darkcomet | 05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218

Analysis

max time kernel
152s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exe
Size

4.0MB
MD5

a125b9552107d890ff36f239469c3d1a
SHA1

0b23e1fdf839ef419b58f7d209015169b29f91a1
SHA256

05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218
SHA512

53a538b9dc89c46d7739ff6a400dda4613f86152ba7d664f883294ca281fd81e68d140bafbfb6c6e46c3d9e5035dc6244141a82e0949c4d491db3d485379b867
SSDEEP

98304:rDzCjHUzA37ZzB2kBgwFJiN7XbrTFdQeEjo6CO1/u+Xjyyi:ryjHiA31zBVdJgLNdz8u+Xjyy

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

cheat-sector.zapto.org:5999

Mutex

DC_MUTEX-KLB55C5

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
nPUGdp1yiHz7
install
true
offline_keylogger
true
password
1337.LOLwat
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SERVER.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	SERVER.EXE

Executes dropped EXE 5 IoCs

Processes:

MW3 SP V.1.8.423 BY GRADENT.EXESERVER.EXEMW3 SP V.1.8.423 BY GRADENT.EXEMW3 SP V.1.8.423 BY GRADENT.EXEmsdcsc.exe

pid	process
1476	MW3 SP V.1.8.423 BY GRADENT.EXE
3492	SERVER.EXE
3752	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
1164	msdcsc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exeSERVER.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SERVER.EXE

Loads dropped DLL 2 IoCs

Processes:

MW3 SP V.1.8.423 BY GRADENT.EXE

pid process

4268 MW3 SP V.1.8.423 BY GRADENT.EXE
4268 MW3 SP V.1.8.423 BY GRADENT.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SERVER.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	SERVER.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

SERVER.EXE

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ SERVER.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	SERVER.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MW3 SP V.1.8.423 BY GRADENT.EXE

pid	process
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE
4268	MW3 SP V.1.8.423 BY GRADENT.EXE

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

SERVER.EXEMW3 SP V.1.8.423 BY GRADENT.EXEmsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3492	SERVER.EXE
Token: SeSecurityPrivilege	3492	SERVER.EXE
Token: SeTakeOwnershipPrivilege	3492	SERVER.EXE
Token: SeLoadDriverPrivilege	3492	SERVER.EXE
Token: SeSystemProfilePrivilege	3492	SERVER.EXE
Token: SeSystemtimePrivilege	3492	SERVER.EXE
Token: SeProfSingleProcessPrivilege	3492	SERVER.EXE
Token: SeIncBasePriorityPrivilege	3492	SERVER.EXE
Token: SeCreatePagefilePrivilege	3492	SERVER.EXE
Token: SeBackupPrivilege	3492	SERVER.EXE
Token: SeRestorePrivilege	3492	SERVER.EXE
Token: SeShutdownPrivilege	3492	SERVER.EXE
Token: SeDebugPrivilege	3492	SERVER.EXE
Token: SeSystemEnvironmentPrivilege	3492	SERVER.EXE
Token: SeChangeNotifyPrivilege	3492	SERVER.EXE
Token: SeRemoteShutdownPrivilege	3492	SERVER.EXE
Token: SeUndockPrivilege	3492	SERVER.EXE
Token: SeManageVolumePrivilege	3492	SERVER.EXE
Token: SeImpersonatePrivilege	3492	SERVER.EXE
Token: SeCreateGlobalPrivilege	3492	SERVER.EXE
Token: 33	3492	SERVER.EXE
Token: 34	3492	SERVER.EXE
Token: 35	3492	SERVER.EXE
Token: 36	3492	SERVER.EXE
Token: SeDebugPrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeLoadDriverPrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeCreateGlobalPrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: 33	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeSecurityPrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeTakeOwnershipPrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeManageVolumePrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeBackupPrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeCreatePagefilePrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeShutdownPrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeRestorePrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: 33	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeIncBasePriorityPrivilege	4268	MW3 SP V.1.8.423 BY GRADENT.EXE
Token: SeIncreaseQuotaPrivilege	1164	msdcsc.exe
Token: SeSecurityPrivilege	1164	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1164	msdcsc.exe
Token: SeLoadDriverPrivilege	1164	msdcsc.exe
Token: SeSystemProfilePrivilege	1164	msdcsc.exe
Token: SeSystemtimePrivilege	1164	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1164	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1164	msdcsc.exe
Token: SeCreatePagefilePrivilege	1164	msdcsc.exe
Token: SeBackupPrivilege	1164	msdcsc.exe
Token: SeRestorePrivilege	1164	msdcsc.exe
Token: SeShutdownPrivilege	1164	msdcsc.exe
Token: SeDebugPrivilege	1164	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1164	msdcsc.exe
Token: SeChangeNotifyPrivilege	1164	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1164	msdcsc.exe
Token: SeUndockPrivilege	1164	msdcsc.exe
Token: SeManageVolumePrivilege	1164	msdcsc.exe
Token: SeImpersonatePrivilege	1164	msdcsc.exe
Token: SeCreateGlobalPrivilege	1164	msdcsc.exe
Token: 33	1164	msdcsc.exe
Token: 34	1164	msdcsc.exe
Token: 35	1164	msdcsc.exe
Token: 36	1164	msdcsc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MW3 SP V.1.8.423 BY GRADENT.EXE

