darkcomet | 067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

Analysis

max time kernel
183s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Size

856KB
MD5

0c6b3509bb5a0e67d037afa5eb523076
SHA1

3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d
SHA256

067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461
SHA512

b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d
SSDEEP

24576:HOGEY2LlIP8pKAWy8y60UOauWAFrYDz0M:JEYeIPH7OxVx5

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

lundinzzz.no-ip.biz:1604

lundinzzz.no-ip.biz:82

Mutex

DC_MUTEX-XK6B8QX

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
H8YYXHd9Vk1a
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Executes dropped EXE 45 IoCs

Processes:

msdcsc.exemsdcsc.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

pid	process
3484	msdcsc.exe
4716	msdcsc.exe
2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4056	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3792	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4220	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
448	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4408	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4272	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2808	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4204	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
1344	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2260	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3808	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
660	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3000	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4780	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3308	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2464	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2236	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2600	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4384	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4764	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
1740	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
216	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4584	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
1116	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
1200	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3712	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3420	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2352	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4476	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2232	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4456	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3444	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4388	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2320	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4844	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2024	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
1600	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2056	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
1968	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2072	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
952	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3372 attrib.exe
1360 attrib.exe

pid	process
3372	attrib.exe
1360	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdcsc.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Suspicious use of SetThreadContext 45 IoCs

Processes:

067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exemsdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1648	448	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
1284	448	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
2092	4204	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3036	1344	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4800	2260	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4304	3808	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4516	2600	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4372	4384	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4300	216	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
1408	4584	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
5084	1116	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4832	1200	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3924	2352	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3364	4800	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
1064	4456	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
1516	2320	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4912	952	WerFault.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exemsdcsc.exe

pid	process
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
3484	msdcsc.exe
3484	msdcsc.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdcsc.exe

pid process

4716 msdcsc.exe

pid	process
4716	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exemsdcsc.exemsdcsc.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

description	pid	process
Token: SeDebugPrivilege	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeIncreaseQuotaPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeSecurityPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeTakeOwnershipPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeLoadDriverPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeSystemProfilePrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeSystemtimePrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeProfSingleProcessPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeIncBasePriorityPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeCreatePagefilePrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeBackupPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeRestorePrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeShutdownPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeDebugPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeSystemEnvironmentPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeChangeNotifyPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeRemoteShutdownPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeUndockPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeManageVolumePrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeImpersonatePrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeCreateGlobalPrivilege	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: 33	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: 34	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: 35	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: 36	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeDebugPrivilege	3484	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4716	msdcsc.exe
Token: SeSecurityPrivilege	4716	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4716	msdcsc.exe
Token: SeLoadDriverPrivilege	4716	msdcsc.exe
Token: SeSystemProfilePrivilege	4716	msdcsc.exe
Token: SeSystemtimePrivilege	4716	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4716	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4716	msdcsc.exe
Token: SeCreatePagefilePrivilege	4716	msdcsc.exe
Token: SeBackupPrivilege	4716	msdcsc.exe
Token: SeRestorePrivilege	4716	msdcsc.exe
Token: SeShutdownPrivilege	4716	msdcsc.exe
Token: SeDebugPrivilege	4716	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4716	msdcsc.exe
Token: SeChangeNotifyPrivilege	4716	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4716	msdcsc.exe
Token: SeUndockPrivilege	4716	msdcsc.exe
Token: SeManageVolumePrivilege	4716	msdcsc.exe
Token: SeImpersonatePrivilege	4716	msdcsc.exe
Token: SeCreateGlobalPrivilege	4716	msdcsc.exe
Token: 33	4716	msdcsc.exe
Token: 34	4716	msdcsc.exe
Token: 35	4716	msdcsc.exe
Token: 36	4716	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeSecurityPrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeTakeOwnershipPrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeLoadDriverPrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeSystemProfilePrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeSystemtimePrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeProfSingleProcessPrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeIncBasePriorityPrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeCreatePagefilePrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeBackupPrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeRestorePrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeShutdownPrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeDebugPrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
Token: SeSystemEnvironmentPrivilege	2800	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

