darkcomet | 6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a

Analysis

max time kernel
152s
max time network
176s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe
Size

2.1MB
MD5

23985d8d800a7b82901526105f9c69bc
SHA1

41fb548fddd05c635321c380bf4440688477f9eb
SHA256

6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a
SHA512

49df2f83485f0d15c8717b804d19e5fd79e2f76f02e0ea7c839d4363b89de9eb9968392b3459dd1c17409291d69fe91d5426ab74b0fd71155684e2315823d165
SSDEEP

49152:taxIVry0xxf/AlgRKGY3ZXfxwlPs7IJVDVmLRzZj90w84aLuGv:ta2Fy0xxQI3oXjvouGv

Score

10^/10

darkcomet isrstealer guest16 collection evasion persistence rat stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

173.254.223.124 :2556

Mutex

DC_MUTEX-4RW38P4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
GRBqclq1WLRg
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/1884-96-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1884-102-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1884-104-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1884-160-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1884-183-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	348.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	785.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/944-173-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/944-174-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/944-185-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/944-186-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral1/memory/944-173-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/944-174-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/944-185-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/944-186-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 14 IoCs

pid	Process
1100	Purchase DOCUMENT.exe
852	Sample.exe
1292	348.exe
1052	153.exe
1868	Purchase DOCUMENT.exe
1748	Purchase DOCUMENT.exe
1884	Sample.exe
968	msdcsc.exe
1260	Sample.exe
944	Sample.exe
1560	yspou.exe
1008	785.exe
1344	yspou.exe
1896	yspou.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1508	attrib.exe
1276	attrib.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1260-139-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/944-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/944-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/944-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/944-173-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/944-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/944-185-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/944-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 40 IoCs

