darkcomet | 22e423eafb3a09cd1ebdaaf74d56d417ff15014411584ca7776037c816a94c8c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
Size

929KB
MD5

68006a92b725e68495a759e120ad3a1f
SHA1

eaff3532840cae88f54fc30f0daa986cac326baf
SHA256

22e423eafb3a09cd1ebdaaf74d56d417ff15014411584ca7776037c816a94c8c
SHA512

a7739feb56c989c4e4ad473837c3e4059a7101d7fe50841392f5f02be76f6baa6350fb8a92c4bf5cfbd17080b8f2461665ece527accbf9db8b0ac4d02b3b8199
SSDEEP

24576:wY7GkZo8KDevbwZqyXRg6JCauMbZVjIwCzCZS:woZ2DYbCNXtJCCbZVjAH

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

itzforfun.no-ip.biz:80

Mutex

DC_MUTEX-UPLW39X

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
jyQHwifnNlFy
install
true
offline_keylogger
true
password
0123456789
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

vbc.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\jDUveGwb.exe"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

2448 msdcsc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2448	msdcsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jDUveGwb.exe"	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe

description	pid	process	target process
PID 1408 set thread context of 3480	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 3480 set thread context of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 set thread context of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe

pid	process
3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

4292 vbc.exe

pid	process
4292	vbc.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3472	vbc.exe
Token: SeSecurityPrivilege	3472	vbc.exe
Token: SeTakeOwnershipPrivilege	3472	vbc.exe
Token: SeLoadDriverPrivilege	3472	vbc.exe
Token: SeSystemProfilePrivilege	3472	vbc.exe
Token: SeSystemtimePrivilege	3472	vbc.exe
Token: SeProfSingleProcessPrivilege	3472	vbc.exe
Token: SeIncBasePriorityPrivilege	3472	vbc.exe
Token: SeCreatePagefilePrivilege	3472	vbc.exe
Token: SeBackupPrivilege	3472	vbc.exe
Token: SeRestorePrivilege	3472	vbc.exe
Token: SeShutdownPrivilege	3472	vbc.exe
Token: SeDebugPrivilege	3472	vbc.exe
Token: SeSystemEnvironmentPrivilege	3472	vbc.exe
Token: SeChangeNotifyPrivilege	3472	vbc.exe
Token: SeRemoteShutdownPrivilege	3472	vbc.exe
Token: SeUndockPrivilege	3472	vbc.exe
Token: SeManageVolumePrivilege	3472	vbc.exe
Token: SeImpersonatePrivilege	3472	vbc.exe
Token: SeCreateGlobalPrivilege	3472	vbc.exe
Token: 33	3472	vbc.exe
Token: 34	3472	vbc.exe
Token: 35	3472	vbc.exe
Token: 36	3472	vbc.exe
Token: SeIncreaseQuotaPrivilege	4292	vbc.exe
Token: SeSecurityPrivilege	4292	vbc.exe
Token: SeTakeOwnershipPrivilege	4292	vbc.exe
Token: SeLoadDriverPrivilege	4292	vbc.exe
Token: SeSystemProfilePrivilege	4292	vbc.exe
Token: SeSystemtimePrivilege	4292	vbc.exe
Token: SeProfSingleProcessPrivilege	4292	vbc.exe
Token: SeIncBasePriorityPrivilege	4292	vbc.exe
Token: SeCreatePagefilePrivilege	4292	vbc.exe
Token: SeBackupPrivilege	4292	vbc.exe
Token: SeRestorePrivilege	4292	vbc.exe
Token: SeShutdownPrivilege	4292	vbc.exe
Token: SeDebugPrivilege	4292	vbc.exe
Token: SeSystemEnvironmentPrivilege	4292	vbc.exe
Token: SeChangeNotifyPrivilege	4292	vbc.exe
Token: SeRemoteShutdownPrivilege	4292	vbc.exe
Token: SeUndockPrivilege	4292	vbc.exe
Token: SeManageVolumePrivilege	4292	vbc.exe
Token: SeImpersonatePrivilege	4292	vbc.exe
Token: SeCreateGlobalPrivilege	4292	vbc.exe
Token: 33	4292	vbc.exe
Token: 34	4292	vbc.exe
Token: 35	4292	vbc.exe
Token: 36	4292	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

