Analysis Overview
SHA256
bffdb13b50fb76a4e85e4e027e166271dbe2cc9ccaf19fbff4ba8cfeeb6ea297
Threat Level: Known bad
The file JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868 was found to be: Known bad.
Malicious Activity Summary
Darkcomet family
Darkcomet
Modifies WinLogon for persistence
Sets file to hidden
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-01 07:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-01 07:30
Reported
2025-03-01 07:32
Platform
win7-20241010-en
Max time kernel
64s
Max time network
19s
Command Line
Signatures
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1680 set thread context of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67D7.tmp" "c:\Users\Admin\AppData\Local\Temp\uthv5ulj\CSC611A5B993A8748969C5B7492A1C03C21.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
Network
Files
\??\c:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.cmdline
| Hash | Value |
|---|---|
| MD5 | a3d3552b879688f2de8596c2c146afd4 |
| SHA1 | 3ce4d602ea4f163b97c572c5f9a830494b78b35e |
| SHA256 | ae002cee780c9d95b723c51ccd92565a9ffe6906de98a0254c4e1c17176096d8 |
| SHA512 | cbeff8adc53b6456dfa0123b0d002a62510c4a3484334c582127bbaa978c850670815c64b08e91eb815c20f2df43453201a4336eb086cc81f155fe811b34ac98 |
\??\c:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.0.cs
| Hash | Value |
|---|---|
| MD5 | f60a1218bfdab4f9b0176d4e1a15ec68 |
| SHA1 | 2222a76846b6caf120589f7120a5a41f8811761d |
| SHA256 | fa9031f18b423c4d078667222b009f1d285149b93d60029feab549fc6d46a927 |
| SHA512 | c082a09f8e8b20776d5d1397b6a781c293df15a421c1f93e069df8df8fe59580100c7347deef3185c8104ecce2eae6fabfc44994805d21a23123a6a9cd763bc6 |
\??\c:\Users\Admin\AppData\Local\Temp\uthv5ulj\CSC611A5B993A8748969C5B7492A1C03C21.TMP
| Hash | Value |
|---|---|
| MD5 | 67674598d46ac43798275c4db02cf508 |
| SHA1 | 051f140f2fba34cdb9c6e9b0bb418a566e5259a1 |
| SHA256 | ea6b4c99394a5f52773ff75744f75901dfa53a08e3d12fbfb453f44403ab4b04 |
| SHA512 | bfcbe48dec5d5208a15cfe427a5e93c4c0ee71288f1aa9a095b9768933304e06d5719c5373307696964610ef77d814eefc0263c92c7160380fc4df1ceb6d6197 |
C:\Users\Admin\AppData\Local\Temp\RES67D7.tmp
| Hash | Value |
|---|---|
| MD5 | 55ac2fa1c8ec9bd874b7637526af95bd |
| SHA1 | 0be19a8e6cacbdd24bd3418553ca00d1ed5524ac |
| SHA256 | 59f1287bcdd3c0670fdd60166301c640d6510c0ae3f6dd7527bd50fdc762244d |
| SHA512 | ce62b2cf0a26a227ac626bdd3d046a3a65f60fbeb6b7a4d0374202e1f290d23de8ad8b43a09cbd28994a0f52c853d2ac32180c176b6a84180950abc8f556405c |
C:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.dll
| Hash | Value |
|---|---|
| MD5 | 9c9f86d31abc94dc2a450c2f957caba1 |
| SHA1 | aafa44781d8ed3ab7b975ea6f5ecd81d4a40f813 |
| SHA256 | b169ca4c43ad0fb39e8298e4d6b0dc601dd9acca1096389fba11d94ba795d7e9 |
| SHA512 | f7847b9e07d12d11999b990f7e6b89e3e3117ba4d1e2d30c040f34c6ca20ec51717d767c4d84f823de025dbcc80fcb2c8276702a9c42868fe420bd66a71949c2 |
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
