darkcomet | dc4961228ae1158818c242e7e9d5e90e4412996dda31d132f96f010b0be4594b

Analysis

max time kernel
151s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO#234323.exe
Size

2.1MB
MD5

23985d8d800a7b82901526105f9c69bc
SHA1

41fb548fddd05c635321c380bf4440688477f9eb
SHA256

6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a
SHA512

49df2f83485f0d15c8717b804d19e5fd79e2f76f02e0ea7c839d4363b89de9eb9968392b3459dd1c17409291d69fe91d5426ab74b0fd71155684e2315823d165
SSDEEP

49152:taxIVry0xxf/AlgRKGY3ZXfxwlPs7IJVDVmLRzZj90w84aLuGv:ta2Fy0xxQI3oXjvouGv

Score

10^/10

darkcomet isrstealer guest16 evasion persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

173.254.223.124 :2556

Mutex

DC_MUTEX-4RW38P4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
GRBqclq1WLRg
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1680-112-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1680-105-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1680-115-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1680-156-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1680-175-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1680-176-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

323.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	323.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

323.exemsdcsc.exe264.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	323.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	264.exe

Executes dropped EXE 14 IoCs

Processes:

Purchase DOCUMENT.exeSample.exe323.exe323.exeSample.exeSample.exePurchase DOCUMENT.exeSample.exemsdcsc.exeSample.exeSample.exenoasa.exe264.exenoasa.exe

pid	process
1164	Purchase DOCUMENT.exe
1372	Sample.exe
804	323.exe
600	323.exe
928	Sample.exe
1996	Sample.exe
1772	Purchase DOCUMENT.exe
1680	Sample.exe
1048	msdcsc.exe
1276	Sample.exe
1912	Sample.exe
888	noasa.exe
1500	264.exe
1996	noasa.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1992 attrib.exe
1884 attrib.exe

pid	process
1992	attrib.exe
1884	attrib.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1276-155-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1276-161-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1276-166-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1276-165-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1276-167-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1276-168-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Loads dropped DLL 40 IoCs

Processes:

PO#234323.exePurchase DOCUMENT.exeSample.exe323.exe323.exePurchase DOCUMENT.exemsdcsc.exeSample.exeSample.exenoasa.exe264.exenoasa.exe

pid	process
1676	PO#234323.exe
1164	Purchase DOCUMENT.exe
1164	Purchase DOCUMENT.exe
1676	PO#234323.exe
1372	Sample.exe
1372	Sample.exe
1164	Purchase DOCUMENT.exe
1372	Sample.exe
1164	Purchase DOCUMENT.exe
1372	Sample.exe
1164	Purchase DOCUMENT.exe
1372	Sample.exe
1372	Sample.exe
1372	Sample.exe
600	323.exe
600	323.exe
804	323.exe
804	323.exe
1772	Purchase DOCUMENT.exe
1772	Purchase DOCUMENT.exe
804	323.exe
804	323.exe
1048	msdcsc.exe
1048	msdcsc.exe
1680	Sample.exe
1680	Sample.exe
1680	Sample.exe
1276	Sample.exe
1276	Sample.exe
1680	Sample.exe
1772	Purchase DOCUMENT.exe
888	noasa.exe
888	noasa.exe
888	noasa.exe
888	noasa.exe
888	noasa.exe
1500	264.exe
1500	264.exe
1996	noasa.exe
1996	noasa.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

323.exemsdcsc.exe264.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	323.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	264.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

noasa.exe323.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D624F60B-8794-B7B5-3572-75F75A66660B} = "C:\\Users\\Admin\\AppData\\Roaming\\Zuqag\\noasa.exe"	noasa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	323.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	noasa.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

Purchase DOCUMENT.exeSample.exeSample.exenoasa.exe

description	pid	process	target process
PID 1164 set thread context of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1372 set thread context of 1680	1372	Sample.exe	Sample.exe
PID 1680 set thread context of 1276	1680	Sample.exe	Sample.exe
PID 1680 set thread context of 1912	1680	Sample.exe	Sample.exe
PID 888 set thread context of 1996	888	noasa.exe	noasa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

DllHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	DllHost.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\70B862FA-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Sample.exenoasa.exe

pid	process
1372	Sample.exe
1372	Sample.exe
1372	Sample.exe
1372	Sample.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe
1996	noasa.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Purchase DOCUMENT.exeSample.exe323.exe323.exePurchase DOCUMENT.exemsdcsc.exe

description	pid	process
Token: SeDebugPrivilege	1164	Purchase DOCUMENT.exe
Token: SeDebugPrivilege	1372	Sample.exe
Token: SeIncreaseQuotaPrivilege	804	323.exe
Token: SeSecurityPrivilege	804	323.exe
Token: SeTakeOwnershipPrivilege	804	323.exe
Token: SeLoadDriverPrivilege	804	323.exe
Token: SeSystemProfilePrivilege	804	323.exe
Token: SeSystemtimePrivilege	804	323.exe
Token: SeProfSingleProcessPrivilege	804	323.exe
Token: SeIncBasePriorityPrivilege	804	323.exe
Token: SeCreatePagefilePrivilege	804	323.exe
Token: SeBackupPrivilege	804	323.exe
Token: SeRestorePrivilege	804	323.exe
Token: SeShutdownPrivilege	804	323.exe
Token: SeDebugPrivilege	804	323.exe
Token: SeSystemEnvironmentPrivilege	804	323.exe
Token: SeChangeNotifyPrivilege	804	323.exe
Token: SeRemoteShutdownPrivilege	804	323.exe
Token: SeUndockPrivilege	804	323.exe
Token: SeManageVolumePrivilege	804	323.exe
Token: SeImpersonatePrivilege	804	323.exe
Token: SeCreateGlobalPrivilege	804	323.exe
Token: 33	804	323.exe
Token: 34	804	323.exe
Token: 35	804	323.exe
Token: SeIncreaseQuotaPrivilege	600	323.exe
Token: SeSecurityPrivilege	600	323.exe
Token: SeTakeOwnershipPrivilege	600	323.exe
Token: SeLoadDriverPrivilege	600	323.exe
Token: SeSystemProfilePrivilege	600	323.exe
Token: SeSystemtimePrivilege	600	323.exe
Token: SeProfSingleProcessPrivilege	600	323.exe
Token: SeIncBasePriorityPrivilege	600	323.exe
Token: SeCreatePagefilePrivilege	600	323.exe
Token: SeBackupPrivilege	600	323.exe
Token: SeRestorePrivilege	600	323.exe
Token: SeShutdownPrivilege	600	323.exe
Token: SeDebugPrivilege	600	323.exe
Token: SeSystemEnvironmentPrivilege	600	323.exe
Token: SeChangeNotifyPrivilege	600	323.exe
Token: SeRemoteShutdownPrivilege	600	323.exe
Token: SeUndockPrivilege	600	323.exe
Token: SeManageVolumePrivilege	600	323.exe
Token: SeImpersonatePrivilege	600	323.exe
Token: SeCreateGlobalPrivilege	600	323.exe
Token: 33	600	323.exe
Token: 34	600	323.exe
Token: 35	600	323.exe
Token: SeSecurityPrivilege	1772	Purchase DOCUMENT.exe
Token: SeIncreaseQuotaPrivilege	1048	msdcsc.exe
Token: SeSecurityPrivilege	1048	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1048	msdcsc.exe
Token: SeLoadDriverPrivilege	1048	msdcsc.exe
Token: SeSystemProfilePrivilege	1048	msdcsc.exe
Token: SeSystemtimePrivilege	1048	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1048	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1048	msdcsc.exe
Token: SeCreatePagefilePrivilege	1048	msdcsc.exe
Token: SeBackupPrivilege	1048	msdcsc.exe
Token: SeRestorePrivilege	1048	msdcsc.exe
Token: SeShutdownPrivilege	1048	msdcsc.exe
Token: SeDebugPrivilege	1048	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1048	msdcsc.exe
Token: SeChangeNotifyPrivilege	1048	msdcsc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DllHost.exeWinMail.exe

pid process

948 DllHost.exe
756 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

756 WinMail.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

323.exeSample.exeWinMail.exe

pid process

600 323.exe
1680 Sample.exe
756 WinMail.exe

pid	process
948	DllHost.exe
756	WinMail.exe

pid	process
756	WinMail.exe

pid	process
600	323.exe
1680	Sample.exe
756	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PO#234323.exePurchase DOCUMENT.exeSample.exe323.exe

description	pid	process	target process
PID 1676 wrote to memory of 1164	1676	PO#234323.exe	Purchase DOCUMENT.exe
PID 1676 wrote to memory of 1164	1676	PO#234323.exe	Purchase DOCUMENT.exe
PID 1676 wrote to memory of 1164	1676	PO#234323.exe	Purchase DOCUMENT.exe
PID 1676 wrote to memory of 1164	1676	PO#234323.exe	Purchase DOCUMENT.exe
PID 1676 wrote to memory of 1164	1676	PO#234323.exe	Purchase DOCUMENT.exe
PID 1676 wrote to memory of 1164	1676	PO#234323.exe	Purchase DOCUMENT.exe
PID 1676 wrote to memory of 1164	1676	PO#234323.exe	Purchase DOCUMENT.exe
PID 1676 wrote to memory of 1372	1676	PO#234323.exe	Sample.exe
PID 1676 wrote to memory of 1372	1676	PO#234323.exe	Sample.exe
PID 1676 wrote to memory of 1372	1676	PO#234323.exe	Sample.exe
PID 1676 wrote to memory of 1372	1676	PO#234323.exe	Sample.exe
PID 1676 wrote to memory of 1372	1676	PO#234323.exe	Sample.exe
PID 1676 wrote to memory of 1372	1676	PO#234323.exe	Sample.exe
PID 1676 wrote to memory of 1372	1676	PO#234323.exe	Sample.exe
PID 1164 wrote to memory of 804	1164	Purchase DOCUMENT.exe	323.exe
PID 1164 wrote to memory of 804	1164	Purchase DOCUMENT.exe	323.exe
PID 1164 wrote to memory of 804	1164	Purchase DOCUMENT.exe	323.exe
PID 1164 wrote to memory of 804	1164	Purchase DOCUMENT.exe	323.exe
PID 1164 wrote to memory of 804	1164	Purchase DOCUMENT.exe	323.exe
PID 1164 wrote to memory of 804	1164	Purchase DOCUMENT.exe	323.exe
PID 1164 wrote to memory of 804	1164	Purchase DOCUMENT.exe	323.exe
PID 1372 wrote to memory of 600	1372	Sample.exe	323.exe
PID 1372 wrote to memory of 600	1372	Sample.exe	323.exe
PID 1372 wrote to memory of 600	1372	Sample.exe	323.exe
PID 1372 wrote to memory of 600	1372	Sample.exe	323.exe
PID 1372 wrote to memory of 600	1372	Sample.exe	323.exe
PID 1372 wrote to memory of 600	1372	Sample.exe	323.exe
PID 1372 wrote to memory of 600	1372	Sample.exe	323.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1372 wrote to memory of 1996	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1996	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1996	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1996	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1996	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1996	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1996	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 928	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 928	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 928	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 928	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 928	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 928	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 928	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1680	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1680	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1680	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1680	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1680	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1680	1372	Sample.exe	Sample.exe
PID 1372 wrote to memory of 1680	1372	Sample.exe	Sample.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1372 wrote to memory of 1680	1372	Sample.exe	Sample.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1164 wrote to memory of 1772	1164	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1372 wrote to memory of 1680	1372	Sample.exe	Sample.exe
PID 804 wrote to memory of 624	804	323.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1992 attrib.exe
1884 attrib.exe

pid	process
1992	attrib.exe
1884	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\PO#234323.exe
  "C:\Users\Admin\AppData\Local\Temp\PO#234323.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\323.exe
      "C:\Users\Admin\AppData\Local\Temp\323.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:804
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        
        PID:2008
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1884
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\323.exe" +s +h
        5⤵
        
