darkcomet | 838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe
Size

1.3MB
MD5

2ceb126e45e29ae5260343d67d666379
SHA1

44bfc88df3e9bbaddbc08da0d2cfb18cce9d7722
SHA256

838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933
SHA512

142317bf8f5f5a2bb09011b90fe1b20c6d465f74aaa4b429554e0bbb9841f2ac1fffc6fbdf7b2f1ac4417732b14550a21162871404a0bb28c0c9e9697ef12039
SSDEEP

24576:1t24elz/eTxEP26JA7bnH2v27efUlcaVW67fsMxTLc2UgaRg299pWN7wyyw:h/WPK7QlsqKWKf15op1Wiyh

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

5.254.112.46:1604

Mutex

DC_MUTEX-TWH65U6

Attributes

gencode
g2krJbMz8YKU
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

rsqrc.batrsqrc.batRegSvcs.exe

pid process

2036 rsqrc.bat
1952 rsqrc.bat
948 RegSvcs.exe

pid	process
2036	rsqrc.bat
1952	rsqrc.bat
948	RegSvcs.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/948-95-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/948-97-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/948-98-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/948-101-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/948-103-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/948-105-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/948-106-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/948-107-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Loads dropped DLL 7 IoCs

Processes:

838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exersqrc.batrsqrc.bat

pid	process
1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe
1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe
1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe
1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe
1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe
2036	rsqrc.bat
1952	rsqrc.bat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rsqrc.bat

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\jhnjd\\rsqrc.bat C:\\Users\\Admin\\AppData\\Roaming\\jhnjd\\wptjq.kll"	rsqrc.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	rsqrc.bat

Suspicious use of SetThreadContext 1 IoCs

Processes:

rsqrc.bat

description pid process target process

PID 1952 set thread context of 948 1952 rsqrc.bat RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1284 taskkill.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

rsqrc.bat

pid process

1952 rsqrc.bat
1952 rsqrc.bat
1952 rsqrc.bat
1952 rsqrc.bat
1952 rsqrc.bat
1952 rsqrc.bat
1952 rsqrc.bat
1952 rsqrc.bat
1952 rsqrc.bat

description	pid	process	target process
PID 1952 set thread context of 948	1952	rsqrc.bat	RegSvcs.exe

pid	process
1284	taskkill.exe

pid	process
1952	rsqrc.bat
1952	rsqrc.bat
1952	rsqrc.bat
1952	rsqrc.bat
1952	rsqrc.bat
1952	rsqrc.bat
1952	rsqrc.bat
1952	rsqrc.bat
1952	rsqrc.bat

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

taskkill.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeIncreaseQuotaPrivilege	948	RegSvcs.exe
Token: SeSecurityPrivilege	948	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	948	RegSvcs.exe
Token: SeLoadDriverPrivilege	948	RegSvcs.exe
Token: SeSystemProfilePrivilege	948	RegSvcs.exe
Token: SeSystemtimePrivilege	948	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: SeCreatePagefilePrivilege	948	RegSvcs.exe
Token: SeBackupPrivilege	948	RegSvcs.exe
Token: SeRestorePrivilege	948	RegSvcs.exe
Token: SeShutdownPrivilege	948	RegSvcs.exe
Token: SeDebugPrivilege	948	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	948	RegSvcs.exe
Token: SeChangeNotifyPrivilege	948	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	948	RegSvcs.exe
Token: SeUndockPrivilege	948	RegSvcs.exe
Token: SeManageVolumePrivilege	948	RegSvcs.exe
Token: SeImpersonatePrivilege	948	RegSvcs.exe
Token: SeCreateGlobalPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: 34	948	RegSvcs.exe
Token: 35	948	RegSvcs.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1444 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

