Overview

overview

10

Static

static

3

72a4f802a0...28.exe

windows7-x64

10

72a4f802a0...28.exe

windows10-2004-x64

10

Resubmissions

11/03/2025, 16:25

250311-txd2jayygs 10

11/03/2025, 16:25

250311-tw2ffaxqz6 10

11/03/2025, 01:47

250311-b7vsxswzdv 10

09/03/2025, 02:19

250309-cr474awzex 10

Analysis

  • max time kernel
    900s
  • max time network
    902s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2025, 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528.exe

  • Size

    42.2MB

  • MD5

    357b5f06e0a084f8c37e6a38afa29c76

  • SHA1

    e7de8b81872b571e9e0fe6dcc48c94dfe8d50318

  • SHA256

    72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528

  • SHA512

    ab539349cb46cdf4c2ce48569a123abc9634adebe68e0ccd19c89f008692651deb727892c1476796d0229965ed25d96b73735ce9ab86fad2bf67abd65ae9cd36

  • SSDEEP

    786432:M129ofpkXbsydPnpeWjrqBqe4k51vJ8EhsI14StdNoIvTe3HzuREJgIkH5:Y29AwsydPnpXqBq4pmEhh4Sj9Te3TGEk

Score
10/10
darkcometponyspreaddddcollectioncredential_accessdefense_evasiondiscoverypersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

pony

C2

http://www.orway.bplaced.net/pony/gate.php

http://www.socialnetwork-toolbase.de/ucs/pny/gate.php

http://btcminer.ddns.net/pony/gate.php

Extracted

Family

darkcomet

Botnet

SPREADDDD

C2

852000.ddns.net:1604

btcminer.ddns.net:1604

p2k15.ddns.net:1604
Mutex

DC_MUTEX-H0WQWZT

Attributes
  • gencode

    skMDhHCCHML8

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 64 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • UPX packed file 32 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528.exe
    "C:\Users\Admin\AppData\Local\Temp\72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Users\Admin\AppData\Local\Temp\is-BGNOG.tmp\divx.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-BGNOG.tmp\divx.tmp" /SL5="$90052,40413792,257024,C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4288
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVAudio.ax"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:3104
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVVideo.ax"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4560
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVSplitter.ax"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1800
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\DirectVobSub\vsfilter.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:4936
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\DirectVobSub64\vsfilter.dll"
          4⤵
          • Loads dropped DLL
          PID:3172
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\madVR\madVR.ax"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1688
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\madVR\madVR64.ax"
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:3620
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\LAVAudio.ax"
          4⤵
          • Loads dropped DLL
          PID:4024
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\LAVVideo.ax"
          4⤵
          • Loads dropped DLL
          PID:2344
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\LAVSplitter.ax"
          4⤵
          • Loads dropped DLL
          PID:3052
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Icaros\32-bit\IcarosPropertyHandler.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4212
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Icaros\64-bit\IcarosPropertyHandler.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:3416
        • C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe
          "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn setowner -ownr "n:S-1-5-32-544;s:y"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:704
        • C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe
          "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn ace -ace "n:S-1-5-32-544;p:full;s:y;i:so,sc;m:grant;w:dacl"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1356
        • C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe
          "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn setowner -ownr "n:S-1-5-32-544;s:y"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3588
        • C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe
          "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn ace -ace "n:S-1-5-32-544;p:full;s:y;i:so,sc;m:grant;w:dacl"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2876
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CODECP~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CODECP~1.EXE
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\codec.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\codec.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Users\Admin\AppData\Local\Temp\dlhost.exe
          C:\Users\Admin\AppData\Local\Temp\dlhost.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3768
          • C:\Users\Admin\AppData\Local\Temp\dlhost.exe
            "C:\Users\Admin\AppData\Local\Temp\dlhost.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\JkRfuCdPC
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2748
            • C:\Users\Admin\AppData\Local\Temp\net.exe
              "C:\Users\Admin\AppData\Local\Temp\net.exe"
              6⤵
              • Executes dropped EXE
              PID:1616
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 88
                7⤵
                • Program crash
                PID:4476
            • C:\Users\Admin\AppData\Local\Temp\net.exe
              "C:\Users\Admin\AppData\Local\Temp\net.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3528
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c del /q /f %temp%\*.lnk
                7⤵
                • System Location Discovery: System Language Discovery
                PID:808
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          C:\Users\Admin\AppData\Local\Temp\svhost.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2856
          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            "C:\Users\Admin\AppData\Local\Temp\svhost.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\kFbyGHnpo
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2972
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3452
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2416
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c del /q /f %temp%\*.lnk
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3596
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  8⤵
                    PID:3104
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pusher.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pusher.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4608
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pusher.exe
            "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pusher.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\LWyrXbgcf
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1688
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              5⤵
              • Accesses Microsoft Outlook accounts
              • Accesses Microsoft Outlook profiles
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • outlook_win_path
              PID:3096
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:4100
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c del /q /f %temp%\*.lnk
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4668
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1616 -ip 1616
      1⤵
        PID:1936

