darkcomet | e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80

General

Target

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
Size

611KB
MD5

5c898dd2bc147ffad06ac8362d13614c
SHA1

8f8fc1e81ee69b12a06e256d7f0cdceea54d25dd
SHA256

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80
SHA512

fcfb8dca28fe47b61f2b201ce160854a3c865aa0f049020a2e741df271772d3e0fd71ebb30fa85d2ad80bc3c0dc0c57183a977f5f4082afc4c240c9d6b06b650
SSDEEP

12288:LTqSnzWHA+m3S0fapaJehb2qTvxpGrLRRWDyw4tw+Unzyn6PPr:/qSn4mCSJS1v7GPUz4tYun6n

Score

10^/10

darkcomet guest16 evasion rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

rattedmyfriend.no-ip.biz:8003

Mutex

DC_MUTEX-CGVK3FE

Attributes

gencode
Z740hakFenqk
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\interpals.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\interpals.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\applaunch.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 2 IoCs

Processes:

Not crypted server.exeTRISTAN SERVER.EXE

pid process

4644 Not crypted server.exe
1552 TRISTAN SERVER.EXE

pid	process
4644	Not crypted server.exe
1552	TRISTAN SERVER.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4184-139-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4184-141-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4184-143-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4184-142-0x0000000000400000-0x000000000045D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe	upx
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe	upx
behavioral2/memory/4644-160-0x0000000000400000-0x000000000055B000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exeNot crypted server.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Not crypted server.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe

description	pid	process	target process
PID 2700 set thread context of 4184	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

4492 reg.exe
3604 reg.exe
4712 reg.exe
4716 reg.exe

pid	process
4492	reg.exe
3604	reg.exe
4712	reg.exe
4716	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

applaunch.exeNot crypted server.exeTRISTAN SERVER.EXE

description	pid	process
Token: 1	4184	applaunch.exe
Token: SeCreateTokenPrivilege	4184	applaunch.exe
Token: SeAssignPrimaryTokenPrivilege	4184	applaunch.exe
Token: SeLockMemoryPrivilege	4184	applaunch.exe
Token: SeIncreaseQuotaPrivilege	4184	applaunch.exe
Token: SeMachineAccountPrivilege	4184	applaunch.exe
Token: SeTcbPrivilege	4184	applaunch.exe
Token: SeSecurityPrivilege	4184	applaunch.exe
Token: SeTakeOwnershipPrivilege	4184	applaunch.exe
Token: SeLoadDriverPrivilege	4184	applaunch.exe
Token: SeSystemProfilePrivilege	4184	applaunch.exe
Token: SeSystemtimePrivilege	4184	applaunch.exe
Token: SeProfSingleProcessPrivilege	4184	applaunch.exe
Token: SeIncBasePriorityPrivilege	4184	applaunch.exe
Token: SeCreatePagefilePrivilege	4184	applaunch.exe
Token: SeCreatePermanentPrivilege	4184	applaunch.exe
Token: SeBackupPrivilege	4184	applaunch.exe
Token: SeRestorePrivilege	4184	applaunch.exe
Token: SeShutdownPrivilege	4184	applaunch.exe
Token: SeDebugPrivilege	4184	applaunch.exe
Token: SeAuditPrivilege	4184	applaunch.exe
Token: SeSystemEnvironmentPrivilege	4184	applaunch.exe
Token: SeChangeNotifyPrivilege	4184	applaunch.exe
Token: SeRemoteShutdownPrivilege	4184	applaunch.exe
Token: SeUndockPrivilege	4184	applaunch.exe
Token: SeSyncAgentPrivilege	4184	applaunch.exe
Token: SeEnableDelegationPrivilege	4184	applaunch.exe
Token: SeManageVolumePrivilege	4184	applaunch.exe
Token: SeImpersonatePrivilege	4184	applaunch.exe
Token: SeCreateGlobalPrivilege	4184	applaunch.exe
Token: 31	4184	applaunch.exe
Token: 32	4184	applaunch.exe
Token: 33	4184	applaunch.exe
Token: 34	4184	applaunch.exe
Token: 35	4184	applaunch.exe
Token: SeIncreaseQuotaPrivilege	4644	Not crypted server.exe
Token: SeSecurityPrivilege	4644	Not crypted server.exe
Token: SeTakeOwnershipPrivilege	4644	Not crypted server.exe
Token: SeLoadDriverPrivilege	4644	Not crypted server.exe
Token: SeSystemProfilePrivilege	4644	Not crypted server.exe
Token: SeSystemtimePrivilege	4644	Not crypted server.exe
Token: SeProfSingleProcessPrivilege	4644	Not crypted server.exe
Token: SeIncBasePriorityPrivilege	4644	Not crypted server.exe
Token: SeCreatePagefilePrivilege	4644	Not crypted server.exe
Token: SeBackupPrivilege	4644	Not crypted server.exe
Token: SeRestorePrivilege	4644	Not crypted server.exe
Token: SeShutdownPrivilege	4644	Not crypted server.exe
Token: SeDebugPrivilege	4644	Not crypted server.exe
Token: SeSystemEnvironmentPrivilege	4644	Not crypted server.exe
Token: SeChangeNotifyPrivilege	4644	Not crypted server.exe
Token: SeRemoteShutdownPrivilege	4644	Not crypted server.exe
Token: SeUndockPrivilege	4644	Not crypted server.exe
Token: SeManageVolumePrivilege	4644	Not crypted server.exe
Token: SeImpersonatePrivilege	4644	Not crypted server.exe
Token: SeCreateGlobalPrivilege	4644	Not crypted server.exe
Token: 33	4644	Not crypted server.exe
Token: 34	4644	Not crypted server.exe
Token: 35	4644	Not crypted server.exe
Token: 36	4644	Not crypted server.exe
Token: SeIncreaseQuotaPrivilege	1552	TRISTAN SERVER.EXE
Token: SeSecurityPrivilege	1552	TRISTAN SERVER.EXE
Token: SeTakeOwnershipPrivilege	1552	TRISTAN SERVER.EXE
Token: SeLoadDriverPrivilege	1552	TRISTAN SERVER.EXE
Token: SeSystemProfilePrivilege	1552	TRISTAN SERVER.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

applaunch.exeTRISTAN SERVER.EXENot crypted server.exe

pid process

4184 applaunch.exe
4184 applaunch.exe
4184 applaunch.exe
1552 TRISTAN SERVER.EXE
4644 Not crypted server.exe

pid	process
4184	applaunch.exe
4184	applaunch.exe
4184	applaunch.exe
1552	TRISTAN SERVER.EXE
4644	Not crypted server.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exeapplaunch.execmd.execmd.execmd.execmd.exeNot crypted server.exe

description	pid	process	target process
PID 2700 wrote to memory of 4184	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 2700 wrote to memory of 4184	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 2700 wrote to memory of 4184	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 2700 wrote to memory of 4184	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 2700 wrote to memory of 4184	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 2700 wrote to memory of 4184	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 2700 wrote to memory of 4184	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 2700 wrote to memory of 4184	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	applaunch.exe
PID 4184 wrote to memory of 776	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 776	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 776	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 3132	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 3132	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 3132	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 2832	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 2832	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 2832	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 2848	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 2848	4184	applaunch.exe	cmd.exe
PID 4184 wrote to memory of 2848	4184	applaunch.exe	cmd.exe
PID 2848 wrote to memory of 4716	2848	cmd.exe	reg.exe
PID 2848 wrote to memory of 4716	2848	cmd.exe	reg.exe
PID 2848 wrote to memory of 4716	2848	cmd.exe	reg.exe
PID 776 wrote to memory of 4712	776	cmd.exe	reg.exe
PID 776 wrote to memory of 4712	776	cmd.exe	reg.exe
PID 776 wrote to memory of 4712	776	cmd.exe	reg.exe
PID 2832 wrote to memory of 3604	2832	cmd.exe	reg.exe
PID 2832 wrote to memory of 3604	2832	cmd.exe	reg.exe
PID 2832 wrote to memory of 3604	2832	cmd.exe	reg.exe
PID 3132 wrote to memory of 4492	3132	cmd.exe	reg.exe
PID 3132 wrote to memory of 4492	3132	cmd.exe	reg.exe
PID 3132 wrote to memory of 4492	3132	cmd.exe	reg.exe
PID 2700 wrote to memory of 3192	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	WScript.exe
PID 2700 wrote to memory of 3192	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	WScript.exe
PID 2700 wrote to memory of 3192	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	WScript.exe
PID 2700 wrote to memory of 4644	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	Not crypted server.exe
PID 2700 wrote to memory of 4644	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	Not crypted server.exe
PID 2700 wrote to memory of 4644	2700	e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe	Not crypted server.exe
PID 4644 wrote to memory of 1552	4644	Not crypted server.exe	TRISTAN SERVER.EXE
PID 4644 wrote to memory of 1552	4644	Not crypted server.exe	TRISTAN SERVER.EXE
PID 4644 wrote to memory of 1552	4644	Not crypted server.exe	TRISTAN SERVER.EXE

