darkcomet | 22e423eafb3a09cd1ebdaaf74d56d417ff15014411584ca7776037c816a94c8c

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
Size

929KB
MD5

68006a92b725e68495a759e120ad3a1f
SHA1

eaff3532840cae88f54fc30f0daa986cac326baf
SHA256

22e423eafb3a09cd1ebdaaf74d56d417ff15014411584ca7776037c816a94c8c
SHA512

a7739feb56c989c4e4ad473837c3e4059a7101d7fe50841392f5f02be76f6baa6350fb8a92c4bf5cfbd17080b8f2461665ece527accbf9db8b0ac4d02b3b8199
SSDEEP

24576:wY7GkZo8KDevbwZqyXRg6JCauMbZVjIwCzCZS:woZ2DYbCNXtJCCbZVjAH

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

itzforfun.no-ip.biz:80

Mutex

DC_MUTEX-UPLW39X

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
jyQHwifnNlFy
install
true
offline_keylogger
true
password
0123456789
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\jXclKGCk.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

2000 msdcsc.exe
Loads dropped DLL 1 IoCs

Processes:

vbc.exe

pid process

1012 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2000	msdcsc.exe

pid	process
1012	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exevbc.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jXclKGCk.exe"	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe

description	pid	process	target process
PID 1300 set thread context of 2584	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 2584 set thread context of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 set thread context of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe

pid	process
2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

548 vbc.exe

pid	process
548	vbc.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1012	vbc.exe
Token: SeSecurityPrivilege	1012	vbc.exe
Token: SeTakeOwnershipPrivilege	1012	vbc.exe
Token: SeLoadDriverPrivilege	1012	vbc.exe
Token: SeSystemProfilePrivilege	1012	vbc.exe
Token: SeSystemtimePrivilege	1012	vbc.exe
Token: SeProfSingleProcessPrivilege	1012	vbc.exe
Token: SeIncBasePriorityPrivilege	1012	vbc.exe
Token: SeCreatePagefilePrivilege	1012	vbc.exe
Token: SeBackupPrivilege	1012	vbc.exe
Token: SeRestorePrivilege	1012	vbc.exe
Token: SeShutdownPrivilege	1012	vbc.exe
Token: SeDebugPrivilege	1012	vbc.exe
Token: SeSystemEnvironmentPrivilege	1012	vbc.exe
Token: SeChangeNotifyPrivilege	1012	vbc.exe
Token: SeRemoteShutdownPrivilege	1012	vbc.exe
Token: SeUndockPrivilege	1012	vbc.exe
Token: SeManageVolumePrivilege	1012	vbc.exe
Token: SeImpersonatePrivilege	1012	vbc.exe
Token: SeCreateGlobalPrivilege	1012	vbc.exe
Token: 33	1012	vbc.exe
Token: 34	1012	vbc.exe
Token: 35	1012	vbc.exe
Token: SeIncreaseQuotaPrivilege	548	vbc.exe
Token: SeSecurityPrivilege	548	vbc.exe
Token: SeTakeOwnershipPrivilege	548	vbc.exe
Token: SeLoadDriverPrivilege	548	vbc.exe
Token: SeSystemProfilePrivilege	548	vbc.exe
Token: SeSystemtimePrivilege	548	vbc.exe
Token: SeProfSingleProcessPrivilege	548	vbc.exe
Token: SeIncBasePriorityPrivilege	548	vbc.exe
Token: SeCreatePagefilePrivilege	548	vbc.exe
Token: SeBackupPrivilege	548	vbc.exe
Token: SeRestorePrivilege	548	vbc.exe
Token: SeShutdownPrivilege	548	vbc.exe
Token: SeDebugPrivilege	548	vbc.exe
Token: SeSystemEnvironmentPrivilege	548	vbc.exe
Token: SeChangeNotifyPrivilege	548	vbc.exe
Token: SeRemoteShutdownPrivilege	548	vbc.exe
Token: SeUndockPrivilege	548	vbc.exe
Token: SeManageVolumePrivilege	548	vbc.exe
Token: SeImpersonatePrivilege	548	vbc.exe
Token: SeCreateGlobalPrivilege	548	vbc.exe
Token: 33	548	vbc.exe
Token: 34	548	vbc.exe
Token: 35	548	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

548 vbc.exe

pid	process
548	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.execsc.exe68006a92b725e68495a759e120ad3a1f_JaffaCakes118.execsc.execmd.exevbc.exevbc.exe

description	pid	process	target process
PID 1300 wrote to memory of 2916	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 1300 wrote to memory of 2916	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 1300 wrote to memory of 2916	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 1300 wrote to memory of 2916	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 2916 wrote to memory of 2568	2916	csc.exe	cvtres.exe
PID 2916 wrote to memory of 2568	2916	csc.exe	cvtres.exe
PID 2916 wrote to memory of 2568	2916	csc.exe	cvtres.exe
PID 2916 wrote to memory of 2568	2916	csc.exe	cvtres.exe
PID 1300 wrote to memory of 2584	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1300 wrote to memory of 2584	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1300 wrote to memory of 2584	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1300 wrote to memory of 2584	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1300 wrote to memory of 2584	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1300 wrote to memory of 2584	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1300 wrote to memory of 2584	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1300 wrote to memory of 2584	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1300 wrote to memory of 2584	1300	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 2584 wrote to memory of 568	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 2584 wrote to memory of 568	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 2584 wrote to memory of 568	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 2584 wrote to memory of 568	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 568 wrote to memory of 1512	568	csc.exe	cvtres.exe
PID 568 wrote to memory of 1512	568	csc.exe	cvtres.exe
PID 568 wrote to memory of 1512	568	csc.exe	cvtres.exe
PID 568 wrote to memory of 1512	568	csc.exe	cvtres.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1012	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 1160	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	cmd.exe
PID 2584 wrote to memory of 1160	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	cmd.exe
PID 2584 wrote to memory of 1160	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	cmd.exe
PID 2584 wrote to memory of 1160	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	cmd.exe
PID 1160 wrote to memory of 1800	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1800	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1800	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1800	1160	cmd.exe	reg.exe
PID 1012 wrote to memory of 2000	1012	vbc.exe	msdcsc.exe
PID 1012 wrote to memory of 2000	1012	vbc.exe	msdcsc.exe
PID 1012 wrote to memory of 2000	1012	vbc.exe	msdcsc.exe
PID 1012 wrote to memory of 2000	1012	vbc.exe	msdcsc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 2584 wrote to memory of 548	2584	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 548 wrote to memory of 684	548	vbc.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qjhuwk6m.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9609.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC95F9.tmp"
3⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vqu9tp4g.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0C3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA0B2.tmp"
4⤵
PID:1512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Executes dropped EXE
PID:2000

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\jXclKGCk.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\jXclKGCk.exe"
4⤵
- Modifies WinLogon for persistence
PID:1800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3c7c505f6f4b6ca5973e561ae871aabe

SHA1
4fac6e60fd7282928c048b353cc3466bd45a7cf3

SHA256
aa7302ebf70070407dc64a6152bce0960099a9bea70821d249608e2674a14600

SHA512
3e35bc4c74fed62c451728da5281d53dbb7395eb6912bf3175d33baa4147a35af095855c4b8c439264a8986f942feba1c2c3af5eb990543cdba467cc16bbfd7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9991.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9609.tmp
Filesize
1KB

MD5
d83491981c56d3366d454a45d89dfe7e

SHA1
512c567f94e3e4d65403ef451242f1cc5fbdac27

SHA256
596cc294d09f552c575a14db9cf6be5bf967454c2a581d09366c8346b92fa0b3

SHA512
3c85e8f119c115f3d203a17592d5f3d28264b59df1dc9c85bef01d6fc1bd362e35cd7135640827c682e4af58c609ac90f75ff9cf2aee3e259ffe4cbf3a91dd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA0C3.tmp
Filesize
1KB

MD5
a16e60d068aca4c06894215fef3f2241

SHA1
3260bdbb1b4dc2c9162c4b67736af57a36a88a99

SHA256
252ee98d5280712ad756e91993941ac47585a4359c16e24a28424ad437a04048

SHA512
7d1d32688e3eeae2f4854da2ff4dc146f9545a597663577892d5b90982aed1a7b51672552a75a1f67134862dda9fa1b5d9d0ac9eb887bcded71b170e9dc10a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F5E.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjhuwk6m.dll
Filesize
1.8MB

MD5
d2b1b405fd319b6a1c528d0badbc6ed1

SHA1
84430e9bea484918fc790cb5930d3bb54a8f965a

SHA256
d34e9d2523d444bca9de5a919acb4049e2e281c6e1448d1573ee715b7c5f0228

SHA512
0f1a33c46e0199622f22724d587652066ab3754d69ecba1cbb6403fabc52a31ee00738a2eaa0cb7692685599aba0b0ca2a514ea4475ef5bc8d03cc2c22f5509f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqu9tp4g.dll
Filesize
1.3MB