pid process

4268 MW3 SP V.1.8.423 BY GRADENT.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1164 msdcsc.exe

pid	process
1164	msdcsc.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exeMW3 SP V.1.8.423 BY GRADENT.EXEMW3 SP V.1.8.423 BY GRADENT.EXESERVER.EXEmsdcsc.exe

description	pid	process	target process
PID 3540 wrote to memory of 1476	3540	05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exe	MW3 SP V.1.8.423 BY GRADENT.EXE
PID 3540 wrote to memory of 1476	3540	05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exe	MW3 SP V.1.8.423 BY GRADENT.EXE
PID 3540 wrote to memory of 1476	3540	05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exe	MW3 SP V.1.8.423 BY GRADENT.EXE
PID 3540 wrote to memory of 3492	3540	05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exe	SERVER.EXE
PID 3540 wrote to memory of 3492	3540	05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exe	SERVER.EXE
PID 3540 wrote to memory of 3492	3540	05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exe	SERVER.EXE
PID 1476 wrote to memory of 3752	1476	MW3 SP V.1.8.423 BY GRADENT.EXE	MW3 SP V.1.8.423 BY GRADENT.EXE
PID 1476 wrote to memory of 3752	1476	MW3 SP V.1.8.423 BY GRADENT.EXE	MW3 SP V.1.8.423 BY GRADENT.EXE
PID 1476 wrote to memory of 3752	1476	MW3 SP V.1.8.423 BY GRADENT.EXE	MW3 SP V.1.8.423 BY GRADENT.EXE
PID 3752 wrote to memory of 4268	3752	MW3 SP V.1.8.423 BY GRADENT.EXE	MW3 SP V.1.8.423 BY GRADENT.EXE
PID 3752 wrote to memory of 4268	3752	MW3 SP V.1.8.423 BY GRADENT.EXE	MW3 SP V.1.8.423 BY GRADENT.EXE
PID 3752 wrote to memory of 4268	3752	MW3 SP V.1.8.423 BY GRADENT.EXE	MW3 SP V.1.8.423 BY GRADENT.EXE
PID 3492 wrote to memory of 1164	3492	SERVER.EXE	msdcsc.exe
PID 3492 wrote to memory of 1164	3492	SERVER.EXE	msdcsc.exe
PID 3492 wrote to memory of 1164	3492	SERVER.EXE	msdcsc.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe
PID 1164 wrote to memory of 3652	1164	msdcsc.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exe
"C:\Users\Admin\AppData\Local\Temp\05e38385cc10acd6276f395397f1bae509771cf5ac4172212a01a8864754b218.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Roaming\MW3 SP V.1.8.423 BY GRADENT.EXE
"C:\Users\Admin\AppData\Roaming\MW3 SP V.1.8.423 BY GRADENT.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\MW3 SP V.1.8.423 BY GRADENT.EXE
"C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\MW3 SP V.1.8.423 BY GRADENT.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\MW3 SP V.1.8.423 BY GRADENT.EXE
"C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\MW3 SP V.1.8.423 BY GRADENT.EXE" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\CET_TRAINER.CETRAINER"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4268

C:\Users\Admin\AppData\Roaming\SERVER.EXE
"C:\Users\Admin\AppData\Roaming\SERVER.EXE"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\CET_Archive.dat
Filesize
3.0MB