        PID:624
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\323.exe" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1992
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:2024
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1772
    - - C:\Users\Admin\AppData\Roaming\Zuqag\noasa.exe
        
        "C:\Users\Admin\AppData\Roaming\Zuqag\noasa.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:888
      - C:\Users\Admin\AppData\Local\Temp\264.exe
        
        "C:\Users\Admin\AppData\Local\Temp\264.exe"
        6⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        
        PID:1500
      - C:\Users\Admin\AppData\Roaming\Zuqag\noasa.exe
        
        "C:\Users\Admin\AppData\Roaming\Zuqag\noasa.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp22885e33.bat"
        5⤵
        
        PID:1456
- - C:\Users\Admin\AppData\Local\Temp\Sample.exe
    "C:\Users\Admin\AppData\Local\Temp\Sample.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\323.exe
      "C:\Users\Admin\AppData\Local\Temp\323.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:600
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:684
  - - C:\Users\Admin\AppData\Local\Temp\Sample.exe
      "C:\Users\Admin\AppData\Local\Temp\Sample.exe"
      4⤵
      Executes dropped EXE
      PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\Sample.exe
      "C:\Users\Admin\AppData\Local\Temp\Sample.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1680
    - - C:\Users\Admin\AppData\Local\Temp\Sample.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\vHZ7w2Cle7.ini"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\Sample.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\0NvBui5Wng.ini"
        5⤵
        Executes dropped EXE
        
        PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\Sample.exe
      "C:\Users\Admin\AppData\Local\Temp\Sample.exe"
      4⤵
      Executes dropped EXE
      PID:928

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1221205694456735142-2397942661054477621978934422-1994529867-847211362-1468826714"
1⤵
PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "631478894-188364418-11822418892082683818-1945948582-814391710-845194523795057104"
1⤵
PID:112

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\264.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\264.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\P-Opng_Page1.png

Filesize
351KB

MD5
2d1b666e7214234ae4d20f3e9baa7c42

SHA1
385b93247adf5aefa2d19ea6164edea1df77f58d

SHA256
82af660147d1de905cf2345e40f506cc0cbb19e786cfcc921cca039424656cb4

SHA512
3d0479681e7662ea767fca8b8c96f2a505dd96ed7b1fc95f8b4297f4b9d425a7bdfe0c91804279d91d75e749fd98b03bd9f049cbe477d4e343683497234f0591

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp22885e33.bat

Filesize
213B

MD5
4318381075d0b522d590ed15f0fc430f

SHA1
7a815cd20b7fc87833ef4534fa1ccde06c687b96

SHA256
c9d7ff473863f1484ee12763099bf0da563a0c90c92a0a6b1a65bd82cacde156

SHA512
da8f0deedfb64df8ddcbbe600749a18eff5184f3a1731bc97d3026b15551cc68d989d10fcea1b2599fcac7386820c2a40b278039fd19f1b0d30a69351beb653e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vHZ7w2Cle7.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\Zuqag\noasa.exe

Filesize
775KB

MD5
f2ee3c486f5486ba4fb93a7018a158f6

SHA1
52f9849490352347c790f55925a0c882a1808f9b

SHA256
2c1d717ae75dd42d53848d4d9fb4a4e90c19ec788025e32f8d28befe223e8a61

SHA512
e4c98336dd3d10d195eb66b397edffeda3435699cb3f3706d06b1a70e416da7f69c04478a2e44c3cb4e2a1fd7c97f47fb7490a7da33a2152f95538cf6d6d94db

Download Submit
C:\Users\Admin\AppData\Roaming\Zuqag\noasa.exe

Filesize
775KB

MD5
f2ee3c486f5486ba4fb93a7018a158f6

SHA1
52f9849490352347c790f55925a0c882a1808f9b

SHA256
2c1d717ae75dd42d53848d4d9fb4a4e90c19ec788025e32f8d28befe223e8a61

SHA512
e4c98336dd3d10d195eb66b397edffeda3435699cb3f3706d06b1a70e416da7f69c04478a2e44c3cb4e2a1fd7c97f47fb7490a7da33a2152f95538cf6d6d94db