4292 vbc.exe

pid	process
4292	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

68006a92b725e68495a759e120ad3a1f_JaffaCakes118.execsc.exe68006a92b725e68495a759e120ad3a1f_JaffaCakes118.execsc.execmd.exevbc.exevbc.exe

description	pid	process	target process
PID 1408 wrote to memory of 3096	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 1408 wrote to memory of 3096	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 1408 wrote to memory of 3096	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 3096 wrote to memory of 4308	3096	csc.exe	cvtres.exe
PID 3096 wrote to memory of 4308	3096	csc.exe	cvtres.exe
PID 3096 wrote to memory of 4308	3096	csc.exe	cvtres.exe
PID 1408 wrote to memory of 2960	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 2960	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 2960	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 2932	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 2932	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 2932	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 3480	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 3480	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 3480	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 3480	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 3480	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 3480	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 3480	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 1408 wrote to memory of 3480	1408	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
PID 3480 wrote to memory of 448	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 3480 wrote to memory of 448	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 3480 wrote to memory of 448	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	csc.exe
PID 448 wrote to memory of 1952	448	csc.exe	cvtres.exe
PID 448 wrote to memory of 1952	448	csc.exe	cvtres.exe
PID 448 wrote to memory of 1952	448	csc.exe	cvtres.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 3472	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4028	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	cmd.exe
PID 3480 wrote to memory of 4028	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	cmd.exe
PID 3480 wrote to memory of 4028	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	cmd.exe
PID 4028 wrote to memory of 640	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 640	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 640	4028	cmd.exe	reg.exe
PID 3472 wrote to memory of 2448	3472	vbc.exe	msdcsc.exe
PID 3472 wrote to memory of 2448	3472	vbc.exe	msdcsc.exe
PID 3472 wrote to memory of 2448	3472	vbc.exe	msdcsc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 3480 wrote to memory of 4292	3480	68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe	vbc.exe
PID 4292 wrote to memory of 3268	4292	vbc.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\el3gnux-.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F2A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4F29.tmp"
3⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe"
2⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe"
2⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68006a92b725e68495a759e120ad3a1f_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwfodugv.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50D0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC50CF.tmp"
4⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Executes dropped EXE
PID:2448

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\jDUveGwb.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\jDUveGwb.exe"
4⤵
- Modifies WinLogon for persistence
PID:640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4F2A.tmp
Filesize
1KB

MD5
da72b311509fdf5c76a0c1d3ae558e30

SHA1
0cfec4f743c132d7ea3652fe85e3f16891e4b78b

SHA256
6b63511422fb6e3b475cf0fbd4b674b49d58c240c9859a1c299c7faa1bfd08da

SHA512
296da29acd1eb4a86aba3ccf3c22982ff409a5a17ce95f8e809c7c98e2f82842600ca952b8a4182096220d6385c2504c6a70267618a9b93ff4e927ef22f618d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50D0.tmp
Filesize
1KB

MD5
7b473919b01bdcd8516e87850b830d99

SHA1
c0286a85612b6ee8364a8264009f701db8109043

SHA256
622b6bb9a08094f7dc6cf7faf5d58b2ec4efde42b8c58c11e8196947f8d4680b

SHA512
5dfc0af5bb0dee54d3dedc12473688dbc6c6d38afc99c2d02180b4c4c9aed061f8efa8d8725d090f57dc438a384f719a6728efdaeab56289ba732197b09181b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\el3gnux-.dll
Filesize
1.8MB

MD5
631f0c485365826910c6c86711ad0ee4

SHA1
92195d34612181613596812d8fc0ecef51476cb4

SHA256
3907c031a972f12234264294df843b834f213ee4095cc664793378a32887bf4a

SHA512
2ee6020171a0f8070958480abb55dddb0145013c3894d64a58461dd39424defb41e67536d321e75982db3b49464e5dcd760b20d95d0db056b697fa83e2a5b67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwfodugv.dll
Filesize
1.3MB