C:\Users\Admin\AppData\Local\Temp\e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
"C:\Users\Admin\AppData\Local\Temp\e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:4712

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:4492

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:3604

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\interpals.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\interpals.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\interpals.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\interpals.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:4716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cwKCo.vbs"
2⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe
"C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644

C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE
"C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe
Filesize
419KB

MD5
108c042c7a7d40744942dad445481774

SHA1
4a03259aa4599c027f12da0d3379216496ef0655

SHA256
ee31c8618d31624797b5a6c29e4ee9ffd466239c05bb966cb6ed597ae04a47bb

SHA512
c63950e78aed06bc175aff38a12d692ab2cdf6409d17fa08a6f8c5b3b1036d14d1f04c4bf6625d9bdca31dda725e6743f4e1c509d10202822a981a2edae39a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe
Filesize
419KB

MD5
108c042c7a7d40744942dad445481774

SHA1
4a03259aa4599c027f12da0d3379216496ef0655

SHA256
ee31c8618d31624797b5a6c29e4ee9ffd466239c05bb966cb6ed597ae04a47bb

SHA512
c63950e78aed06bc175aff38a12d692ab2cdf6409d17fa08a6f8c5b3b1036d14d1f04c4bf6625d9bdca31dda725e6743f4e1c509d10202822a981a2edae39a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE
Filesize
658KB

MD5
90050eb20b33f4f0155a98008aee0bf7

SHA1
3047729097f0979e87b1403333c384ae4e5c645c

SHA256
b10d168ed95926c7da49dc2937e40886d7c2dddd347312f0ec9be2ca8b146f60

SHA512
80c7c98b0cd26e405c38ede33426fb47ffe2dd01d810a79860fce7b646d330c179f4a45386070a6fc374e10c23a056b607f39bc64a615cb87a94112cd2a53efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE
Filesize
658KB

MD5
90050eb20b33f4f0155a98008aee0bf7

SHA1
3047729097f0979e87b1403333c384ae4e5c645c

SHA256
b10d168ed95926c7da49dc2937e40886d7c2dddd347312f0ec9be2ca8b146f60

SHA512
80c7c98b0cd26e405c38ede33426fb47ffe2dd01d810a79860fce7b646d330c179f4a45386070a6fc374e10c23a056b607f39bc64a615cb87a94112cd2a53efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwKCo.vbs
Filesize
394B

MD5
f52500f8ed2a5563b54286f1127195a4

SHA1
ce3615fffedcad20d348e7a501f68f61c8da186b

SHA256
1e4f06a679a3fac8a4b667bad3a4b3a728cc611f2db9988e85ca6f9acded8104

SHA512
e94ee1d6c6d00c873f8f73b4b7acb1b3e95a3278f08851465d32ce560bb29cc158b0e861b57045fb14c25e1d273c3426f976edf3398153517e586b9ea3d8d9ab

Download Submit
memory/776-147-0x0000000000000000-mapping.dmp

Download
memory/1552-161-0x0000000000000000-mapping.dmp

Download
memory/2700-136-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/2700-137-0x0000000005490000-0x00000000054E6000-memory.dmp

Filesize
344KB

Download
memory/2700-132-0x0000000000780000-0x0000000000822000-memory.dmp

Filesize
648KB

Download
memory/2700-135-0x0000000005300000-0x0000000005392000-memory.dmp

Filesize
584KB

Download
memory/2700-134-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/2700-133-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/2832-149-0x0000000000000000-mapping.dmp

Download
memory/2848-150-0x0000000000000000-mapping.dmp

Download
memory/3132-148-0x0000000000000000-mapping.dmp

Download
memory/3192-155-0x0000000000000000-mapping.dmp

Download
memory/3604-153-0x0000000000000000-mapping.dmp

Download
memory/4184-138-0x0000000000000000-mapping.dmp

Download
memory/4184-139-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4184-141-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4184-142-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4184-143-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4492-154-0x0000000000000000-mapping.dmp

Download
memory/4644-160-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4644-156-0x0000000000000000-mapping.dmp

Download
memory/4712-152-0x0000000000000000-mapping.dmp

Download
memory/4716-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads