darkcomet | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced

Analysis

max time kernel
183s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Size

713KB
MD5

4e99032cf799aad0a5b32fda617d3498
SHA1

e67deed6bfe806777b04266274713f3ed207fbff
SHA256

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced
SHA512

21aa9b2b080684fb976ce3f1a97b51159feb7a8113e30375ae63ae929b49ef35782755dd4c35b3d5f1c1a4955638532839e31a885e475c8f867c4ba2799453e3
SSDEEP

12288:aKkRlAZIWi9UnAqyYkYIxPzO7/zeGI/l6HijbiPFFJuPLn:asZIWvnAGkYuqbvH7yPj

Score

10^/10

darkcomet neshta guest16 persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

85.93.52.232:1604

Mutex

DC_MUTEX-X9V30LL

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
PMQDeEGAfQts
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Detect Neshta payload 29 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	family_neshta
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

temp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	temp.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 5 IoCs

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.comtemp.exesvchost.commsdcsc.exe

pid process

1376 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
4496 svchost.com
1436 temp.exe
4512 svchost.com
3392 msdcsc.exe

pid	process
1376	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
4496	svchost.com
1436	temp.exe
4512	svchost.com
3392	msdcsc.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\temp.exe	upx
C:\Users\Admin\AppData\Local\Temp\temp.exe	upx
C:\Users\Admin\AppData\Local\Temp\temp.exe	upx
behavioral2/memory/1436-143-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
behavioral2/memory/3392-151-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1436-152-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exetemp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	temp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

temp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	temp.exe

Drops file in Program Files directory 64 IoCs

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

Drops file in Windows directory 5 IoCs

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exetemp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	temp.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

temp.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1436	temp.exe
Token: SeSecurityPrivilege	1436	temp.exe
Token: SeTakeOwnershipPrivilege	1436	temp.exe
Token: SeLoadDriverPrivilege	1436	temp.exe
Token: SeSystemProfilePrivilege	1436	temp.exe
Token: SeSystemtimePrivilege	1436	temp.exe
Token: SeProfSingleProcessPrivilege	1436	temp.exe
Token: SeIncBasePriorityPrivilege	1436	temp.exe
Token: SeCreatePagefilePrivilege	1436	temp.exe
Token: SeBackupPrivilege	1436	temp.exe
Token: SeRestorePrivilege	1436	temp.exe
Token: SeShutdownPrivilege	1436	temp.exe
Token: SeDebugPrivilege	1436	temp.exe
Token: SeSystemEnvironmentPrivilege	1436	temp.exe
Token: SeChangeNotifyPrivilege	1436	temp.exe
Token: SeRemoteShutdownPrivilege	1436	temp.exe
Token: SeUndockPrivilege	1436	temp.exe
Token: SeManageVolumePrivilege	1436	temp.exe
Token: SeImpersonatePrivilege	1436	temp.exe
Token: SeCreateGlobalPrivilege	1436	temp.exe
Token: 33	1436	temp.exe
Token: 34	1436	temp.exe
Token: 35	1436	temp.exe
Token: 36	1436	temp.exe
Token: SeIncreaseQuotaPrivilege	3392	msdcsc.exe
Token: SeSecurityPrivilege	3392	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3392	msdcsc.exe
Token: SeLoadDriverPrivilege	3392	msdcsc.exe
Token: SeSystemProfilePrivilege	3392	msdcsc.exe
Token: SeSystemtimePrivilege	3392	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3392	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3392	msdcsc.exe
Token: SeCreatePagefilePrivilege	3392	msdcsc.exe
Token: SeBackupPrivilege	3392	msdcsc.exe
Token: SeRestorePrivilege	3392	msdcsc.exe
Token: SeShutdownPrivilege	3392	msdcsc.exe
Token: SeDebugPrivilege	3392	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3392	msdcsc.exe
Token: SeChangeNotifyPrivilege	3392	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3392	msdcsc.exe
Token: SeUndockPrivilege	3392	msdcsc.exe
Token: SeManageVolumePrivilege	3392	msdcsc.exe
Token: SeImpersonatePrivilege	3392	msdcsc.exe
Token: SeCreateGlobalPrivilege	3392	msdcsc.exe
Token: 33	3392	msdcsc.exe
Token: 34	3392	msdcsc.exe
Token: 35	3392	msdcsc.exe
Token: 36	3392	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