Download Submit
C:\Users\Admin\AppData\Roaming\Zuqag\noasa.exe

Filesize
775KB

MD5
f2ee3c486f5486ba4fb93a7018a158f6

SHA1
52f9849490352347c790f55925a0c882a1808f9b

SHA256
2c1d717ae75dd42d53848d4d9fb4a4e90c19ec788025e32f8d28befe223e8a61

SHA512
e4c98336dd3d10d195eb66b397edffeda3435699cb3f3706d06b1a70e416da7f69c04478a2e44c3cb4e2a1fd7c97f47fb7490a7da33a2152f95538cf6d6d94db

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\264.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\264.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\264.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\264.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\323.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
\Users\Admin\AppData\Roaming\Zuqag\noasa.exe

Filesize
775KB

MD5
f2ee3c486f5486ba4fb93a7018a158f6

SHA1
52f9849490352347c790f55925a0c882a1808f9b

SHA256
2c1d717ae75dd42d53848d4d9fb4a4e90c19ec788025e32f8d28befe223e8a61

SHA512
e4c98336dd3d10d195eb66b397edffeda3435699cb3f3706d06b1a70e416da7f69c04478a2e44c3cb4e2a1fd7c97f47fb7490a7da33a2152f95538cf6d6d94db

Download Submit
\Users\Admin\AppData\Roaming\Zuqag\noasa.exe

Filesize
775KB

MD5
f2ee3c486f5486ba4fb93a7018a158f6

SHA1
52f9849490352347c790f55925a0c882a1808f9b

SHA256
2c1d717ae75dd42d53848d4d9fb4a4e90c19ec788025e32f8d28befe223e8a61

SHA512
e4c98336dd3d10d195eb66b397edffeda3435699cb3f3706d06b1a70e416da7f69c04478a2e44c3cb4e2a1fd7c97f47fb7490a7da33a2152f95538cf6d6d94db

Download Submit
\Users\Admin\AppData\Roaming\Zuqag\noasa.exe

Filesize
775KB

MD5
f2ee3c486f5486ba4fb93a7018a158f6

SHA1
52f9849490352347c790f55925a0c882a1808f9b

SHA256
2c1d717ae75dd42d53848d4d9fb4a4e90c19ec788025e32f8d28befe223e8a61

SHA512
e4c98336dd3d10d195eb66b397edffeda3435699cb3f3706d06b1a70e416da7f69c04478a2e44c3cb4e2a1fd7c97f47fb7490a7da33a2152f95538cf6d6d94db

Download Submit
\Users\Admin\AppData\Roaming\Zuqag\noasa.exe

Filesize
775KB

MD5
f2ee3c486f5486ba4fb93a7018a158f6

SHA1
52f9849490352347c790f55925a0c882a1808f9b

SHA256
2c1d717ae75dd42d53848d4d9fb4a4e90c19ec788025e32f8d28befe223e8a61

SHA512
e4c98336dd3d10d195eb66b397edffeda3435699cb3f3706d06b1a70e416da7f69c04478a2e44c3cb4e2a1fd7c97f47fb7490a7da33a2152f95538cf6d6d94db

Download Submit
\Users\Admin\AppData\Roaming\Zuqag\noasa.exe

Filesize
775KB

MD5
f2ee3c486f5486ba4fb93a7018a158f6

SHA1
52f9849490352347c790f55925a0c882a1808f9b

SHA256
2c1d717ae75dd42d53848d4d9fb4a4e90c19ec788025e32f8d28befe223e8a61

SHA512
e4c98336dd3d10d195eb66b397edffeda3435699cb3f3706d06b1a70e416da7f69c04478a2e44c3cb4e2a1fd7c97f47fb7490a7da33a2152f95538cf6d6d94db

Download Submit
\Users\Admin\AppData\Roaming\Zuqag\noasa.exe

Filesize
775KB

MD5
f2ee3c486f5486ba4fb93a7018a158f6

SHA1
52f9849490352347c790f55925a0c882a1808f9b

SHA256
2c1d717ae75dd42d53848d4d9fb4a4e90c19ec788025e32f8d28befe223e8a61

SHA512
e4c98336dd3d10d195eb66b397edffeda3435699cb3f3706d06b1a70e416da7f69c04478a2e44c3cb4e2a1fd7c97f47fb7490a7da33a2152f95538cf6d6d94db

