4b421dcdf3efec9ba62ec4e1a696ca96eb0594326a07b3c13c1c53ea464b97bfacf0c60cbbe926ef26b1e42186d62ce3ee

\DCSCMIN\IMDCSC.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/808-106-0x0000000000000000-mapping.dmp

\DCSCMIN\IMDCSC.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/1700-107-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N6IEFYFA.txt

MD5 101a22a401f33e942d75e2cdd46b380b
SHA1 c39dccb7d5942dad34d08875df1c81f8901660be
SHA256 191be43a8b2c3b38c4b0cc43b4acff30c417f2b047acbf3325e136f5aaa21fbf
SHA512 eabaa97fda457dab702ed002e950a80cfda04e8b965ec2ba51c82cb95398c552c737f0b9c85a09635e6fcb53a2aaa6b0e025e991831b7cf03ff4aae562b9ae0a

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-11 06:27

Reported

2022-10-11 08:06

Platform

win10v2004-20220901-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\DCSCMIN\\IMDCSC.exe" C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\DCSCMIN\IMDCSC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\DCSCMIN\IMDCSC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\DCSCMIN\IMDCSC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\DCSCMIN\\IMDCSC.exe" C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\DCSCMIN\IMDCSC.exe N/A
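The two persistence tables above show the sample installing three footholds: an extra executable appended to Winlogon\UserInit (which userinit.exe launches at every interactive logon, so the RAT restarts even if the Run keys are cleaned), and Run values named "help" and "DarkComet RAT" that point into %APPDATA% and into C:\DCSCMIN, a directory created directly under the drive root. The Python below is an added example, not code from the sandbox report: it parses "Set value" lines in the format of these tables and flags exactly those two conditions, any UserInit entry other than the system userinit.exe and any Run target outside the Windows and Program Files trees. `SAMPLE_RECORDS` copies three lines from the tables above plus one constructed benign control; `EXPECTED_USERINIT` and `TRUSTED_PREFIXES` are assumptions of this check, not values the report states.

```python
"""Flag persistence writes in sandbox 'Set value' registry records.

Added example, not part of the sandbox report. SAMPLE_RECORDS copies three
lines from the behavioral2 tables above; the fourth line is a constructed benign
control. EXPECTED_USERINIT and TRUSTED_PREFIXES are assumptions of this check.
"""
import re
from typing import Dict, List, Optional

SAMPLE_RECORDS = [
    # Winlogon\UserInit gains a second executable after userinit.exe (from the report)
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\DCSCMIN\\IMDCSC.exe" C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A',
    # Run value written by the dropped copy, pointing into %APPDATA% (from the report)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\DCSCMIN\IMDCSC.exe N/A',
    # Run value whose target sits in a directory directly under the drive root (from the report)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\DCSCMIN\\IMDCSC.exe" C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A',
    # Constructed benign control: an autostart under C:\Windows must not be flagged
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" C:\Windows\explorer.exe N/A',
]

# Report line shape: Set value (<type>) <key> = "<value>" <writing process> N/A
RECORD_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<value>[^"]*)" (?P<process>.+?) N/A$'
)
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # the only legitimate UserInit entry (assumption)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def normalize_key(key: str) -> str:
    """Turn the kernel-style \\REGISTRY\\... path into the hive names analysts use."""
    upper = key.upper()
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM" + key[len("\\REGISTRY\\MACHINE"):]
    if upper.startswith("\\REGISTRY\\USER\\"):
        return "HKU" + key[len("\\REGISTRY\\USER"):]
    return key


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'Set value' line; the report doubles backslashes inside values."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["key"] = normalize_key(rec["key"])
    rec["value"] = rec["value"].replace("\\\\", "\\")
    return rec


def is_trusted_path(path: str) -> bool:
    """True when the autostart target lives under a tree only administrators write to."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious autostart write, in input order."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key_l = rec["key"].lower()
        if key_l.endswith("\\winlogon\\userinit"):
            # The stock value is "C:\Windows\system32\userinit.exe,": anything appended runs at logon.
            entries = [e.strip().strip('"') for e in rec["value"].split(",") if e.strip()]
            extra = [e for e in entries if e.lower() != EXPECTED_USERINIT]
            if extra:
                findings.append({"technique": "Winlogon UserInit helper",
                                 "key": rec["key"], "paths": extra, "writer": rec["process"]})
        elif "\\currentversion\\run\\" in key_l:
            target = rec["value"].strip().strip('"')
            if not is_trusted_path(target):
                findings.append({"technique": "Run key autostart",
                                 "key": rec["key"], "paths": [target], "writer": rec["process"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"{f['technique']}: {f['key']} -> {f['paths']} (written by {f['writer']})")
```

The check deliberately keys on where the autostart target lives rather than on the value names, because "help" is an arbitrary label the builder chose while "DarkComet RAT" is a default only a careless operator leaves in place. The writer field matters too: the second finding is written by C:\DCSCMIN\IMDCSC.exe, the already-installed copy re-asserting the Run key, which is why cleaning a single location on an infected host is not enough.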

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989640" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "251067352" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989640" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "167940128" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "277159833" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989640" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3572DFFB-493B-11ED-A0EE-4A7057C3C021} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989640" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "167940128" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372240397" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989640" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3A817CA1-493B-11ED-A0EE-4A7057C3C021} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989640" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "232003664" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "253253724" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeSecurityPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeSystemtimePrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeBackupPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeRestorePrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeShutdownPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeDebugPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeUndockPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeManageVolumePrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeImpersonatePrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: 33 N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: 34 N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: 35 N/A C:\DCSCMIN\IMDCSC.exe N/A
Token: 36 N/A C:\DCSCMIN\IMDCSC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3400 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3400 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3400 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3400 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3400 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3400 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3400 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4768 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4768 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4768 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 804 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 804 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 804 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3400 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 3400 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 3400 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 3400 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 3400 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 3400 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 3400 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 3400 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 3400 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 360 wrote to memory of 3408 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 360 wrote to memory of 3408 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 360 wrote to memory of 3408 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4084 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1848 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1848 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1848 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 372 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 372 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 372 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4084 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
PID 4136 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe C:\DCSCMIN\IMDCSC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

"C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

C:\DCSCMIN\IMDCSC.exe

"C:\DCSCMIN\IMDCSC.exe"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3696 CREDAT:17410 /prefetch:2

C:\DCSCMIN\IMDCSC.exe

C:\DCSCMIN\IMDCSC.exe

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3696 CREDAT:17414 /prefetch:2

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\DCSCMIN\IMDCSC.exe

C:\DCSCMIN\IMDCSC.exe

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 api.bing.com udp
BG 89.215.253.73:1605 tcp
BG 89.215.253.73:1605 tcp
US 20.42.73.24:443 tcp
FR 2.18.109.224:443 tcp
BG 89.215.253.73:1605 tcp
NL 87.248.202.1:80 tcp
NL 88.221.25.155:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
BG 89.215.253.73:1605 tcp
BG 89.215.253.73:1605 tcp
BG 89.215.253.73:1605 tcp
BG 89.215.253.73:1605 tcp

Files

memory/3400-132-0x00000000005B0000-0x00000000005B4000-memory.dmp

memory/4768-133-0x0000000000000000-mapping.dmp

memory/804-134-0x0000000000000000-mapping.dmp

memory/512-135-0x0000000000000000-mapping.dmp

memory/4084-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/4084-137-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/4084-139-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/4084-140-0x0000000000400000-0x00000000004D7000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallDir\help.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/1848-142-0x0000000000000000-mapping.dmp

memory/372-143-0x0000000000000000-mapping.dmp

memory/4084-144-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/2652-145-0x0000000000000000-mapping.dmp

memory/4136-146-0x0000000000000000-mapping.dmp

memory/4136-147-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4136-149-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/4084-150-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/4136-151-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4136-152-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/432-153-0x0000000000000000-mapping.dmp

C:\DCSCMIN\IMDCSC.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

C:\DCSCMIN\IMDCSC.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

C:\Users\Admin\AppData\Roaming\InstallDir\help.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/1500-157-0x0000000000000000-mapping.dmp

memory/1016-158-0x0000000000000000-mapping.dmp

memory/1152-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3572DFFB-493B-11ED-A0EE-4A7057C3C021}.dat

MD5 f63725c0920a9d9ec62fe989432e8d18
SHA1 c567d6d7c8aa0214114d5528ebd7c197421caed7
SHA256 c0f1e1f1e2233333e0a31e2a82ae44d9fad08998ab0dde798c22c7986db89e74
SHA512 895205e131144c614c8fa8832aa30753760f8007f32b0703ef4457f4edfebbe189dad4baec549d3f2883e7dbd6f6929cad09a180f269825fd1f8d71c3aed2405

memory/4164-161-0x0000000000000000-mapping.dmp

C:\DCSCMIN\IMDCSC.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/4164-164-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/4164-165-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/2000-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\InstallDir\help.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/4164-168-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/3724-169-0x0000000000000000-mapping.dmp

memory/1280-170-0x0000000000000000-mapping.dmp

memory/4728-171-0x0000000000000000-mapping.dmp

C:\DCSCMIN\IMDCSC.exe

MD5 49357de181571d86ef91c9225b95b474
SHA1 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

memory/4164-175-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/4728-177-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 e91d0ccc141e8cd3c1acd1d37cba31ff
SHA1 1d1885a33fc9d53076cbf08ed18822c9a4d9f77e
SHA256 90d72dc1d0ef5fe6f19629e673a49c05f15f8c7612bbb49f1aa127b7e927c957
SHA512 b191defda59e6b427525ae1e84b8683cae9fb3d2e18d8e70af52feff9e7199d7c37871a007576024dc3e2030f9dcdd3096cdff53d44d43506b2c51b7f4ba780d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 fceed7a5f76725fb398c6a91ff552899
SHA1 237aec000ae7c7c35a639664b1ad6c0d842a0749
SHA256 2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383
SHA512 adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3