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Event Triggered Execution

      1
      T1546

      Component Object Model Hijacking

      1
      T1546.015

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Event Triggered Execution

      1
      T1546

      Component Object Model Hijacking

      1
      T1546.015

      Defense Evasion

      Indicator Removal

      1
      T1070

      File Deletion

      1
      T1070.004

      Modify Registry

      1
      T1112

      Credential Access

      Unsecured Credentials

      2
      T1552

      Credentials In Files

      2
      T1552.001

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      3
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Email Collection

      2
      T1114

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\DirectVobSub64\vsfilter.dll
        Filesize

        1.8MB

        MD5

        1368ade1a6690d364dbf063fed88564c

        SHA1

        cfa31815f7246199be40e42d69e01183dae9a473

        SHA256

        3830920e7bc7a076aedfbc5506d3472a4bcdb73c502273c5f65878ae74b594cd

        SHA512

        ae7c000444dcde2834fe6efbea1469bc8625e42eef5025d6d6a12aa2d7f5e3abe0a7e48e6836829d721f1c14df19ebbdaf3aeb2e4292da475f62310bdf6b68ea

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\DirectVobSub\vsfilter.dll
        Filesize

        1.5MB

        MD5

        52e76ec0bb8107ccabe309cefc7e4861

        SHA1

        a3578963ac38bd97f4f838202979f63df057a773

        SHA256

        bb095360972ec84557e1cddab05a49a0b7e04def85d48dacaa8ee5a70e43a4c6

        SHA512

        6ee3e1668b8ac18ebc5860aa9a429d428abf2793e2cbfac724909b6038bce043305fd9db35727b4f8fb0a8102e2203b0d2b7ce6f18ce004206f22af241caa95d

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\LAVAudio.ax
        Filesize

        289KB

        MD5

        198593663a47bed4d4f46e064948fc0a

        SHA1

        4027518294605a1cf1eb1df700c8814dcd912f38

        SHA256

        3a14d169012959f7116d1d3044718d57457ce5c058eff1750dd2e7a1af4fa527

        SHA512

        e46e9502b4de2f4471f281bbb4648dca54e244c773cff6f83009188adb12a6680078f407e4170abc7593145328810b571f2553147448dd80cd14923b92b88cf0

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\avcodec-lav-56.dll
        Filesize

        9.8MB

        MD5

        4ccef936f16fe8d13280075a5dfef04d

        SHA1

        87b75a915d95116f4a5442af04d662c1a94afce9

        SHA256

        e6a21cc3469cd09d0d8469536e208a28bba53a296ee86c930193c5f3958e6fe8

        SHA512

        d6c84312a5200216c547a074706cf7e89828c35adc34cef34dfca0e5ef9c7057134819549df1b8a43fc3db2034e4e9fa94d32b65fe67418e922e6a4a390c93dd

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\avformat-lav-56.dll
        Filesize

