darkcomet | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced

Analysis

max time kernel
151s
max time network
167s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Size

713KB
MD5

4e99032cf799aad0a5b32fda617d3498
SHA1

e67deed6bfe806777b04266274713f3ed207fbff
SHA256

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced
SHA512

21aa9b2b080684fb976ce3f1a97b51159feb7a8113e30375ae63ae929b49ef35782755dd4c35b3d5f1c1a4955638532839e31a885e475c8f867c4ba2799453e3
SSDEEP

12288:aKkRlAZIWi9UnAqyYkYIxPzO7/zeGI/l6HijbiPFFJuPLn:asZIWvnAGkYuqbvH7yPj

Score

10^/10

darkcomet neshta guest16 persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

85.93.52.232:1604

Mutex

DC_MUTEX-X9V30LL

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
PMQDeEGAfQts
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Detect Neshta payload 18 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

temp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	temp.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 5 IoCs

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.comtemp.exesvchost.commsdcsc.exe

pid process

1204 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
956 svchost.com
948 temp.exe
1784 svchost.com
1492 msdcsc.exe

pid	process
1204	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
956	svchost.com
948	temp.exe
1784	svchost.com
1492	msdcsc.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\temp.exe	upx
\Users\Admin\AppData\Local\Temp\temp.exe	upx
\Users\Admin\AppData\Local\Temp\temp.exe	upx
C:\Users\Admin\AppData\Local\Temp\temp.exe	upx
behavioral1/memory/948-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\temp.exe	upx
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe	upx
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe	upx
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe	upx
behavioral1/memory/1492-91-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/948-92-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1492-96-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe	upx
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe	upx

Loads dropped DLL 11 IoCs

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.comsvchost.com

pid	process
2036	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
2036	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
956	svchost.com
956	svchost.com
1784	svchost.com
1784	svchost.com
956	svchost.com
2036	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
2036	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
956	svchost.com
2036	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

temp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	temp.exe

Drops file in Program Files directory 64 IoCs

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com

Drops file in Windows directory 5 IoCs

Processes:

svchost.comsvchost.com557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

temp.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	948	temp.exe
Token: SeSecurityPrivilege	948	temp.exe
Token: SeTakeOwnershipPrivilege	948	temp.exe
Token: SeLoadDriverPrivilege	948	temp.exe
Token: SeSystemProfilePrivilege	948	temp.exe
Token: SeSystemtimePrivilege	948	temp.exe
Token: SeProfSingleProcessPrivilege	948	temp.exe
Token: SeIncBasePriorityPrivilege	948	temp.exe
Token: SeCreatePagefilePrivilege	948	temp.exe
Token: SeBackupPrivilege	948	temp.exe
Token: SeRestorePrivilege	948	temp.exe
Token: SeShutdownPrivilege	948	temp.exe
Token: SeDebugPrivilege	948	temp.exe
Token: SeSystemEnvironmentPrivilege	948	temp.exe
Token: SeChangeNotifyPrivilege	948	temp.exe
Token: SeRemoteShutdownPrivilege	948	temp.exe
Token: SeUndockPrivilege	948	temp.exe
Token: SeManageVolumePrivilege	948	temp.exe
Token: SeImpersonatePrivilege	948	temp.exe
Token: SeCreateGlobalPrivilege	948	temp.exe
Token: 33	948	temp.exe
Token: 34	948	temp.exe
Token: 35	948	temp.exe
Token: SeIncreaseQuotaPrivilege	1492	msdcsc.exe
Token: SeSecurityPrivilege	1492	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1492	msdcsc.exe
Token: SeLoadDriverPrivilege	1492	msdcsc.exe
Token: SeSystemProfilePrivilege	1492	msdcsc.exe
Token: SeSystemtimePrivilege	1492	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1492	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1492	msdcsc.exe
Token: SeCreatePagefilePrivilege	1492	msdcsc.exe
Token: SeBackupPrivilege	1492	msdcsc.exe
Token: SeRestorePrivilege	1492	msdcsc.exe
Token: SeShutdownPrivilege	1492	msdcsc.exe
Token: SeDebugPrivilege	1492	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1492	msdcsc.exe
Token: SeChangeNotifyPrivilege	1492	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1492	msdcsc.exe
Token: SeUndockPrivilege	1492	msdcsc.exe
Token: SeManageVolumePrivilege	1492	msdcsc.exe
Token: SeImpersonatePrivilege	1492	msdcsc.exe
Token: SeCreateGlobalPrivilege	1492	msdcsc.exe
Token: 33	1492	msdcsc.exe
Token: 34	1492	msdcsc.exe
Token: 35	1492	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1492 msdcsc.exe

pid	process
1492	msdcsc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.comtemp.exesvchost.com