948 RegSvcs.exe

pid	process
1444	DllHost.exe

pid	process
948	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exersqrc.batrsqrc.bat

description	pid	process	target process
PID 1460 wrote to memory of 2036	1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe	rsqrc.bat
PID 1460 wrote to memory of 2036	1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe	rsqrc.bat
PID 1460 wrote to memory of 2036	1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe	rsqrc.bat
PID 1460 wrote to memory of 2036	1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe	rsqrc.bat
PID 1460 wrote to memory of 2036	1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe	rsqrc.bat
PID 1460 wrote to memory of 2036	1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe	rsqrc.bat
PID 1460 wrote to memory of 2036	1460	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe	rsqrc.bat
PID 2036 wrote to memory of 1952	2036	rsqrc.bat	rsqrc.bat
PID 2036 wrote to memory of 1952	2036	rsqrc.bat	rsqrc.bat
PID 2036 wrote to memory of 1952	2036	rsqrc.bat	rsqrc.bat
PID 2036 wrote to memory of 1952	2036	rsqrc.bat	rsqrc.bat
PID 2036 wrote to memory of 1952	2036	rsqrc.bat	rsqrc.bat
PID 2036 wrote to memory of 1952	2036	rsqrc.bat	rsqrc.bat
PID 2036 wrote to memory of 1952	2036	rsqrc.bat	rsqrc.bat
PID 1952 wrote to memory of 976	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 976	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 976	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 976	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 976	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 976	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 976	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 2004	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 2004	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 2004	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 2004	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 2004	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 2004	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 2004	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1652	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1652	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1652	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1652	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1652	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1652	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1652	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 816	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 816	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 816	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 816	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 816	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 816	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 816	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 672	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 672	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 672	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 672	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 672	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 672	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 672	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 364	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 364	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 364	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 364	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 364	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 364	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 364	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1692	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1692	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1692	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1692	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1692	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1692	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 1692	1952	rsqrc.bat	mshta.exe
PID 1952 wrote to memory of 524	1952	rsqrc.bat	cmd.exe

C:\Users\Admin\AppData\Local\Temp\838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe
"C:\Users\Admin\AppData\Local\Temp\838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
"C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat" wptjq.kll
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat C:\Users\Admin\AppData\Roaming\jhnjd\GKIVI
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:976

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:2004

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1652

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:816

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:672

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:364

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe
4⤵
PID:524

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM mshta.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
33KB

MD5
aaa0a6db78a883fa65ded2f45bf0819d

SHA1
f5af5366e662d6b608d9bea1add23fd0dfb23b75

SHA256
1ed4ce274b96cc7a02429f04203f9e173d25a817953f3651444afa1b15fd3a15

SHA512
31388ab17f959b77fe3f559cc48b39f5f0c644ff3217b6bf2e1e5044ceac6bf1ae906fe1018009e494d475b9732c7b9ca0cb56236377d7a4e4c702da7c06d73e

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\GKIVI
Filesize
117KB

MD5
3384979a23fbe4de79286b1901121b19

SHA1
5e69f43dcc8ed992ab17c233271712bb0bf60f13

SHA256
ae2427d833c91c213875fe7e70b05c88e949859da91b33681d598e3fd6b4f740

SHA512
0f98ff4b4c631dfc388e515dcaa3e858ed2c9581a63d9ab3ec588ea9ef17a593dc632c6f9093c13944812f273153ea0f0b37a1ca8aaa30a23d1199dcdf832fa3

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\YMQGIX
Filesize
36KB

MD5
0aac4b05aeb233740b90d11654cfb4c5

SHA1
b593bba4350616176b1a545098120fff9e2d7e2a

SHA256
1a9d10aeeff5c9d2b7fde7171980ce29585b7815fb40d10812a85768f12ff8ca

SHA512
8225d0f32cd6ef4b2ce124dd534fd0127beafce07b88b38b0ce2c54d3d1249d53ad306b0524f48a706c7da38151a41a06d6935ce17d663663db19139bcc18120