4716 msdcsc.exe

pid	process
4716	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exemsdcsc.execmd.execmd.exemsdcsc.exe

description	pid	process	target process
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 wrote to memory of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4948 wrote to memory of 4192	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	cmd.exe
PID 4948 wrote to memory of 4192	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	cmd.exe
PID 4948 wrote to memory of 4192	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	cmd.exe
PID 4948 wrote to memory of 4132	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	cmd.exe
PID 4948 wrote to memory of 4132	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	cmd.exe
PID 4948 wrote to memory of 4132	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	cmd.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 4000	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	notepad.exe
PID 4948 wrote to memory of 3484	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	msdcsc.exe
PID 4948 wrote to memory of 3484	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	msdcsc.exe
PID 4948 wrote to memory of 3484	4948	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 4192 wrote to memory of 3372	4192	cmd.exe	attrib.exe
PID 4192 wrote to memory of 3372	4192	cmd.exe	attrib.exe
PID 4192 wrote to memory of 3372	4192	cmd.exe	attrib.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 3484 wrote to memory of 4716	3484	msdcsc.exe	msdcsc.exe
PID 4132 wrote to memory of 1360	4132	cmd.exe	attrib.exe
PID 4132 wrote to memory of 1360	4132	cmd.exe	attrib.exe
PID 4132 wrote to memory of 1360	4132	cmd.exe	attrib.exe
PID 4716 wrote to memory of 2856	4716	msdcsc.exe	notepad.exe
PID 4716 wrote to memory of 2856	4716	msdcsc.exe	notepad.exe
PID 4716 wrote to memory of 2856	4716	msdcsc.exe	notepad.exe
PID 4716 wrote to memory of 2856	4716	msdcsc.exe	notepad.exe
PID 4716 wrote to memory of 2856	4716	msdcsc.exe	notepad.exe
PID 4716 wrote to memory of 2856	4716	msdcsc.exe	notepad.exe
PID 4716 wrote to memory of 2856	4716	msdcsc.exe	notepad.exe
PID 4716 wrote to memory of 2856	4716	msdcsc.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3372 attrib.exe
1360 attrib.exe

pid	process
3372	attrib.exe
1360	attrib.exe

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1360

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4056

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:3792

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 516
3⤵
- Program crash
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 520
3⤵
- Program crash
PID:1284

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4408

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2808

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 520
3⤵
- Program crash
PID:2092

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 520
3⤵
- Program crash
PID:3036

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 520
3⤵
- Program crash
PID:4800

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 520
3⤵
- Program crash
PID:4304

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:660

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:3000

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:3308

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2464

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2236

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 520
3⤵
- Program crash
PID:4516

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 520
3⤵
- Program crash
PID:4372

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4764

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:1740

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 520
3⤵
- Program crash
PID:4300

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 516
3⤵
- Program crash
PID:1408

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 520
3⤵
- Program crash
PID:5084

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 520
3⤵
- Program crash
PID:4832

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:3712

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:3420

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 520
3⤵
- Program crash
PID:3924

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 516
3⤵
- Program crash
PID:3364

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 524
3⤵
- Program crash
PID:1064

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:3444

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:4388

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 520
3⤵
- Program crash
PID:1516

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4844

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
"C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe"
2⤵
- Executes dropped EXE
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 520
3⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 448 -ip 448
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 448 -ip 448
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4204 -ip 4204
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1344 -ip 1344
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2260 -ip 2260
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3808 -ip 3808
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2600 -ip 2600
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4384 -ip 4384
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 216 -ip 216
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4584 -ip 4584
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1116 -ip 1116
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1200 -ip 1200
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2352 -ip 2352
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4800 -ip 4800
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4456 -ip 4456
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2320 -ip 2320
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 952 -ip 952
1⤵
PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
856KB

MD5
0c6b3509bb5a0e67d037afa5eb523076

SHA1
3f8c601b9e3cf8af1b7a7f8e8b99f337caa97d9d

SHA256
067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461

SHA512
b50df71b7ce1f4f5f67e235e137371d3ec6bc468428c6b2055451e19f468552d82161f20742fc874f44cf3130818b65d022c320788bf176da85d4d69a30b970d

Download Submit
memory/216-352-0x0000000000000000-mapping.dmp

Download
memory/448-192-0x00000000005C0000-0x00000000006AA000-memory.dmp

Filesize
936KB

Download
memory/448-178-0x0000000000000000-mapping.dmp

Download
memory/448-187-0x00000000005C0000-0x00000000006AA000-memory.dmp

Filesize
936KB

Download
memory/448-193-0x00000000005C0000-0x00000000006AA000-memory.dmp

Filesize
936KB

Download
memory/660-274-0x0000000000000000-mapping.dmp

Download
memory/660-279-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/952-546-0x0000000000000000-mapping.dmp

Download
memory/1116-383-0x0000000000000000-mapping.dmp

Download
memory/1200-398-0x0000000000000000-mapping.dmp

Download
memory/1344-242-0x0000000000750000-0x000000000083A000-memory.dmp

Filesize
936KB

Download
memory/1344-243-0x0000000000750000-0x000000000083A000-memory.dmp

Filesize
936KB

Download
memory/1344-237-0x0000000000750000-0x000000000083A000-memory.dmp

Filesize
936KB

Download
memory/1344-229-0x0000000000000000-mapping.dmp

Download
memory/1360-151-0x0000000000000000-mapping.dmp

Download
memory/1600-521-0x0000000000000000-mapping.dmp

Download
memory/1600-527-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1600-561-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1740-346-0x0000000000000000-mapping.dmp

