darkcomet | eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
Size

675KB
MD5

0b6ddda7ba995c36b25bf5f562b4104f
SHA1

fd103c9f0ac2f8462f9c8f24bcfe1fca22eb691d
SHA256

eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2
SHA512

c30e7ec9283f1917b05fdbf952d145837ad407b3bdc5431d78cb6a0f70af3a0192f0373c4fc3aefb7cae9766b0813ba802241a4a51f4b7ae7dbffd42738daab4
SSDEEP

12288:iat0EAH49n8BGe60O+/CRcDrNnyWP28xRqcrINVeAGXHbH6zAv2P5up+Jit:Nt24Je6BeC2yXKR0reNXHmzA0+

Score

10^/10

darkcomet æåðòâà evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Æåðòâà

znz.ddns.net:25565

Mutex

DC_MUTEX-Q6D7RHQ

Attributes

InstallPath
sv�h�st.exe
gencode
ijcTThqReeek
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svñhîst.exe"	1.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svñhîst.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svñhîst.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svñhîst.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svñhîst.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

svñhîst.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" svñhîst.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	svñhîst.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svñhîst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svñhîst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svñhîst.exe

Executes dropped EXE 3 IoCs

Processes:

2.exe1.exesvñhîst.exe

pid process

936 2.exe
1612 1.exe
1368 svñhîst.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2016 attrib.exe

pid	process
936	2.exe
1612	1.exe
1368	svñhîst.exe

pid	process
2016	attrib.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1.exe	upx
\Users\Admin\AppData\Local\Temp\1.exe	upx
C:\Users\Admin\AppData\Local\Temp\1.exe	upx
\Users\Admin\AppData\Local\Temp\1.exe	upx
\Users\Admin\AppData\Local\Temp\1.exe	upx
\Users\Admin\AppData\Local\Temp\1.exe	upx
C:\Users\Admin\AppData\Local\Temp\1.exe	upx
\Windows\SysWOW64\svñhîst.exe	upx
\Windows\SysWOW64\svñhîst.exe	upx
C:\Windows\SysWOW64\svñhîst.exe	upx
C:\Windows\SysWOW64\svñhîst.exe	upx
behavioral1/memory/1368-90-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1612-92-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1368-94-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 8 IoCs

Processes:

cmd.exe2.exe1.exe

pid process

1420 cmd.exe
936 2.exe
936 2.exe
936 2.exe
936 2.exe
936 2.exe
1612 1.exe
1612 1.exe

pid	process
1420	cmd.exe
936	2.exe
936	2.exe
936	2.exe
936	2.exe
936	2.exe
1612	1.exe
1612	1.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svñhîst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svñhîst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svñhîst.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exesvñhîst.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\svñhîst.exe"	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\svñhîst.exe"	svñhîst.exe

Drops file in System32 directory 3 IoCs

Processes:

1.exe

description	ioc	process
File created	C:\Windows\SysWOW64\svñhîst.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\svñhîst.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