        1.3MB

        MD5

        eabef82cdde22218730ac6ddb07a58e4

        SHA1

        2733f5e3849bc07c13b3b98c9518e266156c5bfa

        SHA256

        5f40a5538df383fce822545c05069acba292a5f6468dfb42ae315d11b5f5c918

        SHA512

        25c1ab9824138bf9737ca79a1b0fa9771afe5fe9acbac9736794309493226c82c9830b2e03c46e82e4f3a45842f5c7f77d332f1f99e6133c0ab330f367e00d07

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\avresample-lav-2.dll
        Filesize

        157KB

        MD5

        d7ae7bb993c289a6beaffdf1c047b0cf

        SHA1

        a5a90c28d02c24f7761a8c04299fd2aa3176f7ba

        SHA256

        dab66d4a52de0bf4f638170bff7cb105b8f2e6953024a7d13f2eaf8045de07aa

        SHA512

        fb4e3804d6571e87631e902884b97d5d3098949e87074502dfc90641089d4d22188a673b5229fd6aae71f9c7a0c1af0c032be00b30c732d39546393a6b7ae11c

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\avutil-lav-54.dll
        Filesize

        390KB

        MD5

        ba88f34c14ba2560f04d11e4bb322b03

        SHA1

        b69c3b7a69b03e26ccad0888ab404d8861123703

        SHA256

        b39222340559033688394a4ceb775bbdc155bbcd5a47eb25bda9e2b5e8e514c1

        SHA512

        bb9bd70626290fafedc5362ce5c41538f06ed31f4e5628bbd3c9910902aa05f08cc84a7944569aea0ab0018f432725ed716d562b913aaf3c4ab72c93a3315e22

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVAudio.ax
        Filesize

        251KB

        MD5

        550d922b2d08d6b73ac0b53a6bf043ab

        SHA1

        2d97ee2b82f28ff8a28162aa2308b93c51e09387

        SHA256

        daa614332780919e8c32b9dd8487b0caa97458aaed90a573fda32bf82385f732

        SHA512

        2cbd976fc3c691e0e13833b0b6f9d5ee03955e6b3311a1edc558f1e53aa935c22866cf7c18671d2a347fcf1c468bba6270174f7dfd6de80854dfa9b20fd31681

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVSplitter.ax
        Filesize

        480KB

        MD5

        db14b3840a49da053d22d734b55e5b26

        SHA1

        287287b3573f1f68275b24357a96410327f6895c

        SHA256

        1005a3e68df7d400f63dbf03cf5b0dd19bb0823664a85097e219823b9dbd6a9b

        SHA512

        d078759db8337360a8419203f823f8c9ec07cc8fef64880feec901651c73a31d16302cb82631e7354ef0832378096adf3359b5b28b791d903a3dc459e425dc9a

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVVideo.ax
        Filesize

        954KB

        MD5

        ae049a27b51ec2a7779cdfc477683b62

        SHA1

        abad08d0f49006291bf7d628581d567cd2cbc9da

        SHA256

        8d72b1ce97c36421ef3d0325249e09eee684605b0e0c1d342ed6d0120d079a8a

        SHA512

        1fcb146d43b0895266399d72b2d35cb2a63b5f79488ed7410b69b3b8e32b8fab5025872156a0d5ffe7e7f8b20641c835dbebeae17b449312aba7ff59a4b89e95

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\avcodec-lav-56.dll
        Filesize

        9.4MB

        MD5

        c652086050df7414d76fc0d6c228ef4b

        SHA1

        f556e9e29b6a99eea52dd1d4aef3af90ed4a9355

        SHA256

        2056ed41ff28faa90d6eaa3c1be0a9b77d507bfa451933bcec62e47aa002f39d

        SHA512

        2be5fb9b7ecd5b753065165a28d8076865ffc9c1d3520b214e017fb6fd6d8697deed8fb888d87f872ee3072596638361650fb7904e4daf73480e3328fa457041

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\avfilter-lav-5.dll
        Filesize

        177KB

        MD5

        bf01b213af787ebab456d83f52e6e564

        SHA1

        38cdff5cc4612e05b90ad37a5620d4ff9181d27b

        SHA256

        60e94ff1e7896198d40983aadb848501a8c6f76070d9897090993310f9feb74d

        SHA512

        cbf70f7f3e2ab55ab81ec8024960150d99c0dfae89ca0b88f6eb7d6d27c64aa891cadc473a83e6aa7f62f6ba14eba4d2ad0f0db46551fd3248673971313e3eff

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\avformat-lav-56.dll
        Filesize

        1.4MB

        MD5

        c4e431100317acca1db955bde74c96ba

        SHA1

        084233465566928890281cb51f24a44357fc4a29

        SHA256

        502a0f185bb3bf616bf107355d557c9c15c43d43597fd3d25d6072532798f439

        SHA512

        3e35409bb94787d02974f2abbf7614b3549edd8909ed124183494656c3e9c81f6356e7fe6951d9d23f7a527c9530b6b9b866708732703b18feffeb5683dcaa88

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\avresample-lav-2.dll
        Filesize

        151KB

        MD5

        ead1924880fb56f052e2c685f7584dce

        SHA1

        3e8724aa6f92f425e88ca451890c61576bf66e25

        SHA256

        4abf3e808e369e83c9c4212d61724692c73e1ef753cd79f1734f562ad46af38b

        SHA512

        c84f4408decf57e96afce73754bfd972fdb61d861b29ab143cb03ac4f4e70424c19a4c7c93e638d1b425511c83e5fd6cc232eaf649cb7f50e193ebb87cb49202

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\avutil-lav-54.dll
        Filesize

        438KB

        MD5

        e2c760c8fa62887f92a536d056d148d9

        SHA1

        5c73786780ba25a63ac29b199ac86c4d855a7d7a

        SHA256

        90647be676dd07ed7ab2360475e8a774282ca5b3080060ff44a1163f93447d10

        SHA512

        1de0ae45ae584bacac1a9e4ca3dde17aeed967c20255d1ef766696acfe3f636106f6b296310815b4bf4149546fd7c4b6ef30ef5118aecad3357e064239bc6db6

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\libbluray.dll
        Filesize

        240KB

        MD5

        53e26b42caf45d340f0bb7ac0e2e5187

        SHA1

        e811ecbf0ef201dee94ad5a93049f9471e1500d4

        SHA256

        4a2f41a8a5f395811ad9064b529f2b7f6ebf89d00084badce88675f4ba0d9201

        SHA512

        3606f5c6102bae69a082d56448557f2f26ec0a48a4db9ab2e2c61fec8df018e3490a401c88bf3877169566a3eb1056e9bbdb129b21b3db23decdd94d3a80f64b

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\swscale-lav-3.dll
        Filesize

        502KB

        MD5

        27550c88b2c9993678d5ff1a07b25a14

        SHA1

        58423774b030538fc5c1d3149b8cc77e5b584dbd

        SHA256

        db10df242fabd9546fee2d2a01b0fadd45d2fae587ff8b5e541387c728a9ebd3

        SHA512

        22c1dd819e094de375ac2295b6a87cea221edf189b3db9b8060fa20ac61a9edbbc5a389e5138eed3ebf6db294ef37e541b9e53d8a089d9330bc4f9c2052a6d97

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\madVR\MADHCNET32.DLL
        Filesize

        988KB

        MD5

        21a0d17bf051f8b2f7e63684d54b1ae8

        SHA1

        63f71684886b5c42f32e8712a18b2187ce08ba7c

        SHA256

        f9c2148e6fe902802f8adcb0a8e6cca6b5b1d32bc88c51bb56106302b16141ba

        SHA512

        2a9e565e1d580df8247b0882f94d3e5a2c987834aa13bd45fad3b1ad6225a193782d06699958fe179cf5fed23862ffcd36efb3125f0ad94b4531309e4c439194

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\madVR\MVRSETTINGS64.DLL
        Filesize

        1.4MB

        MD5

        94e0c053f17abc021d8cd71b4e9503c8

        SHA1

        63bc8819a6466a6d1f6dfd762e12ae3731647e9d

        SHA256

        bbfd5699a63a47d5c6cc068371eb3d48ecdfd00ca5f3dec213164e571b3f4afd

        SHA512

        69cb34fb8285124b99e50278125da80819ea942bcc6e1b6e300296c8ae2de33c2dab42cffa40857e47c7281a25fc4d4a4f9e148e6109d7dad2d01b51834e553f