MD5
c8baa0f79814be15cdc3e2190b75a73c

SHA1
bd42ff0f330358486e1aa3c80b566492ba6bf391

SHA256
5344423674db23a6cfab10227ccb7478357ffb4062b92ceaa44fd05152c6794d

SHA512
28a21fdc5e4e0e3e04a83f8acfbfc7dbfb2509987813dc764b153139cb4302ba167843871e4e82d3d5e971b7318104eb1c7dcd9971a768000fe2d6bac991d94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\MW3 SP V.1.8.423 BY GRADENT.EXE
Filesize
183KB

MD5
7037a98950fa4011691b8121da1a20e1

SHA1
8dbb0dc51efc5afb6839a647d9b38f56b9310528

SHA256
49f55634873319d06dd9a32f2c0b63ebd6cbdffdbcbad7162b7c31f50d3c7da1

SHA512
60a4ac59b8ce840dfa37dcac4785a18b76a55fd7dd55aa6bef4cd503a33959c74941da98211e27e082e533e47eeb176fc99bed91b4827bec904135a372d9128a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\MW3 SP V.1.8.423 BY GRADENT.EXE
Filesize
183KB

MD5
7037a98950fa4011691b8121da1a20e1

SHA1
8dbb0dc51efc5afb6839a647d9b38f56b9310528

SHA256
49f55634873319d06dd9a32f2c0b63ebd6cbdffdbcbad7162b7c31f50d3c7da1

SHA512
60a4ac59b8ce840dfa37dcac4785a18b76a55fd7dd55aa6bef4cd503a33959c74941da98211e27e082e533e47eeb176fc99bed91b4827bec904135a372d9128a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\CET_TRAINER.CETRAINER
Filesize
164KB

MD5
44411b1765e6f3f771223c2171cb61b7

SHA1
7f46996c54b6dcb6c536a29f14814626adec1cbc

SHA256
f1f8d2453e96242430a3b991115f2ac6dd230be210b71e44f6c239bedf9f34a7

SHA512
0875719d3f746b3031173c58b135d14ef3ec18b573fa18cb4ce5973e5a3136d4055be61f0f72ac7954b50d9236fd592773b8e96edd89fa8152399722154b37f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\MW3 SP V.1.8.423 BY GRADENT.EXE
Filesize
6.0MB

MD5
ab9983b19ae94f47cc870e1914955370

SHA1
42641e6015220db5095b28606c82c003e2db097b

SHA256
ce481709c585d0efeebabce7da99ed338d0faa80556eac6fd150fd44ed1f0b48

SHA512
eb60a4249a765d3972d60ec237098a6cf81dc554bed9950728423b2c69a01c3ae1df36df7db8dede4b5d88dee02c5f9a9eac460bf5893f052418de5fff48e5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\MW3 SP V.1.8.423 BY GRADENT.EXE
Filesize
6.0MB

MD5
ab9983b19ae94f47cc870e1914955370

SHA1
42641e6015220db5095b28606c82c003e2db097b

SHA256
ce481709c585d0efeebabce7da99ed338d0faa80556eac6fd150fd44ed1f0b48

SHA512
eb60a4249a765d3972d60ec237098a6cf81dc554bed9950728423b2c69a01c3ae1df36df7db8dede4b5d88dee02c5f9a9eac460bf5893f052418de5fff48e5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\defines.lua
Filesize
3KB

MD5
31065eca47aa65a75033dddd13e90755

SHA1
d4ee2db8aeb1b05060b0e9f130a27f6ccf16f18b

SHA256
317025f2cb7f93ffefb5c87fecf445e4fcaadfbd00ee9ac3e65b803c2b980534

SHA512
99045cb9f1475da98559b56d8bdae2414ead3544f419d4c3fe40c5e5b9679f48a870077fa0a54a3ea8e5d511842a868f088cbd35a44b72a2687897fdd683ec92

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\lua5.1-32.dll
Filesize
321KB

MD5
859be12ad1e4ace1418ff3a069b35115

SHA1
88ac1d322b610c8e57d7e0b275dfe525d7525e59

SHA256
9a99ea10acd1378ccc4f23a91b00b9969d640419779b17711b21f2100d2db48c

SHA512
2ec4615473843e5e723b09fdda510ce3d4cc64e46c92340561d4a09a975cc8d9d1162ca3d3f952c939b38557e5014fffd9976dfec3a7239472056d51136d7347

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\lua5.1-32.dll
Filesize
321KB

