darkcomet | 79edc7715d5c43513221d50e7df03d4353d835bb66a5ffdda14c8b26173b0eaf

Analysis

max time kernel
136s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3d543aed31ac43ca0987da0d4455bbd_JaffaCakes118.exe
Size

897KB
MD5

a3d543aed31ac43ca0987da0d4455bbd
SHA1

18d887afb4ea9701322e515353f20a7426d34074
SHA256

79edc7715d5c43513221d50e7df03d4353d835bb66a5ffdda14c8b26173b0eaf
SHA512

b9561229b3c4beee566abca4131854c9f93f7f1fe169a14481b28444032559db4a99fbd1ea2a384b98537fa51530acdabe14b6cc5b2940d5ebe7f2fb000b9bd9
SSDEEP

24576:f2O/GlATW0TRfddM3W+7FwmxhKbH3rUO46GU:3i0S3W+hwmxUT3is

Score

10^/10

darkcomet kamry persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

KAMRY

kamryykamry.duckdns.org:1908

Mutex

DCMIN_MUTEX-9CCG56T

Attributes

gencode
ihx34fB2ictJ
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a3d543aed31ac43ca0987da0d4455bbd_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	a3d543aed31ac43ca0987da0d4455bbd_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

njb.exenjb.exe

pid process

4308 njb.exe
2128 njb.exe

pid	process
4308	njb.exe
2128	njb.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4548-156-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4548-157-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4548-158-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4548-159-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4548-160-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4548-161-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4548-162-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4548-163-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

njb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ipoutlkjgkljghfjhkjhgh.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\njb.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\\\mge=mog"	njb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

njb.exe

description pid process target process

PID 2128 set thread context of 4548 2128 njb.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

njb.exe

pid process

4308 njb.exe
4308 njb.exe

description	pid	process	target process
PID 2128 set thread context of 4548	2128	njb.exe	RegSvcs.exe

pid	process
4308	njb.exe
4308	njb.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

RegSvcs.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4548	RegSvcs.exe
Token: SeSecurityPrivilege	4548	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	4548	RegSvcs.exe
Token: SeLoadDriverPrivilege	4548	RegSvcs.exe
Token: SeSystemProfilePrivilege	4548	RegSvcs.exe
Token: SeSystemtimePrivilege	4548	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	4548	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4548	RegSvcs.exe
Token: SeCreatePagefilePrivilege	4548	RegSvcs.exe
Token: SeBackupPrivilege	4548	RegSvcs.exe
Token: SeRestorePrivilege	4548	RegSvcs.exe
Token: SeShutdownPrivilege	4548	RegSvcs.exe
Token: SeDebugPrivilege	4548	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	4548	RegSvcs.exe
Token: SeChangeNotifyPrivilege	4548	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	4548	RegSvcs.exe
Token: SeUndockPrivilege	4548	RegSvcs.exe
Token: SeManageVolumePrivilege	4548	RegSvcs.exe
Token: SeImpersonatePrivilege	4548	RegSvcs.exe
Token: SeCreateGlobalPrivilege	4548	RegSvcs.exe
Token: 33	4548	RegSvcs.exe
Token: 34	4548	RegSvcs.exe
Token: 35	4548	RegSvcs.exe
Token: 36	4548	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

4548 RegSvcs.exe

pid	process
4548	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a3d543aed31ac43ca0987da0d4455bbd_JaffaCakes118.exenjb.exenjb.exe

description	pid	process	target process
PID 4764 wrote to memory of 4308	4764	a3d543aed31ac43ca0987da0d4455bbd_JaffaCakes118.exe	njb.exe
PID 4764 wrote to memory of 4308	4764	a3d543aed31ac43ca0987da0d4455bbd_JaffaCakes118.exe	njb.exe
PID 4764 wrote to memory of 4308	4764	a3d543aed31ac43ca0987da0d4455bbd_JaffaCakes118.exe	njb.exe
PID 4308 wrote to memory of 2128	4308	njb.exe	njb.exe
PID 4308 wrote to memory of 2128	4308	njb.exe	njb.exe
PID 4308 wrote to memory of 2128	4308	njb.exe	njb.exe
PID 2128 wrote to memory of 4548	2128	njb.exe	RegSvcs.exe
PID 2128 wrote to memory of 4548	2128	njb.exe	RegSvcs.exe
PID 2128 wrote to memory of 4548	2128	njb.exe	RegSvcs.exe
PID 2128 wrote to memory of 4548	2128	njb.exe	RegSvcs.exe
PID 2128 wrote to memory of 4548	2128	njb.exe	RegSvcs.exe
PID 2128 wrote to memory of 4548	2128	njb.exe	RegSvcs.exe
PID 2128 wrote to memory of 4548	2128	njb.exe	RegSvcs.exe
PID 2128 wrote to memory of 4548	2128	njb.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\a3d543aed31ac43ca0987da0d4455bbd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3d543aed31ac43ca0987da0d4455bbd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\14684326\njb.exe
"C:\Users\Admin\AppData\Local\Temp\14684326\njb.exe" mge=mog
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Local\Temp\14684326\njb.exe
C:\Users\Admin\AppData\Local\Temp\14684326\njb.exe C:\Users\Admin\AppData\Local\Temp\14684326\YWZIJ
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14684326\YWZIJ

Filesize
86KB

MD5
2671570cb747a296ff917e27b0b51f7d

SHA1
d9ded3dfcff90f236f2b6815a239492ce13d4b6d

SHA256
c8e3bc76ab56ed4ff0e5c5975ed6840188db9a71334bae9f043bd1f393919b62

SHA512
d21549a7e52e3afbb41bd4e7855f838d80671c4689ebade4fc2bfc6cecd64b410c9e29316cff2b39653d09531432bd9a2ce212bc08c98a2c5b13d5c440fc5a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\adi.icm

Filesize
508B

MD5
66652814bc6191b8ff194f6b3aa2ca8b

SHA1
879fe83c960839d1c287aab219b17176bf4ef008

SHA256
c4bf084e63d0bde2d9bb69f773dd36f35f27afe7dfb03c04a2b513855642fcef

SHA512
237ca30ddb2d69d8a3d69e14a2ef4d3b41332c3806efa4648b9f7e22c6169480811b915e13d74c442a734751778151a8656c71f469b28a22778f746e53d8520c

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\agd.icm

Filesize
549B

MD5
a0dab124f8f4cf80e7f970e424687ed8

SHA1
431077bda6ea492ae871eef43dfd62ac27d4509a

SHA256
b5c7afabe493a2647c3c54bfa03bd18097ae642081d9741a047d8c2f54788bd8

SHA512
d5d8e8bfd3b2464a896d5e395724412a50423386d7d4b1a5cae7399ffa40b468acec81f314a830e7959901d65db07fb823c6f848e16e2b15b7344bfd0328fcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\aoi.dat

Filesize
570B

MD5
73f42f69d4cc87406b41e9d3351717c5

SHA1
f40b9182779b920fd65268922670f7687e5b6e5c

SHA256
ff677bb0d5e4b3de8a04ad258ad232659326c921dfdda93e9aa9c7d0ead910d0

SHA512
5f9665ba83aff390a07e7356c46d9f775c85aee9b6e295b6d7f147c09345e77422cae3b723551c384dd66c44c45c324b32d6d80a5c55bffb658b65f43e30617e

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\aqw.mp3

Filesize
504B

MD5
ce25e14128dded934671a973a4f55bf0

SHA1
5004891dbace3147d037456a05a8c57f1015c2d5

SHA256
7ffbf9c2c11fb9d1b9ddce2d53da0b14f3f2bbca47de50e45d41f5357ce5b01f

SHA512
eeff38fbdbf6d6afbc6333741dcb753e93208c730c4d1caf8c63b2800992f4c7d8c8aac80e8d2220322ace06cd27598f382bce271d3235344f9f965cacbbe853

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\awb.ico

Filesize
603B

MD5
f580227c6fff69a84d186926cbd90f34

SHA1
955dfafcfbfa593a8ee76d76ac223776e0f8a68b

SHA256
e59bc4cf7e57920266eec0b4533fb44d985b68c513d547b34e82e4050e30090a

SHA512
5291eeea3d7d5d36b7e1e83566c615e750c99bcfa32b881d69788105947a78a05c2835a087c7493f1e0f52ec3e8d9b35186d9affbcb29fe3cb26897607b1b972

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\axw.jpg

Filesize
522B

MD5
1df1f64e8dd035331df6892e9844369b

SHA1
de4f9d6458073612ea208ae662b7c148798e232b

SHA256
c74e828a6a4a5d9a3fb84337a69ab45e069981a80d85537cebf358f7baf8def0

SHA512
465b6798f596a577011ca8265aa60b42ace5bc4333e44e71f8a967c027759f72f18fcf6e60d629fc0d685a06101318dc16ad2f7aa2a54b7f9ca8ebce4a87ddfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\bil.docx

