darkcomet | 3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2025, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Size

659KB
MD5

2767d03d18bb350f7a79727d88ed6055
SHA1

319636dd0a845cca392706ed3668eec3681c99fa
SHA256

3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784
SHA512

634e4ae7e2ff933ba40ea69e35332021923ce8c715c1b2d384241f1b8dc8aba894df511cea320545a2a3e6e01437752955bbdcfe8263833976d6054a46744e47
SSDEEP

12288:OQ50wlFE0Zen1Rm8bvfShkU0n4eujffBjmcXI2L2WoH6HCGePcatHl9/+:TWJm8bvK+U0MjRjmcXp2BoCGmn9

Score

10^/10

darkcomet stdeb discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

STDeb

127.0.0.1:1604

allseeingeyes.ddns.net:1604

allseeingeyes.ddns.net:50

allseeingeyes.ddns.net:51

allseeingeyes.ddns.net:52

allseeingeyes.ddns.net:139

Mutex

DC_MUTEX-BH7SGT0

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
J6rFjSkS7kJD
install
true
offline_keylogger
true
persistence
true
reg_key
winupdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Executes dropped EXE 2 IoCs

pid	Process
1700	msdcsc.exe
3920	msdcsc.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\JLQOfFxw.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\JLQOfFxw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\QfJtQOxr.exe"	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\QfJtQOxr.exe"	reg.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 1700 set thread context of 3920	1700	msdcsc.exe	100
PID 4460 set thread context of 2264	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	104
PID 4460 set thread context of 1352	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	111
PID 4460 set thread context of 4800	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	115
PID 4460 set thread context of 3676	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	116
PID 4460 set thread context of 2968	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	119
PID 4460 set thread context of 2408	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	120
PID 4460 set thread context of 4856	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	123
PID 4460 set thread context of 4492	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	126
PID 4460 set thread context of 2572	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	127

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
1700	msdcsc.exe
4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
1700	msdcsc.exe
4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
1700	msdcsc.exe
4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
1700	msdcsc.exe
4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
1700	msdcsc.exe
4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
1700	msdcsc.exe
4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
1700	msdcsc.exe
4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
1700	msdcsc.exe
4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
1700	msdcsc.exe
4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
1700	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeIncreaseQuotaPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSecurityPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeTakeOwnershipPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeLoadDriverPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemProfilePrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemtimePrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeProfSingleProcessPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeIncBasePriorityPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeCreatePagefilePrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeBackupPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeRestorePrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeShutdownPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeDebugPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemEnvironmentPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeChangeNotifyPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeRemoteShutdownPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeUndockPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeManageVolumePrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeImpersonatePrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeCreateGlobalPrivilege	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 33	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 34	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 35	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 36	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeDebugPrivilege	1700	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	3920	msdcsc.exe
Token: SeSecurityPrivilege	3920	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3920	msdcsc.exe
Token: SeLoadDriverPrivilege	3920	msdcsc.exe
Token: SeSystemProfilePrivilege	3920	msdcsc.exe
Token: SeSystemtimePrivilege	3920	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3920	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3920	msdcsc.exe
Token: SeCreatePagefilePrivilege	3920	msdcsc.exe
Token: SeBackupPrivilege	3920	msdcsc.exe
Token: SeRestorePrivilege	3920	msdcsc.exe
Token: SeShutdownPrivilege	3920	msdcsc.exe
Token: SeDebugPrivilege	3920	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3920	msdcsc.exe
Token: SeChangeNotifyPrivilege	3920	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3920	msdcsc.exe
Token: SeUndockPrivilege	3920	msdcsc.exe
Token: SeManageVolumePrivilege	3920	msdcsc.exe
Token: SeImpersonatePrivilege	3920	msdcsc.exe
Token: SeCreateGlobalPrivilege	3920	msdcsc.exe
Token: 33	3920	msdcsc.exe
Token: 34	3920	msdcsc.exe
Token: 35	3920	msdcsc.exe
Token: 36	3920	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSecurityPrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeTakeOwnershipPrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeLoadDriverPrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemProfilePrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemtimePrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeProfSingleProcessPrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeIncBasePriorityPrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeCreatePagefilePrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeBackupPrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeRestorePrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeShutdownPrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeDebugPrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemEnvironmentPrivilege	2264	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3920	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 2276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	86
PID 4460 wrote to memory of 2276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	86
PID 4460 wrote to memory of 2276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	86
PID 2276 wrote to memory of 2440	2276	csc.exe	89
PID 2276 wrote to memory of 2440	2276	csc.exe	89
PID 2276 wrote to memory of 2440	2276	csc.exe	89
PID 4460 wrote to memory of 4676	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	91
PID 4460 wrote to memory of 4676	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	91
PID 4460 wrote to memory of 4676	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	91
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4276	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	92
PID 4460 wrote to memory of 4924	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	93
PID 4460 wrote to memory of 4924	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	93
PID 4460 wrote to memory of 4924	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	93
PID 4924 wrote to memory of 212	4924	cmd.exe	95
PID 4924 wrote to memory of 212	4924	cmd.exe	95
PID 4924 wrote to memory of 212	4924	cmd.exe	95
PID 4276 wrote to memory of 1700	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	96
PID 4276 wrote to memory of 1700	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	96
PID 4276 wrote to memory of 1700	4276	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	96
PID 1700 wrote to memory of 4228	1700	msdcsc.exe	97
PID 1700 wrote to memory of 4228	1700	msdcsc.exe	97
PID 1700 wrote to memory of 4228	1700	msdcsc.exe	97
PID 4228 wrote to memory of 4404	4228	csc.exe	99
PID 4228 wrote to memory of 4404	4228	csc.exe	99
PID 4228 wrote to memory of 4404	4228	csc.exe	99
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 3920	1700	msdcsc.exe	100
PID 1700 wrote to memory of 864	1700	msdcsc.exe	101
PID 1700 wrote to memory of 864	1700	msdcsc.exe	101
PID 1700 wrote to memory of 864	1700	msdcsc.exe	101
PID 864 wrote to memory of 1224	864	cmd.exe	103
PID 864 wrote to memory of 1224	864	cmd.exe	103
PID 864 wrote to memory of 1224	864	cmd.exe	103
PID 4460 wrote to memory of 2264	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	104
PID 4460 wrote to memory of 2264	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	104
PID 4460 wrote to memory of 2264	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	104
PID 4460 wrote to memory of 2264	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	104
PID 4460 wrote to memory of 2264	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	104
PID 4460 wrote to memory of 2264	4460	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	104

