darkcomet | f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429

General

Target

f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
Size

935KB
MD5

39155d3cb3f7297e02c78e8de64e0060
SHA1

3a8825b7168b837d5388f5b26b24ea950169f131
SHA256

f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429
SHA512

30d2d6237964da7af8fa9b89ef2168c471f5cd9a504ca2d777bdf361b813c8be21763d89f5ad92fc9ee1e1cf1104d41ee16b75b37934fce5544977a57c82c8a4
SSDEEP

24576:n4t9MIPPE/RaPtUPYh31XyGb7govmIa1x3c:K0/R0tkA1fgUmIix

Score

10^/10

darkcomet njrat hacked rat persistence rat trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

mark3000011.no-ip.biz:1177

Mutex

b5857819bb096c04134249d6f4e71934

Attributes

reg_key
b5857819bb096c04134249d6f4e71934
splitter
|'|'|

Extracted

Family

darkcomet

Botnet

RAT

C2

liorhadad.no-ip.info:1300

46.116.152.219:1300

85.64.54.170:1300

Mutex

DC_MUTEX-69QBQR9

Attributes

gencode
6GuJmgpzwFpe
install
false
offline_keylogger
true
password
123456s
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

gg.exe

pid process

1276 gg.exe

pid	process
1276	gg.exe

Loads dropped DLL 2 IoCs

Processes:

f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe

pid	process
856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exegg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe"	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe"	gg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exegg.exe

description	pid	process	target process
PID 856 set thread context of 920	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	cvtres.exe
PID 1276 set thread context of 1640	1276	gg.exe	cvtres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000001d3d72a2f91c954ff8700ca54c037a6d1c09e5f081f52db3aebb5c96dedfcf7f000000000e8000000002000020000000a8a64c5d3ec727ca8aad31c54e48cf69c7db44a387f2014b7c5be73d37ca9452900000009feb76e29329360bf7a942ac7a95804b95bb645f843eaee66f08cb92d5a430c4bc94c1d205f30e087edeffb3d1010866f3f7615450f69c468c0a94aa7d2d6b15428c68b3ddf1d2658330198409bb55ddb5819a403465b8eb3b73ee70dd92384fa348e84f5b94f2ca51e856ad1001360da54fa1a0a4286246c7273e1ac43456813a03fb890116c9a9faa2b145e0315c1f40000000f3c530877bab361efd6c31c1ecbb0d63b3e8c72e727b43bfd84d8e27b0b9a19c0463b702e2c733a8f3ae889da7439422e127f586614ba6898c2124a0eaaf6441	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC617EC1-43A8-11ED-9916-DE5CC620A9B4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600473edb5d7d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371627846"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000cad1940a74f0530023f35ada0333b97037f2a76441541acef355f0093f030c56000000000e8000000002000020000000961119fe007702ebf9ae705697d2f5f9ea0a74e89876417676f8544b57fdb52b2000000073e4cc23aa8dcc5c72135bfb6cdb5d90e52b62e62a0b383e8ba99065739fa46140000000cf29c7c1dba96f00035aa622daf83d1e1f46996f81bf5e4c3da8acdca2d653334ac5a29d61c58aba71547c7dc8da15fdb90ea0c54831465adc5908cb9040a957	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
Token: SeIncreaseQuotaPrivilege	1640	cvtres.exe
Token: SeSecurityPrivilege	1640	cvtres.exe
Token: SeTakeOwnershipPrivilege	1640	cvtres.exe
Token: SeLoadDriverPrivilege	1640	cvtres.exe
Token: SeSystemProfilePrivilege	1640	cvtres.exe
Token: SeSystemtimePrivilege	1640	cvtres.exe
Token: SeProfSingleProcessPrivilege	1640	cvtres.exe
Token: SeIncBasePriorityPrivilege	1640	cvtres.exe
Token: SeCreatePagefilePrivilege	1640	cvtres.exe
Token: SeBackupPrivilege	1640	cvtres.exe
Token: SeRestorePrivilege	1640	cvtres.exe
Token: SeShutdownPrivilege	1640	cvtres.exe
Token: SeDebugPrivilege	1640	cvtres.exe
Token: SeSystemEnvironmentPrivilege	1640	cvtres.exe
Token: SeChangeNotifyPrivilege	1640	cvtres.exe
Token: SeRemoteShutdownPrivilege	1640	cvtres.exe
Token: SeUndockPrivilege	1640	cvtres.exe
Token: SeManageVolumePrivilege	1640	cvtres.exe
Token: SeImpersonatePrivilege	1640	cvtres.exe
Token: SeCreateGlobalPrivilege	1640	cvtres.exe
Token: 33	1640	cvtres.exe
Token: 34	1640	cvtres.exe
Token: 35	1640	cvtres.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1964 iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

cvtres.exeiexplore.exeIEXPLORE.EXE

pid process

1640 cvtres.exe
1964 iexplore.exe
1964 iexplore.exe
1696 IEXPLORE.EXE
1696 IEXPLORE.EXE

pid	process
1964	iexplore.exe

pid	process
1640	cvtres.exe
1964	iexplore.exe
1964	iexplore.exe
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exegg.execvtres.exeiexplore.exe

description	pid	process	target process
PID 856 wrote to memory of 1276	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	gg.exe
PID 856 wrote to memory of 1276	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	gg.exe
PID 856 wrote to memory of 1276	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	gg.exe
PID 856 wrote to memory of 1276	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	gg.exe
PID 856 wrote to memory of 1292	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	WScript.exe
PID 856 wrote to memory of 1292	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	WScript.exe
PID 856 wrote to memory of 1292	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	WScript.exe
PID 856 wrote to memory of 1292	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	WScript.exe
PID 856 wrote to memory of 920	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	cvtres.exe
PID 856 wrote to memory of 920	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	cvtres.exe
PID 856 wrote to memory of 920	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	cvtres.exe
PID 856 wrote to memory of 920	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	cvtres.exe
PID 856 wrote to memory of 920	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	cvtres.exe
PID 856 wrote to memory of 920	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	cvtres.exe
PID 856 wrote to memory of 920	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	cvtres.exe
PID 856 wrote to memory of 920	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	cvtres.exe
PID 856 wrote to memory of 920	856	f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 1276 wrote to memory of 1640	1276	gg.exe	cvtres.exe
PID 920 wrote to memory of 1964	920	cvtres.exe	iexplore.exe
PID 920 wrote to memory of 1964	920	cvtres.exe	iexplore.exe
PID 920 wrote to memory of 1964	920	cvtres.exe	iexplore.exe
PID 920 wrote to memory of 1964	920	cvtres.exe	iexplore.exe
PID 1964 wrote to memory of 1696	1964	iexplore.exe	IEXPLORE.EXE
PID 1964 wrote to memory of 1696	1964	iexplore.exe	IEXPLORE.EXE
PID 1964 wrote to memory of 1696	1964	iexplore.exe	IEXPLORE.EXE
PID 1964 wrote to memory of 1696	1964	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
"C:\Users\Admin\AppData\Local\Temp\f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\gg.exe
"C:\Users\Admin\AppData\Local\Temp\gg.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JSQXPWJM.vbs"
2⤵
PID:1292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=cvtres.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gg.exe
Filesize
782KB

MD5
33494ef99ed1250e796947c370876f46

SHA1
2b68d4796c608ee0bf794afbee7514b8773a1bbd

SHA256
8fda0b6082e33d1ed269fe21226fc292e684464a3e3c8c2a84709a84f78ca2c8

SHA512
e161edd77f3ee5bd9d8071c371d4296da25a1546a0e693b598fd2bc66456a786fd3f86c1908747f6a5d8dc81fd1e3054d10a0430fbac385d672a3069a41cbcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gg.exe
Filesize
782KB

MD5
33494ef99ed1250e796947c370876f46

SHA1
2b68d4796c608ee0bf794afbee7514b8773a1bbd

SHA256
8fda0b6082e33d1ed269fe21226fc292e684464a3e3c8c2a84709a84f78ca2c8

SHA512
e161edd77f3ee5bd9d8071c371d4296da25a1546a0e693b598fd2bc66456a786fd3f86c1908747f6a5d8dc81fd1e3054d10a0430fbac385d672a3069a41cbcc9

Download Submit
C:\Users\Admin\AppData\Roaming\JSQXPWJM.vbs
Filesize
455B

MD5
e0d1baab1e00cf58f684cc15f81891af

SHA1
7a192fe8a1b1541710cf9535a6384465f8d079bc

SHA256
d177dcdf8e1a430a76b95977ef590659bb6f9bb0dd0ed9ecb142351235f786db

SHA512
c66888e2a2cb609d208bbdfc56d9592d1c564546b56311adb5a53adc79ce2f1ffce2a0c06eb905c5a6b81d04afbc45d0454b28ae703246054a2e1f4285e319b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LFP10VJ6.txt
Filesize
608B

MD5
7e2c31c7298a30d59dbe3124cee594ee

SHA1
c2f08d7c0285ecfc0618cbc9d9dfd2dd661ea1de

SHA256
c38fc38f1a0894ceac35e975bdac038ab19832a7b7cb4423a90981e9cf83586a

SHA512
916eb18c902ecf5fc53a2b53f60c943758521d6d3bdcd446501419ebdb6163eb773ad9832de700ece4d2a8710d458be13fef25c0ada44a7219b226220401ad5b

Download Submit
\Users\Admin\AppData\Local\Temp\gg.exe
Filesize
782KB

MD5
33494ef99ed1250e796947c370876f46

SHA1
2b68d4796c608ee0bf794afbee7514b8773a1bbd

SHA256
8fda0b6082e33d1ed269fe21226fc292e684464a3e3c8c2a84709a84f78ca2c8

SHA512
e161edd77f3ee5bd9d8071c371d4296da25a1546a0e693b598fd2bc66456a786fd3f86c1908747f6a5d8dc81fd1e3054d10a0430fbac385d672a3069a41cbcc9

Download Submit
\Users\Admin\AppData\Local\Temp\gg.exe
Filesize
782KB

MD5
33494ef99ed1250e796947c370876f46

SHA1
2b68d4796c608ee0bf794afbee7514b8773a1bbd

SHA256
8fda0b6082e33d1ed269fe21226fc292e684464a3e3c8c2a84709a84f78ca2c8

SHA512
e161edd77f3ee5bd9d8071c371d4296da25a1546a0e693b598fd2bc66456a786fd3f86c1908747f6a5d8dc81fd1e3054d10a0430fbac385d672a3069a41cbcc9

Download Submit
memory/856-74-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/856-55-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/856-56-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/856-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/920-71-0x0000000000408B0E-mapping.dmp

Download
memory/920-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/920-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/920-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/920-70-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/920-73-0x0000000000402000-0x0000000000408C00-memory.dmp

Filesize
27KB

Download
memory/920-75-0x0000000000402000-0x0000000000408C00-memory.dmp

Filesize
27KB

Download
memory/920-65-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1276-96-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/1276-63-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/1276-59-0x0000000000000000-mapping.dmp

Download
memory/1292-64-0x0000000000000000-mapping.dmp

Download
memory/1640-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-85-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-88-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-90-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-92-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-94-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-93-0x000000000048F888-mapping.dmp

Download
memory/1640-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-97-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-99-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-100-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads