Overview (score 10)
Static (score 10)

Tasks (sample, platform, score):
  DARKCOMET ...ty.exe   windows7-x64         1
  DARKCOMET ...ty.exe   windows10-2004-x64   1
  DARKCOMET ...at.exe   windows7-x64         10
  DARKCOMET ...at.exe   windows10-2004-x64   10
  DARKCOMET ...er.exe   windows7-x64         1
  DARKCOMET ...er.exe   windows10-2004-x64   1
  DARKCOMET ...e3.dll   windows7-x64         3
  DARKCOMET ...e3.dll   windows10-2004-x64   3
  DARKCOMET ...er.dll   windows7-x64         1
  DARKCOMET ...er.dll   windows10-2004-x64   1
Analysis
  max time kernel:  139s
  max time network: 159s
  platform:         windows7_x64
  resource:         win7-20220718-en
  resource tags:    arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
  submitted:        19-07-2022 09:43
Behavioral tasks (task, sample, resource):
  behavioral1   DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/Celesty Binder/Celesty.exe      win7-20220718-en
  behavioral2   DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/Celesty Binder/Celesty.exe      win10v2004-20220718-en
  behavioral3   DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/DarkCometRat.exe                win7-20220718-en
  behavioral4   DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/DarkCometRat.exe                win10v2004-20220718-en
  behavioral5   DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/Spoof extensions/Spoofer.exe    win7-20220715-en
  behavioral6   DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/Spoof extensions/Spoofer.exe    win10v2004-20220414-en
  behavioral7   DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/sqlite3.dll                     win7-20220715-en
  behavioral8   DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/sqlite3.dll                     win10v2004-20220414-en
  behavioral9   DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/userfixer.dll                   win7-20220715-en
  behavioral10  DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/userfixer.dll                   win10v2004-20220718-en
General
  Target: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/DarkCometRat.exe
  Size:   12.1MB
  MD5:    c8c39c4d8cdfa38169be4057a70e04f2
  SHA1:   ceddeda4a89ad8c0fc1765511ef9da9696803f9f
  SHA256: 62f21406a307e447db6f0c2d91c626d947544effd6f56800c5e2e1beea18375c
  SHA512: ab21a5273e481cce2173ea6ee5d450a28f5ab1411699500f62d2c4e1b35dd5fc825931a0cd8cca9da4e92f5e2e06784e3f14006e1d76b8e197baf02ff22f0a30
Malware Config

Extracted: asyncrat
  Version:        0.5.7B
  Botnet:         Default
  C2:             susiahat24199a.ddns.net:6606
  Mutex:          AsyncMutex_6SI8OkPnk
  delay:          3
  install:        true
  install_file:   JavaCrashHandle.exe
  install_folder: %AppData%

Extracted: darkcomet
  Botnet:           Guest16
  C2:               sussysdfffdfff343.duckdns.org:1604
  Mutex:            DC_MUTEX-QH9A6P4
  InstallPath:      MSDCSC\msdcsc.exe
  gencode:          YBnxcFaotAui
  install:          true
  offline_keylogger: true
  persistence:      true
  reg_key:          JavaUpdater
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: HAXIMIZE-V2.0 CRACKED.EXE
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: msdcsc.exe
    Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
    Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
    Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Modifies security service (2 TTPs, 1 IoC)
  Process: msdcsc.exe
    Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
Windows security bypass
  Process: msdcsc.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Async RAT payload (8 IoCs)
  YARA rule: asyncrat, matched on:
    \Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
    C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
    C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
    behavioral3/memory/1640-70-0x0000000000DA0000-0x0000000000DC6000-memory.dmp
    \Users\Admin\AppData\Roaming\JavaCrashHandle.exe
    C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
    behavioral3/memory/1716-98-0x0000000000F50000-0x0000000000F76000-memory.dmp
    C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
Disables RegEdit via registry modification (1 IoC)
  Process: msdcsc.exe
    Set value (int)  \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Executes dropped EXE (5 IoCs)
  PID   Process
  2012  DARKCOMET.EXE
  1640  DARKCOMETRATLAUNCHER.EXE
  1408  HAXIMIZE-V2.0 CRACKED.EXE
  1692  msdcsc.exe
  1716  JavaCrashHandle.exe
Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID   Process
  1872  attrib.exe
  1500  attrib.exe
Loads dropped DLL (7 IoCs)
  PID   Process
  1952  DarkCometRat.exe (4 IoCs)
  1408  HAXIMIZE-V2.0 CRACKED.EXE (2 IoCs)
  1164  cmd.exe
Windows security modification
  Process: msdcsc.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: HAXIMIZE-V2.0 CRACKED.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: msdcsc.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoC)
  PID   Process
  2004  timeout.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID   Process
  1640  DARKCOMETRATLAUNCHER.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  1692  msdcsc.exe
Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Processes: HAXIMIZE-V2.0 CRACKED.EXE, msdcsc.exe, DARKCOMETRATLAUNCHER.EXE, JavaCrashHandle.exe
  1408 HAXIMIZE-V2.0 CRACKED.EXE enabled tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  1692 msdcsc.exe enabled tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  1640 DARKCOMETRATLAUNCHER.EXE enabled tokens:
    SeDebugPrivilege
  1716 JavaCrashHandle.exe enabled tokens:
    SeDebugPrivilege (2 IoCs)
Suspicious use of FindShellTrayWindow (4 IoCs)
  PID   Process
  2012  DARKCOMET.EXE (4 IoCs)
Suspicious use of SendNotifyMessage (3 IoCs)
  PID   Process
  2012  DARKCOMET.EXE (3 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  2012  DARKCOMET.EXE
  1692  msdcsc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: DarkCometRat.exe, HAXIMIZE-V2.0 CRACKED.EXE, cmd.exe, cmd.exe, msdcsc.exe
  Source PID / process          -> Target PID / process            Writes
  1952 DarkCometRat.exe          -> 2012 DARKCOMET.EXE              4
  1952 DarkCometRat.exe          -> 1640 DARKCOMETRATLAUNCHER.EXE   7
  1952 DarkCometRat.exe          -> 1408 HAXIMIZE-V2.0 CRACKED.EXE  4
  1408 HAXIMIZE-V2.0 CRACKED.EXE -> 940 cmd.exe                     4
  1408 HAXIMIZE-V2.0 CRACKED.EXE -> 1096 cmd.exe                    4
  940 cmd.exe                    -> 1872 attrib.exe                 4
  1096 cmd.exe                   -> 1500 attrib.exe                 4
  1408 HAXIMIZE-V2.0 CRACKED.EXE -> 1692 msdcsc.exe                 4
  1692 msdcsc.exe                -> 1920 iexplore.exe               4
  1692 msdcsc.exe                -> 948 explorer.exe                4
  1692 msdcsc.exe                -> 268 notepad.exe                 21
Views/modifies file attributes (1 TTP, 2 IoCs)
  PID   Process
  1500  attrib.exe
  1872  attrib.exe
Processes (process tree; nesting shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\DARKCOMET 5.3.1 Fixed\DARKCOMET 5.3.1\DarkCometRat.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\DARKCOMET 5.3.1 Fixed\DARKCOMET 5.3.1\DarkCometRat.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE
      cmdline: "C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE"
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
      cmdline: "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE" +s +h
          - Suspicious use of WriteProcessMemory

        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          cmdline: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          - Modifies firewall policy service
          - Modifies security service
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Windows security modification
          - Adds Run key to start application
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
      cmdline: "C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3074.tmp.bat""
          - Loads dropped DLL

            C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
              cmdline: "C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "JavaCrashHandle" /tr '"C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"' & exit

C:\Windows\SysWOW64\attrib.exe
  cmdline: attrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE" +s +h
  - Sets file to hidden
  - Views/modifies file attributes

C:\Windows\SysWOW64\attrib.exe
  cmdline: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  - Sets file to hidden
  - Views/modifies file attributes

C:\Windows\SysWOW64\notepad.exe
  cmdline: notepad

C:\Windows\explorer.exe
  cmdline: "C:\Windows\explorer.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\timeout.exe
  cmdline: timeout 3
  - Delays execution with timeout.exe

C:\Windows\SysWOW64\schtasks.exe
  cmdline: schtasks /create /f /sc onlogon /rl highest /tn "JavaCrashHandle" /tr '"C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"'
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (dropped files)

C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE
  Filesize: 11.3MB
  MD5:    d761f3aa64064a706a521ba14d0f8741
  SHA1:   ab7382bcfdf494d0327fccce9c884592bcc1adeb
  SHA256: 21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6
  SHA512: d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f
C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
  Filesize: 126KB
  MD5:    3c9ca31b4d07143cc51a965fa8cd7ee8
  SHA1:   f1b83c2ba9955c15d2620b73a42ed92db8b49d49
  SHA256: 605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83
  SHA512: 6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d
C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
  Filesize: 658KB
  MD5:    efa6a56bc92b0d9e88d95bdeae626fca
  SHA1:   99a1864c799f9c79ac646c9bdab868ba55fc7029
  SHA256: d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6
  SHA512: 439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0
C:\Users\Admin\AppData\Local\Temp\tmp3074.tmp.bat
  Filesize: 159B
  MD5:    0176c432d416a259afed3c69b18f27b9
  SHA1:   bc3e50ee96ec112c8eeff70026d94ab259ff465d
  SHA256: ee39fc029f3a70b5d59ff830d8cb01d4f64d55dbb44be687158797bc1371983a
  SHA512: aa840f80da20a190f7fbd2f095a3a8491f2e06fbbb71ac37b668818611b1808d442fd1665eb47305a2d648b06d7d9bab1e06c08acde28654ac91e5ad02a59c89
C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
  Filesize: 126KB
  MD5:    3c9ca31b4d07143cc51a965fa8cd7ee8
  SHA1:   f1b83c2ba9955c15d2620b73a42ed92db8b49d49
  SHA256: 605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83
  SHA512: 6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5:    efa6a56bc92b0d9e88d95bdeae626fca
  SHA1:   99a1864c799f9c79ac646c9bdab868ba55fc7029
  SHA256: d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6
  SHA512: 439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0