Filesize
527B

MD5
9d9ffb2f5ae08625bcf82f1a81b94f6b

SHA1
517080ae49b4e637c0c53c5c3fa94d1e31682365

SHA256
19f090100a796a3aad09c3375ad39036f97945c5617bfc3c3325e74efc560f85

SHA512
202f21fcc61dc19b0cc7874017c0b0aab3e7edc2903f8239e2880c2e5431151e039b103d8af7cd5651c835b5d868ed26ad7815d0083124de4d49b0d94d6f5161

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\bxx.bmp

Filesize
565B

MD5
f7f655a2a18efa85a8717527509c6961

SHA1
605481dca81272dd1c1df50141cd7c74b1f8c4c0

SHA256
a09358141d30a5b19f0caa774c7bbc1f7e95b665c564c0ff9173431bca5ae4bf

SHA512
5b68f9e6db88f44a8207e1b1c050e56e88f735dc75a563f0e8a2450c2d25597bcdc438bc2b116d88da073aa65b369f025239ccac8dbf245415bbeb512fe655f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\cnt.pdf

Filesize
513B

MD5
18a6d6ccb59891b9e7b0c6ceff76693d

SHA1
27ce7b93ee8b36988031fa043a4f60171ebc8db3

SHA256
f0a571b0a96a56e12a25d3d2c1e80a40c4c41ed985cbd8bfe57835f0eb87428c

SHA512
73f9dcefdcab6559101597c9ff91508417e2499781adae77966ee18c5586c64ff9988b8f05535edbfdf9a687dc841064ead0ceebb6c7a3facc9dbfd6e5a8e76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\fgi.txt

Filesize
508B

MD5
8c846599571f1acb142d486d0f9286d9

SHA1
d92638647331ad8b39c96f58444823d502ed3b2e

SHA256
cc3832ec57b7e52de911845ed65f955596f63dd7fb6c297350159fa8f8bd86bb

SHA512
d50b0c6b6a748576cb1507de88402266358e73523d6255aa694e60c9a7aee69226c8c05c0805b4377930725dd14f20ee95525fd29559346d97819f7a520bfb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\frv.xl

Filesize
520B

MD5
b21150e897c80dfbeb48feb2825caadf

SHA1
c2de6899a562a8afeaddc9f8db717aca4585c508

SHA256
a3d425f087ef1e2c6b1f87f06c76a5250fc981d45fc0dea8f7ef2cf08eff6ca8

SHA512
3863d93e70d52f65037b2e8787abe8f469e8c4c57beaec34d2413077b86f2d509def3f34fb71465337a03c3e81087369740d845f5c8b139b58527214eec38574

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\fwh.bmp

Filesize
645B

MD5
aa583363a250f798d7de42c0c22979d3

SHA1
5f7afe1f812ba809dbccf69aaaed5ed8f73439cf

SHA256
8112e2cf4efa7b207d1fc665dbb9965813058cd202be4e678ef3bd24751f1ac2

SHA512
18024750a9d63d04b4d1df660e91e31cebb948e6108045045e06a42495b6a5841ffe1f2945230efa0c1424d232d1d8d6cf12a2567321e1f9a4da998abefa5e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\gup.ppt

Filesize
552B

MD5
69d650573186663da4d2f94868e1c7e5

SHA1
b2b33852d48302960eb90a6ebf8a13d1422399e2

SHA256
e679909122be72ecb4616b7cbfccae54f38104770000c0159cd15fe125031702

SHA512
a86f8a0e1bfe9c3a7b1abcca9b8324f711dae475c654e9362a1bb98b98f8c68d0b735c6c6f85300188bf66e6766879f702f5adb6e7fcb5aa0abab5e115fa0639

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\jhe.ppt

Filesize
566B

MD5
8c599198fef72a486af3767c74d03caf

SHA1
2d181e824a86762a6e07f878a31d65083776c375

SHA256
bc08b2c2ff8e79f487b2dac05a33d5a801e98a9d0f8131bc88e4b610e6529d59

SHA512
866c4d089a00062675501a2c12fe2937f35aec11f21b410d766b4c14b1c727893567aab0c9b624897bec4d3e2f9fbadab5c50f6d8eb338e538cb1dd73c955c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\jwk.dat