MD5
ed4faea4f6550924a9e9cfc723f4857b

SHA1
12b3e87309b9e4965e3d4535e3d5a778240afd5f

SHA256
7e5f9937cc8219925559b86d02e4abca759abf78805f9b12c460a1487afa22d1

SHA512
0d9ae239b640e20a58f04517e3e55f4ef88a0fd5d60a81120703e29e0b7abb70b608b6ed9449ffda7617aa5079c12f8e9ced5371713b1cff2cebb6d7f88702c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC95F9.tmp
Filesize
652B

MD5
d46ed29e78631ecebb5dde563a059b25

SHA1
976f0a32e26f4d346d5af7fac47a123f57327b0f

SHA256
47f94f6cc7f7c44c0dc3153f7d3946a89735bedd2c7ec3ceb32ebd8a5a67f1cf

SHA512
4a651025cbcc410bc0ff7b3ca9c2a36589e86f96d53ce62845aa1344271eb4da506be1c0a9f7440779541a7e46205eec7ca40c3cb020b3210b9526fc5deaa1d9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA0B2.tmp
Filesize
652B

MD5
d89575aa9ce1248e22c7c75701d47e69

SHA1
e088929442ce7755019de5c3fc969c11cdbdfb93

SHA256
efd7c266539d8047390547d6a1d84e0548bf4099f27bca905aea40c890381fbb

SHA512
162452e64fa464ee33d12ac4a47685fc1661ec31ae38e011ca899f7a7946323ca8d6e6191b354f55dd2892fbb65e590cb09c083266d102fe5727c3935be49130

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qjhuwk6m.cmdline
Filesize
196B

MD5
8a5f25dc28903d39d6577962a0c57814

SHA1
98269c173145b77fb7d8de1d26c9cf54360b25d9

SHA256
764d020bab22a5e97e2a5e31e0bbf675f9f8924edd6adf51a7ec82e3ca17826a

SHA512
22b19726873ab525237e496b2026fff8bf2b43427bf03900d30be834751416bfc263e5425f72483b3820c56db2fe2e915f35469fb1bb801adb2e77d601f69d53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp916B.tmp.txt
Filesize
918KB

MD5
d3a4f9f8d7b58d197bd9236fab1700f2

SHA1
8f37a725440bef24f35223ba67e95a08e425c453

SHA256
1d1bb352d9bbdc481f4e01600398cb557798a176b67c7beb1af3a1ace6835995

SHA512
5e1444362e28948ec20890377a65b547bf5d6bf314b5448449abda9c9d705589636a63f850013a4039541c663473ad3a72d38fa3cd9eab9e324562f942f59a79

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp9FEB.tmp.txt
Filesize
651KB

MD5
3c9d73aa30988e4bf19c332f1eecf778

SHA1
f9c3895cbe1c5903f1ef6b45f667c9c15dd04654

SHA256
9c247ad0d4803bedeb223f96141e514d77b4da21ecfc3ca6b6f96a6302a20de3

SHA512
1d44aaab4f40a6c640be8f1458b4cebf359e068508fe179c64963c9996cc9d88f775dae21ce104ecc1fc69de3d535951a3d6b8c3074c13172f1f87217ee31ffe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vqu9tp4g.cmdline
Filesize
196B

MD5
27a6a8f3f679d38a0fc3f152efc62903

SHA1
64a94fcf3b0400bafaa787e9cfd035868e1e0b36

SHA256
306c3e26a9b3511f9572350d9c6b26583ad8fb707673f3637f75589446e9dd18

SHA512
7cfe4d8ed8e1a523ad8eef18926783d045a19cb9fe0afde2e875cbf1f49e23bbc2a7677cf9f9720092a2d5c87ee2e6e2616203dc8e3cffe43f60533b6c4e4445

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1012-110-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-92-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-115-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-90-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-106-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-112-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-102-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1012-98-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-95-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-88-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-125-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1300-64-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1300-1-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1300-2-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1300-0-0x0000000074131000-0x0000000074132000-memory.dmp

Filesize
4KB

Download
memory/2584-40-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2584-43-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2584-51-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2584-53-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2584-54-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2584-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-39-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2584-36-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2584-46-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2584-198-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-33-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-26-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download