darkcomet | e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80

Analysis

max time kernel
151s
max time network
167s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
Size

611KB
MD5

5c898dd2bc147ffad06ac8362d13614c
SHA1

8f8fc1e81ee69b12a06e256d7f0cdceea54d25dd
SHA256

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80
SHA512

fcfb8dca28fe47b61f2b201ce160854a3c865aa0f049020a2e741df271772d3e0fd71ebb30fa85d2ad80bc3c0dc0c57183a977f5f4082afc4c240c9d6b06b650
SSDEEP

12288:LTqSnzWHA+m3S0fapaJehb2qTvxpGrLRRWDyw4tw+Unzyn6PPr:/qSn4mCSJS1v7GPUz4tYun6n

Score

10^/10

darkcomet guest16 evasion rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

192.168.1.7:1604

87.212.172.69:1604

rattedmyfriend.no-ip.biz:8003

Mutex

DC_MUTEX-E5UH45R

Attributes

gencode
61lo22hTYh4s
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\interpals.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\interpals.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\applaunch.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 2 IoCs

Processes:

Not crypted server.exeTRISTAN SERVER.EXE

pid process

1632 Not crypted server.exe
1504 TRISTAN SERVER.EXE

pid	process
1632	Not crypted server.exe
1504	TRISTAN SERVER.EXE

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1896-61-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1896-63-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1896-64-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1896-67-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1896-70-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1896-71-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1896-72-0x0000000000400000-0x000000000045D000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\Not crypted server.exe	upx
\Users\Admin\AppData\Local\Temp\Not crypted server.exe	upx
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe	upx
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe	upx
behavioral1/memory/1632-98-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral1/memory/1632-110-0x0000000000400000-0x000000000055B000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exeNot crypted server.exe

pid	process
780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
1632	Not crypted server.exe
1632	Not crypted server.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe

description	pid	process	target process
PID 780 set thread context of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1196 reg.exe
1724 reg.exe
468 reg.exe
1928 reg.exe

pid	process
1196	reg.exe
1724	reg.exe
468	reg.exe
1928	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

applaunch.exeNot crypted server.exeTRISTAN SERVER.EXE

description	pid	process
Token: 1	1896	applaunch.exe
Token: SeCreateTokenPrivilege	1896	applaunch.exe
Token: SeAssignPrimaryTokenPrivilege	1896	applaunch.exe
Token: SeLockMemoryPrivilege	1896	applaunch.exe
Token: SeIncreaseQuotaPrivilege	1896	applaunch.exe
Token: SeMachineAccountPrivilege	1896	applaunch.exe
Token: SeTcbPrivilege	1896	applaunch.exe
Token: SeSecurityPrivilege	1896	applaunch.exe
Token: SeTakeOwnershipPrivilege	1896	applaunch.exe
Token: SeLoadDriverPrivilege	1896	applaunch.exe
Token: SeSystemProfilePrivilege	1896	applaunch.exe
Token: SeSystemtimePrivilege	1896	applaunch.exe
Token: SeProfSingleProcessPrivilege	1896	applaunch.exe
Token: SeIncBasePriorityPrivilege	1896	applaunch.exe
Token: SeCreatePagefilePrivilege	1896	applaunch.exe
Token: SeCreatePermanentPrivilege	1896	applaunch.exe
Token: SeBackupPrivilege	1896	applaunch.exe
Token: SeRestorePrivilege	1896	applaunch.exe
Token: SeShutdownPrivilege	1896	applaunch.exe
Token: SeDebugPrivilege	1896	applaunch.exe
Token: SeAuditPrivilege	1896	applaunch.exe
Token: SeSystemEnvironmentPrivilege	1896	applaunch.exe
Token: SeChangeNotifyPrivilege	1896	applaunch.exe
Token: SeRemoteShutdownPrivilege	1896	applaunch.exe
Token: SeUndockPrivilege	1896	applaunch.exe
Token: SeSyncAgentPrivilege	1896	applaunch.exe
Token: SeEnableDelegationPrivilege	1896	applaunch.exe
Token: SeManageVolumePrivilege	1896	applaunch.exe
Token: SeImpersonatePrivilege	1896	applaunch.exe
Token: SeCreateGlobalPrivilege	1896	applaunch.exe
Token: 31	1896	applaunch.exe
Token: 32	1896	applaunch.exe
Token: 33	1896	applaunch.exe
Token: 34	1896	applaunch.exe
Token: 35	1896	applaunch.exe
Token: SeIncreaseQuotaPrivilege	1632	Not crypted server.exe
Token: SeSecurityPrivilege	1632	Not crypted server.exe
Token: SeTakeOwnershipPrivilege	1632	Not crypted server.exe
Token: SeLoadDriverPrivilege	1632	Not crypted server.exe
Token: SeSystemProfilePrivilege	1632	Not crypted server.exe
Token: SeSystemtimePrivilege	1632	Not crypted server.exe
Token: SeProfSingleProcessPrivilege	1632	Not crypted server.exe
Token: SeIncBasePriorityPrivilege	1632	Not crypted server.exe
Token: SeCreatePagefilePrivilege	1632	Not crypted server.exe
Token: SeBackupPrivilege	1632	Not crypted server.exe
Token: SeRestorePrivilege	1632	Not crypted server.exe
Token: SeShutdownPrivilege	1632	Not crypted server.exe
Token: SeDebugPrivilege	1632	Not crypted server.exe
Token: SeSystemEnvironmentPrivilege	1632	Not crypted server.exe
Token: SeChangeNotifyPrivilege	1632	Not crypted server.exe
Token: SeRemoteShutdownPrivilege	1632	Not crypted server.exe
Token: SeUndockPrivilege	1632	Not crypted server.exe
Token: SeManageVolumePrivilege	1632	Not crypted server.exe
Token: SeImpersonatePrivilege	1632	Not crypted server.exe
Token: SeCreateGlobalPrivilege	1632	Not crypted server.exe
Token: 33	1632	Not crypted server.exe
Token: 34	1632	Not crypted server.exe
Token: 35	1632	Not crypted server.exe
Token: SeIncreaseQuotaPrivilege	1504	TRISTAN SERVER.EXE
Token: SeSecurityPrivilege	1504	TRISTAN SERVER.EXE
Token: SeTakeOwnershipPrivilege	1504	TRISTAN SERVER.EXE
Token: SeLoadDriverPrivilege	1504	TRISTAN SERVER.EXE
Token: SeSystemProfilePrivilege	1504	TRISTAN SERVER.EXE
Token: SeSystemtimePrivilege	1504	TRISTAN SERVER.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

