darkcomet | fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d

Analysis

max time kernel
151s
max time network
165s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe
Size

2.6MB
MD5

10c0e1e14e177d1486d99c3a91d84969
SHA1

c0b90a929ff7a8c1c14ee554f2cc55a39605217e
SHA256

fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d
SHA512

2d83e9fd63d40c2ee020c63878e2c5e421944a458f516741cfefa539de3649f59e3c64dfeab3496dd8c291a4f9756cc37cc3fe5f59d2e861e5a8553f417d3237
SSDEEP

49152:Txjs/ylV/q8f7NHOiCR577tOReeel4+GnBdJFEwks51SjaU7/fMP0:TxcylVyABa5PgdFZnBtE+10

Score

10^/10

darkcomet ±ö¿í16 bootkit evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

±ö¿Í16

heiseyinmou.gnway.net:2012

Mutex

DC_MUTEX-F4ZWV0U

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
czMVsH3hot1Q
install
true
offline_keylogger
true
persistence
true
reg_key
΢�͸��

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

okko1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	okko1.exe

Executes dropped EXE 3 IoCs

Processes:

maqi1.exeokko1.exemsdcsc.exe

pid process

1168 maqi1.exe
692 okko1.exe
1288 msdcsc.exe

pid	process
1168	maqi1.exe
692	okko1.exe
1288	msdcsc.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

okko1.exemsdcsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	okko1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	msdcsc.exe

Loads dropped DLL 6 IoCs

Processes:

cmd.execmd.exeokko1.exe

pid process

1568 cmd.exe
1568 cmd.exe
1500 cmd.exe
1500 cmd.exe
692 okko1.exe
692 okko1.exe

pid	process
1568	cmd.exe
1568	cmd.exe
1500	cmd.exe
1500	cmd.exe
692	okko1.exe
692	okko1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

okko1.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Î¢ÐÍ¸üÐÂ = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	okko1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Î¢ÐÍ¸üÐÂ = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

okko1.exemsdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	okko1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdcsc.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

okko1.exemsdcsc.exe

description ioc process

File opened for modification \??\PhysicalDrive0 okko1.exe
File opened for modification \??\PhysicalDrive0 msdcsc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

okko1.exemsdcsc.exe

pid process

692 okko1.exe
1288 msdcsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

okko1.exemsdcsc.exe

pid process

692 okko1.exe
1288 msdcsc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	okko1.exe
File opened for modification	\??\PhysicalDrive0	msdcsc.exe

pid	process
692	okko1.exe
1288	msdcsc.exe

pid	process
692	okko1.exe
1288	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

okko1.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	692	okko1.exe
Token: SeSecurityPrivilege	692	okko1.exe
Token: SeTakeOwnershipPrivilege	692	okko1.exe
Token: SeLoadDriverPrivilege	692	okko1.exe
Token: SeSystemProfilePrivilege	692	okko1.exe
Token: SeSystemtimePrivilege	692	okko1.exe
Token: SeProfSingleProcessPrivilege	692	okko1.exe
Token: SeIncBasePriorityPrivilege	692	okko1.exe
Token: SeCreatePagefilePrivilege	692	okko1.exe
Token: SeBackupPrivilege	692	okko1.exe
Token: SeRestorePrivilege	692	okko1.exe
Token: SeShutdownPrivilege	692	okko1.exe
Token: SeDebugPrivilege	692	okko1.exe
Token: SeSystemEnvironmentPrivilege	692	okko1.exe
Token: SeChangeNotifyPrivilege	692	okko1.exe
Token: SeRemoteShutdownPrivilege	692	okko1.exe
Token: SeUndockPrivilege	692	okko1.exe
Token: SeManageVolumePrivilege	692	okko1.exe
Token: SeImpersonatePrivilege	692	okko1.exe
Token: SeCreateGlobalPrivilege	692	okko1.exe
Token: 33	692	okko1.exe
Token: 34	692	okko1.exe
Token: 35	692	okko1.exe
Token: SeIncreaseQuotaPrivilege	1288	msdcsc.exe
Token: SeSecurityPrivilege	1288	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1288	msdcsc.exe
Token: SeLoadDriverPrivilege	1288	msdcsc.exe
Token: SeSystemProfilePrivilege	1288	msdcsc.exe
Token: SeSystemtimePrivilege	1288	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1288	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1288	msdcsc.exe
Token: SeCreatePagefilePrivilege	1288	msdcsc.exe
Token: SeBackupPrivilege	1288	msdcsc.exe
Token: SeRestorePrivilege	1288	msdcsc.exe
Token: SeShutdownPrivilege	1288	msdcsc.exe
Token: SeDebugPrivilege	1288	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1288	msdcsc.exe
Token: SeChangeNotifyPrivilege	1288	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1288	msdcsc.exe
Token: SeUndockPrivilege	1288	msdcsc.exe
Token: SeManageVolumePrivilege	1288	msdcsc.exe
Token: SeImpersonatePrivilege	1288	msdcsc.exe
Token: SeCreateGlobalPrivilege	1288	msdcsc.exe
Token: 33	1288	msdcsc.exe
Token: 34	1288	msdcsc.exe
Token: 35	1288	msdcsc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

