darkcomet | eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exe
Size

4.9MB
MD5

0f1c2db4971cb37da97ed6dff6f071b8
SHA1

1a11434db84ab8189cca0e73c439ed862de17df0
SHA256

eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4
SHA512

7797adf05623c865710681f0b4572dbd39e30c996dbfe959b732c07fe646fc829c7004f94ff8884c1687b98863b84bb3c04573a87d95d9a627777c8f6a21d8fd
SSDEEP

49152:TWpFbzP8NKERLbzZAbS+r8StQmMqRSYtPZOpiz+13zcQWQY0JxX3Sr:

Score

10^/10

darkcomet hawkeye evasion keylogger persistence rat spyware stealer trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audidgi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	audidgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe"	audidgi.exe

Executes dropped EXE 6 IoCs

Processes:

HMA-Pro-VPN-2.6.6-install.exeshit1.exesvchost.exeaudidgi.exeWmiPrwSE.exeWmiPrwSE.exe

pid process

2660 HMA-Pro-VPN-2.6.6-install.exe
1752 shit1.exe
260 svchost.exe
2604 audidgi.exe
4272 WmiPrwSE.exe
2220 WmiPrwSE.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1412 attrib.exe

pid	process
1412	attrib.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2220-155-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2220-157-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2220-158-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2220-160-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2220-159-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exeshit1.exeWmiPrwSE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	shit1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WmiPrwSE.exe

Loads dropped DLL 5 IoCs

Processes:

HMA-Pro-VPN-2.6.6-install.exe

pid	process
2660	HMA-Pro-VPN-2.6.6-install.exe
2660	HMA-Pro-VPN-2.6.6-install.exe
2660	HMA-Pro-VPN-2.6.6-install.exe
2660	HMA-Pro-VPN-2.6.6-install.exe
2660	HMA-Pro-VPN-2.6.6-install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audidgi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audidgi.exe"	audidgi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

WmiPrwSE.exe

description pid process target process

PID 4272 set thread context of 2220 4272 WmiPrwSE.exe WmiPrwSE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4272 set thread context of 2220	4272	WmiPrwSE.exe	WmiPrwSE.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HMA-Pro-VPN-2.6.6-install.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\HMA-Pro-VPN-2.6.6-install.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\HMA-Pro-VPN-2.6.6-install.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\HMA-Pro-VPN-2.6.6-install.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeaudidgi.exeWmiPrwSE.exe

pid	process
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
4272	WmiPrwSE.exe
4272	WmiPrwSE.exe
4272	WmiPrwSE.exe
4272	WmiPrwSE.exe
4272	WmiPrwSE.exe
4272	WmiPrwSE.exe
4272	WmiPrwSE.exe
4272	WmiPrwSE.exe
4272	WmiPrwSE.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe
260	svchost.exe
4272	WmiPrwSE.exe
2604	audidgi.exe
260	svchost.exe
2604	audidgi.exe
4272	WmiPrwSE.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

shit1.exesvchost.exeaudidgi.exeWmiPrwSE.exeWmiPrwSE.exe

description	pid	process
Token: SeDebugPrivilege	1752	shit1.exe
Token: SeDebugPrivilege	260	svchost.exe
Token: SeDebugPrivilege	2604	audidgi.exe
Token: SeDebugPrivilege	4272	WmiPrwSE.exe
Token: SeIncreaseQuotaPrivilege	2220	WmiPrwSE.exe
Token: SeSecurityPrivilege	2220	WmiPrwSE.exe
Token: SeTakeOwnershipPrivilege	2220	WmiPrwSE.exe
Token: SeLoadDriverPrivilege	2220	WmiPrwSE.exe
Token: SeSystemProfilePrivilege	2220	WmiPrwSE.exe
Token: SeSystemtimePrivilege	2220	WmiPrwSE.exe
Token: SeProfSingleProcessPrivilege	2220	WmiPrwSE.exe
Token: SeIncBasePriorityPrivilege	2220	WmiPrwSE.exe
Token: SeCreatePagefilePrivilege	2220	WmiPrwSE.exe
Token: SeBackupPrivilege	2220	WmiPrwSE.exe
Token: SeRestorePrivilege	2220	WmiPrwSE.exe
Token: SeShutdownPrivilege	2220	WmiPrwSE.exe
Token: SeDebugPrivilege	2220	WmiPrwSE.exe
Token: SeSystemEnvironmentPrivilege	2220	WmiPrwSE.exe
Token: SeChangeNotifyPrivilege	2220	WmiPrwSE.exe
Token: SeRemoteShutdownPrivilege	2220	WmiPrwSE.exe
Token: SeUndockPrivilege	2220	WmiPrwSE.exe
Token: SeManageVolumePrivilege	2220	WmiPrwSE.exe
Token: SeImpersonatePrivilege	2220	WmiPrwSE.exe
Token: SeCreateGlobalPrivilege	2220	WmiPrwSE.exe
Token: 33	2220	WmiPrwSE.exe
Token: 34	2220	WmiPrwSE.exe
Token: 35	2220	WmiPrwSE.exe
Token: 36	2220	WmiPrwSE.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WmiPrwSE.exe