Filesize
554B

MD5
7f9e645f35c45b4211003e7a42a34259

SHA1
0ea8d957433d440f7bd8d14933e701f4f2310f61

SHA256
e6646f32bf20de54e89f586e49b537f4da64298a69c856144091c9f154407599

SHA512
d4e1d3ecb847adec3d362d59eebe127876863df2dac7646430eb505fc20e055cc20b6096ae5b294db7c87e45d523003ec5511b4bfd1d72464ccb4e75558b654e

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\kgs.ico

Filesize
519B

MD5
f21bb504b540c4bdc5367a5b9fb3fd2c

SHA1
65130bc7d127e3b848c54530faa2351375707047

SHA256
92d990c2c5b90f3cc753d9a26b7b57e823987a697fce28443d3dbbecb58cdcfb

SHA512
cf719c84a94047b6b014673c57559ddf842f74fec2d2b557e9b896023f4b00d1322852df224cbfae04f3ea472dfb15322d4bbc3803a1bcc54eb321fd655bfb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\krx.bmp

Filesize
602B

MD5
b9e6a7a08b5fbcd40f2d1cd08543c067

SHA1
ac5f7125327cee27ab8f6d70498a84d987ee4c7e

SHA256
ce7bf7d9b035e0b39a29c284117b2fd998bd16029d04cb7aeeff42d6de73d6df

SHA512
2405db4910f3a5d12f6ddd784cdcabd5041eb17b3adaa25cf2a5c8a30101a883bb0e8607998cffcbebfeae000eb712d3295e00125574e7ef756f481188e00b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\lar.docx

Filesize
605B

MD5
d261e21388b44d746225de7796aef4bb

SHA1
2ef41a44c73f51f5385554b1ac2835dafba06748

SHA256
1449f475118f4c81df5fcb106948122c157cfa914a66232e59dea9459d2ea9e9

SHA512
b3ae449d8bab00ac8ab19ee04a593119adba2cf2537cce99eb78f6aeab1458bdd80fa2462ef9c7ac4bb37075b6ec37007c0fa027eebf9e06760854014e49cf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\ldv.xl

Filesize
528B

MD5
f0deaa732ac2568342d193ffbd280eba

SHA1
b13fe68922b0352f8256b8ce333a4964a5435748

SHA256
0be131cc82b68668700861430f81c911e9b948fc98a3939a9e2e7cc9ac53e53f

SHA512
9cdc03a912c76e99cd15a18194da01c8b68a461b9d62fa804639804ba0694b4e83a42bb1d227738c367c1df5c91fcb232c779cffd92819390ce5bd9484944102

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\lmq.dat

Filesize
568B

MD5
7d22faf16e32402c705deab2649d3e25

SHA1
3b9169c17267eaf103d1486d605915bca97b62a9

SHA256
e9c108215316d23b0361a36b0bfdddba983cc5548808717486b68eccc926faa2

SHA512
452feace390e3bca034b67c38a8628e438300d0a6f5a2d15d4d007f89aa1f03cf483a844ca5fbf8e3b053f2044198870796af23efa9b1633f564211b17a1d528

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\mcn.txt

Filesize
505B

MD5
da7fcfab54008bd874bba7abdd3c2e73

SHA1
034ed760115c13f0b9dd36186d1253da22387367

SHA256
bf022e0217a88c4155b79f311745ea7926269f9f40b6fd85d9ab1d6803187de4

SHA512
92fc147cf76b6f2e227fb5b85f7f5763eea1c3ce6f7007c3aa05c334bdc4924af26fb19b4775c79cc0616612efcdd407e9d7078246e6fe697685d4a8443d112a

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\mge=mog

Filesize
124KB

MD5
3c5fed8ae6790b7938210f37f61bb8dc

SHA1
8113a8b549bf29621c500bd770767039f1dfc7ae

SHA256
c9e0ce2121cd6a19084e7e1d47741fd74933c7276867d1a503b4c360468dc231

SHA512
b9c9cbe0ce45588a8452c2d329ea06c95d7aa9d6c19c9df834bf9260615708056b5fd85a5c93141c3930b9842ed9cc1f83c52eb3e4cdc5a2e7ce6c682714b1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\ndm.xl