Download
memory/1740-353-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1968-533-0x0000000000000000-mapping.dmp

Download
memory/1968-539-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2024-525-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2024-515-0x0000000000000000-mapping.dmp

Download
memory/2056-534-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2056-528-0x0000000000000000-mapping.dmp

Download
memory/2072-545-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2072-540-0x0000000000000000-mapping.dmp

Download
memory/2232-445-0x0000000000000000-mapping.dmp

Download
memory/2232-452-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2236-311-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2236-305-0x0000000000000000-mapping.dmp

Download
memory/2260-244-0x0000000000000000-mapping.dmp

Download
memory/2320-494-0x0000000000000000-mapping.dmp

Download
memory/2352-424-0x0000000000000000-mapping.dmp

Download
memory/2464-299-0x0000000000000000-mapping.dmp

Download
memory/2464-304-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2600-310-0x0000000000000000-mapping.dmp

Download
memory/2800-160-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2800-153-0x0000000000000000-mapping.dmp

Download
memory/2808-207-0x0000000000000000-mapping.dmp

Download
memory/2808-213-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2856-152-0x0000000000000000-mapping.dmp

Download
memory/3000-285-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3000-280-0x0000000000000000-mapping.dmp

Download
memory/3308-297-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3308-298-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3308-291-0x0000000000000000-mapping.dmp

Download
memory/3372-146-0x0000000000000000-mapping.dmp

Download
memory/3420-419-0x0000000000000000-mapping.dmp

Download
memory/3420-425-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3444-488-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3444-482-0x0000000000000000-mapping.dmp

Download
memory/3484-140-0x0000000000000000-mapping.dmp

Download
memory/3484-144-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/3484-194-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/3712-418-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3712-413-0x0000000000000000-mapping.dmp

Download
memory/3792-173-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3792-166-0x0000000000000000-mapping.dmp

Download
memory/3808-259-0x0000000000000000-mapping.dmp

Download
memory/4000-139-0x0000000000000000-mapping.dmp

Download
memory/4056-167-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4056-161-0x0000000000000000-mapping.dmp

Download
memory/4132-138-0x0000000000000000-mapping.dmp

Download
memory/4192-137-0x0000000000000000-mapping.dmp

Download
memory/4204-227-0x0000000000900000-0x00000000009EA000-memory.dmp

Filesize
936KB

Download
memory/4204-214-0x0000000000000000-mapping.dmp

Download
memory/4204-222-0x0000000000900000-0x00000000009EA000-memory.dmp

Filesize
936KB

Download
memory/4204-228-0x0000000000900000-0x00000000009EA000-memory.dmp

Filesize
936KB

Download
memory/4220-172-0x0000000000000000-mapping.dmp

Download
memory/4220-179-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4272-208-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4272-201-0x0000000000000000-mapping.dmp

Download
memory/4384-326-0x0000000000000000-mapping.dmp

Download
memory/4388-509-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4388-493-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4388-487-0x0000000000000000-mapping.dmp

Download
memory/4408-202-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4408-196-0x0000000000000000-mapping.dmp

Download
memory/4456-467-0x0000000000000000-mapping.dmp

Download
memory/4476-440-0x0000000000000000-mapping.dmp

Download
memory/4476-446-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4540-132-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4540-157-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4584-368-0x0000000000000000-mapping.dmp

Download
memory/4716-195-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4716-145-0x0000000000000000-mapping.dmp

Download
memory/4716-156-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4764-341-0x0000000000000000-mapping.dmp

Download
memory/4764-347-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4780-293-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4780-286-0x0000000000000000-mapping.dmp

Download
memory/4800-451-0x0000000000000000-mapping.dmp

Download
memory/4844-517-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4844-510-0x0000000000000000-mapping.dmp

Download
memory/4948-143-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4948-136-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4948-135-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4948-134-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4948-133-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 4540 set thread context of 4948	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 3484 set thread context of 4716	3484	msdcsc.exe	msdcsc.exe
PID 4540 set thread context of 2800	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4056	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 3792	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4220	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 448	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4408	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4272	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2808	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4204	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 1344	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2260	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 3808	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 660	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 3000	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4780	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 3308	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2464	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2236	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2600	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4384	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4764	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 1740	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 216	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4584	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 1116	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 1200	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 3712	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 3420	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2352	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4476	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2232	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4800	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4456	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 3444	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4388	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2320	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 4844	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2024	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 1600	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2056	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 1968	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 2072	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe
PID 4540 set thread context of 952	4540	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe	067da2f3df03a2df83b8420c44bcef19995a483179ec0f572777df86622ba461.exe