| Hash | Value |
|---|---|
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-01 07:30
Reported
2025-03-01 07:32
Platform
win10v2004-20250217-en
Max time kernel
120s
Max time network
140s
Command Line
Signatures
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1452 set thread context of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | C:\Windows\SysWOW64\attrib.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04fdikmx\04fdikmx.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EB8.tmp" "c:\Users\Admin\AppData\Local\Temp\04fdikmx\CSC815E8200991A41CEA99D9F1AB8EFF7EE.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\04fdikmx\04fdikmx.cmdline
| Hash | Value |
|---|---|
| MD5 | 970797d6fe506b798585f556d5f8b974 |
| SHA1 | ff17371ae2915ed118a4f881c02317625c7af08c |
| SHA256 | 71fc03136bb2d0142863b0d53b1065d2c460e0f384f7b628124202857c24dfc5 |
| SHA512 | 360576ae861a9d337c065e1ae22ae86df79e166a84709b73a89058d332d7faa022c2e2f0f300064b50976c43bfc182532411284d98426c300577a4efcf749d70 |
\??\c:\Users\Admin\AppData\Local\Temp\04fdikmx\04fdikmx.0.cs
| Hash | Value |
|---|---|
| MD5 | f60a1218bfdab4f9b0176d4e1a15ec68 |
| SHA1 | 2222a76846b6caf120589f7120a5a41f8811761d |
| SHA256 | fa9031f18b423c4d078667222b009f1d285149b93d60029feab549fc6d46a927 |
| SHA512 | c082a09f8e8b20776d5d1397b6a781c293df15a421c1f93e069df8df8fe59580100c7347deef3185c8104ecce2eae6fabfc44994805d21a23123a6a9cd763bc6 |
\??\c:\Users\Admin\AppData\Local\Temp\04fdikmx\CSC815E8200991A41CEA99D9F1AB8EFF7EE.TMP
| Hash | Value |
|---|---|
| MD5 | 3c8a5dfaaf48e41086594de9f97e29c6 |
| SHA1 | a6814592b5a64d8752e0bd371bcb408b057f3ddb |
| SHA256 | 1a756e8274706986a39749ad42cb36a95d6ef91b1824d238d825da9ac2ff02f6 |
| SHA512 | a02f6ab135fcce155b90a156c4bcb1c37bb3b3495e9533b82463c1d62ac1234f3a5b75275fac3c3b7fbd2e25f57034e73d89da0786a66b825cce9ecabb887fa7 |
C:\Users\Admin\AppData\Local\Temp\RES6EB8.tmp
| Hash | Value |
|---|---|
| MD5 | 23dca0039787962e6b56c3f4faa7c6a6 |
| SHA1 | f3c66040f28ce16456427ee9749def89f6bd91c1 |
| SHA256 | 0d89705db1207728b06cbc48d7daeb54bdba3db3484a49a7d0c27b7f1c0afdd4 |
| SHA512 | 384f5609659baeb5daf7c917c34099ed7b752b59390ecc52dc304b738ca3a62d5719e8b984be1b6c3474edf0f98f87cf14c20697d25fa009a82ae457ca697b23 |
C:\Users\Admin\AppData\Local\Temp\04fdikmx\04fdikmx.dll
| Hash | Value |
|---|---|
| MD5 | a596f6e581c6dcde21fd4877bfc2487a |
| SHA1 | 499b359cc2c91e718ed0cab8b336a21c81699a74 |
| SHA256 | d254c1812dd93abaf928b59f3e462183f8640c9bb628b9f093b50c8c39f33594 |
| SHA512 | 5d2112262d3ab7e52e138d8eda2ffb4336cbb45faef67ff81096402708668d0e7f5324df4d47d5abe84caf77146dbf260cabb69e3547e42d2143a0aab9331ef8 |
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
| Hash | Value |
|---|---|
| MD5 | d881de17aa8f2e2c08cbb7b265f928f9 |
| SHA1 | 08936aebc87decf0af6e8eada191062b5e65ac2a |
| SHA256 | b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0 |
| SHA512 | 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34 |