MD5
859be12ad1e4ace1418ff3a069b35115

SHA1
88ac1d322b610c8e57d7e0b275dfe525d7525e59

SHA256
9a99ea10acd1378ccc4f23a91b00b9969d640419779b17711b21f2100d2db48c

SHA512
2ec4615473843e5e723b09fdda510ce3d4cc64e46c92340561d4a09a975cc8d9d1162ca3d3f952c939b38557e5014fffd9976dfec3a7239472056d51136d7347

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\win32\dbghelp.dll
Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETCD1.tmp\extracted\win32\dbghelp.dll
Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
Filesize
662KB

MD5
4135e0a0f1f15661641aab62f0a1d5bd

SHA1
e6fb931d1250d38ee3b8030e549b3e043d2322bc

SHA256
6665bd9ffbfbacdceea63d23831300b01be39221cbb3d3f0717bb640b2839991

SHA512
c742808ec3cf159b251512e93a50886b419ebe0abcb202c51c34eb22cb00c5f411b7e6e687cf71277cf593b7508481c805faf2ca6c046aab2d6e3bf53f71cd17

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
Filesize
662KB

MD5
4135e0a0f1f15661641aab62f0a1d5bd

SHA1
e6fb931d1250d38ee3b8030e549b3e043d2322bc

SHA256
6665bd9ffbfbacdceea63d23831300b01be39221cbb3d3f0717bb640b2839991

SHA512
c742808ec3cf159b251512e93a50886b419ebe0abcb202c51c34eb22cb00c5f411b7e6e687cf71277cf593b7508481c805faf2ca6c046aab2d6e3bf53f71cd17

Download Submit
C:\Users\Admin\AppData\Roaming\MW3 SP V.1.8.423 BY GRADENT.EXE
Filesize
3.3MB

MD5
77a4d648766814327b526154b63736d9

SHA1
92a149e586f719acf58ebb2502053852f55fb6b0

SHA256
85383a82d890ab337eac20b99f77218e91d0a36f9d45653d5778989345b5df8c

SHA512
1a168055af563bcb37dffa0b6f843d8fd08ac0d1daa9bf1939555689cc684d481e310c82a97a3c38a3a7105560e7c90db0c6f063a3035b11d1a1f01741ba6cd0

Download Submit
C:\Users\Admin\AppData\Roaming\MW3 SP V.1.8.423 BY GRADENT.EXE
Filesize
3.3MB

MD5
77a4d648766814327b526154b63736d9

SHA1
92a149e586f719acf58ebb2502053852f55fb6b0

SHA256
85383a82d890ab337eac20b99f77218e91d0a36f9d45653d5778989345b5df8c

SHA512
1a168055af563bcb37dffa0b6f843d8fd08ac0d1daa9bf1939555689cc684d481e310c82a97a3c38a3a7105560e7c90db0c6f063a3035b11d1a1f01741ba6cd0

Download Submit
C:\Users\Admin\AppData\Roaming\SERVER.EXE
Filesize
662KB

MD5
4135e0a0f1f15661641aab62f0a1d5bd

SHA1
e6fb931d1250d38ee3b8030e549b3e043d2322bc

SHA256
6665bd9ffbfbacdceea63d23831300b01be39221cbb3d3f0717bb640b2839991

SHA512
c742808ec3cf159b251512e93a50886b419ebe0abcb202c51c34eb22cb00c5f411b7e6e687cf71277cf593b7508481c805faf2ca6c046aab2d6e3bf53f71cd17

Download Submit
C:\Users\Admin\AppData\Roaming\SERVER.EXE
Filesize
662KB

MD5
4135e0a0f1f15661641aab62f0a1d5bd

SHA1
e6fb931d1250d38ee3b8030e549b3e043d2322bc

SHA256
6665bd9ffbfbacdceea63d23831300b01be39221cbb3d3f0717bb640b2839991

SHA512
c742808ec3cf159b251512e93a50886b419ebe0abcb202c51c34eb22cb00c5f411b7e6e687cf71277cf593b7508481c805faf2ca6c046aab2d6e3bf53f71cd17

Download Submit
memory/1164-151-0x0000000000000000-mapping.dmp

Download
memory/1476-132-0x0000000000000000-mapping.dmp

Download
memory/3492-135-0x0000000000000000-mapping.dmp

Download
memory/3652-154-0x0000000000000000-mapping.dmp

Download
memory/3752-136-0x0000000000000000-mapping.dmp

Download
memory/4268-142-0x0000000000000000-mapping.dmp

Download