Analysis
-
max time kernel
183s -
max time network
201s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 02:57
Behavioral task
behavioral1
Sample
557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Resource
win7-20220812-en
General
-
Target
557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
-
Size
713KB
-
MD5
4e99032cf799aad0a5b32fda617d3498
-
SHA1
e67deed6bfe806777b04266274713f3ed207fbff
-
SHA256
557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced
-
SHA512
21aa9b2b080684fb976ce3f1a97b51159feb7a8113e30375ae63ae929b49ef35782755dd4c35b3d5f1c1a4955638532839e31a885e475c8f867c4ba2799453e3
-
SSDEEP
12288:aKkRlAZIWi9UnAqyYkYIxPzO7/zeGI/l6HijbiPFFJuPLn:asZIWvnAGkYuqbvH7yPj
Malware Config
Extracted
darkcomet
Guest16
85.93.52.232:1604
DC_MUTEX-X9V30LL
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
PMQDeEGAfQts
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Detect Neshta payload 29 IoCs
Processes:
resource yara_rule C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\odt\OFFICE~1.EXE family_neshta C:\Windows\svchost.com family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE family_neshta C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe family_neshta C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe family_neshta C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe family_neshta C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE family_neshta C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE family_neshta C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE family_neshta C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe family_neshta C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE family_neshta C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE family_neshta C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE family_neshta C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe family_neshta C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE family_neshta C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE family_neshta C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE family_neshta C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE family_neshta C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE family_neshta C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE family_neshta -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
temp.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" temp.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 5 IoCs
Processes:
557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.comtemp.exesvchost.commsdcsc.exepid process 1376 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe 4496 svchost.com 1436 temp.exe 4512 svchost.com 3392 msdcsc.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\temp.exe upx C:\Users\Admin\AppData\Local\Temp\temp.exe upx C:\Users\Admin\AppData\Local\Temp\temp.exe upx behavioral2/memory/1436-143-0x0000000000400000-0x00000000004B7000-memory.dmp upx C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe upx C:\Users\Admin\Documents\MSDCSC\msdcsc.exe upx behavioral2/memory/3392-151-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/1436-152-0x0000000000400000-0x00000000004B7000-memory.dmp upx -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exetemp.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation temp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
temp.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" temp.exe -
Drops file in Program Files directory 64 IoCs
Processes:
557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.comdescription ioc process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE svchost.com File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe svchost.com File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE svchost.com File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE svchost.com File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe svchost.com File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE svchost.com File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe svchost.com File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe svchost.com File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE svchost.com File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe svchost.com File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe -
Drops file in Windows directory 5 IoCs
Processes:
557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.comsvchost.comdescription ioc process File opened for modification C:\Windows\svchost.com 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 3 IoCs
Processes:
557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exetemp.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings temp.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
temp.exemsdcsc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1436 temp.exe Token: SeSecurityPrivilege 1436 temp.exe Token: SeTakeOwnershipPrivilege 1436 temp.exe Token: SeLoadDriverPrivilege 1436 temp.exe Token: SeSystemProfilePrivilege 1436 temp.exe Token: SeSystemtimePrivilege 1436 temp.exe Token: SeProfSingleProcessPrivilege 1436 temp.exe Token: SeIncBasePriorityPrivilege 1436 temp.exe Token: SeCreatePagefilePrivilege 1436 temp.exe Token: SeBackupPrivilege 1436 temp.exe Token: SeRestorePrivilege 1436 temp.exe Token: SeShutdownPrivilege 1436 temp.exe Token: SeDebugPrivilege 1436 temp.exe Token: SeSystemEnvironmentPrivilege 1436 temp.exe Token: SeChangeNotifyPrivilege 1436 temp.exe Token: SeRemoteShutdownPrivilege 1436 temp.exe Token: SeUndockPrivilege 1436 temp.exe Token: SeManageVolumePrivilege 1436 temp.exe Token: SeImpersonatePrivilege 1436 temp.exe Token: SeCreateGlobalPrivilege 1436 temp.exe Token: 33 1436 temp.exe Token: 34 1436 temp.exe Token: 35 1436 temp.exe Token: 36 1436 temp.exe Token: SeIncreaseQuotaPrivilege 3392 msdcsc.exe Token: SeSecurityPrivilege 3392 msdcsc.exe Token: SeTakeOwnershipPrivilege 3392 msdcsc.exe Token: SeLoadDriverPrivilege 3392 msdcsc.exe Token: SeSystemProfilePrivilege 3392 msdcsc.exe Token: SeSystemtimePrivilege 3392 msdcsc.exe Token: SeProfSingleProcessPrivilege 3392 msdcsc.exe Token: SeIncBasePriorityPrivilege 3392 msdcsc.exe Token: SeCreatePagefilePrivilege 3392 msdcsc.exe Token: SeBackupPrivilege 3392 msdcsc.exe Token: SeRestorePrivilege 3392 msdcsc.exe Token: SeShutdownPrivilege 3392 msdcsc.exe Token: SeDebugPrivilege 3392 msdcsc.exe Token: SeSystemEnvironmentPrivilege 3392 msdcsc.exe Token: SeChangeNotifyPrivilege 3392 msdcsc.exe Token: SeRemoteShutdownPrivilege 3392 msdcsc.exe Token: SeUndockPrivilege 3392 msdcsc.exe Token: SeManageVolumePrivilege 3392 msdcsc.exe Token: SeImpersonatePrivilege 3392 msdcsc.exe Token: SeCreateGlobalPrivilege 3392 msdcsc.exe Token: 33 3392 msdcsc.exe Token: 34 3392 msdcsc.exe Token: 35 3392 msdcsc.exe Token: 36 3392 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exepid process 3392 msdcsc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exesvchost.comtemp.exesvchost.comdescription pid process target process PID 4344 wrote to memory of 1376 4344 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe PID 4344 wrote to memory of 1376 4344 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe PID 1376 wrote to memory of 4496 1376 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe svchost.com PID 1376 wrote to memory of 4496 1376 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe svchost.com PID 1376 wrote to memory of 4496 1376 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe svchost.com PID 4496 wrote to memory of 1436 4496 svchost.com temp.exe PID 4496 wrote to memory of 1436 4496 svchost.com temp.exe PID 4496 wrote to memory of 1436 4496 svchost.com temp.exe PID 1436 wrote to memory of 4512 1436 temp.exe svchost.com PID 1436 wrote to memory of 4512 1436 temp.exe svchost.com PID 1436 wrote to memory of 4512 1436 temp.exe svchost.com PID 4512 wrote to memory of 3392 4512 svchost.com msdcsc.exe PID 4512 wrote to memory of 3392 4512 svchost.com msdcsc.exe PID 4512 wrote to memory of 3392 4512 svchost.com msdcsc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe"C:\Users\Admin\AppData\Local\Temp\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\temp.