darkcomet | fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581

General

Target

fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
Size

844KB
MD5

5a1a76f5d6652816ec4bcb7cabead9a4
SHA1

150b6d0ce62b21a0b99e850c392b35c620360d99
SHA256

fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581
SHA512

ee9042b2e7cabc361701c131ead0f8eb1061639c90a5d01d77b54ab1e4c9cd018831607408d2fada544605f70e24a6bd2895464d695016fc44b11da06e9c2c32
SSDEEP

24576:9TSeM/uDIUuEPFQE+mYeg/Sia3aaBPJWxMjg:VCuDIUlPFv+mY36F9BP5jg

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

markgraham.noip.me:2124

Mutex

DCMIN_MUTEX-FUSP59W

Attributes

gencode
Le3UD9gfvz8p
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

WUDHost.exeAcctres.exeWUDHost.exe

pid process

1612 WUDHost.exe
1716 Acctres.exe
1228 WUDHost.exe
Loads dropped DLL 2 IoCs

Processes:

fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exeWUDHost.exe

pid process

620 fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
1612 WUDHost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1612	WUDHost.exe
1716	Acctres.exe
1228	WUDHost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WUDHost.exeWUDHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exeAcctres.exe

description	pid	process	target process
PID 620 set thread context of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 1716 set thread context of 1836	1716	Acctres.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exeWUDHost.exeAcctres.exe

pid	process
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
1612	WUDHost.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
1612	WUDHost.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
1612	WUDHost.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
1612	WUDHost.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
1612	WUDHost.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
1612	WUDHost.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
1716	Acctres.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
1716	Acctres.exe
620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exevbc.exeWUDHost.exeAcctres.exevbc.exeWUDHost.exe

description	pid	process
Token: SeDebugPrivilege	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
Token: 33	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
Token: SeIncBasePriorityPrivilege	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
Token: SeIncreaseQuotaPrivilege	388	vbc.exe
Token: SeSecurityPrivilege	388	vbc.exe
Token: SeTakeOwnershipPrivilege	388	vbc.exe
Token: SeLoadDriverPrivilege	388	vbc.exe
Token: SeSystemProfilePrivilege	388	vbc.exe
Token: SeSystemtimePrivilege	388	vbc.exe
Token: SeProfSingleProcessPrivilege	388	vbc.exe
Token: SeIncBasePriorityPrivilege	388	vbc.exe
Token: SeCreatePagefilePrivilege	388	vbc.exe
Token: SeBackupPrivilege	388	vbc.exe
Token: SeRestorePrivilege	388	vbc.exe
Token: SeShutdownPrivilege	388	vbc.exe
Token: SeDebugPrivilege	388	vbc.exe
Token: SeSystemEnvironmentPrivilege	388	vbc.exe
Token: SeChangeNotifyPrivilege	388	vbc.exe
Token: SeRemoteShutdownPrivilege	388	vbc.exe
Token: SeUndockPrivilege	388	vbc.exe
Token: SeManageVolumePrivilege	388	vbc.exe
Token: SeImpersonatePrivilege	388	vbc.exe
Token: SeCreateGlobalPrivilege	388	vbc.exe
Token: 33	388	vbc.exe
Token: 34	388	vbc.exe
Token: 35	388	vbc.exe
Token: SeDebugPrivilege	1612	WUDHost.exe
Token: SeDebugPrivilege	1716	Acctres.exe
Token: 33	1716	Acctres.exe
Token: SeIncBasePriorityPrivilege	1716	Acctres.exe
Token: SeIncreaseQuotaPrivilege	1836	vbc.exe
Token: SeSecurityPrivilege	1836	vbc.exe
Token: SeTakeOwnershipPrivilege	1836	vbc.exe
Token: SeLoadDriverPrivilege	1836	vbc.exe
Token: SeSystemProfilePrivilege	1836	vbc.exe
Token: SeSystemtimePrivilege	1836	vbc.exe
Token: SeProfSingleProcessPrivilege	1836	vbc.exe
Token: SeIncBasePriorityPrivilege	1836	vbc.exe
Token: SeCreatePagefilePrivilege	1836	vbc.exe
Token: SeBackupPrivilege	1836	vbc.exe
Token: SeRestorePrivilege	1836	vbc.exe
Token: SeShutdownPrivilege	1836	vbc.exe
Token: SeDebugPrivilege	1836	vbc.exe
Token: SeSystemEnvironmentPrivilege	1836	vbc.exe
Token: SeChangeNotifyPrivilege	1836	vbc.exe
Token: SeRemoteShutdownPrivilege	1836	vbc.exe
Token: SeUndockPrivilege	1836	vbc.exe
Token: SeManageVolumePrivilege	1836	vbc.exe
Token: SeImpersonatePrivilege	1836	vbc.exe
Token: SeCreateGlobalPrivilege	1836	vbc.exe
Token: 33	1836	vbc.exe
Token: 34	1836	vbc.exe
Token: 35	1836	vbc.exe
Token: SeDebugPrivilege	1228	WUDHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