296 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svñhîst.exe

pid process

1368 svñhîst.exe

pid	process
296	NOTEPAD.EXE

pid	process
1368	svñhîst.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

1.exesvñhîst.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1612	1.exe
Token: SeSecurityPrivilege	1612	1.exe
Token: SeTakeOwnershipPrivilege	1612	1.exe
Token: SeLoadDriverPrivilege	1612	1.exe
Token: SeSystemProfilePrivilege	1612	1.exe
Token: SeSystemtimePrivilege	1612	1.exe
Token: SeProfSingleProcessPrivilege	1612	1.exe
Token: SeIncBasePriorityPrivilege	1612	1.exe
Token: SeCreatePagefilePrivilege	1612	1.exe
Token: SeBackupPrivilege	1612	1.exe
Token: SeRestorePrivilege	1612	1.exe
Token: SeShutdownPrivilege	1612	1.exe
Token: SeDebugPrivilege	1612	1.exe
Token: SeSystemEnvironmentPrivilege	1612	1.exe
Token: SeChangeNotifyPrivilege	1612	1.exe
Token: SeRemoteShutdownPrivilege	1612	1.exe
Token: SeUndockPrivilege	1612	1.exe
Token: SeManageVolumePrivilege	1612	1.exe
Token: SeImpersonatePrivilege	1612	1.exe
Token: SeCreateGlobalPrivilege	1612	1.exe
Token: 33	1612	1.exe
Token: 34	1612	1.exe
Token: 35	1612	1.exe
Token: SeIncreaseQuotaPrivilege	1368	svñhîst.exe
Token: SeSecurityPrivilege	1368	svñhîst.exe
Token: SeTakeOwnershipPrivilege	1368	svñhîst.exe
Token: SeLoadDriverPrivilege	1368	svñhîst.exe
Token: SeSystemProfilePrivilege	1368	svñhîst.exe
Token: SeSystemtimePrivilege	1368	svñhîst.exe
Token: SeProfSingleProcessPrivilege	1368	svñhîst.exe
Token: SeIncBasePriorityPrivilege	1368	svñhîst.exe
Token: SeCreatePagefilePrivilege	1368	svñhîst.exe
Token: SeBackupPrivilege	1368	svñhîst.exe
Token: SeRestorePrivilege	1368	svñhîst.exe
Token: SeShutdownPrivilege	1368	svñhîst.exe
Token: SeDebugPrivilege	1368	svñhîst.exe
Token: SeSystemEnvironmentPrivilege	1368	svñhîst.exe
Token: SeChangeNotifyPrivilege	1368	svñhîst.exe
Token: SeRemoteShutdownPrivilege	1368	svñhîst.exe
Token: SeUndockPrivilege	1368	svñhîst.exe
Token: SeManageVolumePrivilege	1368	svñhîst.exe
Token: SeImpersonatePrivilege	1368	svñhîst.exe
Token: SeCreateGlobalPrivilege	1368	svñhîst.exe
Token: 33	1368	svñhîst.exe
Token: 34	1368	svñhîst.exe
Token: 35	1368	svñhîst.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svñhîst.exe

pid process

1368 svñhîst.exe

pid	process
1368	svñhîst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.execmd.exe2.exe1.execmd.exe

description	pid	process	target process
PID 1552 wrote to memory of 296	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	NOTEPAD.EXE
PID 1552 wrote to memory of 296	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	NOTEPAD.EXE
PID 1552 wrote to memory of 296	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	NOTEPAD.EXE
PID 1552 wrote to memory of 296	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	NOTEPAD.EXE
PID 1552 wrote to memory of 296	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	NOTEPAD.EXE
PID 1552 wrote to memory of 296	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	NOTEPAD.EXE
PID 1552 wrote to memory of 296	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	NOTEPAD.EXE
PID 1552 wrote to memory of 1420	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	cmd.exe
PID 1552 wrote to memory of 1420	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	cmd.exe
PID 1552 wrote to memory of 1420	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	cmd.exe
PID 1552 wrote to memory of 1420	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	cmd.exe
PID 1552 wrote to memory of 1420	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	cmd.exe
PID 1552 wrote to memory of 1420	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	cmd.exe
PID 1552 wrote to memory of 1420	1552	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	cmd.exe
PID 1420 wrote to memory of 936	1420	cmd.exe	2.exe
PID 1420 wrote to memory of 936	1420	cmd.exe	2.exe
PID 1420 wrote to memory of 936	1420	cmd.exe	2.exe
PID 1420 wrote to memory of 936	1420	cmd.exe	2.exe
PID 1420 wrote to memory of 936	1420	cmd.exe	2.exe
PID 1420 wrote to memory of 936	1420	cmd.exe	2.exe
PID 1420 wrote to memory of 936	1420	cmd.exe	2.exe
PID 936 wrote to memory of 1612	936	2.exe	1.exe
PID 936 wrote to memory of 1612	936	2.exe	1.exe
PID 936 wrote to memory of 1612	936	2.exe	1.exe
PID 936 wrote to memory of 1612	936	2.exe	1.exe
PID 936 wrote to memory of 1612	936	2.exe	1.exe
PID 936 wrote to memory of 1612	936	2.exe	1.exe
PID 936 wrote to memory of 1612	936	2.exe	1.exe
PID 1612 wrote to memory of 572	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 572	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 572	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 572	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 572	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 572	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 572	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 1076	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 1076	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 1076	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 1076	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 1076	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 1076	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 1076	1612	1.exe	cmd.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 1612 wrote to memory of 676	1612	1.exe	notepad.exe
PID 572 wrote to memory of 2016	572	cmd.exe	attrib.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

svñhîst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	svñhîst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	svñhîst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	svñhîst.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2016 attrib.exe

pid	process
2016	attrib.exe

C:\Users\Admin\AppData\Local\Temp\eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
"C:\Users\Admin\AppData\Local\Temp\eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\good.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    2.exe -p97135 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:572
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:676
    - - C:\Windows\SysWOW64\svñhîst.exe
        