Filesize
610B

MD5
55b95a0fdf56f1445d508202fadeaeea

SHA1
015a30b40ca303346b6ec308acfe54683d66a624

SHA256
b51affbf113f7affe4ef9c55d20d95b679edf0e51e4904a9ff48119eb691ef2e

SHA512
dec4a016b3cee6a8f2d0e868c570880a7d0c56bb50fdfd8a5709a1848ba1e14a01742f7d21f07a2a533bb525e3c4194342a7dd4402885b3e54abf19fcb768964

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\njb.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\nkh.ico

Filesize
509B

MD5
cd4240be79ec02628675f911e6d484ef

SHA1
f7534c7caa8388bef059bf530184dc862302f734

SHA256
3fae6405cf4bc87ff5978d6c5e142be3c88eed48ef174bea555438c46159eb44

SHA512
568f8dcd21d82d8c3e5ab0b4e0fa8ec95cf2473f88ee9674f2825af96f345792344e48c45b42d347de1d6dbfcd7476d7f03a259b9f6b280328cf1800eb245b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\nte.ppt

Filesize
520B

MD5
5b59367f205dc768412fcec5591a47d8

SHA1
7158f554d7b1d9220f8fc35aea2e37efdf5ad95b

SHA256
c8e4f75c8ddb31722e841fdd3b343a5b63c16e0a4b150ff259961d64361aaf70

SHA512
502445ca08db2bf5229dfc61ab216f67ac69ba84f424ee0d9f04a2017cc2ab3c6f91306b41de45e49700a8a2d1eac85e3480c7df3c8c09c97a02dd2cbf432520

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\okf.jpg

Filesize
566B

MD5
1a90d0a5ddc06c12fc6cdc719ac86b7d

SHA1
089daa8d88e72190292450140b0d049d27dde9c1

SHA256
9b4e7f7d1b0f2858166a2af1bb0601c11bb5dd9f571d13eb0e95325f3fbcca74

SHA512
3e944efbdf874fad84842984914af802db115f1794fa403f66d4dc126b7c5ba992ddc917439653c8fb7ee5353043d134511278255266c884b44639fe33283daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\pew.ico

Filesize
563B

MD5
3255bfad6a66cd3e3e750bcbd7c31595

SHA1
ec4cbc074acd8ac6e8289cd7830e746f2980be54

SHA256
52065572148909a4eee3a32f72abbcf14a9aea520053e18589d956794cf91d84

SHA512
18f094f00926181010c5e4cc4a2372ae238867fefc5da5e07c31365b5a61096c50136e76e32152e16d24d13a3f72aa9a771f3203449708ae9e9e6608e0bc031c

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\qrs.docx

Filesize
619B

MD5
ea525e1f2ff972a33758633b8ed54748

SHA1
6c25cfdd76c9319ce052d0a1dfbd0dfe9b3b5b6a

SHA256
eff60d4646cc3319da728dd6df43c0526df227533fb5ea8d380834b4547bfecb

SHA512
5f2c6ca88b615c908ed8df9df3ec3457908c5d6936c0826718d40e5b4b589772f519bb44234adcb27598e4e60974ad885f3fb0c84c8ddd57437bfd197f5b01af

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\qvp.mp4

Filesize
623B

MD5
505eb7efd729a763ff7acaac986f8a44

SHA1
a604061493c8a2f850d4f0abfa426059eed976c4

SHA256
51e67f2373b9875ce745397fad5180e46cae69ad0a2a5680cab36e7a142d12d0

SHA512
ebaeb119958100f6ed90ecc53789111fe354930f1d1385f37ba5491de0cab9d57b577a1e4c45406cfd115bbbc9a823867355eb7c16fec52ed0c0d0b79ed79d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\rkb.docx

Filesize
641KB

MD5
e81fccc49072486e3250bfb7580082e4

SHA1
3843644b2cfae9935fcd1cee7a2520dfb2a17c92

SHA256
59bdd3f040c2de5afdc17c71a9b51a40bacc472b8e3cde714bb0a66b07d18a47

SHA512
85f4561eaba6b6e10781aa391ee3121e7fb654d7ec91c6869e48655bf33898954e4dfd49e03d5f47353caa44d152c9903bc682346c32777a2a3a743c9e490184

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\rrt.dat

Filesize
572B

MD5
455cd70eb20484c5cb598bb67523a162

SHA1
2494e2ffbac46f848db9f735f3082129731c4e3b

SHA256
ae288ea238ee2831e649e2672f831a2572c6347a40d38c6f7c11f75c99583e79

SHA512
736a432c3390e7d71cd78ee1bbb04732b5ec35dd75a01716b29883056aa6718a6c2a68169982620ce130de92644b4b6a8f527ea587ad3e5018ecf8808927b029