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\madVR\madHcNet64.dll
        Filesize

        1.4MB

        MD5

        90cf53138339e90a52ffde3e531af7de

        SHA1

        753375fcf60d2be53a72c4be2d8a13140c778eba

        SHA256

        d8067aad400cf70eca9eb7c8216ae1d3031f87dc74e09699ecf25b47aafa12b4

        SHA512

        18c78dbd87a9ce795f298ebeec698ac8288fad5467d307ff5ec83f748b5d9fc20a1a72dfed2ad90de1d9787b2961aee7fb3ef86c8919983a7f2b9385f783ec55

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\madVR\madVR.ax
        Filesize

        2.8MB

        MD5

        c6498d08f03a46ffebc03122923acfd7

        SHA1

        63ef5e9c0524ac51a81c60000d5f96b4d595c7e9

        SHA256

        b440c85d0fda98cf311321b6a7e0476ebceed441470f23be6b2c50779053e165

        SHA512

        f9e6a6854ab156d6c630a6fd5044ca96442e2d009bcb1d85e5d75c13c8d20576265528ea8c6c7eb6bcb868a9bc8299d3c14f455255007dc68b2df43bb5319356

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\madVR\madVR64.ax
        Filesize

        3.0MB

        MD5

        3c5f7c53f406c05393358e40348e1e54

        SHA1

        9f27dc59af9201ae4493459fddd14719c0d3a164

        SHA256

        5027c797636e08c6f8a5fc0fc3292337d8b68b14dfb0eeaeb3566e462f92e4b7

        SHA512

        743f627ba8feea52f3d07aae789f9754b47fdd2d0037aa806bc360a043132eb2966476b7d5ad7f4403f01cef87265e0c122f31840206b1b35f54635f20615057

        Download Submit

      • C:\Program Files (x86)\K-Lite Codec Pack\Filters\madVR\mvrSettings32.dll
        Filesize

        980KB

        MD5

        3b8cf2b7d08638136d66e57750389592

        SHA1

        01da46995e9c340cbe1af0f934f778d626ab7978

        SHA256

        afb27ee90f175c50e8f84f3d63f844c89fda3e72d9738fb081b21700b97cb360

        SHA512

        aced1361668be33aa0d2f6e672ad0485360342a73bc3d79c7719dc681f62ec1e3b00576eb98f66b89e2ef041818a1e8f48ef5e4b13ad4ef87e317afa06b7288d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe
        Filesize

        39.1MB

        MD5

        83638209152822d2c9fe80cc7c634651

        SHA1

        c77ff7890d935d19fe2c4d3d0ad933247e383e32

        SHA256

        777159af2544a2bd9d7bff6c6c120981325c580939d276235904c8be1bc6922c

        SHA512

        34dd370511691037507eb395ba18bc5c65ff7527ec6681f1e05930a96ea583064788c1e9a380b9210971b817c9e92381019e76ba846d064dd3a2d210e937e959

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\aut8940.tmp
        Filesize

        1.1MB

        MD5

        29dc7c626ac48deb0283a5ae198afb01

        SHA1

        2e6fc2b2a3efd0ef5a4d37721be6922176138df7

        SHA256

        ecd5ccc6fe1e5bff9023e8026205366ab32d639bad5352a165c52f59369e9b62

        SHA512

        861678543f21a2fba0f65a0f38d031168a331dc8373579cf72c7eaa2dd44f4c128a18ca1b1103eea1da01563c4d6cc8fa0239866ee478ec04e7b26500d2fa8c1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-BGNOG.tmp\divx.tmp
        Filesize

        1.3MB

        MD5

        77d3db03dfcb155bfdc21eea46158565

        SHA1

        7ef9f5a1ed81052c8a7a53c6bfbdcad46817f971

        SHA256

        58e366192e500acd1c9e8bcad208ec4b36e19072ca03a1f8d9da99e4002c6d45

        SHA512

        546b71cb5244e9813501e425437b0abd5041be313a1bb12e2976a471c6fe83ac083849d72686ad7401289cf164eef176d830e81acb90a6e7ff8823f1bbc316a8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-FF4E2.tmp\_isetup\_iscrypt.dll
        Filesize