        "C:\Windows\system32\svñhîst.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
33B

MD5
5b6bae6a6904f85436b1ab38dcc4a790

SHA1
c6556302d873217df621cdd5893424a61d72faae

SHA256
d3c84d033ac9e86c90b431fe9f71507d8ab1b8427f2f68688c1e771ea4cc3fa8

SHA512
987ff8fdd31434aae3629cb7fbb776e12f3ec3ac4855cb6715ed5f9e55984b9dcec5ffb0cd358961451037f17b42cc7103a0f240b0b16d16b726795464580e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
438KB

MD5
6f76c6d26dd252684163e0fb324d0a70

SHA1
3862a46eef009b5947c803b33c16f6fb3aa3a1e1

SHA256
d477d3daaa8f0f3d999c58602e24b1c1b1188eef9d206afaef314591798f019d

SHA512
59a7cf7e74ba545163b7a15b545d540d9d0c678100df1a92d9169762cbf5d9d6529464bfa1a4bc4d8fa9384e37bbea268e995942e8761bfd4d301ca7814f4eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
438KB

MD5
6f76c6d26dd252684163e0fb324d0a70

SHA1
3862a46eef009b5947c803b33c16f6fb3aa3a1e1

SHA256
d477d3daaa8f0f3d999c58602e24b1c1b1188eef9d206afaef314591798f019d

SHA512
59a7cf7e74ba545163b7a15b545d540d9d0c678100df1a92d9169762cbf5d9d6529464bfa1a4bc4d8fa9384e37bbea268e995942e8761bfd4d301ca7814f4eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\good.txt

Filesize
275KB

MD5
f5ed8cd6e8e25f702f41c768a91220b3

SHA1
c13ac128aac625beada1cdcb6e1f3aaa9d4c3e83

SHA256
e26206534d17d5798ccb1c61c5c54c4781e7cff18c26e0827a7f903aed697d02

SHA512
bfb27c9ee53f6094c28fc395b3fbc18b0c1450aad49fbc2aa51c7f14f756506a8c274423bf5b6a0768f76f3efde031b7f234b855c48c91049d0e1e5129e4c9c7

Download Submit
C:\Windows\SysWOW64\svñhîst.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
C:\Windows\SysWOW64\svñhîst.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
438KB

MD5
6f76c6d26dd252684163e0fb324d0a70

SHA1
3862a46eef009b5947c803b33c16f6fb3aa3a1e1

SHA256
d477d3daaa8f0f3d999c58602e24b1c1b1188eef9d206afaef314591798f019d

SHA512
59a7cf7e74ba545163b7a15b545d540d9d0c678100df1a92d9169762cbf5d9d6529464bfa1a4bc4d8fa9384e37bbea268e995942e8761bfd4d301ca7814f4eff

Download Submit
\Windows\SysWOW64\svñhîst.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
\Windows\SysWOW64\svñhîst.exe

Filesize
252KB

MD5
8c93362c2f3bb62ff4768aa86e268a21

SHA1
af4b3179219511d7d7c0f922bb8593dc79a18471

SHA256
974d004191160c6f7f5d1da0997e81f8987808f1b7e4d00ad3db19dcc126ae56

SHA512
98b0800cd0d47f3781c0c3a60b93392bdf6273038c5118bcf49fa58c51ea05b8e385855b8211037a31662d9a8b09eb4b0ee51f73700590e0f91be9b4054c54b1

Download Submit
memory/296-55-0x0000000000000000-mapping.dmp

Download
memory/572-75-0x0000000000000000-mapping.dmp

Download
memory/676-77-0x0000000000000000-mapping.dmp

Download
memory/936-63-0x0000000000000000-mapping.dmp

Download
memory/1076-76-0x0000000000000000-mapping.dmp

Download
memory/1276-91-0x0000000000000000-mapping.dmp

Download
memory/1368-90-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1368-85-0x0000000000000000-mapping.dmp

Download
memory/1368-94-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1420-57-0x0000000000000000-mapping.dmp

Download
memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1612-71-0x0000000000000000-mapping.dmp

Download
memory/1612-88-0x0000000005020000-0x00000000050D7000-memory.dmp

Filesize
732KB

Download
memory/1612-92-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2016-81-0x0000000000000000-mapping.dmp

Download