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\rsu.docx

Filesize
564B

MD5
67ad83a8ec1a95d79c1840fd41a62d89

SHA1
e8ce04c7d0a208abb9c042446ebffc4a30815ab9

SHA256
b364e457351e1275281172d3e9ca9dd55a1252ab21702738096c51ec7ef6ad08

SHA512
5d92abb50060b50cf9202dae103f3a6db1d303d22882942213b83d05e36c7ba40c942420c5b34673b00152c09ef4f06d33702d80e2add82ebbb35e92674c5e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\sxc.xl

Filesize
562B

MD5
5d0edfa1321847d980f2438064e70fbd

SHA1
cbe74d8975776a8feb52e03e8b878ed7c7378473

SHA256
d2a69c150ce57c73d8f16d7db2b2de51b77b218a4f09dbcc9972899c1348eaa3

SHA512
7087fd1d0e3b88560e74474e48c4f56849e6d4bbca391131d3f99ae9827fe6d51c770204e87d4e42b5f3693d99ca26a0316dc1b61e9c912bb7f4ead3f2306fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\trf.docx

Filesize
575B

MD5
85b72bf720981573e3f42c99445bc60e

SHA1
3848022de6ae50f5b5b97a51066c7234d31e8ab3

SHA256
d43988f45eda28f9368ed61e35bcb056cd435a9f2923d9f4a1ed2e4cb626fd84

SHA512
9258ef1709df5a6f63c6a8ad8bf64542fc9e7c9d002d1a0bf790141f017535228ec9a426b873b1cb4459dfffcf32db3d0adb776383c7cee4ae5c8e44c5b46e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\ucb.ico

Filesize
548B

MD5
0c2b9b8ff62711ac1b97d893ac5307bd

SHA1
9f4dd5b1884ee43551aec4ab55b75e34a5ab8b1a

SHA256
ceba41f941206d9b0a13784a41095c407c4044346b8617389388551a20d55706

SHA512
83dd7e5250333ff1edb036411f980bd3727abb09bc38f396493b046ede20104da9574ef4831b0b21d3d42a0e25b756f2be0d1a0e81d50826f11bbc19d0c59978

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\uhu.docx

Filesize
512B

MD5
406a69a55b3eba03b16f485e8a90ab62

SHA1
6bb830ee5ac3c9a78b48e453984686b4c60c55ee

SHA256
7c8f1b87d69257e651c30d54b0aa93f94d3a4a6a2f5687aec45b163f362ccc8f

SHA512
3f6f58dd1e977126e283aff4a9bd36a20129d2cda29e1f0245a266f7581680d0fec7f11b28ac465ec8138f3fc227a607b82857876f983426ae457f57786a6bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\ujo.mp3

Filesize
504B

MD5
b15f7cfc671e692364f2e4043dc636fa

SHA1
5c601a191309b704f76c4480e045a78f596f50c0

SHA256
8af1bc5ca4c1266bbc7929526001113f58c2adbdbc3b2804f3ba6d77ddeafe28

SHA512
dfc5f30dac29af49bba94674d1a1c6839073104e1d6db1be5721b8d27d99c5454766ed937f8df39474d6dbb189ae70d6a0372c4c8936a8c8382064c7e3dd8ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\umh.xl

Filesize
551B

MD5
889c04b0c1986192e8f32231621554b1

SHA1
2d2144f88a2830c34901697f5437b7531eb8d5b4

SHA256
abe81887df977c681d3c141ab9be32647eab9b8d6f55ab778f71a01a8b6a01fb

SHA512
e8ff7a04d29edc78134069aeca17ded7c3e861ebd65b4a46a36f38aed0cb24724d356b9716d54896cbdf8bb3b75d40e854552d61372d9f9e63482e03a32364cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\vbq.mp4

Filesize
644B

MD5
4dde6b7d184a772da887e7637b171e87

SHA1
81435751b3801ea553e83e4e716ed4a2c57cf2b8

SHA256
a70a65b5e4406934330d6588623e6a28901b8e71b0f929ba81f00fea797157ad

SHA512
92c87d50218cf27687c29245ca297a1ce61e14c32bd366f2cf14e3f535914e11f215ceeca25a678f0501dd04b2dd29d2b47c6c3dfaebd7e6af87850af042e36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\vge.xl