3392 msdcsc.exe

pid	process
3392	msdcsc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.comtemp.exesvchost.com

description	pid	process	target process
PID 4344 wrote to memory of 1376	4344	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
PID 4344 wrote to memory of 1376	4344	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
PID 1376 wrote to memory of 4496	1376	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	svchost.com
PID 1376 wrote to memory of 4496	1376	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	svchost.com
PID 1376 wrote to memory of 4496	1376	557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe	svchost.com
PID 4496 wrote to memory of 1436	4496	svchost.com	temp.exe
PID 4496 wrote to memory of 1436	4496	svchost.com	temp.exe
PID 4496 wrote to memory of 1436	4496	svchost.com	temp.exe
PID 1436 wrote to memory of 4512	1436	temp.exe	svchost.com
PID 1436 wrote to memory of 4512	1436	temp.exe	svchost.com
PID 1436 wrote to memory of 4512	1436	temp.exe	svchost.com
PID 4512 wrote to memory of 3392	4512	svchost.com	msdcsc.exe
PID 4512 wrote to memory of 3392	4512	svchost.com	msdcsc.exe
PID 4512 wrote to memory of 3392	4512	svchost.com	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
"C:\Users\Admin\AppData\Local\Temp\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\temp.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Temp\temp.exe
C:\Users\Admin\AppData\Local\Temp\temp.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
Filesize
1.2MB

MD5
8e42f3a4a399d84e67ed633ba23863cb

SHA1
02ebfa5274214dcc48acfd24b8da3fb5cb93f6c6

SHA256
42716ea8beca9e555cef3b78a2fbf836c9da034318d625262810290309d955db

SHA512
0f6af721a89c2cf7249ecb1cc0a263c6252f8762b7381b35ccff6347d7d069799d2f0561bec0a651d690fbf29c98050bf15b604d3cca668b7437503ba102492f

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
Filesize
623KB

MD5
6e84b6096aaa18cabc30f1122d5af449

SHA1
e6729edd11b52055b5e34d39e5f3b8f071bbac4f

SHA256
c6b7f9119cf867951f007c5468f75eb4dca59c7eedeb0afdd8ad9d5b9606e759

SHA512
af5b33e7e190587bb152adf65fbcd4c1cd521f638863a6d1c7de29599cce6439b6c7b653180661cb0382007aefa0ae5a1b1b841eaaa116ce715f3a5ba0725a42

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
Filesize
3.6MB

MD5
c0ac85794f04cb1648989075e6dfa55c

SHA1
c4e2ae9b72b40cd2eca4a178400c3832ad1df89e

SHA256
a62f88cb577ffe115d6b712dc4c559d5b9852f055ebbab092fda223b5e0dd046

SHA512
ef2f2a9b04e20a0dc7f5f088119d0f6e32801948e11f7f7a05e1e80c0e4313b6faa2527e4e8f15f878219e593ee0afc8350ade9094beae4a0c1f5107e2cf6a15

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
Filesize
2.8MB

MD5
eb008f1890fed6dc7d13a25ff9c35724

SHA1
751d3b944f160b1f77c1c8852af25b65ae9d649c

SHA256
a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090

SHA512
9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
Filesize
534KB

MD5
051978153bcd2b1cf032fa1bf5a82020

SHA1
ec6d1d42905a1c92ccee5f4980898d7a1d72aa23

SHA256
88e90f04db57a472acacf1f4e7616d05a488fc7a1b41a468b357ac4419489940

SHA512
68dec8a12b2c10a9ff83907705c68c77284928d9349a8ba93808d09123752b84944505208d7d71540e340dcbb06e74c79fa24748098308eeecab5f80ab4e8d15

Download Submit
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
526KB

MD5
7ec5ddf3fcc6796ca4e49ba4b3cf196a

SHA1
0f5d6a04f70f466b3cbe1750d9be78da80579e07

SHA256
f71d62354d4c6eec8a9cd14db442b9a5f2a6550468b01bda06f82acaa8e0c9b8

SHA512
f3884675fd5d324843102bf7dcc22885962ce1feaaf9f2460af8de36d594102957da993576405f18686e04ac693b651fec22c4e66a9821329f53f712281c87ea

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
525KB

MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
Filesize
534KB

MD5
9f55bac10af986e036e32b0ce55c0e72

SHA1
a67519826bdc3e76ca0abec201c68869a31122c4

SHA256
8912ddc58ac2df57c6314620f661fae32d417c51b724b4c92e0055975f59072b

SHA512
b27b34e878b4de64ea75094a82d2745c73fd42873420a661dd6494941c331e0c397d6e9d67fe006a8e05c508fbaf9335fc3b7bd2a16d3cbf95da97b6d89eb105