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\evcvt
Filesize
1KB

MD5
29dbcf965f4dff981947089c033ce279

SHA1
4515a4a916ddd532916623a5c1e3dce65b23ebe0

SHA256
a1b87f397a8247361bea88e4fc9586ab9cf0dda6b63025bd7e381861a1153b9b

SHA512
5c12af9573942a9277de140f541f2b4793eb9de131f79a3b871890e390ae5c025a29b74f260d94792a3197ebb505f1416fb4d3d4769947e9bac6b30b9acd42c5

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\kjuqx
Filesize
253KB

MD5
cc9b49169076c95352ff036ec8d5b417

SHA1
961b7929f2f2a6a5847c90b5e31822cf9e9d9bd7

SHA256
394554cefb606f39adf9fbd6bce30d4d9e7eed21d08a906f499702a3558df436

SHA512
ca3f6463f1080e7471fcfc95cda867cebf1fd2a411232cbbc47c74cc100d5eb6f91aa4c9ce51bab72e267a7b79211e0193072b131d50c0f6b18e416afc394e07

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\ruhpc.nxm
Filesize
117KB

MD5
74f54b55d58214debc9039ede4212c1a

SHA1
f2008323fa362b20808c00c6b27001802059fafd

SHA256
57f3016b9344b070f515928149652c0579c5319504c206a200412f44efb0c571

SHA512
329953a8293b7247c03cad7ef93b2f6ba652e399256acb09f7c7820e6d17756520038ab20148b6b4f3cf6580c8a0b01719bfb4fe03ee7bb8148d61274150380a

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\who.jpg
Filesize
422KB

MD5
fbfa893bdf7e3ebf0c6002422e309f5a

SHA1
6960c3b9120c31e7f147d5711279cd3f12642155

SHA256
50dd467a197f04e93ddd3bb6dafeb7400446ee23aef75b53eaf18f77d5ab8bc9

SHA512
049b5c3ecae33cd478b3a00d15dd36be8d33e942dea89ad9793f387d491d9352775c2c8b74e80143442bdee8440dc98c4d9fcab6e6b138c118d48c7d4c01790f

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\wptjq.kll
Filesize
3KB

MD5
79d5c6f556e0bd45eb399cb806488195

SHA1
0dbf3209bc2c21c4ce40497b8210b3d03e3a95a4

SHA256
b6715a8d5b4651cbda91206008672a0350fbb22c9f159a253f33d63d575159ce

SHA512
f0b6ef4db0edb893aaca0d12b0491e8c00e654df6e39fb271b0dad6fe2b25b71a53582fdf2377324ba2958bc4ae3b29de9b3352fa5f1842fdc6653a8b689551b

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
33KB

MD5
aaa0a6db78a883fa65ded2f45bf0819d

SHA1
f5af5366e662d6b608d9bea1add23fd0dfb23b75

SHA256
1ed4ce274b96cc7a02429f04203f9e173d25a817953f3651444afa1b15fd3a15

SHA512
31388ab17f959b77fe3f559cc48b39f5f0c644ff3217b6bf2e1e5044ceac6bf1ae906fe1018009e494d475b9732c7b9ca0cb56236377d7a4e4c702da7c06d73e

Download Submit
\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
memory/364-83-0x0000000000000000-mapping.dmp

Download
memory/524-87-0x0000000000000000-mapping.dmp

Download
memory/672-81-0x0000000000000000-mapping.dmp

Download
memory/816-79-0x0000000000000000-mapping.dmp

Download
memory/948-107-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/948-98-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/948-105-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/948-103-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/948-95-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/948-101-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/948-106-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/948-99-0x00000000004B8C50-mapping.dmp

Download
memory/948-94-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/948-97-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/976-74-0x0000000000000000-mapping.dmp

Download
memory/1284-89-0x0000000000000000-mapping.dmp

Download
memory/1460-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1652-78-0x0000000000000000-mapping.dmp

Download
memory/1692-85-0x0000000000000000-mapping.dmp

Download
memory/1952-69-0x0000000000000000-mapping.dmp

Download
memory/2004-76-0x0000000000000000-mapping.dmp

Download
memory/2036-61-0x0000000000000000-mapping.dmp

Download