pid	Process
964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe
1100	Purchase DOCUMENT.exe
964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe
1100	Purchase DOCUMENT.exe
852	Sample.exe
852	Sample.exe
852	Sample.exe
1100	Purchase DOCUMENT.exe
852	Sample.exe
1100	Purchase DOCUMENT.exe
1100	Purchase DOCUMENT.exe
852	Sample.exe
1100	Purchase DOCUMENT.exe
1292	348.exe
1292	348.exe
1052	153.exe
1052	153.exe
1748	Purchase DOCUMENT.exe
1748	Purchase DOCUMENT.exe
1884	Sample.exe
1884	Sample.exe
1884	Sample.exe
1292	348.exe
1292	348.exe
968	msdcsc.exe
968	msdcsc.exe
1884	Sample.exe
944	Sample.exe
944	Sample.exe
1748	Purchase DOCUMENT.exe
1560	yspou.exe
1560	yspou.exe
1560	yspou.exe
1560	yspou.exe
1560	yspou.exe
1560	yspou.exe
1008	785.exe
1008	785.exe
1896	yspou.exe
1896	yspou.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	785.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Sample.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	348.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 1884	852	Sample.exe	35
PID 1100 set thread context of 1748	1100	Purchase DOCUMENT.exe	34
PID 1884 set thread context of 1260	1884	Sample.exe	40
PID 1884 set thread context of 944	1884	Sample.exe	46
PID 1560 set thread context of 1896	1560	yspou.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	DllHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\302F1EE0-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1100	Purchase DOCUMENT.exe
1100	Purchase DOCUMENT.exe
1560	yspou.exe
1560	yspou.exe
1896	yspou.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	Purchase DOCUMENT.exe
Token: SeDebugPrivilege	852	Sample.exe
Token: SeIncreaseQuotaPrivilege	1292	348.exe
Token: SeSecurityPrivilege	1292	348.exe
Token: SeTakeOwnershipPrivilege	1292	348.exe
Token: SeLoadDriverPrivilege	1292	348.exe
Token: SeSystemProfilePrivilege	1292	348.exe
Token: SeSystemtimePrivilege	1292	348.exe
Token: SeProfSingleProcessPrivilege	1292	348.exe
Token: SeIncBasePriorityPrivilege	1292	348.exe
Token: SeCreatePagefilePrivilege	1292	348.exe
Token: SeBackupPrivilege	1292	348.exe
Token: SeRestorePrivilege	1292	348.exe
Token: SeShutdownPrivilege	1292	348.exe
Token: SeDebugPrivilege	1292	348.exe
Token: SeSystemEnvironmentPrivilege	1292	348.exe
Token: SeChangeNotifyPrivilege	1292	348.exe
Token: SeRemoteShutdownPrivilege	1292	348.exe
Token: SeUndockPrivilege	1292	348.exe
Token: SeManageVolumePrivilege	1292	348.exe
Token: SeImpersonatePrivilege	1292	348.exe
Token: SeCreateGlobalPrivilege	1292	348.exe
Token: 33	1292	348.exe
Token: 34	1292	348.exe
Token: 35	1292	348.exe
Token: SeIncreaseQuotaPrivilege	1052	153.exe
Token: SeSecurityPrivilege	1052	153.exe
Token: SeTakeOwnershipPrivilege	1052	153.exe
Token: SeLoadDriverPrivilege	1052	153.exe
Token: SeSystemProfilePrivilege	1052	153.exe
Token: SeSystemtimePrivilege	1052	153.exe
Token: SeProfSingleProcessPrivilege	1052	153.exe
Token: SeIncBasePriorityPrivilege	1052	153.exe
Token: SeCreatePagefilePrivilege	1052	153.exe
Token: SeBackupPrivilege	1052	153.exe
Token: SeRestorePrivilege	1052	153.exe
Token: SeShutdownPrivilege	1052	153.exe
Token: SeDebugPrivilege	1052	153.exe
Token: SeSystemEnvironmentPrivilege	1052	153.exe
Token: SeChangeNotifyPrivilege	1052	153.exe
Token: SeRemoteShutdownPrivilege	1052	153.exe
Token: SeUndockPrivilege	1052	153.exe
Token: SeManageVolumePrivilege	1052	153.exe
Token: SeImpersonatePrivilege	1052	153.exe
Token: SeCreateGlobalPrivilege	1052	153.exe
Token: 33	1052	153.exe
Token: 34	1052	153.exe
Token: 35	1052	153.exe
Token: SeSecurityPrivilege	1748	Purchase DOCUMENT.exe
Token: SeIncreaseQuotaPrivilege	968	msdcsc.exe
Token: SeSecurityPrivilege	968	msdcsc.exe
Token: SeTakeOwnershipPrivilege	968	msdcsc.exe
Token: SeLoadDriverPrivilege	968	msdcsc.exe
Token: SeSystemProfilePrivilege	968	msdcsc.exe
Token: SeSystemtimePrivilege	968	msdcsc.exe
Token: SeProfSingleProcessPrivilege	968	msdcsc.exe
Token: SeIncBasePriorityPrivilege	968	msdcsc.exe
Token: SeCreatePagefilePrivilege	968	msdcsc.exe
Token: SeBackupPrivilege	968	msdcsc.exe
Token: SeRestorePrivilege	968	msdcsc.exe
Token: SeShutdownPrivilege	968	msdcsc.exe
Token: SeDebugPrivilege	968	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	968	msdcsc.exe
Token: SeChangeNotifyPrivilege	968	msdcsc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1664	DllHost.exe
608	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
608	WinMail.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1052	153.exe
1884	Sample.exe
608	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 1100	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	29
PID 964 wrote to memory of 1100	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	29
PID 964 wrote to memory of 1100	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	29
PID 964 wrote to memory of 1100	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	29
PID 964 wrote to memory of 1100	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	29
PID 964 wrote to memory of 1100	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	29
PID 964 wrote to memory of 1100	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	29
PID 964 wrote to memory of 852	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	30
PID 964 wrote to memory of 852	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	30
PID 964 wrote to memory of 852	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	30
PID 964 wrote to memory of 852	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	30
PID 964 wrote to memory of 852	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	30
PID 964 wrote to memory of 852	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	30
PID 964 wrote to memory of 852	964	6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe	30
PID 852 wrote to memory of 1292	852	Sample.exe	32
PID 852 wrote to memory of 1292	852	Sample.exe	32
PID 852 wrote to memory of 1292	852	Sample.exe	32
PID 852 wrote to memory of 1292	852	Sample.exe	32
PID 852 wrote to memory of 1292	852	Sample.exe	32
PID 852 wrote to memory of 1292	852	Sample.exe	32
PID 852 wrote to memory of 1292	852	Sample.exe	32
PID 1100 wrote to memory of 1052	1100	Purchase DOCUMENT.exe	31
PID 1100 wrote to memory of 1052	1100	Purchase DOCUMENT.exe	31
PID 1100 wrote to memory of 1052	1100	Purchase DOCUMENT.exe	31
PID 1100 wrote to memory of 1052	1100	Purchase DOCUMENT.exe	31
PID 1100 wrote to memory of 1052	1100	Purchase DOCUMENT.exe	31
PID 1100 wrote to memory of 1052	1100	Purchase DOCUMENT.exe	31
PID 1100 wrote to memory of 1052	1100	Purchase DOCUMENT.exe	31
PID 1100 wrote to memory of 1868	1100	Purchase DOCUMENT.exe	33
PID 1100 wrote to memory of 1868	1100	Purchase DOCUMENT.exe	33
PID 1100 wrote to memory of 1868	1100	Purchase DOCUMENT.exe	33
PID 1100 wrote to memory of 1868	1100	Purchase DOCUMENT.exe	33
PID 1100 wrote to memory of 1868	1100	Purchase DOCUMENT.exe	33
PID 1100 wrote to memory of 1868	1100	Purchase DOCUMENT.exe	33
PID 1100 wrote to memory of 1868	1100	Purchase DOCUMENT.exe	33
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 852 wrote to memory of 1884	852	Sample.exe	35
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 1100 wrote to memory of 1748	1100	Purchase DOCUMENT.exe	34
PID 1052 wrote to memory of 1420	1052	153.exe	36
PID 1052 wrote to memory of 1420	1052	153.exe	36
PID 1052 wrote to memory of 1420	1052	153.exe	36
PID 1052 wrote to memory of 1420	1052	153.exe	36
PID 1052 wrote to memory of 1420	1052	153.exe	36
PID 1052 wrote to memory of 1420	1052	153.exe	36

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1508	attrib.exe
1276	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe
  "C:\Users\Admin\AppData\Local\Temp\6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\153.exe
      "C:\Users\Admin\AppData\Local\Temp\153.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe"
      4⤵
      Executes dropped EXE
      PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1748
    - - C:\Users\Admin\AppData\Roaming\Vibuot\yspou.exe
        
        "C:\Users\Admin\AppData\Roaming\Vibuot\yspou.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\785.exe
        
        "C:\Users\Admin\AppData\Local\Temp\785.exe"
        6⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        
        PID:1008
      - C:\Users\Admin\AppData\Roaming\Vibuot\yspou.exe
        
        "C:\Users\Admin\AppData\Roaming\Vibuot\yspou.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1896
      - C:\Users\Admin\AppData\Roaming\Vibuot\yspou.exe
        
        "C:\Users\Admin\AppData\Roaming\Vibuot\yspou.exe"
        6⤵
        Executes dropped EXE
        
        PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe010f3a2.bat"
        5⤵
        
        PID:1496
- - C:\Users\Admin\AppData\Local\Temp\Sample.exe
    "C:\Users\Admin\AppData\Local\Temp\Sample.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\348.exe
      "C:\Users\Admin\AppData\Local\Temp\348.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:1292
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\348.exe" +s +h
        5⤵
        