MD5
f8fc3a36e1e9f7c22fcfb0f02e4fa760

SHA1
49d88d514d2ccc594bef4ae83dfa7cd2c08e508f

SHA256
63f0cbbbb9d219729e673785e44bb182c313b544267644961371f8b8a52a6faf

SHA512
e68ba611c50c22fae58da3d321c86b0549cf750c91c9177062dbde3c3b01ed3acb9c9356c59d3d6b9637a22c87a27b873b88b63c856bf8ae0789d7f76a1e41d5

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4F29.tmp
Filesize
652B

MD5
4a7223dcf1fa0615e20cee59eca613b1

SHA1
4035e982d19e35e84bb7cf9750a34ad1cb4ca2fe

SHA256
ce14c99cf354dce5d6fff12a33d4b311f2fa673f03184655f8d3ec8b845884db

SHA512
1a078807f63a9eaf130385f5ef5e384e5b129d4c81f03e17ccaf1bf84a48a3278ad22813ee948e240c5ed44239d2df4aca60bb408abe8b4dae4aab61303a341f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC50CF.tmp
Filesize
652B

MD5
2524714bf209c2448b16537cf2236d92

SHA1
fd006e0af64f64991d0fc90d70d011a4a7ed13d5

SHA256
f23517028f6e744b6da152d546237ead7fb85b6f2f96292fd9b776246e47eacc

SHA512
b1779c8c43bb3a17ca7b79edae3870a81743f264c8addf44a0e17bfcf70b41cac88deeeba9e06e9d9cec22dacba7def0ee9fc0eae8d715dc0eb18a2ae7109c72

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\el3gnux-.cmdline
Filesize
196B

MD5
79bf307b53c360c61f44fa132d31640a

SHA1
f27751e66733c744593074882bb19e5e09356fb5

SHA256
e1f0ab9b803df4e4455d98950fe2a589faa0621c9b91b064cb24b97ace490a99

SHA512
cf457729ed7fd1655a269d9adee992a873e2d990a043c4a8873478b843ebc219f6b4622d97047f742a4f5cef7ef7aaa92bd7cea6adc893aa98795a37cdc947ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nwfodugv.cmdline
Filesize
196B

MD5
10ced3545e5a4418133cd7fac693f1df

SHA1
d49beb244d8fc88371e5670a0f7ca1cd45d5ba61

SHA256
ca90decaef788ae01bb787dd03926d89f3d9b296e5697b8c8be6f2b09a57adc7

SHA512
0f5064302f05288ffe6b8611e88e0bd307cb8bb312b824f8571de60e1aefbd317113556849cf560c1c8a3da84841f827f460094a5a8d6825b30dc78a8a4cb729

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp4E20.tmp.txt
Filesize
918KB

MD5
d3a4f9f8d7b58d197bd9236fab1700f2

SHA1
8f37a725440bef24f35223ba67e95a08e425c453

SHA256
1d1bb352d9bbdc481f4e01600398cb557798a176b67c7beb1af3a1ace6835995

SHA512
5e1444362e28948ec20890377a65b547bf5d6bf314b5448449abda9c9d705589636a63f850013a4039541c663473ad3a72d38fa3cd9eab9e324562f942f59a79

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp5072.tmp.txt
Filesize
651KB

MD5
3c9d73aa30988e4bf19c332f1eecf778

SHA1
f9c3895cbe1c5903f1ef6b45f667c9c15dd04654

SHA256
9c247ad0d4803bedeb223f96141e514d77b4da21ecfc3ca6b6f96a6302a20de3

SHA512
1d44aaab4f40a6c640be8f1458b4cebf359e068508fe179c64963c9996cc9d88f775dae21ce104ecc1fc69de3d535951a3d6b8c3074c13172f1f87217ee31ffe

Download Submit
memory/448-44-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/448-39-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/1408-0-0x0000000075022000-0x0000000075023000-memory.dmp

Filesize
4KB

Download
memory/1408-30-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/1408-1-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/3096-12-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/3096-19-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/3268-86-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3472-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3472-49-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3472-52-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3472-48-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3472-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3472-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3472-54-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3472-53-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3472-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3480-27-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/3480-25-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3480-29-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/3480-22-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3480-23-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3480-28-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/3480-89-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/4292-90-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-95-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-88-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-85-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-91-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-92-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-93-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-94-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-96-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-97-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-98-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-99-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-100-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-101-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4292-102-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download