C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
"C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2vsax4ot.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B95.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9B94.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7q43i9cn.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F9C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F8C.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
  - - C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
      "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3920
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JLQOfFxw.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JLQOfFxw.exe
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1224
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\QfJtQOxr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\QfJtQOxr.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:212
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:4056
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:212
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:4964
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3676
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2vsax4ot.dll

Filesize
1.3MB

MD5
7732aed667cbfab575ef98fcefa92d99

SHA1
932e66a1722728c72ffe771cdac298cb0b43991a

SHA256
ecc0078d00857a1137b60e9f734acb613065bd2633600c9116a9e8a426dd5940

SHA512
d7fed310bed61f327b625798aa5a3ee351d142df05ac394b22b32b374f8549ec26809f7712bec0326c10a0c94e0ff45dfda01837c918cde78fc429e22e0d89eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7q43i9cn.dll

Filesize
1.3MB

MD5
fc6c25e66dd1372e9f8615d58c1fc121

SHA1
281ac9a914b31d35a246b21be9feb136a93e07eb

SHA256
cf2db6dbc515d62a3fe604fc9e18284c76581aeee5524b1088d401c77929e013

SHA512
b2add3f4475ad5731a4c608c81ba8fe083a0adba33b23e8b6760ec9135354d2daf202a4523da0b22cb9e29aa8ad770f75a0c61ad4937e17f1f202ac1704f147a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9B95.tmp

Filesize
1KB

MD5
7f5d9fc271abc20bb4d1f70e74abc82f

SHA1
72a6859f0e476ae7699563914b17c34e389dd38c

SHA256
e15506ed2ed4cf27ac1c81d31ecdf1b5cdab6aac11a81e0828beb5f1ced64b09

SHA512
856e68c53806a1de4792f1a2f273c6dd2a705592deb3436200e64b0231fd67acd2254282fdffc3ce51d1b923f6097a716622257954f0c80c6aa1d4feb24f3838