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
memory/600-82-0x0000000000000000-mapping.dmp

Download
memory/600-256-0x00000000023B0000-0x00000000023E0000-memory.dmp

Filesize
192KB

Download
memory/600-303-0x00000000023B0000-0x00000000023E0000-memory.dmp

Filesize
192KB

Download
memory/624-110-0x0000000000000000-mapping.dmp

Download
memory/624-310-0x0000000000100000-0x000000000014C000-memory.dmp

Filesize
304KB

Download
memory/624-263-0x0000000000100000-0x000000000014C000-memory.dmp

Filesize
304KB

Download
memory/684-302-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/684-131-0x0000000000000000-mapping.dmp

Download
memory/804-80-0x0000000000000000-mapping.dmp

Download
memory/888-210-0x0000000073170000-0x000000007371B000-memory.dmp

Filesize
5.7MB

Download
memory/888-185-0x00000000006C6000-0x00000000006D7000-memory.dmp

Filesize
68KB

Download
memory/888-211-0x00000000006C6000-0x00000000006D7000-memory.dmp

Filesize
68KB

Download
memory/888-178-0x0000000000000000-mapping.dmp

Download
memory/888-184-0x0000000073170000-0x000000007371B000-memory.dmp

Filesize
5.7MB

Download
memory/948-235-0x0000000005730000-0x0000000005757000-memory.dmp

Filesize
156KB

Download
memory/1048-139-0x0000000000000000-mapping.dmp

Download
memory/1100-217-0x0000000000200000-0x0000000000227000-memory.dmp

Filesize
156KB

Download
memory/1100-214-0x0000000000200000-0x0000000000227000-memory.dmp

Filesize
156KB

Download
memory/1100-215-0x0000000000200000-0x0000000000227000-memory.dmp

Filesize
156KB

Download
memory/1100-216-0x0000000000200000-0x0000000000227000-memory.dmp

Filesize
156KB

Download
memory/1164-57-0x0000000000000000-mapping.dmp

Download
memory/1164-73-0x00000000007D6000-0x00000000007E7000-memory.dmp

Filesize
68KB

Download
memory/1164-70-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1164-125-0x00000000007D6000-0x00000000007E7000-memory.dmp

Filesize
68KB

Download
memory/1164-124-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-220-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1276-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-166-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-167-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-157-0x00000000004512E0-mapping.dmp

Download
memory/1276-155-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-165-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1372-74-0x0000000000B86000-0x0000000000B97000-memory.dmp

Filesize
68KB

Download
memory/1372-71-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1372-129-0x0000000000B86000-0x0000000000B97000-memory.dmp

Filesize
68KB

Download
memory/1372-126-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1372-64-0x0000000000000000-mapping.dmp

Download
memory/1456-230-0x0000000000000000-mapping.dmp

Download
memory/1500-188-0x0000000000000000-mapping.dmp

Download
memory/1676-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1680-115-0x0000000000401180-mapping.dmp

Download
memory/1680-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1772-108-0x0000000000413048-mapping.dmp

Download
memory/1772-120-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-104-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-98-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-174-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-130-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-95-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-88-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-127-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-154-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-231-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-89-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1884-136-0x0000000000000000-mapping.dmp

Download
memory/1912-172-0x000000000041C410-mapping.dmp

Download
memory/1992-140-0x0000000000000000-mapping.dmp

Download
memory/1996-234-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1996-199-0x0000000000413048-mapping.dmp

Download
memory/2008-111-0x0000000000000000-mapping.dmp

Download
memory/2008-300-0x0000000000100000-0x000000000014C000-memory.dmp

Filesize
304KB

Download
memory/2024-128-0x0000000000000000-mapping.dmp

Download
memory/2024-301-0x0000000000660000-0x0000000000687000-memory.dmp

Filesize
156KB

Download