darkcomet | 99c3b4f9d4c32256e5ab697c5dc4ff1d753b146c846681e429e2a3eb2f207ada

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
Size

2.1MB
MD5

80331cb992b4aaf28c0109096c78e137
SHA1

856a328b145d2a02f591d2fd62e71e21db4e0622
SHA256

99c3b4f9d4c32256e5ab697c5dc4ff1d753b146c846681e429e2a3eb2f207ada
SHA512

128e2ea41800e3a93da297921f918014ae1dc05750f7dcace823fdcd365f422127dca449dd5ce05813ce44eff195b6f589cc95bf4cc40f404bb00eb9ed79a5be
SSDEEP

24576:WDQMyUCLowSEwiR49iPUHV8XgYrpxbNT9IA0HD4OsqirBJu9crkQCmLMR:W8MyUCNd+vVeob0OMp2

Score

10^/10

darkcomet latentbot getjava defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Getjava

essstzttztz.zapto.org:1612

Mutex

DC_MUTEX-NPVY9D6

Attributes

gencode
z3bx7DQvDgi3
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

essstzttztz.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Executes dropped EXE 1 IoCs

Processes:

jx.exe

pid	Process
2740	jx.exe

Loads dropped DLL 1 IoCs

Processes:

80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe

pid	Process
1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\javacs = "C:\\Users\\Admin\\AppData\\Roaming\\javamc.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1984 set thread context of 2136	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	33
PID 1984 set thread context of 2504	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	37

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x00080000000186f8-41.dat	upx
behavioral1/memory/2740-46-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/2504-51-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-53-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-56-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-57-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-59-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-58-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-62-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-61-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2740-76-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/2504-77-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-78-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2740-90-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/2504-91-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-92-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-93-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-94-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-95-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-96-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-97-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-98-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-99-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-100-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-101-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-102-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2504-103-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

cmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.exe80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exevbc.execvtres.exevbc.execmd.exejx.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jx.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

jx.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jx.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exevbc.exe

description	pid	Process
Token: SeDebugPrivilege	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2504	vbc.exe
Token: SeSecurityPrivilege	2504	vbc.exe
Token: SeTakeOwnershipPrivilege	2504	vbc.exe
Token: SeLoadDriverPrivilege	2504	vbc.exe
Token: SeSystemProfilePrivilege	2504	vbc.exe
Token: SeSystemtimePrivilege	2504	vbc.exe
Token: SeProfSingleProcessPrivilege	2504	vbc.exe
Token: SeIncBasePriorityPrivilege	2504	vbc.exe
Token: SeCreatePagefilePrivilege	2504	vbc.exe
Token: SeBackupPrivilege	2504	vbc.exe
Token: SeRestorePrivilege	2504	vbc.exe
Token: SeShutdownPrivilege	2504	vbc.exe
Token: SeDebugPrivilege	2504	vbc.exe
Token: SeSystemEnvironmentPrivilege	2504	vbc.exe
Token: SeChangeNotifyPrivilege	2504	vbc.exe
Token: SeRemoteShutdownPrivilege	2504	vbc.exe
Token: SeUndockPrivilege	2504	vbc.exe
Token: SeManageVolumePrivilege	2504	vbc.exe
Token: SeImpersonatePrivilege	2504	vbc.exe
Token: SeCreateGlobalPrivilege	2504	vbc.exe
Token: 33	2504	vbc.exe
Token: 34	2504	vbc.exe
Token: 35	2504	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exevbc.exe

pid	Process
2136	vbc.exe
2504	vbc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exevbc.exe

description	pid	Process	procid_target
PID 1984 wrote to memory of 1944	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1944	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1944	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1944	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1960	1944	vbc.exe	32
PID 1944 wrote to memory of 1960	1944	vbc.exe	32
PID 1944 wrote to memory of 1960	1944	vbc.exe	32
PID 1944 wrote to memory of 1960	1944	vbc.exe	32
PID 1984 wrote to memory of 2136	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2744	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	34
PID 1984 wrote to memory of 2744	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	34
PID 1984 wrote to memory of 2744	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	34
PID 1984 wrote to memory of 2744	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	34
PID 1984 wrote to memory of 2740	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	36
PID 1984 wrote to memory of 2740	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	36
PID 1984 wrote to memory of 2740	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	36
PID 1984 wrote to memory of 2740	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	36
PID 1984 wrote to memory of 2740	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	36
PID 1984 wrote to memory of 2740	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	36
PID 1984 wrote to memory of 2740	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	36
PID 1984 wrote to memory of 2504	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	37
PID 1984 wrote to memory of 2504	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	37
PID 1984 wrote to memory of 2504	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	37
PID 1984 wrote to memory of 2504	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	37
PID 1984 wrote to memory of 2504	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	37
PID 1984 wrote to memory of 2504	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	37
PID 1984 wrote to memory of 2504	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	37
PID 1984 wrote to memory of 2504	1984	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qvukih1o.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA767.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA766.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2136
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\jx.exe
  "C:\Users\Admin\AppData\Local\Temp\jx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA767.tmp

