darkcomet | 57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

Analysis

max time kernel
151s
max time network
62s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
Size

497KB
MD5

3e064b1071ad430572a3f6cf93bded95
SHA1

d20ebd5022710f10d2cb34381eddf4c4fb6c1112
SHA256

57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d
SHA512

05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26
SSDEEP

12288:RSrLA/nD6+NQzJFnC6PCgS3AFsFp7ZT/:RSrLQ60SXag8Akl

Score

10^/10

darkcomet newnet persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

newnet

raymondong.no-ip.org:1604

Mutex

DC_MUTEX-USJ8V54

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
rcNQGPe0V03M
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

hknswc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	hknswc.exe

Executes dropped EXE 64 IoCs

Processes:

AppMgnt.exehknswc.exeAppMgnt.exehknswc.exemsdcsc.exehknswc.exetakshost.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exeAppMgnt.exemsdcsc.exemsdcsc.exetakshost.exetakshost.exetakshost.exetakshost.exetakshost.exetakshost.exetakshost.exetakshost.exetakshost.exetakshost.exetakshost.exetakshost.exe

pid	process
568	AppMgnt.exe
1928	hknswc.exe
2020	AppMgnt.exe
1424	hknswc.exe
1996	msdcsc.exe
1428	hknswc.exe
1908	takshost.exe
368	msdcsc.exe
1552	msdcsc.exe
936	msdcsc.exe
1128	msdcsc.exe
1320	msdcsc.exe
1800	msdcsc.exe
2032	msdcsc.exe
1960	msdcsc.exe
1072	msdcsc.exe
968	msdcsc.exe
1628	msdcsc.exe
1108	msdcsc.exe
1984	msdcsc.exe
1168	msdcsc.exe
792	msdcsc.exe
828	msdcsc.exe
1820	msdcsc.exe
1896	msdcsc.exe
1652	msdcsc.exe
632	msdcsc.exe
1304	msdcsc.exe
1452	msdcsc.exe
1732	msdcsc.exe
1892	msdcsc.exe
1160	msdcsc.exe
1812	msdcsc.exe
2060	msdcsc.exe
2132	msdcsc.exe
2208	msdcsc.exe
2284	msdcsc.exe
2360	msdcsc.exe
2436	msdcsc.exe
2512	msdcsc.exe
2588	msdcsc.exe
2660	msdcsc.exe
2736	msdcsc.exe
2812	msdcsc.exe
2892	msdcsc.exe
2968	msdcsc.exe
3048	msdcsc.exe
2100	msdcsc.exe
2176	msdcsc.exe
2304	AppMgnt.exe
2272	msdcsc.exe
2388	msdcsc.exe
2484	takshost.exe
2640	takshost.exe
2724	takshost.exe
2796	takshost.exe
2900	takshost.exe
2952	takshost.exe
3028	takshost.exe
2080	takshost.exe
2200	takshost.exe
1940	takshost.exe
2348	takshost.exe
2416	takshost.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1708-60-0x0000000000250000-0x0000000000307000-memory.dmp	upx
behavioral1/memory/1708-62-0x0000000000250000-0x0000000000307000-memory.dmp	upx
behavioral1/memory/1424-93-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1424-96-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1424-98-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1424-99-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1424-107-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1428-119-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1428-120-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1428-121-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1428-124-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/368-144-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1552-156-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/936-168-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1320-187-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1800-199-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2032-211-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1960-223-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1072-235-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/968-247-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1108-266-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1984-278-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1168-290-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/792-302-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/828-314-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1820-326-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1896-338-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1652-350-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/632-362-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1304-374-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1452-386-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1732-398-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1892-410-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1160-422-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1812-434-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2060-446-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2132-458-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2208-470-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2284-482-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2360-495-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2436-507-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2512-519-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2588-531-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2660-543-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2736-555-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2812-567-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2892-579-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2968-591-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3048-603-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2100-615-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exeAppMgnt.exehknswc.exe

pid process

2012 57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
568 AppMgnt.exe
1424 hknswc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hknswc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	hknswc.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exehknswc.exemsdcsc.exetakshost.exe

description	pid	process	target process
PID 2012 set thread context of 1708	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
PID 1928 set thread context of 1424	1928	hknswc.exe	hknswc.exe
PID 1928 set thread context of 1428	1928	hknswc.exe	hknswc.exe
PID 1996 set thread context of 368	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1552	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 936	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1128	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1320	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1800	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2032	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1960	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1072	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 968	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1628	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1108	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1984	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1168	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 792	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 828	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1820	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1896	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1652	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 632	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1304	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1452	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1732	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1892	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1160	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 1812	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2060	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2132	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2208	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2284	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2360	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2436	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2512	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2588	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2660	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2736	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2812	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2892	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2968	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 3048	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2100	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2176	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2272	1996	msdcsc.exe	msdcsc.exe
PID 1996 set thread context of 2388	1996	msdcsc.exe	msdcsc.exe
PID 1908 set thread context of 2484	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2640	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2724	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2796	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2900	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2952	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 3028	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2080	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2200	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 1940	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2348	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2416	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2556	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 1916	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2720	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2820	1908	takshost.exe	takshost.exe
PID 1908 set thread context of 2916	1908	takshost.exe	takshost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe

pid	process
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exeAppMgnt.exehknswc.exeAppMgnt.exehknswc.exehknswc.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeDebugPrivilege	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
Token: SeDebugPrivilege	568	AppMgnt.exe
Token: SeDebugPrivilege	1928	hknswc.exe
Token: SeDebugPrivilege	2020	AppMgnt.exe
Token: SeIncreaseQuotaPrivilege	1424	hknswc.exe
Token: SeSecurityPrivilege	1424	hknswc.exe
Token: SeTakeOwnershipPrivilege	1424	hknswc.exe
Token: SeLoadDriverPrivilege	1424	hknswc.exe
Token: SeSystemProfilePrivilege	1424	hknswc.exe
Token: SeSystemtimePrivilege	1424	hknswc.exe
Token: SeProfSingleProcessPrivilege	1424	hknswc.exe
Token: SeIncBasePriorityPrivilege	1424	hknswc.exe
Token: SeCreatePagefilePrivilege	1424	hknswc.exe
Token: SeBackupPrivilege	1424	hknswc.exe
Token: SeRestorePrivilege	1424	hknswc.exe
Token: SeShutdownPrivilege	1424	hknswc.exe
Token: SeDebugPrivilege	1424	hknswc.exe
Token: SeSystemEnvironmentPrivilege	1424	hknswc.exe
Token: SeChangeNotifyPrivilege	1424	hknswc.exe
Token: SeRemoteShutdownPrivilege	1424	hknswc.exe
Token: SeUndockPrivilege	1424	hknswc.exe
Token: SeManageVolumePrivilege	1424	hknswc.exe
Token: SeImpersonatePrivilege	1424	hknswc.exe
Token: SeCreateGlobalPrivilege	1424	hknswc.exe
Token: 33	1424	hknswc.exe
Token: 34	1424	hknswc.exe
Token: 35	1424	hknswc.exe
Token: SeIncreaseQuotaPrivilege	1428	hknswc.exe
Token: SeSecurityPrivilege	1428	hknswc.exe
Token: SeTakeOwnershipPrivilege	1428	hknswc.exe
Token: SeLoadDriverPrivilege	1428	hknswc.exe
Token: SeSystemProfilePrivilege	1428	hknswc.exe
Token: SeSystemtimePrivilege	1428	hknswc.exe
Token: SeProfSingleProcessPrivilege	1428	hknswc.exe
Token: SeIncBasePriorityPrivilege	1428	hknswc.exe
Token: SeCreatePagefilePrivilege	1428	hknswc.exe
Token: SeBackupPrivilege	1428	hknswc.exe
Token: SeRestorePrivilege	1428	hknswc.exe
Token: SeShutdownPrivilege	1428	hknswc.exe
Token: SeDebugPrivilege	1428	hknswc.exe
Token: SeSystemEnvironmentPrivilege	1428	hknswc.exe
Token: SeChangeNotifyPrivilege	1428	hknswc.exe
Token: SeRemoteShutdownPrivilege	1428	hknswc.exe
Token: SeUndockPrivilege	1428	hknswc.exe
Token: SeManageVolumePrivilege	1428	hknswc.exe
Token: SeImpersonatePrivilege	1428	hknswc.exe
Token: SeCreateGlobalPrivilege	1428	hknswc.exe
Token: 33	1428	hknswc.exe
Token: 34	1428	hknswc.exe
Token: 35	1428	hknswc.exe
Token: SeDebugPrivilege	1996	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	368	msdcsc.exe
Token: SeSecurityPrivilege	368	msdcsc.exe
Token: SeTakeOwnershipPrivilege	368	msdcsc.exe
Token: SeLoadDriverPrivilege	368	msdcsc.exe
Token: SeSystemProfilePrivilege	368	msdcsc.exe
Token: SeSystemtimePrivilege	368	msdcsc.exe
Token: SeProfSingleProcessPrivilege	368	msdcsc.exe
Token: SeIncBasePriorityPrivilege	368	msdcsc.exe
Token: SeCreatePagefilePrivilege	368	msdcsc.exe
Token: SeBackupPrivilege	368	msdcsc.exe
Token: SeRestorePrivilege	368	msdcsc.exe
Token: SeShutdownPrivilege	368	msdcsc.exe
Token: SeDebugPrivilege	368	msdcsc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

DllHost.exe

pid process

856 DllHost.exe
856 DllHost.exe
856 DllHost.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AppMgnt.exehknswc.exeAppMgnt.exe

pid process

568 AppMgnt.exe
568 AppMgnt.exe
1428 hknswc.exe
2020 AppMgnt.exe
2020 AppMgnt.exe

pid	process
856	DllHost.exe
856	DllHost.exe
856	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exeAppMgnt.exehknswc.exehknswc.exemsdcsc.exe

description	pid	process	target process
PID 2012 wrote to memory of 1708	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
PID 2012 wrote to memory of 1708	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
PID 2012 wrote to memory of 1708	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
PID 2012 wrote to memory of 1708	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
PID 2012 wrote to memory of 1708	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
PID 2012 wrote to memory of 1708	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
PID 2012 wrote to memory of 1708	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
PID 2012 wrote to memory of 1708	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
PID 2012 wrote to memory of 568	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	AppMgnt.exe
PID 2012 wrote to memory of 568	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	AppMgnt.exe
PID 2012 wrote to memory of 568	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	AppMgnt.exe
PID 2012 wrote to memory of 568	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	AppMgnt.exe
PID 568 wrote to memory of 1928	568	AppMgnt.exe	hknswc.exe
PID 568 wrote to memory of 1928	568	AppMgnt.exe	hknswc.exe
PID 568 wrote to memory of 1928	568	AppMgnt.exe	hknswc.exe
PID 568 wrote to memory of 1928	568	AppMgnt.exe	hknswc.exe
PID 2012 wrote to memory of 456	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	dw20.exe
PID 2012 wrote to memory of 456	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	dw20.exe
PID 2012 wrote to memory of 456	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	dw20.exe
PID 2012 wrote to memory of 456	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	dw20.exe
PID 2012 wrote to memory of 2020	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	AppMgnt.exe
PID 2012 wrote to memory of 2020	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	AppMgnt.exe
PID 2012 wrote to memory of 2020	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	AppMgnt.exe
PID 2012 wrote to memory of 2020	2012	57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe	AppMgnt.exe
PID 1928 wrote to memory of 1424	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1424	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1424	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1424	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1424	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1424	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1424	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1424	1928	hknswc.exe	hknswc.exe
PID 1424 wrote to memory of 1996	1424	hknswc.exe	msdcsc.exe
PID 1424 wrote to memory of 1996	1424	hknswc.exe	msdcsc.exe
PID 1424 wrote to memory of 1996	1424	hknswc.exe	msdcsc.exe
PID 1424 wrote to memory of 1996	1424	hknswc.exe	msdcsc.exe
PID 1928 wrote to memory of 1428	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1428	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1428	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1428	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1428	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1428	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1428	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1428	1928	hknswc.exe	hknswc.exe
PID 1928 wrote to memory of 1908	1928	hknswc.exe	takshost.exe
PID 1928 wrote to memory of 1908	1928	hknswc.exe	takshost.exe
PID 1928 wrote to memory of 1908	1928	hknswc.exe	takshost.exe
PID 1928 wrote to memory of 1908	1928	hknswc.exe	takshost.exe
PID 1996 wrote to memory of 368	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 368	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 368	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 368	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 368	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 368	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 368	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 368	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 1552	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 1552	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 1552	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 1552	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 1552	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 1552	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 1552	1996	msdcsc.exe	msdcsc.exe
PID 1996 wrote to memory of 1552	1996	msdcsc.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
"C:\Users\Admin\AppData\Local\Temp\57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe
  "C:\Users\Admin\AppData\Local\Temp\57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d.exe"
  2⤵
  PID:1708
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1552
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:936
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1128
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1320
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1800
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2032
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1960
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1072
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:968
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1628
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1108
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1984
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1168
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:792
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:828
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1820
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1896
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1652
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:632
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1304
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1452
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1732
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1892
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1160
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1812
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2060
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2132
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2208
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2284
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2360
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2436
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2512
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2588
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2660
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2736
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2812
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2892
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2968
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:3048
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2100
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2176
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2272
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
        6⤵
        Executes dropped EXE
        
        PID:2304
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2388
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2448
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2676
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2804
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2888
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:3012
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2068
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2152
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:1600
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2328
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2572
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2628
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2656
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2932
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2096
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2356
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:1500
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2864
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2124
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:852
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:1528
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2884
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2112
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2256
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:1764
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2960
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:2244
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        
        PID:1536
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1428
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1908
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2484
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2640
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2724
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2796
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2900
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2952
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3028
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2080
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2200
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1940
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2348
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2416
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2556
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:1916
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2720
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2820
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2916
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:3004
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:1936
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2128
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2204
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2264
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2312
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2444
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:1948
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2648
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2832
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:3008
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2168
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2276
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2372
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2672
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2044
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2992
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2232
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2608
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2708
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2996
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:1112
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2552
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2836
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2084
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2432
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2748
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2940
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2116
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:680
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2596
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:1784
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2872
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2056
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:1888
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:1944
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2688
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2944
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2188
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2624
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2576
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:764
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2224
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2536
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2848
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2156
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        5⤵
        
        PID:2496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 936
  2⤵
  PID:456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2020

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
14KB

MD5
9de341ca4dd62774ec3879337522e491

SHA1
682db3ba6f088d73351a8d6fd728632f1bbd4653

SHA256
43482bf71fea728857949755a8837ca49b4109803773cadbdc084f610e8a2337

SHA512
8d0049d385164f5ef7ad74751ecd2c8b842f506be4ab72c9169ac6480cda177b0441845f166961d4f900571d7f3b8a41b0c75cb875ce0dd90e9bf337baf388e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
14KB

MD5
9de341ca4dd62774ec3879337522e491

SHA1
682db3ba6f088d73351a8d6fd728632f1bbd4653

SHA256
43482bf71fea728857949755a8837ca49b4109803773cadbdc084f610e8a2337

SHA512
8d0049d385164f5ef7ad74751ecd2c8b842f506be4ab72c9169ac6480cda177b0441845f166961d4f900571d7f3b8a41b0c75cb875ce0dd90e9bf337baf388e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
14KB

MD5
9de341ca4dd62774ec3879337522e491

SHA1
682db3ba6f088d73351a8d6fd728632f1bbd4653

SHA256
43482bf71fea728857949755a8837ca49b4109803773cadbdc084f610e8a2337

SHA512
8d0049d385164f5ef7ad74751ecd2c8b842f506be4ab72c9169ac6480cda177b0441845f166961d4f900571d7f3b8a41b0c75cb875ce0dd90e9bf337baf388e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
14KB

MD5
9de341ca4dd62774ec3879337522e491

SHA1
682db3ba6f088d73351a8d6fd728632f1bbd4653

SHA256
43482bf71fea728857949755a8837ca49b4109803773cadbdc084f610e8a2337

SHA512
8d0049d385164f5ef7ad74751ecd2c8b842f506be4ab72c9169ac6480cda177b0441845f166961d4f900571d7f3b8a41b0c75cb875ce0dd90e9bf337baf388e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Desktop\gapd-1.jpg

Filesize
66KB

MD5
601bcd997fe33516a2f721bee6fbecb6

SHA1
1170c32b165848ab298bb60162bbe8a0ac3637f5

SHA256
4339b91a0081f2a57df3c0e854e46603912cae30b26c0cf6e679efdc9348b618

SHA512
ac3655bc4ad70a8d12aa19d6d7219f2a23e7de756580310753ae5bca26ab8029e859f40463ca382505cbc4ef8691a0d8da49699b0bcf8877c5d70add6a7baa73

Download Submit
C:\Users\Admin\Desktop\gapd-1.jpg

Filesize
66KB

MD5
601bcd997fe33516a2f721bee6fbecb6

SHA1
1170c32b165848ab298bb60162bbe8a0ac3637f5

SHA256
4339b91a0081f2a57df3c0e854e46603912cae30b26c0cf6e679efdc9348b618

SHA512
ac3655bc4ad70a8d12aa19d6d7219f2a23e7de756580310753ae5bca26ab8029e859f40463ca382505cbc4ef8691a0d8da49699b0bcf8877c5d70add6a7baa73

Download Submit
C:\Users\Admin\Desktop\gapd-1.jpg

Filesize
66KB

MD5
601bcd997fe33516a2f721bee6fbecb6

SHA1
1170c32b165848ab298bb60162bbe8a0ac3637f5

SHA256
4339b91a0081f2a57df3c0e854e46603912cae30b26c0cf6e679efdc9348b618

SHA512
ac3655bc4ad70a8d12aa19d6d7219f2a23e7de756580310753ae5bca26ab8029e859f40463ca382505cbc4ef8691a0d8da49699b0bcf8877c5d70add6a7baa73

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
14KB

MD5
9de341ca4dd62774ec3879337522e491

SHA1
682db3ba6f088d73351a8d6fd728632f1bbd4653

SHA256
43482bf71fea728857949755a8837ca49b4109803773cadbdc084f610e8a2337

SHA512
8d0049d385164f5ef7ad74751ecd2c8b842f506be4ab72c9169ac6480cda177b0441845f166961d4f900571d7f3b8a41b0c75cb875ce0dd90e9bf337baf388e2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
497KB

MD5
3e064b1071ad430572a3f6cf93bded95

SHA1
d20ebd5022710f10d2cb34381eddf4c4fb6c1112

SHA256
57ebd0be0270a97b374ea1ec73f4f5cc7c8f8c2784ddb301ecaf7f155831bc9d

SHA512
05b408e8e35de2a2e73c0b0bc07a9c88ef548b9f3ed071f81460c75748825a0f776a8082f1e556d3cb27cd73bc1c98091abf3f2d7c8fcd3e0df90fdf2cd63b26

Download Submit
memory/368-144-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/368-137-0x00000000004B5770-mapping.dmp

Download
memory/456-80-0x0000000000000000-mapping.dmp

Download
memory/568-84-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/568-85-0x0000000002225000-0x0000000002236000-memory.dmp

Filesize
68KB

Download
memory/568-82-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/568-67-0x0000000000000000-mapping.dmp

Download
memory/568-76-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/568-77-0x0000000002225000-0x0000000002236000-memory.dmp

Filesize
68KB

Download
memory/632-362-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/632-356-0x00000000004B5770-mapping.dmp

Download
memory/792-296-0x00000000004B5770-mapping.dmp

Download
memory/792-302-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/828-314-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/828-308-0x00000000004B5770-mapping.dmp

Download
memory/936-162-0x00000000004B5770-mapping.dmp

Download
memory/936-168-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/968-241-0x00000000004B5770-mapping.dmp

Download
memory/968-247-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1072-229-0x00000000004B5770-mapping.dmp

Download
memory/1072-235-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1108-260-0x00000000004B5770-mapping.dmp

Download
memory/1108-266-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1128-174-0x00000000004B5770-mapping.dmp

Download
memory/1160-422-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1160-416-0x00000000004B5770-mapping.dmp

Download
memory/1168-284-0x00000000004B5770-mapping.dmp

Download
memory/1168-290-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1304-368-0x00000000004B5770-mapping.dmp

Download
memory/1304-374-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1320-187-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1320-181-0x00000000004B5770-mapping.dmp

Download
memory/1424-94-0x00000000004B5770-mapping.dmp

Download
memory/1424-93-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1424-107-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1424-96-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1424-98-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1424-99-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1428-124-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1428-121-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1428-120-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1428-119-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1428-115-0x00000000004B5770-mapping.dmp

Download
memory/1452-380-0x00000000004B5770-mapping.dmp

Download
memory/1452-386-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1552-150-0x00000000004B5770-mapping.dmp

Download
memory/1552-156-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1628-253-0x00000000004B5770-mapping.dmp

Download
memory/1652-344-0x00000000004B5770-mapping.dmp

Download
memory/1652-350-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1708-59-0x0000000000250000-0x0000000000307000-memory.dmp