Filesize
556B

MD5
c069d73ec90071f58fcf5bd09a4ffff8

SHA1
cbd991cf02b79bcd500e8bd7e516834736818a70

SHA256
c0cb3d27a9ee863d3f81c1dc1e7b67a0705645b7ee9ed3814e653430b736e245

SHA512
de884618ecccfa46e666db4157cd554fb4000e98e1a9bb4cc1886cdc1c7eacd1848bd461705fb4ba25bcde9849e46a1dbb2c8971cacdb676a952f3f62ecf424a

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\vgs.ppt

Filesize
568B

MD5
1f4f295244983ab2360b106afabdd26a

SHA1
2a9e87e0ad2b79c243b271cf272b335d37448192

SHA256
a44dcf50d6caad6ec0fb98cf02ad32b9e177a9e4dd8d6f8351ab4406d821ce57

SHA512
997f81f349227aa4121ae0fa8505580abcf0f4d4139785f94695a2b0614ba80e4917117dd8ad34d256384018bc9162d6fd062c4330b3217c6b299ce0a61ac880

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\vrg.ico

Filesize
552B

MD5
158b49cc09adf8d9e476ceabc079d01b

SHA1
0662141874e484035175a0641b3e9ab83dcca8b1

SHA256
b380b708aea8416bd7ce7c8b8cd67abac6631f6eb7517dd729213ed1c80f8146

SHA512
1c78fa7bf772aa4a3929d64f5cddadef213b1ec9705cc34c1d27491ff3dded9b9bced25e4a69f466ad4df10a412590f391ff468f15a70b4fba43dd66f72361c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\wan.icm

Filesize
508B

MD5
bb07102167a3db757018462e63b93ce3

SHA1
937b1165c9d6cee5b188da1217f2c5b6845ef947

SHA256
a3ea35e8b9e5dcce9f14a8fedaaa3881b6bd7ea59f9d9431b3433fad51665265

SHA512
943872e1653bb2ad011e9d8a25c1683fa138f5dfb7c1c096ba4dcded7a1367a799490a5f10766494e426948d9b6b3a029b45ddba6feda8d435d6c24addc3227f

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\wft.icm

Filesize
526B

MD5
6b7a15497ae8c2188efe110679d6a572

SHA1
39b42b9526bf99ad424d7781f8c8e361a90156c2

SHA256
f6afe1c6b9df74e016d2adbc731d0d052fb210e4224033adc3380f143043e7f3

SHA512
1be28c5908aee3766c0665f2703b655dd40e1ba1657040164b68c7f7cc986a95a915910e4e63a2e680cea4a1a386927c9196bcf3de1327f8c90c94134ef0b0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\wpo.ppt

Filesize
554B

MD5
7cc59a00d8464b3af327b4b9efabaaec

SHA1
f9f31ed536b081d87ca14452ac3ba691165bf14d

SHA256
9720fc1639487788d5e1b272a97271a8c97f2c9fcf48451b003d0b20fb9928e1

SHA512
e1bb6e0e0dfe7e9a01b68d508c7debb5589e7475239891c8d610c481e91987d03a5465b24a3c1467d22da5a1f9265df797e4933ef2d17ff2bfb6ff6db8efbf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\xho.docx

Filesize
676B

MD5
366ce5749df866b68c3c34c55baa692d

SHA1
9101fa832149f0d22484482aefdb5232dbbc8430

SHA256
bb5a50904c427005819346c46f9481742782bf40920f99282db1c7b7f21b40cf

SHA512
2b3621408c929853a5e98a819088f1fd717914ef61712bf5d7c74f38832f2930d8481db16e9d312e36d09f15209a6e2dc53ce2a98122722017f023f7c6a417b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\14684326\xwd.docx

Filesize
554B

MD5
06996fd31badf8a968c3c5e7d0186ec3

SHA1
934bf231f595a79f3e233cab86db32c1c917f5d1

SHA256
d7e55998ec6cd3fbb115677e20ff22a6bab7438507b540659bb80f61c6f04fa1

SHA512
704763529cac8bd0ae344163f59ef4816bae3c53c156f3a90061c91e19287d3405cefbb878edeaa3bb0be68ee3ead2b1773bf52e14e21f5a2947844bb8b07c63

Download Submit
memory/4548-161-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4548-163-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4548-162-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4548-160-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4548-159-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4548-158-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4548-157-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4548-156-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download