Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/03/2025, 01:35

General

  • Target

    357b5f06e0a084f8c37e6a38afa29c76.exe

  • Size

    42.2MB

  • MD5

    357b5f06e0a084f8c37e6a38afa29c76

  • SHA1

    e7de8b81872b571e9e0fe6dcc48c94dfe8d50318

  • SHA256

    72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528

  • SHA512

    ab539349cb46cdf4c2ce48569a123abc9634adebe68e0ccd19c89f008692651deb727892c1476796d0229965ed25d96b73735ce9ab86fad2bf67abd65ae9cd36

  • SSDEEP

    786432:M129ofpkXbsydPnpeWjrqBqe4k51vJ8EhsI14StdNoIvTe3HzuREJgIkH5:Y29AwsydPnpXqBq4pmEhh4Sj9Te3TGEk

Malware Config

Extracted

Family

pony

C2

http://www.orway.bplaced.net/pony/gate.php

http://www.socialnetwork-toolbase.de/ucs/pny/gate.php

http://btcminer.ddns.net/pony/gate.php

Extracted

Family

darkcomet

Botnet

SPREADDDD

C2

852000.ddns.net:1604

btcminer.ddns.net:1604

p2k15.ddns.net:1604

Mutex

DC_MUTEX-H0WQWZT

Attributes
  • gencode

    skMDhHCCHML8

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Hawkeye family
  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Detected Nirsoft tools 7 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 62 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\357b5f06e0a084f8c37e6a38afa29c76.exe
    "C:\Users\Admin\AppData\Local\Temp\357b5f06e0a084f8c37e6a38afa29c76.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Users\Admin\AppData\Local\Temp\is-8FDVP.tmp\divx.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-8FDVP.tmp\divx.tmp" /SL5="$B0058,40413792,257024,C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVAudio.ax"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:3420
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVVideo.ax"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4584
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVSplitter.ax"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1676
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\DirectVobSub\vsfilter.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2808
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\DirectVobSub64\vsfilter.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:4060
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\madVR\madVR.ax"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3824
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\madVR\madVR64.ax"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          PID:2152
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\LAVAudio.ax"
          4⤵
          • Loads dropped DLL
          PID:1968
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\LAVVideo.ax"
          4⤵
          • Loads dropped DLL
          PID:4560
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\LAVSplitter.ax"
          4⤵
          • Loads dropped DLL
          PID:3116
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Icaros\32-bit\IcarosPropertyHandler.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:744
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Icaros\64-bit\IcarosPropertyHandler.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:1292
        • C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe
          "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn setowner -ownr "n:S-1-5-32-544;s:y"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4900
        • C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe
          "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn ace -ace "n:S-1-5-32-544;p:full;s:y;i:so,sc;m:grant;w:dacl"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3592
        • C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe
          "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn setowner -ownr "n:S-1-5-32-544;s:y"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4820
        • C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe
          "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn ace -ace "n:S-1-5-32-544;p:full;s:y;i:so,sc;m:grant;w:dacl"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3832
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CODECP~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CODECP~1.EXE
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\codec.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\codec.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Users\Admin\AppData\Local\Temp\dlhost.exe
          C:\Users\Admin\AppData\Local\Temp\dlhost.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3960
          • C:\Users\Admin\AppData\Local\Temp\dlhost.exe
            "C:\Users\Admin\AppData\Local\Temp\dlhost.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\JkRfuCdPC
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:756
            • C:\Users\Admin\AppData\Local\Temp\net.exe
              "C:\Users\Admin\AppData\Local\Temp\net.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:664
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
                7⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:1656
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4292
            • C:\Users\Admin\AppData\Local\Temp\net.exe
              "C:\Users\Admin\AppData\Local\Temp\net.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3116
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c del /q /f %temp%\*.lnk
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4860
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  8⤵
                  PID:4820
          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            C:\Users\Admin\AppData\Local\Temp\svhost.exe
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:8
            • C:\Users\Admin\AppData\Local\Temp\svhost.exe
              "C:\Users\Admin\AppData\Local\Temp\svhost.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\kFbyGHnpo
              5⤵
              • Drops startup file
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2972
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:4580
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2368
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c del /q /f %temp%\*.lnk
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:4372
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pusher.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pusher.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pusher.exe
            "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pusher.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\LWyrXbgcf
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:4980
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              5⤵
              • Accesses Microsoft Outlook accounts
              • Accesses Microsoft Outlook profiles
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • outlook_win_path
              PID:2928
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:736
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c del /q /f %temp%\*.lnk
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4336

    Downloads


      Filesize

      1.3MB

    • memory/2992-424-0x0000000000400000-0x000000000054D000-memory.dmp

      Filesize

      1.3MB

    • memory/2992-30-0x0000000000400000-0x000000000054D000-memory.dmp

      Filesize

      1.3MB

    • memory/2992-28-0x0000000000400000-0x000000000054D000-memory.dmp

      Filesize

      1.3MB

    • memory/2992-32-0x0000000000400000-0x000000000054D000-memory.dmp

      Filesize

      1.3MB

    • memory/3116-501-0x0000000000400000-0x0000000000425000-memory.dmp

      Filesize

      148KB

    • memory/3116-500-0x0000000000400000-0x0000000000425000-memory.dmp

      Filesize

      148KB

    • memory/3116-497-0x0000000000400000-0x0000000000425000-memory.dmp

      Filesize

      148KB

    • memory/3824-391-0x00000000025A0000-0x000000000269E000-memory.dmp

      Filesize

      1016KB

    • memory/3824-389-0x00000000024A0000-0x000000000259F000-memory.dmp

      Filesize

      1020KB

    • memory/3960-452-0x0000000000400000-0x0000000000512000-memory.dmp

      Filesize

      1.1MB

    • memory/3960-446-0x0000000000400000-0x0000000000512000-memory.dmp

      Filesize

      1.1MB

    • memory/4292-530-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

    • memory/4292-531-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

    • memory/4292-536-0x0000000000460000-0x0000000000529000-memory.dmp

      Filesize

      804KB

    • memory/4292-537-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

    • memory/4520-27-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/4520-9-0x0000000000401000-0x0000000000412000-memory.dmp

      Filesize

      68KB

    • memory/4520-6-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/4520-425-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/4580-510-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-527-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-524-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-514-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-511-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-515-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-540-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-544-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-548-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-505-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB