darkcomet | 9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c

Analysis

max time kernel
192s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c.exe
Size

6.9MB
MD5

7db9e97bbd23d33100885f6b032cfb06
SHA1

f82264d9d8b2cd10f48ca53088c9c2a70f15ee68
SHA256

9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c
SHA512

f432463c05597e37dcd035efc8f9539af8e7d4f26363c402805f9ca77782784c924736f2f1b4f813967d886d040900d76ca225e39f4760b6059c209cc8b56e78
SSDEEP

196608:Nviq75/Tzuf0tNzwd1uQrASQUugKWEjNl:xiC/Vqd1bQ5WYf

Score

10^/10

darkcomet guest15 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest15

skalede767.hopto.org:1604

Mutex

DC_MUTEX-HF2YCAJ

Attributes

InstallPath
test\test.exe
gencode
NzBN759r41eg
install
true
offline_keylogger
true
persistence
true
reg_key
testt

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

crypted.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\test\\test.exe"	crypted.exe

Executes dropped EXE 5 IoCs

Processes:

CDS.execrypted.exeCDS.execrypted.exetest.exe

pid process

5116 CDS.exe
1460 crypted.exe
4720 CDS.exe
4884 crypted.exe
4312 test.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

616 attrib.exe
1052 attrib.exe

pid	process
5116	CDS.exe
1460	crypted.exe
4720	CDS.exe
4884	crypted.exe
4312	test.exe

pid	process
616	attrib.exe
1052	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CDS.exeCDS.execrypted.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	CDS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	CDS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	crypted.exe

Loads dropped DLL 2 IoCs

Processes:

CDS.exeCDS.exe

pid process

5116 CDS.exe
4720 CDS.exe

pid	process
5116	CDS.exe
4720	CDS.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c.execrypted.execrypted.exetest.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\testt = "C:\\Users\\Admin\\Documents\\test\\test.exe"	crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\testt = "C:\\Users\\Admin\\Documents\\test\\test.exe"	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

crypted.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ crypted.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

CDS.exeCDS.exe

pid process

5116 CDS.exe
5116 CDS.exe
4720 CDS.exe
4720 CDS.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CDS.exe

pid process

5116 CDS.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	crypted.exe

pid	process
5116	CDS.exe
5116	CDS.exe
4720	CDS.exe
4720	CDS.exe

pid	process
5116	CDS.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

AUDIODG.EXEcrypted.exetest.exe

description	pid	process
Token: 33	1048	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1048	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	4884	crypted.exe
Token: SeSecurityPrivilege	4884	crypted.exe
Token: SeTakeOwnershipPrivilege	4884	crypted.exe
Token: SeLoadDriverPrivilege	4884	crypted.exe
Token: SeSystemProfilePrivilege	4884	crypted.exe
Token: SeSystemtimePrivilege	4884	crypted.exe
Token: SeProfSingleProcessPrivilege	4884	crypted.exe
Token: SeIncBasePriorityPrivilege	4884	crypted.exe
Token: SeCreatePagefilePrivilege	4884	crypted.exe
Token: SeBackupPrivilege	4884	crypted.exe
Token: SeRestorePrivilege	4884	crypted.exe
Token: SeShutdownPrivilege	4884	crypted.exe
Token: SeDebugPrivilege	4884	crypted.exe
Token: SeSystemEnvironmentPrivilege	4884	crypted.exe
Token: SeChangeNotifyPrivilege	4884	crypted.exe
Token: SeRemoteShutdownPrivilege	4884	crypted.exe
Token: SeUndockPrivilege	4884	crypted.exe
Token: SeManageVolumePrivilege	4884	crypted.exe
Token: SeImpersonatePrivilege	4884	crypted.exe
Token: SeCreateGlobalPrivilege	4884	crypted.exe
Token: 33	4884	crypted.exe
Token: 34	4884	crypted.exe
Token: 35	4884	crypted.exe
Token: 36	4884	crypted.exe
Token: SeIncreaseQuotaPrivilege	4312	test.exe
Token: SeSecurityPrivilege	4312	test.exe
Token: SeTakeOwnershipPrivilege	4312	test.exe
Token: SeLoadDriverPrivilege	4312	test.exe
Token: SeSystemProfilePrivilege	4312	test.exe
Token: SeSystemtimePrivilege	4312	test.exe
Token: SeProfSingleProcessPrivilege	4312	test.exe
Token: SeIncBasePriorityPrivilege	4312	test.exe
Token: SeCreatePagefilePrivilege	4312	test.exe
Token: SeBackupPrivilege	4312	test.exe
Token: SeRestorePrivilege	4312	test.exe
Token: SeShutdownPrivilege	4312	test.exe
Token: SeDebugPrivilege	4312	test.exe
Token: SeSystemEnvironmentPrivilege	4312	test.exe
Token: SeChangeNotifyPrivilege	4312	test.exe
Token: SeRemoteShutdownPrivilege	4312	test.exe
Token: SeUndockPrivilege	4312	test.exe
Token: SeManageVolumePrivilege	4312	test.exe
Token: SeImpersonatePrivilege	4312	test.exe
Token: SeCreateGlobalPrivilege	4312	test.exe
Token: 33	4312	test.exe
Token: 34	4312	test.exe
Token: 35	4312	test.exe
Token: 36	4312	test.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

CDS.exeCDS.exetest.exe

pid process

5116 CDS.exe
5116 CDS.exe
4720 CDS.exe
4720 CDS.exe
4312 test.exe

pid	process
5116	CDS.exe
5116	CDS.exe
4720	CDS.exe
4720	CDS.exe
4312	test.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c.exeCDS.execrypted.exeCDS.execrypted.execmd.execmd.exetest.exe

description	pid	process	target process
PID 2988 wrote to memory of 5116	2988	9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c.exe	CDS.exe
PID 2988 wrote to memory of 5116	2988	9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c.exe	CDS.exe
PID 2988 wrote to memory of 5116	2988	9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c.exe	CDS.exe
PID 5116 wrote to memory of 1460	5116	CDS.exe	crypted.exe
PID 5116 wrote to memory of 1460	5116	CDS.exe	crypted.exe
PID 5116 wrote to memory of 1460	5116	CDS.exe	crypted.exe
PID 1460 wrote to memory of 4720	1460	crypted.exe	CDS.exe
PID 1460 wrote to memory of 4720	1460	crypted.exe	CDS.exe
PID 1460 wrote to memory of 4720	1460	crypted.exe	CDS.exe
PID 4720 wrote to memory of 4884	4720	CDS.exe	crypted.exe
PID 4720 wrote to memory of 4884	4720	CDS.exe	crypted.exe
PID 4720 wrote to memory of 4884	4720	CDS.exe	crypted.exe
PID 4884 wrote to memory of 3848	4884	crypted.exe	cmd.exe
PID 4884 wrote to memory of 3848	4884	crypted.exe	cmd.exe
PID 4884 wrote to memory of 3848	4884	crypted.exe	cmd.exe
PID 4884 wrote to memory of 1448	4884	crypted.exe	cmd.exe
PID 4884 wrote to memory of 1448	4884	crypted.exe	cmd.exe
PID 4884 wrote to memory of 1448	4884	crypted.exe	cmd.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 4884 wrote to memory of 5068	4884	crypted.exe	notepad.exe
PID 3848 wrote to memory of 616	3848	cmd.exe	attrib.exe
PID 3848 wrote to memory of 616	3848	cmd.exe	attrib.exe
PID 3848 wrote to memory of 616	3848	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1052	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1052	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1052	1448	cmd.exe	attrib.exe
PID 4884 wrote to memory of 4312	4884	crypted.exe	test.exe
PID 4884 wrote to memory of 4312	4884	crypted.exe	test.exe
PID 4884 wrote to memory of 4312	4884	crypted.exe	test.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe
PID 4312 wrote to memory of 3208	4312	test.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

616 attrib.exe
1052 attrib.exe

pid	process
616	attrib.exe
1052	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c.exe
"C:\Users\Admin\AppData\Local\Temp\9326e840342024f727e9a2b56efbdae6c798425972f0e58d01b5f564ab80de8c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe" +s +h
6⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe" +s +h
7⤵
- Sets file to hidden
- Views/modifies file attributes
PID:616

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP" +s +h
6⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP" +s +h
7⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1052

C:\Users\Admin\Documents\test\test.exe
"C:\Users\Admin\Documents\test\test.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:3208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
Filesize
3.7MB

MD5
9e8f41b360f093072a10e3587dbd78ad

SHA1
137f7665484c260c79a648a8acc1118888ec60a1

SHA256
e53f0e4ac9f70916fcf681625171ff07580466850061bf6d21dc2fcd8ad5782a

SHA512
d575b685d917aebf5d6fa9b5d2094aa5e693fe6b8a44b879b3d68a3a8f08a23d2067024f0f20f3682dc678081db352e9605610c023ced8621fdcd5857124856b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
3.7MB

MD5
796d5ca5b1c0b31ccb397ede120b7196

SHA1
4cfeda6e8319d7af884ef32ebd0d715e1ebe436a

SHA256
e65e68ee2f5e6071e5303fbf579d8ae72ca1d6a5b8914ab45b270d72c07b0114

SHA512
81457bde1e8b733510826818de78a3b302006fa6ee74e87a8a1efbbc2999d731abd0d015930efc1bd6a5b451fa1d4f14f1f80978b6d9c13d0948e76f8fa3d612

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
3.7MB

MD5
796d5ca5b1c0b31ccb397ede120b7196

SHA1
4cfeda6e8319d7af884ef32ebd0d715e1ebe436a

SHA256
e65e68ee2f5e6071e5303fbf579d8ae72ca1d6a5b8914ab45b270d72c07b0114

SHA512
81457bde1e8b733510826818de78a3b302006fa6ee74e87a8a1efbbc2999d731abd0d015930efc1bd6a5b451fa1d4f14f1f80978b6d9c13d0948e76f8fa3d612

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
Filesize
4B

MD5
b326b5062b2f0e69046810717534cb09

SHA1
5ffe533b830f08a0326348a9160afafc8ada44db

SHA256
b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b

SHA512
9120cd5faef07a08e971ff024a3fcbea1e3a6b44142a6d82ca28c6c42e4f852595bcf53d81d776f10541045abdb7c37950629415d0dc66c8d86c64a5606d32de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\630_10.png
Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.cdd
Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c.dat
Filesize
659KB

MD5
9e2b9ad859c293c90fb4416720677e82

SHA1
c9c487997575ec759a9ec9e2f55c914aeab7512a

SHA256
f2bfa67aae918b71fb02be85106365ee3c08617a7d19c374359e1b57fa1b5634

SHA512
782579ba3fd24397c556973ecefafad11fd5b60f1dbbe9561cf4a62d7c8de4abf4932950b20d285bd887f2eacc4fd4645ff399c9f6ff5cf15800c451ec9ef17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe
Filesize
659KB

MD5
4e91baedce6c4c201f6b04a3a88ed5fe

SHA1
231e34f3525f07f7cda9c2c3b2c53edc1e18fdb4

SHA256
d2337e78a3eb9e9d44e8fe4e95250656b899c71b82a03bf5ec3820b63ca1e8e5

SHA512
4ee22c3a2dbd24c93700ca1152f46b93dc50deced7bb251d4c84ae91b07beef3b661facd5dee016745df65dcdcef800036db3d601ef52e1198093777f0b85317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe
Filesize
659KB

MD5
4e91baedce6c4c201f6b04a3a88ed5fe

SHA1
231e34f3525f07f7cda9c2c3b2c53edc1e18fdb4

SHA256
d2337e78a3eb9e9d44e8fe4e95250656b899c71b82a03bf5ec3820b63ca1e8e5

SHA512
4ee22c3a2dbd24c93700ca1152f46b93dc50deced7bb251d4c84ae91b07beef3b661facd5dee016745df65dcdcef800036db3d601ef52e1198093777f0b85317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fs.settings
Filesize
4B

MD5
b326b5062b2f0e69046810717534cb09

SHA1
5ffe533b830f08a0326348a9160afafc8ada44db

SHA256
b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b

SHA512
9120cd5faef07a08e971ff024a3fcbea1e3a6b44142a6d82ca28c6c42e4f852595bcf53d81d776f10541045abdb7c37950629415d0dc66c8d86c64a5606d32de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\Documents\test\test.exe
Filesize
659KB

MD5
4e91baedce6c4c201f6b04a3a88ed5fe

SHA1
231e34f3525f07f7cda9c2c3b2c53edc1e18fdb4

SHA256
d2337e78a3eb9e9d44e8fe4e95250656b899c71b82a03bf5ec3820b63ca1e8e5

SHA512
4ee22c3a2dbd24c93700ca1152f46b93dc50deced7bb251d4c84ae91b07beef3b661facd5dee016745df65dcdcef800036db3d601ef52e1198093777f0b85317

Download Submit
C:\Users\Admin\Documents\test\test.exe
Filesize
659KB

MD5
4e91baedce6c4c201f6b04a3a88ed5fe

SHA1
231e34f3525f07f7cda9c2c3b2c53edc1e18fdb4

SHA256
d2337e78a3eb9e9d44e8fe4e95250656b899c71b82a03bf5ec3820b63ca1e8e5

SHA512
4ee22c3a2dbd24c93700ca1152f46b93dc50deced7bb251d4c84ae91b07beef3b661facd5dee016745df65dcdcef800036db3d601ef52e1198093777f0b85317

Download Submit
memory/616-159-0x0000000000000000-mapping.dmp

Download
memory/1052-160-0x0000000000000000-mapping.dmp

Download
memory/1448-157-0x0000000000000000-mapping.dmp

Download
memory/1460-141-0x0000000000000000-mapping.dmp

Download
memory/3208-164-0x0000000000000000-mapping.dmp

Download
memory/3848-156-0x0000000000000000-mapping.dmp

Download
memory/4312-161-0x0000000000000000-mapping.dmp

Download
memory/4720-144-0x0000000000000000-mapping.dmp

Download
memory/4884-153-0x0000000000000000-mapping.dmp

Download
memory/5068-158-0x0000000000000000-mapping.dmp

Download
memory/5116-132-0x0000000000000000-mapping.dmp

Download