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\temp.exeC:\Users\Admin\AppData\Local\Temp\temp.exe4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe"5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exeC:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXEFilesize
368KB
MD5a344438de9e499ca3d9038688440f406
SHA1c961917349de7e9d269f6f4a5593b6b9d3fcd4d2
SHA256715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557
SHA5128bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXEFilesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exeFilesize
2.4MB
MD58ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA2568268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA5120b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXEFilesize
183KB
MD59dfcdd1ab508b26917bb2461488d8605
SHA14ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA5121afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXEFilesize
254KB
MD54ddc609ae13a777493f3eeda70a81d40
SHA18957c390f9b2c136d37190e32bccae3ae671c80a
SHA25616d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950
SHA5129d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXEFilesize
386KB
MD58c753d6448183dea5269445738486e01
SHA1ebbbdc0022ca7487cd6294714cd3fbcb70923af9
SHA256473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997
SHA5124f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exeFilesize
125KB
MD5cce8964848413b49f18a44da9cb0a79b
SHA10b7452100d400acebb1c1887542f322a92cbd7ae
SHA256fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXEFilesize
278KB
MD512c29dd57aa69f45ddd2e47620e0a8d9
SHA1ba297aa3fe237ca916257bc46370b360a2db2223
SHA25622a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880
SHA512255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488
-
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exeFilesize
1.2MB
MD58e42f3a4a399d84e67ed633ba23863cb
SHA102ebfa5274214dcc48acfd24b8da3fb5cb93f6c6
SHA25642716ea8beca9e555cef3b78a2fbf836c9da034318d625262810290309d955db
SHA5120f6af721a89c2cf7249ecb1cc0a263c6252f8762b7381b35ccff6347d7d069799d2f0561bec0a651d690fbf29c98050bf15b604d3cca668b7437503ba102492f
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exeFilesize
623KB
MD56e84b6096aaa18cabc30f1122d5af449
SHA1e6729edd11b52055b5e34d39e5f3b8f071bbac4f
SHA256c6b7f9119cf867951f007c5468f75eb4dca59c7eedeb0afdd8ad9d5b9606e759
SHA512af5b33e7e190587bb152adf65fbcd4c1cd521f638863a6d1c7de29599cce6439b6c7b653180661cb0382007aefa0ae5a1b1b841eaaa116ce715f3a5ba0725a42
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exeFilesize
3.6MB
MD5c0ac85794f04cb1648989075e6dfa55c
SHA1c4e2ae9b72b40cd2eca4a178400c3832ad1df89e
SHA256a62f88cb577ffe115d6b712dc4c559d5b9852f055ebbab092fda223b5e0dd046
SHA512ef2f2a9b04e20a0dc7f5f088119d0f6e32801948e11f7f7a05e1e80c0e4313b6faa2527e4e8f15f878219e593ee0afc8350ade9094beae4a0c1f5107e2cf6a15
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXEFilesize
1.1MB
MD5a5d9eaa7d52bffc494a5f58203c6c1b5
SHA197928ba7b61b46a1a77a38445679d040ffca7cc8
SHA25634b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48
SHA512b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXEFilesize
2.8MB
MD5eb008f1890fed6dc7d13a25ff9c35724
SHA1751d3b944f160b1f77c1c8852af25b65ae9d649c
SHA256a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090