maqi1.exemsdcsc.exe

pid process

1168 maqi1.exe
1168 maqi1.exe
1288 msdcsc.exe

pid	process
1168	maqi1.exe
1168	maqi1.exe
1288	msdcsc.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exeWScript.execmd.execmd.exeokko1.exe

description	pid	process	target process
PID 1960 wrote to memory of 944	1960	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe	WScript.exe
PID 1960 wrote to memory of 944	1960	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe	WScript.exe
PID 1960 wrote to memory of 944	1960	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe	WScript.exe
PID 1960 wrote to memory of 944	1960	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe	WScript.exe
PID 1960 wrote to memory of 944	1960	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe	WScript.exe
PID 1960 wrote to memory of 944	1960	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe	WScript.exe
PID 1960 wrote to memory of 944	1960	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe	WScript.exe
PID 944 wrote to memory of 1568	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1568	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1568	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1568	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1568	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1568	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1568	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1500	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1500	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1500	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1500	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1500	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1500	944	WScript.exe	cmd.exe
PID 944 wrote to memory of 1500	944	WScript.exe	cmd.exe
PID 1568 wrote to memory of 1168	1568	cmd.exe	maqi1.exe
PID 1568 wrote to memory of 1168	1568	cmd.exe	maqi1.exe
PID 1568 wrote to memory of 1168	1568	cmd.exe	maqi1.exe
PID 1568 wrote to memory of 1168	1568	cmd.exe	maqi1.exe
PID 1568 wrote to memory of 1168	1568	cmd.exe	maqi1.exe
PID 1568 wrote to memory of 1168	1568	cmd.exe	maqi1.exe
PID 1568 wrote to memory of 1168	1568	cmd.exe	maqi1.exe
PID 1500 wrote to memory of 692	1500	cmd.exe	okko1.exe
PID 1500 wrote to memory of 692	1500	cmd.exe	okko1.exe
PID 1500 wrote to memory of 692	1500	cmd.exe	okko1.exe
PID 1500 wrote to memory of 692	1500	cmd.exe	okko1.exe
PID 1500 wrote to memory of 692	1500	cmd.exe	okko1.exe
PID 1500 wrote to memory of 692	1500	cmd.exe	okko1.exe
PID 1500 wrote to memory of 692	1500	cmd.exe	okko1.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1676	692	okko1.exe	notepad.exe
PID 692 wrote to memory of 1288	692	okko1.exe	msdcsc.exe
PID 692 wrote to memory of 1288	692	okko1.exe	msdcsc.exe
PID 692 wrote to memory of 1288	692	okko1.exe	msdcsc.exe
PID 692 wrote to memory of 1288	692	okko1.exe	msdcsc.exe
PID 692 wrote to memory of 1288	692	okko1.exe	msdcsc.exe
PID 692 wrote to memory of 1288	692	okko1.exe	msdcsc.exe
PID 692 wrote to memory of 1288	692	okko1.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe
"C:\Users\Admin\AppData\Local\Temp\fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c maqi1.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\RarSFX0\maqi1.exe
maqi1.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c okko1.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\RarSFX0\okko1.exe
okko1.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:1676