applaunch.exeTRISTAN SERVER.EXENot crypted server.exe

pid process

1896 applaunch.exe
1896 applaunch.exe
1896 applaunch.exe
1504 TRISTAN SERVER.EXE
1632 Not crypted server.exe

pid	process
1896	applaunch.exe
1896	applaunch.exe
1896	applaunch.exe
1504	TRISTAN SERVER.EXE
1632	Not crypted server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exeapplaunch.execmd.execmd.execmd.exe

description	pid	process	target process
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 1896	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 780 wrote to memory of 940	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	WScript.exe
PID 780 wrote to memory of 940	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	WScript.exe
PID 780 wrote to memory of 940	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	WScript.exe
PID 780 wrote to memory of 940	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	WScript.exe
PID 780 wrote to memory of 1632	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	Not crypted server.exe
PID 780 wrote to memory of 1632	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	Not crypted server.exe
PID 780 wrote to memory of 1632	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	Not crypted server.exe
PID 780 wrote to memory of 1632	780	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	Not crypted server.exe
PID 1896 wrote to memory of 1704	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1704	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1704	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1704	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1704	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1704	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1704	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1752	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1752	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1752	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1752	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1752	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1752	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1752	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1688	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1688	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1688	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1688	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1688	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1688	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 1688	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 2044	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 2044	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 2044	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 2044	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 2044	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 2044	1896	applaunch.exe	cmd.exe
PID 1896 wrote to memory of 2044	1896	applaunch.exe	cmd.exe
PID 1704 wrote to memory of 1724	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 1724	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 1724	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 1724	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 1724	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 1724	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 1724	1704	cmd.exe	reg.exe
PID 1752 wrote to memory of 1196	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1196	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1196	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1196	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1196	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1196	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1196	1752	cmd.exe	reg.exe
PID 1688 wrote to memory of 1928	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1928	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1928	1688	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
"C:\Users\Admin\AppData\Local\Temp\e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\interpals.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\interpals.exe:*:Enabled:Windows Messanger" /f
3⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\interpals.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\interpals.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:468

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1196

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cwKCo.vbs"
2⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe
"C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE
"C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe
Filesize
419KB

MD5
108c042c7a7d40744942dad445481774

SHA1
4a03259aa4599c027f12da0d3379216496ef0655

SHA256
ee31c8618d31624797b5a6c29e4ee9ffd466239c05bb966cb6ed597ae04a47bb

SHA512
c63950e78aed06bc175aff38a12d692ab2cdf6409d17fa08a6f8c5b3b1036d14d1f04c4bf6625d9bdca31dda725e6743f4e1c509d10202822a981a2edae39a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe
Filesize
419KB

MD5
108c042c7a7d40744942dad445481774

SHA1
4a03259aa4599c027f12da0d3379216496ef0655

SHA256
ee31c8618d31624797b5a6c29e4ee9ffd466239c05bb966cb6ed597ae04a47bb

SHA512
c63950e78aed06bc175aff38a12d692ab2cdf6409d17fa08a6f8c5b3b1036d14d1f04c4bf6625d9bdca31dda725e6743f4e1c509d10202822a981a2edae39a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE
Filesize
658KB