description	pid	process	target process
PID 2036 wrote to memory of 1204	2036	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
PID 2036 wrote to memory of 1204	2036	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
PID 2036 wrote to memory of 1204	2036	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
PID 2036 wrote to memory of 1204	2036	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
PID 1204 wrote to memory of 956	1204	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	svchost.com
PID 1204 wrote to memory of 956	1204	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	svchost.com
PID 1204 wrote to memory of 956	1204	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	svchost.com
PID 1204 wrote to memory of 956	1204	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	svchost.com
PID 956 wrote to memory of 948	956	svchost.com	temp.exe
PID 956 wrote to memory of 948	956	svchost.com	temp.exe
PID 956 wrote to memory of 948	956	svchost.com	temp.exe
PID 956 wrote to memory of 948	956	svchost.com	temp.exe
PID 948 wrote to memory of 1784	948	temp.exe	svchost.com
PID 948 wrote to memory of 1784	948	temp.exe	svchost.com
PID 948 wrote to memory of 1784	948	temp.exe	svchost.com
PID 948 wrote to memory of 1784	948	temp.exe	svchost.com
PID 1784 wrote to memory of 1492	1784	svchost.com	msdcsc.exe
PID 1784 wrote to memory of 1492	1784	svchost.com	msdcsc.exe
PID 1784 wrote to memory of 1492	1784	svchost.com	msdcsc.exe
PID 1784 wrote to memory of 1492	1784	svchost.com	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
"C:\Users\Admin\AppData\Local\Temp\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\temp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\temp.exe
C:\Users\Admin\AppData\Local\Temp\temp.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
Filesize
741KB

MD5
5d2fd8de43da81187b030d6357ab75ce

SHA1
327122ef6afaffc61a86193fbe3d1cbabb75407e

SHA256
4d117648525a468532da011f0fc051e49bf472bbcb3e9c4696955bd398b9205f

SHA512
9f7470978346746b4e3366f9a6b277aa747cc45f13d36886fc16303221565d23348195b72ac25f7b1711789cd7cb925d7ceea91e384ef4f904a4e49b4e06d9b2

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
Filesize
392KB

MD5
25b9301a6557a958b0a64752342be27d

SHA1
0887e1a9389a711ef8b82da8e53d9a03901edebc

SHA256
5d916f7c7f6cb6cfd7545a57cb9c9d9c6df16af3517298c346901081a9135303

SHA512
985f6b2fcac2f0425a1a339a55616012879a393caa747412d04c1ee4de3b12aff2cc051860066d84ecbeae335eaa5116ccb8a02090a2674eded367378c56b1ab

Download Submit
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
Filesize
606KB

MD5
9b1c9f74ac985eab6f8e5b27441a757b

SHA1
9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

SHA256
2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

SHA512
d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
526KB

MD5
7a81734925f7cb7617fa8c5949434d2d

SHA1
d235362248820a3e01111535ac0d383d0cf8f602

SHA256
2612a37955b885949d4a77596f9065b138504551d3332f91a245abd16d7cb44b

SHA512
68dfdac4d323ff3bff140ae39cd15f8adc0744a9808484b51ebeef3552fc5b796ddb4e0161863ce41b5230bbc91245917970b73f05429504ee8f944ae190affb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
714KB

MD5
24179b4581907abfef8a55ab41c97999

SHA1
e4de417476f43da4405f4340ebf6044f6b094337

SHA256
a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7

SHA512
6fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
536KB

MD5
3e8de969e12cd5e6292489a12a9834b6

SHA1
285b89585a09ead4affa32ecaaa842bc51d53ad5

SHA256
7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

SHA512
b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Filesize
673KB

MD5
fbefde6ac78abf88621da3ccc7dd9daf

SHA1
ad230be204c8355a57a65b54e6db65e1dc19b617

SHA256
f74e5ffcd9d66becadd92a1f1add13fa88312825abb96cdf4aa6d2393c2495ba

SHA512
b254da4f8bb73ba0e8b14c99d1b2b1380d93a0aecff8677502da4fa4cb63a2a79b5e9f76970e2d6263f78db5ef0b0d15693ce5851a3b54e6c196a1007cd118b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Filesize
673KB

MD5
fbefde6ac78abf88621da3ccc7dd9daf

SHA1
ad230be204c8355a57a65b54e6db65e1dc19b617

SHA256
f74e5ffcd9d66becadd92a1f1add13fa88312825abb96cdf4aa6d2393c2495ba

SHA512
b254da4f8bb73ba0e8b14c99d1b2b1380d93a0aecff8677502da4fa4cb63a2a79b5e9f76970e2d6263f78db5ef0b0d15693ce5851a3b54e6c196a1007cd118b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
C:\Windows\directx.sys
Filesize
44B