        2KB

        MD5

        a69559718ab506675e907fe49deb71e9

        SHA1

        bc8f404ffdb1960b50c12ff9413c893b56f2e36f

        SHA256

        2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

        SHA512

        e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-FF4E2.tmp\klcp_detect.dll
        Filesize

        55KB

        MD5

        5b4eaa57dce5f61687513fdec129282e

        SHA1

        66f2bd1b49c3bdba54923e93cfcf3548748b99c7

        SHA256

        7be1d61459c0ce007aa12d0fe0d747775897827f0da6c90c3a189f02b878beb8

        SHA512

        9e62764e241aaec8b773699097465f21a7abba0e1bdf00af1fa1d4e6418475199e9acf2e568a819f875ca8227ee23dc203a45c923fa83c4185a2375a96518b00

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\net.exe
        Filesize

        4KB

        MD5

        b8b3eaf4cd8d25a248ae35e50c60a2cd

        SHA1

        5675bea07480d26530165b3d853bb0d9b4790f1d

        SHA256

        6fe52421d30a6aeaaf9398e00555e08e1c84fd997956248b661708a55ea88d78

        SHA512

        832845e8ea1be26fc8756b7ef53ff49a500cc799fe189ba4229599702955192b4d8c87159c17cb949b5df0b4c055b798f66c174ba8cb0613e9a830168e7b3dd5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        1.3MB

        MD5

        840a1508abc59cd1006cf7989f443dfc

        SHA1

        6277d23d77ad50718c7f38de03b0d6221e0788f2

        SHA256

        df039f2c04f986fb8e9b8fd7d734713f5efd143a614c0cdf11c0e8390652518a

        SHA512

        a562f89a82cebaaed6143f1ae809cc8755913743d8b2c2ea3cbe918a70b37ce798b1c97239fcfc828e1df7985b87663eb13c42ad1a4d2e1c34c13b4b84633aaa

        Download Submit

      • memory/1688-391-0x00000000024F0000-0x00000000025EF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/1688-389-0x00000000023C0000-0x00000000024BE000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2416-512-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/2416-524-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/2416-509-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/2416-511-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/2748-508-0x0000000000400000-0x0000000000512000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3096-546-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/3096-545-0x0000000000430000-0x00000000004F9000-memory.dmp

        Filesize

        804KB

        Download

      • memory/3096-488-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/3096-487-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/3096-485-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/3096-517-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/3452-504-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-503-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-519-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-543-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-539-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-535-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-522-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-527-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-498-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-531-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-499-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3452-500-0x0000000000400000-0x000000000056C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3528-505-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/3528-502-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/3528-506-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/3620-399-0x0000000002580000-0x00000000026F3000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3620-401-0x0000000002760000-0x00000000028D3000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3768-444-0x0000000000400000-0x0000000000512000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3768-450-0x0000000000400000-0x0000000000512000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4100-518-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/4100-489-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/4100-490-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/4100-492-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/4288-260-0x0000000000400000-0x000000000054D000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4288-28-0x0000000000400000-0x000000000054D000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4288-30-0x0000000000400000-0x000000000054D000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4288-13-0x0000000000400000-0x000000000054D000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4288-422-0x0000000000400000-0x000000000054D000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4288-32-0x0000000000400000-0x000000000054D000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4288-34-0x0000000000400000-0x000000000054D000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/5072-27-0x0000000000400000-0x0000000000449000-memory.dmp

        Filesize

        292KB

        Download

      • memory/5072-6-0x0000000000400000-0x0000000000449000-memory.dmp

        Filesize

        292KB

        Download

      • memory/5072-9-0x0000000000401000-0x0000000000412000-memory.dmp

        Filesize

        68KB

        Download

      • memory/5072-423-0x0000000000400000-0x0000000000449000-memory.dmp

        Filesize

        292KB

        Download