Filesize
732KB

Download
memory/1708-62-0x0000000000250000-0x0000000000307000-memory.dmp

Filesize
732KB

Download
memory/1708-60-0x0000000000250000-0x0000000000307000-memory.dmp

Filesize
732KB

Download
memory/1708-64-0x00000000004B5770-mapping.dmp

Download
memory/1732-398-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1732-392-0x00000000004B5770-mapping.dmp

Download
memory/1800-193-0x00000000004B5770-mapping.dmp

Download
memory/1800-199-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1812-434-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1812-428-0x00000000004B5770-mapping.dmp

Download
memory/1820-320-0x00000000004B5770-mapping.dmp

Download
memory/1820-326-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1892-404-0x00000000004B5770-mapping.dmp

Download
memory/1892-410-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1896-332-0x00000000004B5770-mapping.dmp

Download
memory/1896-338-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1908-125-0x0000000000000000-mapping.dmp

Download
memory/1908-492-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-130-0x0000000000446000-0x0000000000457000-memory.dmp

Filesize
68KB

Download
memory/1908-131-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-79-0x0000000000A56000-0x0000000000A67000-memory.dmp

Filesize
68KB

Download
memory/1928-73-0x0000000000000000-mapping.dmp

Download
memory/1928-129-0x0000000000A56000-0x0000000000A67000-memory.dmp

Filesize
68KB

Download
memory/1928-128-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-78-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-83-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-763-0x00000000004B5770-mapping.dmp

Download
memory/1960-217-0x00000000004B5770-mapping.dmp

Download
memory/1960-223-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1984-278-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1984-272-0x00000000004B5770-mapping.dmp

Download
memory/1996-123-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-101-0x0000000000000000-mapping.dmp

Download
memory/1996-109-0x0000000000166000-0x0000000000177000-memory.dmp

Filesize
68KB

Download
memory/1996-108-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-55-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-56-0x0000000000786000-0x0000000000797000-memory.dmp

Filesize
68KB

Download
memory/2012-57-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2020-106-0x00000000004F5000-0x0000000000506000-memory.dmp

Filesize
68KB

Download
memory/2020-86-0x0000000000000000-mapping.dmp

Download
memory/2020-105-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-122-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-205-0x00000000004B5770-mapping.dmp

Download
memory/2032-211-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2060-446-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2060-440-0x00000000004B5770-mapping.dmp

Download
memory/2080-741-0x00000000004B5770-mapping.dmp

Download
memory/2100-615-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2100-609-0x00000000004B5770-mapping.dmp

Download
memory/2132-452-0x00000000004B5770-mapping.dmp

Download
memory/2132-458-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2176-621-0x00000000004B5770-mapping.dmp

Download
memory/2200-752-0x00000000004B5770-mapping.dmp

Download
memory/2208-464-0x00000000004B5770-mapping.dmp

Download
memory/2208-470-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2272-636-0x00000000004B5770-mapping.dmp

Download
memory/2284-476-0x00000000004B5770-mapping.dmp

Download
memory/2284-482-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2304-634-0x0000000000000000-mapping.dmp

Download
memory/2360-488-0x00000000004B5770-mapping.dmp

Download
memory/2360-495-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2388-651-0x00000000004B5770-mapping.dmp

Download
memory/2436-507-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2436-501-0x00000000004B5770-mapping.dmp

Download
memory/2484-659-0x00000000004B5770-mapping.dmp

Download
memory/2512-513-0x00000000004B5770-mapping.dmp

Download
memory/2512-519-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2588-531-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2588-525-0x00000000004B5770-mapping.dmp

Download
memory/2640-672-0x00000000004B5770-mapping.dmp

Download
memory/2660-537-0x00000000004B5770-mapping.dmp

Download
memory/2660-543-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-686-0x00000000004B5770-mapping.dmp

Download
memory/2736-549-0x00000000004B5770-mapping.dmp

Download
memory/2736-555-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2796-697-0x00000000004B5770-mapping.dmp

Download
memory/2812-561-0x00000000004B5770-mapping.dmp

Download
memory/2812-567-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2892-573-0x00000000004B5770-mapping.dmp

Download
memory/2892-579-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2900-708-0x00000000004B5770-mapping.dmp

Download
memory/2952-719-0x00000000004B5770-mapping.dmp

Download
memory/2968-585-0x00000000004B5770-mapping.dmp

Download
memory/2968-591-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3028-730-0x00000000004B5770-mapping.dmp

Download
memory/3048-603-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3048-597-0x00000000004B5770-mapping.dmp

Download