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F9C.tmp

Filesize
1KB

MD5
4e9bdd233a24f9b1e5e2cb95fc6dc2b4

SHA1
90c2912a07101060d5be88b287dc55b190a5e916

SHA256
a6605612142ef986e35bc19d6eb524dbddf7c8a4f075c11936dd4ef9b314b209

SHA512
e62cfa84ee84bf587398ebbeef616b0db5f04a77bbe4c3f34bbea54032ac10803e0aeca4efff32cbd46e1cbe24c46aa08906176cf2582236d84d173f4bc80ab7

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe

Filesize
659KB

MD5
2767d03d18bb350f7a79727d88ed6055

SHA1
319636dd0a845cca392706ed3668eec3681c99fa

SHA256
3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784

SHA512
634e4ae7e2ff933ba40ea69e35332021923ce8c715c1b2d384241f1b8dc8aba894df511cea320545a2a3e6e01437752955bbdcfe8263833976d6054a46744e47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2vsax4ot.cmdline

Filesize
196B

MD5
93a1b7d0f976f81082eb30a1daa2957b

SHA1
3d2802eb3050e5cecb8864964d5fd515a6e9713b

SHA256
34bfba895628047ce7eac943d53e6f34b79f6d887dd2bb3d8326500a94fb1545

SHA512
ab5717c3334ad903f0686ac4bc284a20e21fe03bc5ffcf03b4bd776573971a04fc1c378e88b163431277313e91d995b1bc57c5b23091340b71a6638a3e128ef2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7q43i9cn.cmdline

Filesize
196B

MD5
66bd22efd7ec301682bdb69eeb0d6cc1

SHA1
6f3614b44076e8af65a029bbb1a928069c912214

SHA256
80e5554695cee10f85c96a96ccb051c1cf41d005c66073feb0954553b88e40b8

SHA512
6f92cc9e05a6cebfb1c76e2317a41603984f85de0ecd0e3a7cd99beda204e4bd812822937b18c278d5a876e6995da05084191c308c730b0fdac4397f1f44c760

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9B94.tmp

Filesize
652B

MD5
3936ebde48cd2b4dd0d48c03cd26a0c9

SHA1
38a3ebc999b9f3706bd6e0300e8697846fc68767

SHA256
f393e7a738c5c3be4b26a3826f4630d1039d602bdaea098a4017830df8079b2a

SHA512
0ca87e61eb2d1f3631e7dce3b0401aefd420071c680d5704c343dd7c44e8a1a9aced9793833bdbd39734da44ed179bbde03f6d322c4a13b9c0918673c49dc88f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9F8C.tmp

Filesize
652B

MD5
c8035c338c89bed1ad2106c7447bc22b

SHA1
22236d33bd1dc28a996d388913d2efdc8e0a8391

SHA256
cc6b10b85dac2bf30bda317cf86226a702c6d177ee50cdc733b99f814355c63c

SHA512
47b58063448928d93592dcdfff0ff6e524abdcce8caa7e4f9424800cae100a7ce9dd0453460efa045e8ddba306c837a75738e3124cb2ab9a21688f6241e830b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp9A8A.tmp.txt

Filesize
649KB

MD5
7120e9abe458cf85d553fe8ba1829632

SHA1
a5c9afe205d92681fdcae316c25a21d8bd0b63a2

SHA256
094a826cc6904668cf2894ed5f71c8d6240bd5e85b0cb6cb500c9cbbbbdb5007

SHA512
c3d912ecdfb8ab7c78867a1f65fbce42a4d48cf5f04be5a48dfc4828b44c5b63bcdc4d822c5fd1e03d69b68babd50fec7fa62f4df26269bdf0018c2053b7e706

Download Submit
memory/1352-149-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1352-150-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2264-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2264-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2276-16-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2276-9-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/3920-120-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3920-121-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3920-119-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4276-31-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/4276-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4276-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4276-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4276-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4276-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4276-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4276-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4276-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4460-123-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4460-124-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4460-0-0x0000000074F22000-0x0000000074F23000-memory.dmp

Filesize
4KB

Download
memory/4460-122-0x0000000074F22000-0x0000000074F23000-memory.dmp

Filesize
4KB

Download
memory/4460-2-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4460-1-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4800-163-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4800-162-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download