MD5
90050eb20b33f4f0155a98008aee0bf7

SHA1
3047729097f0979e87b1403333c384ae4e5c645c

SHA256
b10d168ed95926c7da49dc2937e40886d7c2dddd347312f0ec9be2ca8b146f60

SHA512
80c7c98b0cd26e405c38ede33426fb47ffe2dd01d810a79860fce7b646d330c179f4a45386070a6fc374e10c23a056b607f39bc64a615cb87a94112cd2a53efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE
Filesize
658KB

MD5
90050eb20b33f4f0155a98008aee0bf7

SHA1
3047729097f0979e87b1403333c384ae4e5c645c

SHA256
b10d168ed95926c7da49dc2937e40886d7c2dddd347312f0ec9be2ca8b146f60

SHA512
80c7c98b0cd26e405c38ede33426fb47ffe2dd01d810a79860fce7b646d330c179f4a45386070a6fc374e10c23a056b607f39bc64a615cb87a94112cd2a53efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwKCo.vbs
Filesize
394B

MD5
f52500f8ed2a5563b54286f1127195a4

SHA1
ce3615fffedcad20d348e7a501f68f61c8da186b

SHA256
1e4f06a679a3fac8a4b667bad3a4b3a728cc611f2db9988e85ca6f9acded8104

SHA512
e94ee1d6c6d00c873f8f73b4b7acb1b3e95a3278f08851465d32ce560bb29cc158b0e861b57045fb14c25e1d273c3426f976edf3398153517e586b9ea3d8d9ab

Download Submit
\Users\Admin\AppData\Local\Temp\Not crypted server.exe
Filesize
419KB

MD5
108c042c7a7d40744942dad445481774

SHA1
4a03259aa4599c027f12da0d3379216496ef0655

SHA256
ee31c8618d31624797b5a6c29e4ee9ffd466239c05bb966cb6ed597ae04a47bb

SHA512
c63950e78aed06bc175aff38a12d692ab2cdf6409d17fa08a6f8c5b3b1036d14d1f04c4bf6625d9bdca31dda725e6743f4e1c509d10202822a981a2edae39a5f

Download Submit
\Users\Admin\AppData\Local\Temp\Not crypted server.exe
Filesize
419KB

MD5
108c042c7a7d40744942dad445481774

SHA1
4a03259aa4599c027f12da0d3379216496ef0655

SHA256
ee31c8618d31624797b5a6c29e4ee9ffd466239c05bb966cb6ed597ae04a47bb

SHA512
c63950e78aed06bc175aff38a12d692ab2cdf6409d17fa08a6f8c5b3b1036d14d1f04c4bf6625d9bdca31dda725e6743f4e1c509d10202822a981a2edae39a5f

Download Submit
\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE
Filesize
658KB

MD5
90050eb20b33f4f0155a98008aee0bf7

SHA1
3047729097f0979e87b1403333c384ae4e5c645c

SHA256
b10d168ed95926c7da49dc2937e40886d7c2dddd347312f0ec9be2ca8b146f60

SHA512
80c7c98b0cd26e405c38ede33426fb47ffe2dd01d810a79860fce7b646d330c179f4a45386070a6fc374e10c23a056b607f39bc64a615cb87a94112cd2a53efe

Download Submit
\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE
Filesize
658KB

MD5
90050eb20b33f4f0155a98008aee0bf7

SHA1
3047729097f0979e87b1403333c384ae4e5c645c

SHA256
b10d168ed95926c7da49dc2937e40886d7c2dddd347312f0ec9be2ca8b146f60

SHA512
80c7c98b0cd26e405c38ede33426fb47ffe2dd01d810a79860fce7b646d330c179f4a45386070a6fc374e10c23a056b607f39bc64a615cb87a94112cd2a53efe

Download Submit
memory/468-97-0x0000000000000000-mapping.dmp

Download
memory/780-56-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/780-57-0x0000000004F55000-0x0000000004F66000-memory.dmp

Filesize
68KB

Download
memory/780-55-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/780-54-0x0000000000230000-0x00000000002D2000-memory.dmp

Filesize
648KB

Download
memory/780-59-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/780-58-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/940-76-0x0000000000000000-mapping.dmp

Download
memory/1196-95-0x0000000000000000-mapping.dmp

Download
memory/1504-105-0x0000000000000000-mapping.dmp

Download
memory/1632-79-0x0000000000000000-mapping.dmp

Download
memory/1632-110-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1632-98-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1688-86-0x0000000000000000-mapping.dmp

Download
memory/1704-82-0x0000000000000000-mapping.dmp

Download
memory/1724-94-0x0000000000000000-mapping.dmp

Download
memory/1752-84-0x0000000000000000-mapping.dmp

Download
memory/1896-64-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1896-93-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/1896-72-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1896-71-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1896-70-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1896-67-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1896-65-0x000000000045BC90-mapping.dmp

Download
memory/1896-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1896-61-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1896-109-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/1896-60-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1928-96-0x0000000000000000-mapping.dmp

Download
memory/2044-87-0x0000000000000000-mapping.dmp

Download