388 vbc.exe

pid	process
388	vbc.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exeWUDHost.exeAcctres.exe

description	pid	process	target process
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 388	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	vbc.exe
PID 620 wrote to memory of 1612	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	WUDHost.exe
PID 620 wrote to memory of 1612	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	WUDHost.exe
PID 620 wrote to memory of 1612	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	WUDHost.exe
PID 620 wrote to memory of 1612	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	WUDHost.exe
PID 1612 wrote to memory of 1716	1612	WUDHost.exe	Acctres.exe
PID 1612 wrote to memory of 1716	1612	WUDHost.exe	Acctres.exe
PID 1612 wrote to memory of 1716	1612	WUDHost.exe	Acctres.exe
PID 1612 wrote to memory of 1716	1612	WUDHost.exe	Acctres.exe
PID 620 wrote to memory of 1228	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	WUDHost.exe
PID 620 wrote to memory of 1228	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	WUDHost.exe
PID 620 wrote to memory of 1228	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	WUDHost.exe
PID 620 wrote to memory of 1228	620	fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe	WUDHost.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe
PID 1716 wrote to memory of 1836	1716	Acctres.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe
"C:\Users\Admin\AppData\Local\Temp\fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1836
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
844KB

MD5
5a1a76f5d6652816ec4bcb7cabead9a4

SHA1
150b6d0ce62b21a0b99e850c392b35c620360d99

SHA256
fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581

SHA512
ee9042b2e7cabc361701c131ead0f8eb1061639c90a5d01d77b54ab1e4c9cd018831607408d2fada544605f70e24a6bd2895464d695016fc44b11da06e9c2c32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
844KB

MD5
5a1a76f5d6652816ec4bcb7cabead9a4

SHA1
150b6d0ce62b21a0b99e850c392b35c620360d99

SHA256
fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581

SHA512
ee9042b2e7cabc361701c131ead0f8eb1061639c90a5d01d77b54ab1e4c9cd018831607408d2fada544605f70e24a6bd2895464d695016fc44b11da06e9c2c32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
8KB

MD5
203abaf3a0b4387f8c83b8df44b52be4

SHA1
f298f77bf98b2941d4c7473c8fe0e8feedaaca6f

SHA256
4b5118a6792cf0fec015c0db676d42049333f725f9d10f4d36df95a41003ae38

SHA512
475e350bca4c5273779fe58e17bfe18a713572e17e417f700aa6418196c2830ae003f7fa9f8eb956ebea06e32fe35b47e967d5f1bff9b3a920585562360b0b50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
8KB

MD5
203abaf3a0b4387f8c83b8df44b52be4

SHA1
f298f77bf98b2941d4c7473c8fe0e8feedaaca6f

SHA256
4b5118a6792cf0fec015c0db676d42049333f725f9d10f4d36df95a41003ae38

SHA512
475e350bca4c5273779fe58e17bfe18a713572e17e417f700aa6418196c2830ae003f7fa9f8eb956ebea06e32fe35b47e967d5f1bff9b3a920585562360b0b50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
8KB

MD5
203abaf3a0b4387f8c83b8df44b52be4

SHA1
f298f77bf98b2941d4c7473c8fe0e8feedaaca6f

SHA256
4b5118a6792cf0fec015c0db676d42049333f725f9d10f4d36df95a41003ae38

SHA512
475e350bca4c5273779fe58e17bfe18a713572e17e417f700aa6418196c2830ae003f7fa9f8eb956ebea06e32fe35b47e967d5f1bff9b3a920585562360b0b50

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
844KB

MD5
5a1a76f5d6652816ec4bcb7cabead9a4

SHA1
150b6d0ce62b21a0b99e850c392b35c620360d99

SHA256
fba71d7e42c54406f33bfc7fb376513f3a3a5e6056e93567117c51b919a18581

SHA512
ee9042b2e7cabc361701c131ead0f8eb1061639c90a5d01d77b54ab1e4c9cd018831607408d2fada544605f70e24a6bd2895464d695016fc44b11da06e9c2c32

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
8KB

MD5
203abaf3a0b4387f8c83b8df44b52be4

SHA1
f298f77bf98b2941d4c7473c8fe0e8feedaaca6f

SHA256
4b5118a6792cf0fec015c0db676d42049333f725f9d10f4d36df95a41003ae38

SHA512
475e350bca4c5273779fe58e17bfe18a713572e17e417f700aa6418196c2830ae003f7fa9f8eb956ebea06e32fe35b47e967d5f1bff9b3a920585562360b0b50

Download Submit
memory/388-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-72-0x000000000048F888-mapping.dmp

Download
memory/388-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/388-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/620-55-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/620-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/620-56-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-93-0x0000000000000000-mapping.dmp

Download
memory/1228-116-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-117-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-77-0x0000000000000000-mapping.dmp

Download
memory/1612-81-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-92-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-83-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/1716-87-0x0000000000000000-mapping.dmp

Download
memory/1716-90-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/1716-91-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/1836-111-0x000000000048F888-mapping.dmp

Download
memory/1836-115-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads