Resubmissions
16-12-2021 19:08
211216-xs71lacgb7 1016-12-2021 18:46
211216-xend2acga2 816-12-2021 18:41
211216-xbyqlacfh6 1016-12-2021 18:34
211216-w74q2sdddr 1016-12-2021 18:31
211216-w51llscfg9 416-12-2021 18:20
211216-wy8zeadddk 916-12-2021 18:16
211216-wwsveaddcp 10Analysis
-
max time kernel
176s -
max time network
179s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
16-12-2021 18:41
General
-
Target
https://youtube.com
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
gameservice.ddns.net:4320
Mutex
DC_MUTEX-WBUNVXD
Attributes
-
InstallPath
AudioDriver\taskhost.exe
-
gencode
EWSsWwgyJrUD
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
AudioDriver
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 30 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 48 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1584 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff98d2b4f50,0x7ff98d2b4f60,0x7ff98d2b4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1524 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1860 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5316 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4908 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3144 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3792 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1980 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4460 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5728 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6720 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,9340056300055147828,16863717792482057439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6732 /prefetch:82⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Сборник WinLocker Builderов[Пароль от архива 123123].rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\builder #6.exe"C:\Users\Admin\Desktop\builder #6.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\builder #6.exe"C:\Users\Admin\AppData\Local\Temp\builder #6.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\AudioDriver\taskhost.exe"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\AudioDriver\taskhost.exe"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Users\Admin\Desktop\Trojan.exe"C:\Users\Admin\Desktop\Trojan.exe"1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad8855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAMD5
3f35a3844e16f03b5a60b7d276e887f1
SHA1612a6a3b3ae655c18c85dfd2d0dcb7f4ee3a305f
SHA256cc318426da54dc585faa68d9f6b7d29f1ae2ae1572e86ce7053df5dfcae09d94
SHA512f29b740f5422f25187d72ee492a0e9f1414bbca010f868eb6bab27d73e45e0d19e5ab9ad3f10a1068c6810c0ae54f50866d9ccb7fe149b7afb60464e630165d4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_76F26EDEF7C1087F80A272B48769819EMD5
da9e2a6ff6021a01b9994f954c0c3b38
SHA1511262ecb22a96d48e9db54f6c3ecd943e076f10
SHA256873c7a0f931466ed1745f887e1090177e9ee5b837b8795749386ccf8e99eddb4
SHA512ebddb6578cce49b806db2e8583460dd4f6b80ab9d2eeb59ed3f0da32602673cc97a4b56bbdc51bed113feaae0f5de24e440cdfa04c918915a1bb98fa10d20c57
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_30F32374BEBB4A72181B36E407396E90MD5
810acb1cda9a9171078c57f6f1569413
SHA13ce341fdafd6af03f935780bfe9dfcf7226232b7
SHA2569e59fedee59905f90a2d7ef18c09a59f661bce98f747c878bfb92d1f38f43418
SHA5121d945acb14202ffbc346e1f5f6abbc5ceb470170ab23cf0887a0abfa0461271c112a68c21862191c3ef359a98b4f272fb2585ef6723730e52e23e381e1ee78fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAMD5
64e9b8bb98e2303717538ce259bec57d
SHA12b07bf8e0d831da42760c54feff484635009c172
SHA25676bd459ec8e467efc3e3fb94cb21b9c77a2aa73c9d4c0f3faf823677be756331
SHA5128980af4a87a009f1ae165182d1edd4ccbd12b40a5890de5dbaea4dbf3aeb86edffd58b088b1e35e12d6b1197cc0db658a9392283583b3cb24a516ebc1f736c56
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9641559E442FE3E0D68934A8083C5D76MD5
901c296fbb83dfe266931aeb4b3bfb8c
SHA1c10153d43d11a28e91a08c25d151b67332378a92
SHA256f86a74540a21e46eabe03e2c0914f99e8bce78108530b8108c327a947dddff8f
SHA512c46a1c0e189fd3e93fc9ff909956e020d19f1913630faf9b89159a020fbe78c0ac5db2350a959036a2d780b7a5a450bec1b2373f8d8b21a8d31abea785ab2ebb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAMD5
0a6e14aa152f8deb8e2aa79403d3fbd1
SHA16ccb0ac000bcb4bd287dfa76aeddd9d96b26094a
SHA256bef05ecf60b49bdb68c9040f13369b2e35e5b16368c14dc3b7e647bc2b771190
SHA512187f4805733740b87746c965b9d4ad9cecfb2b8c58f9b7a7cdd738431af8ae1075c3f2f3bc0e3cf0b9a5341a4366ec7ad6ebc23d37cfc263b7d3ee7de471ee24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_76F26EDEF7C1087F80A272B48769819EMD5
81bf2262d07dcd8dabe5d063273b3b82
SHA11a8ea0d04519e90c9aa699e20dedade3ef89528f
SHA256d7a3b7a45383065ec0d5c52fb6db62f6b8923f9021cafd3b1a88052e5bf6c0ca
SHA512301f054fa470a090d058da743ee95e418b062aebd0dec9efa82546213a840e5c5cff8fc78ee5aa46998111042f93fafae2231692a5404e410e9f6c620cfb4e50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_30F32374BEBB4A72181B36E407396E90MD5
17614ccc0e2163ed9fe0d4294c512427
SHA176332424660a13324beb5289cec4ee212b9c1b60
SHA256413210387395fd55153d566ca253486b5de7786a5cf793cab68197fe57ee047d
SHA5122813cfdd7019e37aa7edb8038a38bc70a6ef31ba5fd64daaaf58b0ca33d87b1e055fb12f147de793557050a2643cc7f6149ac135845367adefc1f0696147a5a9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAMD5
d6b3a63f257f20dc976de24fee5e265f
SHA1f07273bf11527287c3103175f2be8aaf20a5ab43
SHA2564baca42f564efabff3292e3dbb038beb8afc0d861b1820b524d149ad5f7ad699
SHA512ee9715fcdc5669c1e3c13dd2fc650acc82edab34e251c1a16939d9957ac805202bcb64f9f6504863d29b8856038a94c89552a5f928ff5cba67d296881411dc5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9641559E442FE3E0D68934A8083C5D76MD5
e2ff814164748ac73fbb079e974f0af9
SHA12585381e0b19c08a91c6d689b7a14414b54538b7
SHA256e833ae81c6f1998e01f658d97755a667a803c8f1ebae2cb212dd9a2b7da2dfb1
SHA5122be8da07069ff3d5b684aa060bf323818fe51ca2a95b634ad08494554566aa7977d7a67296da45aa2c3625ba3e31e4b0a8c10f0b994102091bf31d47baf911f1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\38DZIYGX.cookieMD5
1125437a62bfc20380f4647cc439616b
SHA1691026db2b431a93c72a111025089635f8f89f9e
SHA256f6458db840bbafdc3d0cbe261bec5a87dd324f3e285e6709de327f63ffc59cb7
SHA51271fa5953026df79e4727382027530d9f9f575634fe02aa5bef04d6afe19ee270e83102b0c9a1e16746352fea37d4c1862570df9172688881f34844db0d0f9c85
-
C:\Users\Admin\AppData\Local\Temp\builder #6.exeMD5
9729d33f5cc788e9c1930bcc968acffa
SHA168c662875f7b805dd6f246919d406c8d92158073
SHA2563711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae
SHA512af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f
-
C:\Users\Admin\AppData\Local\Temp\builder #6.exeMD5
9729d33f5cc788e9c1930bcc968acffa
SHA168c662875f7b805dd6f246919d406c8d92158073
SHA2563711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae
SHA512af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f
-
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exeMD5
0d833c6509f350e0a15492597df2bda6
SHA11f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f
SHA256d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7
SHA5129e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118
-
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exeMD5
0d833c6509f350e0a15492597df2bda6
SHA11f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f
SHA256d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7
SHA5129e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118
-
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exeMD5
0d833c6509f350e0a15492597df2bda6
SHA11f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f
SHA256d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7
SHA5129e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118
-
C:\Users\Admin\Desktop\builder #6.exeMD5
5b8424091039427183735ad7957dcbf4
SHA1f6e8c595d397f7510c17f6e932d080b2040ede00
SHA2569b106ec7ed3ba6caf1370e573e03d1de093516ce2746bb8fe1f23b6d9b328cab
SHA5125a77c01ac24b0cda39384aa68fce7c823d4b0474e8190fe380dc30ce1d9c416c8bd98b1715c38471dd16304024b96627f46504afa87854b4f11914b5109d6ad0
-
C:\Users\Admin\Desktop\builder #6.exeMD5
5b8424091039427183735ad7957dcbf4
SHA1f6e8c595d397f7510c17f6e932d080b2040ede00
SHA2569b106ec7ed3ba6caf1370e573e03d1de093516ce2746bb8fe1f23b6d9b328cab
SHA5125a77c01ac24b0cda39384aa68fce7c823d4b0474e8190fe380dc30ce1d9c416c8bd98b1715c38471dd16304024b96627f46504afa87854b4f11914b5109d6ad0
-
C:\Users\Admin\Documents\AudioDriver\taskhost.exeMD5
0d833c6509f350e0a15492597df2bda6
SHA11f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f
SHA256d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7
SHA5129e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118
-
C:\Users\Admin\Downloads\Сборник WinLocker Builderов[Пароль от архива 123123].rarMD5
ca30cdb3e3d150f290973d9e734266d1
SHA17f7f9d43571d34a4c0b1b8735cdd2a061a63d43f
SHA256e4fa53900a2b1f7adfaafa94e588e4f7ac0c7c0cae6df89ba9f65ee6678f18d6
SHA512624d63d8b34a16a9ea0e5cc68b58b3addbb165d4e00942fd2c303a57a537c8f9a784f04e0252d14835e347c6bb488a60aa9c2d207865d4b88ddfef3b246265bd
-
\??\pipe\crashpad_3992_WNQBGIQVSRFPFJGKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1584-141-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-132-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-144-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-145-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-147-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-149-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-150-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-151-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-155-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-156-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-157-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-163-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-164-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-165-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-167-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-166-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-168-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-169-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-173-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-115-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-176-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-179-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-180-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-116-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-138-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-137-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-136-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-135-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-133-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-142-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-131-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-129-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-128-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-127-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-125-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-124-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-122-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-117-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-123-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-121-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-119-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/1584-120-0x00007FF99D0B0000-0x00007FF99D11B000-memory.dmpFilesize
428KB
-
memory/2944-140-0x0000000000000000-mapping.dmp
-
memory/4692-208-0x0000000000000000-mapping.dmp
-
memory/4692-216-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/4716-211-0x0000000000000000-mapping.dmp
-
memory/4716-217-0x0000000000660000-0x00000000007AA000-memory.dmpFilesize
1.3MB
-
memory/4716-218-0x0000000000660000-0x00000000007AA000-memory.dmpFilesize
1.3MB
-
memory/4716-219-0x0000000000660000-0x00000000007AA000-memory.dmpFilesize
1.3MB
-
memory/4760-221-0x0000000000670000-0x0000000000671000-memory.dmpFilesize
4KB
-
memory/4760-220-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/4760-214-0x000000000048F888-mapping.dmp
-
memory/4844-222-0x0000000000000000-mapping.dmp
-
memory/4844-225-0x0000000002230000-0x0000000002231000-memory.dmpFilesize
4KB
-
memory/4844-227-0x0000000002380000-0x0000000002381000-memory.dmpFilesize
4KB
-
memory/4844-226-0x0000000002360000-0x0000000002369000-memory.dmpFilesize
36KB
-
memory/4872-224-0x000000000048F888-mapping.dmp
-
memory/4872-228-0x0000000002220000-0x0000000002221000-memory.dmpFilesize
4KB
-
memory/5052-229-0x0000000000520000-0x00000000005CE000-memory.dmpFilesize
696KB