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
526KB

MD5
7ec5ddf3fcc6796ca4e49ba4b3cf196a

SHA1
0f5d6a04f70f466b3cbe1750d9be78da80579e07

SHA256
f71d62354d4c6eec8a9cd14db442b9a5f2a6550468b01bda06f82acaa8e0c9b8

SHA512
f3884675fd5d324843102bf7dcc22885962ce1feaaf9f2460af8de36d594102957da993576405f18686e04ac693b651fec22c4e66a9821329f53f712281c87ea

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
714KB

MD5
24179b4581907abfef8a55ab41c97999

SHA1
e4de417476f43da4405f4340ebf6044f6b094337

SHA256
a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7

SHA512
6fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
536KB

MD5
31685b921fcd439185495e2bdc8c5ebf

SHA1
5d171dd1f2fc2ad55bde2e3c16a58abff07ae636

SHA256
4798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c

SHA512
04a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
525KB

MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Filesize
673KB

MD5
fbefde6ac78abf88621da3ccc7dd9daf

SHA1
ad230be204c8355a57a65b54e6db65e1dc19b617

SHA256
f74e5ffcd9d66becadd92a1f1add13fa88312825abb96cdf4aa6d2393c2495ba

SHA512
b254da4f8bb73ba0e8b14c99d1b2b1380d93a0aecff8677502da4fa4cb63a2a79b5e9f76970e2d6263f78db5ef0b0d15693ce5851a3b54e6c196a1007cd118b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Filesize
673KB

MD5
fbefde6ac78abf88621da3ccc7dd9daf

SHA1
ad230be204c8355a57a65b54e6db65e1dc19b617

SHA256
f74e5ffcd9d66becadd92a1f1add13fa88312825abb96cdf4aa6d2393c2495ba

SHA512
b254da4f8bb73ba0e8b14c99d1b2b1380d93a0aecff8677502da4fa4cb63a2a79b5e9f76970e2d6263f78db5ef0b0d15693ce5851a3b54e6c196a1007cd118b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
251KB

MD5
a4cc20b478e7d157bcf4e8198ab59569

SHA1
bb2d857d6ad41529c9eb96bb2056c5c615265fee

SHA256
a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41

SHA512
6e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d

Download Submit
C:\Windows\directx.sys
Filesize
43B

MD5
657c3ef749de8000cf38182d05f2659d

SHA1
87e776890090edb3e1c38b74d4760365227ba5a3

SHA256
453a0a9077781dce76cde7c146a2e405f50b3fca6f3827049b068731c6a4c25f

SHA512
3c9a98dce5439ad0b59a48dcd668c81e975056746fd4a557fc07a0e53d61bc53b85d215e05fc5f2811f2e7fe5f01b2ec6cb57912bbe3e66bd15f4ffbaa9dcff3

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
30268ff30af9c2179188a809ef2ddb5a

SHA1
ed389e7107e27936c9cba7cb81b3c6cb8b2c4eea

SHA256
af957861e3766cff6b0ae58ca97b716a3e8abfe3e54b01659f462d26b768d3f5

SHA512
e3a44993b7e2dfa1b2a10304978ad80ca6c9e3cefcff8adef42a7d2520fdc2769129af7a643cfae56617c8dbdd0f4d4ffc7d0804988561593944ec9a61bc7d89

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
30268ff30af9c2179188a809ef2ddb5a

SHA1
ed389e7107e27936c9cba7cb81b3c6cb8b2c4eea

SHA256
af957861e3766cff6b0ae58ca97b716a3e8abfe3e54b01659f462d26b768d3f5

SHA512
e3a44993b7e2dfa1b2a10304978ad80ca6c9e3cefcff8adef42a7d2520fdc2769129af7a643cfae56617c8dbdd0f4d4ffc7d0804988561593944ec9a61bc7d89

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
30268ff30af9c2179188a809ef2ddb5a

SHA1
ed389e7107e27936c9cba7cb81b3c6cb8b2c4eea

SHA256
af957861e3766cff6b0ae58ca97b716a3e8abfe3e54b01659f462d26b768d3f5

SHA512
e3a44993b7e2dfa1b2a10304978ad80ca6c9e3cefcff8adef42a7d2520fdc2769129af7a643cfae56617c8dbdd0f4d4ffc7d0804988561593944ec9a61bc7d89

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/1376-135-0x00007FFEA4480000-0x00007FFEA4EB6000-memory.dmp

Filesize
10.2MB

Download
memory/1376-132-0x0000000000000000-mapping.dmp

Download
memory/1436-152-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1436-140-0x0000000000000000-mapping.dmp

Download
memory/1436-143-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3392-151-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3392-149-0x0000000000000000-mapping.dmp

Download
memory/4496-136-0x0000000000000000-mapping.dmp

Download
memory/4512-145-0x0000000000000000-mapping.dmp

Download