SHA5129cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXEFilesize
1.1MB
MD5a5d9eaa7d52bffc494a5f58203c6c1b5
SHA197928ba7b61b46a1a77a38445679d040ffca7cc8
SHA25634b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48
SHA512b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787
-
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exeFilesize
534KB
MD5051978153bcd2b1cf032fa1bf5a82020
SHA1ec6d1d42905a1c92ccee5f4980898d7a1d72aa23
SHA25688e90f04db57a472acacf1f4e7616d05a488fc7a1b41a468b357ac4419489940
SHA51268dec8a12b2c10a9ff83907705c68c77284928d9349a8ba93808d09123752b84944505208d7d71540e340dcbb06e74c79fa24748098308eeecab5f80ab4e8d15
-
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXEFilesize
526KB
MD57ec5ddf3fcc6796ca4e49ba4b3cf196a
SHA10f5d6a04f70f466b3cbe1750d9be78da80579e07
SHA256f71d62354d4c6eec8a9cd14db442b9a5f2a6550468b01bda06f82acaa8e0c9b8
SHA512f3884675fd5d324843102bf7dcc22885962ce1feaaf9f2460af8de36d594102957da993576405f18686e04ac693b651fec22c4e66a9821329f53f712281c87ea
-
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXEFilesize
525KB
MD50d9146d70ac6a41ead1ea2d50d729508
SHA1b9e6ff83a26aaf105640f5d5cdab213c989dc370
SHA2560b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab
SHA512c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3
-
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXEFilesize
495KB
MD507e194ce831b1846111eb6c8b176c86e
SHA1b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA51255f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5
-
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exeFilesize
534KB
MD59f55bac10af986e036e32b0ce55c0e72
SHA1a67519826bdc3e76ca0abec201c68869a31122c4
SHA2568912ddc58ac2df57c6314620f661fae32d417c51b724b4c92e0055975f59072b
SHA512b27b34e878b4de64ea75094a82d2745c73fd42873420a661dd6494941c331e0c397d6e9d67fe006a8e05c508fbaf9335fc3b7bd2a16d3cbf95da97b6d89eb105
-
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXEFilesize
6.7MB
MD563dc05e27a0b43bf25f151751b481b8c
SHA1b20321483dac62bce0aa0cef1d193d247747e189
SHA2567d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3
-
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXEFilesize
526KB
MD57ec5ddf3fcc6796ca4e49ba4b3cf196a
SHA10f5d6a04f70f466b3cbe1750d9be78da80579e07
SHA256f71d62354d4c6eec8a9cd14db442b9a5f2a6550468b01bda06f82acaa8e0c9b8
SHA512f3884675fd5d324843102bf7dcc22885962ce1feaaf9f2460af8de36d594102957da993576405f18686e04ac693b651fec22c4e66a9821329f53f712281c87ea
-
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXEFilesize
714KB
MD524179b4581907abfef8a55ab41c97999
SHA1e4de417476f43da4405f4340ebf6044f6b094337
SHA256a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7
SHA5126fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8
-
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXEFilesize
674KB
MD59c10a5ec52c145d340df7eafdb69c478
SHA157f3d99e41d123ad5f185fc21454367a7285db42
SHA256ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA5122704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f
-
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXEFilesize
536KB
MD531685b921fcd439185495e2bdc8c5ebf
SHA15d171dd1f2fc2ad55bde2e3c16a58abff07ae636
SHA2564798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c
SHA51204a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f
-
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXEFilesize
525KB
MD50d9146d70ac6a41ead1ea2d50d729508
SHA1b9e6ff83a26aaf105640f5d5cdab213c989dc370
SHA2560b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab
SHA512c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3
-
C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exeFilesize
673KB
MD5fbefde6ac78abf88621da3ccc7dd9daf
SHA1ad230be204c8355a57a65b54e6db65e1dc19b617
SHA256f74e5ffcd9d66becadd92a1f1add13fa88312825abb96cdf4aa6d2393c2495ba
SHA512b254da4f8bb73ba0e8b14c99d1b2b1380d93a0aecff8677502da4fa4cb63a2a79b5e9f76970e2d6263f78db5ef0b0d15693ce5851a3b54e6c196a1007cd118b9