        PID:984
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\348.exe" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1276
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        
        PID:1696
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1508
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\Sample.exe
      "C:\Users\Admin\AppData\Local\Temp\Sample.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\Sample.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\eIyaTcuKvU.ini"
        5⤵
        Executes dropped EXE
        
        PID:1260
    - - C:\Users\Admin\AppData\Local\Temp\Sample.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\z1IIzItZHH.ini"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook accounts
        
        PID:944

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1196

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "738186829-9934083445693677161457835541-11186954481883175984-1517808552-582866271"
1⤵
PID:1920

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\153.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\153.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\348.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\348.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\785.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\785.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\P-Opng_Page1.png

Filesize
351KB

MD5
2d1b666e7214234ae4d20f3e9baa7c42

SHA1
385b93247adf5aefa2d19ea6164edea1df77f58d

SHA256
82af660147d1de905cf2345e40f506cc0cbb19e786cfcc921cca039424656cb4

SHA512
3d0479681e7662ea767fca8b8c96f2a505dd96ed7b1fc95f8b4297f4b9d425a7bdfe0c91804279d91d75e749fd98b03bd9f049cbe477d4e343683497234f0591

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpe010f3a2.bat

Filesize
213B

MD5
3cf1d06d130b4d970f8351e0eedc9df3

SHA1
c9996c2f61fc6d9913bbd19ca56a0b72925113d0

SHA256
e1f0de11f89c396bef3b29c3054215a51e970cffe8289f00cc279ecb21214d6a

SHA512
0ef90edb10f8eb45d1d4b5a5a078edd4a117e996f438d8f244a88f9314b64fcb3e51393d3e343bd9140ea525d9d75fa5777a5fec32d72e6827dfb946320b4cb6

Download Submit
C:\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
C:\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
C:\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
C:\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\153.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\153.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\153.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\153.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\348.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\348.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\348.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\348.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\785.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\785.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\785.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\785.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
\Users\Admin\AppData\Roaming\Vibuot\yspou.exe

Filesize
775KB

MD5
593e06a112bbb9ce9d6715b6bdbb467d

SHA1
7068d1e44107dc1a00c1618fe31c91c25b31d008

SHA256
02a180cc819dd9c30375b1389abf84366bbbe815f77697173c5a27eb415f871f

SHA512
c35a36adc705ea1936f73ed05a129c5dab74e8ec3bda565c6ab91e41a825db5dcc730423d78730e8908b71a19b21d0b2e8eb849b27cb6ee771e8fc0631231d99

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
memory/852-132-0x0000000000706000-0x0000000000717000-memory.dmp

Filesize
68KB

Download
memory/852-73-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download
memory/852-131-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download
memory/852-76-0x0000000000706000-0x0000000000717000-memory.dmp

Filesize
68KB

Download
memory/852-71-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download
memory/944-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/984-274-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1052-245-0x0000000002530000-0x0000000002557000-memory.dmp

Filesize
156KB

Download
memory/1100-70-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-121-0x00000000005C6000-0x00000000005D7000-memory.dmp

Filesize
68KB

Download
memory/1100-75-0x00000000005C6000-0x00000000005D7000-memory.dmp

Filesize
68KB

Download
memory/1100-119-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-72-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-220-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/1120-216-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/1120-218-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/1120-219-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/1260-139-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1420-267-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1560-184-0x0000000000C46000-0x0000000000C57000-memory.dmp

Filesize
68KB

Download
memory/1560-215-0x0000000072AB0000-0x000000007305B000-memory.dmp

Filesize
5.7MB

Download
memory/1560-182-0x0000000072AB0000-0x000000007305B000-memory.dmp

Filesize
5.7MB

Download
memory/1560-217-0x0000000000C46000-0x0000000000C57000-memory.dmp

Filesize
68KB

Download
memory/1664-260-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download
memory/1664-237-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download
memory/1748-134-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-95-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-90-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-120-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-161-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-91-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-141-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-224-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-103-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-97-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-133-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1884-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1884-102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1884-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1884-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1884-92-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1884-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-238-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download