MD5
6b0e9a218062a0e0c7075bf73f88a801

SHA1
6ecab7ccfe4d3dc66270827cc7db73dc76300af5

SHA256
56fc0cf79bc77c72d36879de73d23c91620edc93c4b2727951cb2a00d5b2de75

SHA512
f86a77d2fa66e4d9261faa8d5428e8a224124a90394a5438e9053b5b29ce2c9d18dfbdeeadfe3a75675fd7baa7fe26ba64619ddfd3f594555981a388e9cbdf6f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
30268ff30af9c2179188a809ef2ddb5a

SHA1
ed389e7107e27936c9cba7cb81b3c6cb8b2c4eea

SHA256
af957861e3766cff6b0ae58ca97b716a3e8abfe3e54b01659f462d26b768d3f5

SHA512
e3a44993b7e2dfa1b2a10304978ad80ca6c9e3cefcff8adef42a7d2520fdc2769129af7a643cfae56617c8dbdd0f4d4ffc7d0804988561593944ec9a61bc7d89

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
30268ff30af9c2179188a809ef2ddb5a

SHA1
ed389e7107e27936c9cba7cb81b3c6cb8b2c4eea

SHA256
af957861e3766cff6b0ae58ca97b716a3e8abfe3e54b01659f462d26b768d3f5

SHA512
e3a44993b7e2dfa1b2a10304978ad80ca6c9e3cefcff8adef42a7d2520fdc2769129af7a643cfae56617c8dbdd0f4d4ffc7d0804988561593944ec9a61bc7d89

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
30268ff30af9c2179188a809ef2ddb5a

SHA1
ed389e7107e27936c9cba7cb81b3c6cb8b2c4eea

SHA256
af957861e3766cff6b0ae58ca97b716a3e8abfe3e54b01659f462d26b768d3f5

SHA512
e3a44993b7e2dfa1b2a10304978ad80ca6c9e3cefcff8adef42a7d2520fdc2769129af7a643cfae56617c8dbdd0f4d4ffc7d0804988561593944ec9a61bc7d89

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Filesize
673KB

MD5
fbefde6ac78abf88621da3ccc7dd9daf

SHA1
ad230be204c8355a57a65b54e6db65e1dc19b617

SHA256
f74e5ffcd9d66becadd92a1f1add13fa88312825abb96cdf4aa6d2393c2495ba

SHA512
b254da4f8bb73ba0e8b14c99d1b2b1380d93a0aecff8677502da4fa4cb63a2a79b5e9f76970e2d6263f78db5ef0b0d15693ce5851a3b54e6c196a1007cd118b9

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Filesize
673KB

MD5
fbefde6ac78abf88621da3ccc7dd9daf

SHA1
ad230be204c8355a57a65b54e6db65e1dc19b617

SHA256
f74e5ffcd9d66becadd92a1f1add13fa88312825abb96cdf4aa6d2393c2495ba

SHA512
b254da4f8bb73ba0e8b14c99d1b2b1380d93a0aecff8677502da4fa4cb63a2a79b5e9f76970e2d6263f78db5ef0b0d15693ce5851a3b54e6c196a1007cd118b9

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
memory/948-92-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/948-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/948-70-0x0000000000000000-mapping.dmp

Download
memory/956-73-0x0000000001D20000-0x0000000001DD7000-memory.dmp

Filesize
732KB

Download
memory/956-113-0x0000000002080000-0x0000000002137000-memory.dmp

Filesize
732KB

Download
memory/956-94-0x0000000001D20000-0x0000000001DD7000-memory.dmp

Filesize
732KB

Download
memory/956-64-0x0000000000000000-mapping.dmp

Download
memory/956-93-0x0000000001D20000-0x0000000001DD7000-memory.dmp

Filesize
732KB

Download
memory/956-72-0x0000000001D20000-0x0000000001DD7000-memory.dmp

Filesize
732KB

Download
memory/956-109-0x0000000002080000-0x0000000002137000-memory.dmp

Filesize
732KB

Download
memory/1204-57-0x0000000000000000-mapping.dmp

Download
memory/1204-62-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp

Filesize
8KB

Download
memory/1204-61-0x000007FEF28F0000-0x000007FEF3986000-memory.dmp

Filesize
16.6MB

Download
memory/1204-60-0x000007FEF3990000-0x000007FEF43B3000-memory.dmp

Filesize
10.1MB

Download
memory/1492-91-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1492-88-0x0000000000000000-mapping.dmp

Download
memory/1492-96-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1784-81-0x0000000000000000-mapping.dmp

Download
memory/2036-110-0x0000000002160000-0x0000000002217000-memory.dmp

Filesize
732KB

Download
memory/2036-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/2036-114-0x0000000002160000-0x0000000002217000-memory.dmp

Filesize
732KB

Download