pid process

2220 WmiPrwSE.exe

pid	process
2220	WmiPrwSE.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exeshit1.exesvchost.exeaudidgi.exeWmiPrwSE.exeWmiPrwSE.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 2660	2016	eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exe	HMA-Pro-VPN-2.6.6-install.exe
PID 2016 wrote to memory of 2660	2016	eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exe	HMA-Pro-VPN-2.6.6-install.exe
PID 2016 wrote to memory of 2660	2016	eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exe	HMA-Pro-VPN-2.6.6-install.exe
PID 2016 wrote to memory of 1752	2016	eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exe	shit1.exe
PID 2016 wrote to memory of 1752	2016	eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exe	shit1.exe
PID 2016 wrote to memory of 1752	2016	eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exe	shit1.exe
PID 1752 wrote to memory of 260	1752	shit1.exe	svchost.exe
PID 1752 wrote to memory of 260	1752	shit1.exe	svchost.exe
PID 1752 wrote to memory of 260	1752	shit1.exe	svchost.exe
PID 260 wrote to memory of 956	260	svchost.exe	svchost.exe
PID 260 wrote to memory of 956	260	svchost.exe	svchost.exe
PID 260 wrote to memory of 956	260	svchost.exe	svchost.exe
PID 260 wrote to memory of 2604	260	svchost.exe	audidgi.exe
PID 260 wrote to memory of 2604	260	svchost.exe	audidgi.exe
PID 260 wrote to memory of 2604	260	svchost.exe	audidgi.exe
PID 2604 wrote to memory of 4272	2604	audidgi.exe	WmiPrwSE.exe
PID 2604 wrote to memory of 4272	2604	audidgi.exe	WmiPrwSE.exe
PID 2604 wrote to memory of 4272	2604	audidgi.exe	WmiPrwSE.exe
PID 4272 wrote to memory of 2220	4272	WmiPrwSE.exe	WmiPrwSE.exe
PID 4272 wrote to memory of 2220	4272	WmiPrwSE.exe	WmiPrwSE.exe
PID 4272 wrote to memory of 2220	4272	WmiPrwSE.exe	WmiPrwSE.exe
PID 4272 wrote to memory of 2220	4272	WmiPrwSE.exe	WmiPrwSE.exe
PID 4272 wrote to memory of 2220	4272	WmiPrwSE.exe	WmiPrwSE.exe
PID 4272 wrote to memory of 2220	4272	WmiPrwSE.exe	WmiPrwSE.exe
PID 4272 wrote to memory of 2220	4272	WmiPrwSE.exe	WmiPrwSE.exe
PID 4272 wrote to memory of 2220	4272	WmiPrwSE.exe	WmiPrwSE.exe
PID 2220 wrote to memory of 3376	2220	WmiPrwSE.exe	cmd.exe
PID 2220 wrote to memory of 3376	2220	WmiPrwSE.exe	cmd.exe
PID 2220 wrote to memory of 3376	2220	WmiPrwSE.exe	cmd.exe
PID 3376 wrote to memory of 1412	3376	cmd.exe	attrib.exe
PID 3376 wrote to memory of 1412	3376	cmd.exe	attrib.exe
PID 3376 wrote to memory of 1412	3376	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1412 attrib.exe

pid	process
1412	attrib.exe

C:\Users\Admin\AppData\Local\Temp\eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exe
"C:\Users\Admin\AppData\Local\Temp\eefb7e6f07e9cc6b7a631250a9832a73d3341a5cd89a8c1a979ef9621c682de4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\HMA-Pro-VPN-2.6.6-install.exe
"C:\Users\Admin\AppData\Local\Temp\HMA-Pro-VPN-2.6.6-install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660

C:\Users\Admin\AppData\Local\Temp\shit1.exe
"C:\Users\Admin\AppData\Local\Temp\shit1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:260

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe" +s +h
7⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe" +s +h
8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HMA-Pro-VPN-2.6.6-install.exe
Filesize
3.3MB

MD5
c71ec4e7e42f810231ffaf2643484ecd

SHA1
dca40605bc151e66d6e4defb29aef1d2ced08b23

SHA256
1bc6921b6cd30f7df4a8d66014d7b10aa3f6d1ae33135fd60761e595a1539da3

SHA512
b6785786603531e023a1025a5c82056c17516c37d742136abe63c526e1b8da7b416b786b209f14f2d493500f3fc45f69814cb0a8af91e98eb67d02ebc5a0f160

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMA-Pro-VPN-2.6.6-install.exe
Filesize
3.3MB

MD5
c71ec4e7e42f810231ffaf2643484ecd

SHA1
dca40605bc151e66d6e4defb29aef1d2ced08b23

SHA256
1bc6921b6cd30f7df4a8d66014d7b10aa3f6d1ae33135fd60761e595a1539da3

SHA512
b6785786603531e023a1025a5c82056c17516c37d742136abe63c526e1b8da7b416b786b209f14f2d493500f3fc45f69814cb0a8af91e98eb67d02ebc5a0f160

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
43B

MD5
b0286a1c04471719f24882f7ed58fd57

SHA1
7551ded53321d4a3b7a79a806881464ffef2495f

SHA256
698a4c31ef1fcbb33b9138c0da62cc91771e03610170dcabbfc983fb30e2626d

SHA512
1892d5703c8326b7ae56c6c5935fcbf83adbe0c586cb1fa9b61e10144e251aa1cacdfcb6be42261855b58bfe401ac3cadfbf4a796fe7fa2d606a177574aaf5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
Filesize
282KB

MD5
777832f3251ed4ada9f6ba4f63ac82c5

SHA1
4f15d60c9139150376683cd940d590432980dd07

SHA256
85f366402734f34f39c1e759d56ce9365a2e59d77708ef70f3ade4c5f601a9d1

SHA512
8ba6d92d654312d9c322cd42be987c90ac2de28b3890989eabc8f59e9b207beb1eb1de8dc3d5e066d2dc33826e22b8338d1bd8a15463519180ee40f11c21d7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
Filesize
282KB

MD5
777832f3251ed4ada9f6ba4f63ac82c5

SHA1
4f15d60c9139150376683cd940d590432980dd07

SHA256
85f366402734f34f39c1e759d56ce9365a2e59d77708ef70f3ade4c5f601a9d1

SHA512
8ba6d92d654312d9c322cd42be987c90ac2de28b3890989eabc8f59e9b207beb1eb1de8dc3d5e066d2dc33826e22b8338d1bd8a15463519180ee40f11c21d7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
Filesize
282KB

MD5
777832f3251ed4ada9f6ba4f63ac82c5

SHA1
4f15d60c9139150376683cd940d590432980dd07

SHA256
85f366402734f34f39c1e759d56ce9365a2e59d77708ef70f3ade4c5f601a9d1

SHA512
8ba6d92d654312d9c322cd42be987c90ac2de28b3890989eabc8f59e9b207beb1eb1de8dc3d5e066d2dc33826e22b8338d1bd8a15463519180ee40f11c21d7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
Filesize
8KB

MD5
514efe550078fbedb88e23774742e295

SHA1
971bcc5648e1a70ef6a9a7c909663d2e01a31473

SHA256
673528eae87d1f48f9a8238de868e8f44aa92575744259a7a3e8b5ac34ca9ca2

SHA512
b952bd54f348b7d39b1a2f2a322068d31a4837988aceb09821bd6f54216f79f356868497b44f17e060e3fc6c5b130caaf247a64dc0bb49569ba4b8472cf34451

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
Filesize
8KB

MD5
514efe550078fbedb88e23774742e295

SHA1
971bcc5648e1a70ef6a9a7c909663d2e01a31473

SHA256
673528eae87d1f48f9a8238de868e8f44aa92575744259a7a3e8b5ac34ca9ca2

SHA512
b952bd54f348b7d39b1a2f2a322068d31a4837988aceb09821bd6f54216f79f356868497b44f17e060e3fc6c5b130caaf247a64dc0bb49569ba4b8472cf34451

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA51F.tmp\InstallOptions.dll
Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA51F.tmp\InstallOptions.dll
Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA51F.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA51F.tmp\UserInfo.dll
Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA51F.tmp\UserInfo.dll
Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\shit1.exe
Filesize
282KB

MD5
777832f3251ed4ada9f6ba4f63ac82c5

SHA1
4f15d60c9139150376683cd940d590432980dd07

SHA256
85f366402734f34f39c1e759d56ce9365a2e59d77708ef70f3ade4c5f601a9d1

SHA512
8ba6d92d654312d9c322cd42be987c90ac2de28b3890989eabc8f59e9b207beb1eb1de8dc3d5e066d2dc33826e22b8338d1bd8a15463519180ee40f11c21d7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\shit1.exe
Filesize
282KB

MD5
777832f3251ed4ada9f6ba4f63ac82c5

SHA1
4f15d60c9139150376683cd940d590432980dd07

SHA256
85f366402734f34f39c1e759d56ce9365a2e59d77708ef70f3ade4c5f601a9d1

SHA512
8ba6d92d654312d9c322cd42be987c90ac2de28b3890989eabc8f59e9b207beb1eb1de8dc3d5e066d2dc33826e22b8338d1bd8a15463519180ee40f11c21d7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
282KB

MD5
777832f3251ed4ada9f6ba4f63ac82c5

SHA1
4f15d60c9139150376683cd940d590432980dd07

SHA256
85f366402734f34f39c1e759d56ce9365a2e59d77708ef70f3ade4c5f601a9d1

SHA512
8ba6d92d654312d9c322cd42be987c90ac2de28b3890989eabc8f59e9b207beb1eb1de8dc3d5e066d2dc33826e22b8338d1bd8a15463519180ee40f11c21d7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
282KB

MD5
777832f3251ed4ada9f6ba4f63ac82c5

SHA1
4f15d60c9139150376683cd940d590432980dd07

SHA256
85f366402734f34f39c1e759d56ce9365a2e59d77708ef70f3ade4c5f601a9d1

SHA512
8ba6d92d654312d9c322cd42be987c90ac2de28b3890989eabc8f59e9b207beb1eb1de8dc3d5e066d2dc33826e22b8338d1bd8a15463519180ee40f11c21d7a2

Download Submit
memory/260-147-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/260-170-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/260-141-0x0000000000000000-mapping.dmp

Download
memory/956-149-0x0000000000000000-mapping.dmp

Download
memory/1412-164-0x0000000000000000-mapping.dmp

Download
memory/1752-146-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/1752-169-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/1752-135-0x0000000000000000-mapping.dmp

Download
memory/2016-132-0x000000001BC70000-0x000000001C6A6000-memory.dmp

Filesize
10.2MB

Download
memory/2220-155-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-157-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-158-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-160-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-159-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-154-0x0000000000000000-mapping.dmp

Download
memory/2604-171-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/2604-150-0x0000000000000000-mapping.dmp

Download
memory/2604-161-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/2660-168-0x0000000002891000-0x0000000002893000-memory.dmp

Filesize
8KB

Download
memory/2660-133-0x0000000000000000-mapping.dmp

Download
memory/3376-163-0x0000000000000000-mapping.dmp

Download
memory/4272-152-0x0000000000000000-mapping.dmp

Download
memory/4272-162-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/4272-172-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download