-
C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exeFilesize
673KB
MD5fbefde6ac78abf88621da3ccc7dd9daf
SHA1ad230be204c8355a57a65b54e6db65e1dc19b617
SHA256f74e5ffcd9d66becadd92a1f1add13fa88312825abb96cdf4aa6d2393c2495ba
SHA512b254da4f8bb73ba0e8b14c99d1b2b1380d93a0aecff8677502da4fa4cb63a2a79b5e9f76970e2d6263f78db5ef0b0d15693ce5851a3b54e6c196a1007cd118b9
-
C:\Users\Admin\AppData\Local\Temp\temp.exeFilesize
251KB
MD5a4cc20b478e7d157bcf4e8198ab59569
SHA1bb2d857d6ad41529c9eb96bb2056c5c615265fee
SHA256a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41
SHA5126e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d
-
C:\Users\Admin\AppData\Local\Temp\temp.exeFilesize
251KB
MD5a4cc20b478e7d157bcf4e8198ab59569
SHA1bb2d857d6ad41529c9eb96bb2056c5c615265fee
SHA256a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41
SHA5126e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d
-
C:\Users\Admin\AppData\Local\Temp\temp.exeFilesize
251KB
MD5a4cc20b478e7d157bcf4e8198ab59569
SHA1bb2d857d6ad41529c9eb96bb2056c5c615265fee
SHA256a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41
SHA5126e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d
-
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exeFilesize
251KB
MD5a4cc20b478e7d157bcf4e8198ab59569
SHA1bb2d857d6ad41529c9eb96bb2056c5c615265fee
SHA256a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41
SHA5126e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
251KB
MD5a4cc20b478e7d157bcf4e8198ab59569
SHA1bb2d857d6ad41529c9eb96bb2056c5c615265fee
SHA256a57069ac9d4a70348d1f03d6ae20ac0d9b6ecce95d9652b473af3cc8a7fa9f41
SHA5126e79d5ca2e83cd6b37ead747dbd1222b621857faa57cfe8c32618536fc38b983ec572e0567f4e84c7238722c8cd8046290eaccf7bcfccb76de989b258c8fdb7d
-
C:\Windows\directx.sysFilesize
43B
MD5657c3ef749de8000cf38182d05f2659d
SHA187e776890090edb3e1c38b74d4760365227ba5a3
SHA256453a0a9077781dce76cde7c146a2e405f50b3fca6f3827049b068731c6a4c25f
SHA5123c9a98dce5439ad0b59a48dcd668c81e975056746fd4a557fc07a0e53d61bc53b85d215e05fc5f2811f2e7fe5f01b2ec6cb57912bbe3e66bd15f4ffbaa9dcff3
-
C:\Windows\svchost.comFilesize
40KB
MD530268ff30af9c2179188a809ef2ddb5a
SHA1ed389e7107e27936c9cba7cb81b3c6cb8b2c4eea
SHA256af957861e3766cff6b0ae58ca97b716a3e8abfe3e54b01659f462d26b768d3f5
SHA512e3a44993b7e2dfa1b2a10304978ad80ca6c9e3cefcff8adef42a7d2520fdc2769129af7a643cfae56617c8dbdd0f4d4ffc7d0804988561593944ec9a61bc7d89
-
C:\Windows\svchost.comFilesize
40KB
MD530268ff30af9c2179188a809ef2ddb5a
SHA1ed389e7107e27936c9cba7cb81b3c6cb8b2c4eea
SHA256af957861e3766cff6b0ae58ca97b716a3e8abfe3e54b01659f462d26b768d3f5
SHA512e3a44993b7e2dfa1b2a10304978ad80ca6c9e3cefcff8adef42a7d2520fdc2769129af7a643cfae56617c8dbdd0f4d4ffc7d0804988561593944ec9a61bc7d89
-
C:\Windows\svchost.comFilesize
40KB
MD530268ff30af9c2179188a809ef2ddb5a
SHA1ed389e7107e27936c9cba7cb81b3c6cb8b2c4eea
SHA256af957861e3766cff6b0ae58ca97b716a3e8abfe3e54b01659f462d26b768d3f5
SHA512e3a44993b7e2dfa1b2a10304978ad80ca6c9e3cefcff8adef42a7d2520fdc2769129af7a643cfae56617c8dbdd0f4d4ffc7d0804988561593944ec9a61bc7d89
-
C:\odt\OFFICE~1.EXEFilesize
5.1MB
MD502c3d242fe142b0eabec69211b34bc55
SHA1ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA2562a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA5120efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
-
memory/1376-135-0x00007FFEA4480000-0x00007FFEA4EB6000-memory.dmpFilesize
10.2MB
-
memory/1376-132-0x0000000000000000-mapping.dmp
-
memory/1436-152-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/1436-140-0x0000000000000000-mapping.dmp
-
memory/1436-143-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3392-151-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3392-149-0x0000000000000000-mapping.dmp
-
memory/4496-136-0x0000000000000000-mapping.dmp
-
memory/4512-145-0x0000000000000000-mapping.dmp