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
5⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbs
Filesize
106B

MD5
e747a0e254ab7f22c2b8ee54df6e5bb8

SHA1
92a5caa16fd59ddebdf587ba4a63ac51803180a6

SHA256
27748d903993b59f21a8d6ed85a0c20be4a5eabb87812c084a72354386146cd3

SHA512
a9e2759db18734c0ef1dadee1fa98d459f6efbdf37197f3df76671e22da11440062dc06108529d6c7272f9a875c51b1a78c635a72c3c87ebca3940ce763d8fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\maqi1.exe
Filesize
20KB

MD5
5eff78e5cca75e6c30fc246d788a6ab2

SHA1
8b09f99a3304afa60ef0559efbc94162de09ca39

SHA256
01960035d76685f023298fd55d5ff2da022ca531673e517eed5c28bb7f8e4e33

SHA512
ce6b16cbe6f4633f0f19c1de496f8a67e47dfb7db7e4dd4b3bb6c36ae8908b34c4ffd6a3e2552ef634ab9f296b2075c476cff257f72692cb9bd0458bc41c8d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\maqi1.exe
Filesize
20KB

MD5
5eff78e5cca75e6c30fc246d788a6ab2

SHA1
8b09f99a3304afa60ef0559efbc94162de09ca39

SHA256
01960035d76685f023298fd55d5ff2da022ca531673e517eed5c28bb7f8e4e33

SHA512
ce6b16cbe6f4633f0f19c1de496f8a67e47dfb7db7e4dd4b3bb6c36ae8908b34c4ffd6a3e2552ef634ab9f296b2075c476cff257f72692cb9bd0458bc41c8d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\okko1.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\okko1.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\maqi1.exe
Filesize
20KB

MD5
5eff78e5cca75e6c30fc246d788a6ab2

SHA1
8b09f99a3304afa60ef0559efbc94162de09ca39

SHA256
01960035d76685f023298fd55d5ff2da022ca531673e517eed5c28bb7f8e4e33

SHA512
ce6b16cbe6f4633f0f19c1de496f8a67e47dfb7db7e4dd4b3bb6c36ae8908b34c4ffd6a3e2552ef634ab9f296b2075c476cff257f72692cb9bd0458bc41c8d37

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\maqi1.exe
Filesize
20KB

MD5
5eff78e5cca75e6c30fc246d788a6ab2

SHA1
8b09f99a3304afa60ef0559efbc94162de09ca39

SHA256
01960035d76685f023298fd55d5ff2da022ca531673e517eed5c28bb7f8e4e33

SHA512
ce6b16cbe6f4633f0f19c1de496f8a67e47dfb7db7e4dd4b3bb6c36ae8908b34c4ffd6a3e2552ef634ab9f296b2075c476cff257f72692cb9bd0458bc41c8d37

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\okko1.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\okko1.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
memory/692-71-0x0000000000000000-mapping.dmp

Download
memory/692-84-0x0000000007AB0000-0x000000000801E000-memory.dmp

Filesize
5.4MB

Download
memory/692-75-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/692-86-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/692-78-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/944-55-0x0000000000000000-mapping.dmp

Download
memory/1168-64-0x0000000000000000-mapping.dmp

Download
memory/1288-87-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/1288-81-0x0000000000000000-mapping.dmp

Download
memory/1288-85-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/1288-89-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/1288-90-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/1500-60-0x0000000000000000-mapping.dmp

Download
memory/1500-74-0x0000000002180000-0x00000000026EE000-memory.dmp

Filesize
5.4MB

Download
memory/1568-58-0x0000000000000000-mapping.dmp

Download
memory/1676-76-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download