Filesize
1KB

MD5
721cf0847e1f545030ee79187477e450

SHA1
cca027a6f8c331f2e31a030e7ef577b58a916cc2

SHA256
a258c51a3a1c1d3a005f8cf0b925a37acdac952f83d2472a033b53dd575c21b2

SHA512
275aecb86bd7fbe4d6cb08e0fa8f054bb989dbdf3d2359d5c4a0edb1616da4d75fb577db5d57ac0142a39a9be95063b94e55f4349b74033226a02934cf1607d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvukih1o.0.vb

Filesize
256B

MD5
9f362c5084b0126d5460310d3353d13e

SHA1
8617abc0a8c22a109b52e2e3c85b4400ed04b40e

SHA256
83ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0

SHA512
9f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvukih1o.cmdline

Filesize
317B

MD5
7fe204c9f29c6876a59c96f1d17e7827

SHA1
806a99861b6dc8f73edcfed206a981019c968831

SHA256
d6cd14665e448e29073b5c0c22c048b66bd1c154ab837b21d2985ee0f920bcdc

SHA512
a1a7e4c47735012247d0799c9a7f3ee7056cba4b0dff43cdbb6dfd456d917e6d8036160e9e505c5de8d5eef9b73374f25803231c70f8facee073cb8d86ef602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvukih1o.dll

Filesize
6KB

MD5
ad27a54af6e4487f37b73143a3afe06f

SHA1
bb929ec45395bf0442ab22914ead69fe45335640

SHA256
fed906a3798935801800182179ab2897bee1b7e58ee93b2f1d94a289250c807d

SHA512
208ffe8f81e1ad5e7df05b5504446ac6de386649435c4d7e9d73b44c91f3ab25b7661c923815b76c01cdb258b4b84ad818a480408f1665134b2361fcdc86c568

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA766.tmp

Filesize
652B

MD5
6936178f5ede1f9b0a6d61307219f981

SHA1
0c9fafe1ad1e05f4fb6a61b6578d0e3da29f19f6

SHA256
269aafb5edadc660ad5b11a6e7bfbe327bcc623de9af18e0bd8a4f4f8fec13b4

SHA512
ff6f27cb85775a30debb66e4c18909c050752caf7884dba1a2adaee6ae2ea8f764b45729481bd2775e2751125a0eb1a5225fb6179f0a282330356ad2f4ffcbaf

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
100B

MD5
46141ad6a47ab3d59e09d2e191cee4c9

SHA1
8ccccc6069099a080e7d264200d4c6206e5b1fa5

SHA256
7c5221717bcc045387d609cbd4b1801159e417a9908bad7fc89a271371e6f2a4

SHA512
59afd1d01c979a4c75a565da390265ace4f8594f231a8ba9e6091357e143472a9c4d3e363d75a13a771798d35bfcd897bce0e8ae62db175eebf97a750969bb6e

Download Submit
C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\jx.exe

Filesize
871KB

MD5
f6167efc4d1ef0d0e2739a521f6c87d0

SHA1
c8d1a4b74fd774718ad5d2210e5db1a8c57f931c

SHA256
ec3357953ca575beffae55678548f8348cbeaef6a753d3de151007862962e03e

SHA512
ce39f11229ed14011acfd0a0edb9bf4bcf9f043b72e8d14320c3235f6889e05ec4dffc521af8ad481326140e31a475badff86a54be45740b857e84fd42342901

Download Submit
memory/1944-7-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-16-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-4-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-0-0x00000000749E1000-0x00000000749E2000-memory.dmp

Filesize
4KB

Download
memory/1984-60-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-45-0x0000000006E70000-0x000000000702B000-memory.dmp

Filesize
1.7MB

Download
memory/2136-20-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2136-31-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2136-28-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2136-36-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2136-26-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2136-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2136-22-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2136-21-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2504-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-96-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-57-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-103-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-58-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-62-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-61-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-102-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-77-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-78-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-101-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-91-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-92-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-93-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-94-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-95-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-97-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-98-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-99-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-100-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2740-90-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2740-76-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2740-46-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download