Malware Analysis Report

2025-06-16 06:44

Sample ID 240120-rhmc9abef6
Target 6aa399068d8103d8e7e44c76a04a927f
SHA256 3d849011f1bda6edb5e9eebfb1c639fb0d5d4dc20cfc7605401e661a0ef1ebd2
Tags
darkcomet persistence rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

3d849011f1bda6edb5e9eebfb1c639fb0d5d4dc20cfc7605401e661a0ef1ebd2

Threat Level: Known bad

The file 6aa399068d8103d8e7e44c76a04a927f was found to be: Known bad.

Malicious Activity Summary

darkcomet persistence rat trojan

Darkcomet

Modifies WinLogon for persistence

Drops file in Drivers directory

Loads dropped DLL

Uses the VBS compiler for execution

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 14:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 14:11

Reported

2024-01-20 14:14

Platform

win7-20231215-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windupdt\\winupdate.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Note: on a clean system the UserInit value holds only the stock userinit.exe (with a trailing comma). Winlogon runs every comma-separated entry at each interactive logon, so appending winupdate.exe here gives the RAT a logon-time start that does not depend on the Run keys. The write is to HKLM and succeeded, so the sample ran with administrative rights in this detonation; a baseline check should treat any second entry in this value as a finding.

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Note: the signature name is the sandbox's generic label for any write under system32\drivers. The indicator is the hosts file being opened for write, which is how a RAT pins or blocks name resolution for chosen hosts; no driver is dropped, and the report does not show what, if anything, was written to the file.

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Uses the VBS compiler for execution

Note: the signature name is the sandbox's. vbc.exe is the .NET Framework Visual Basic compiler, a Microsoft-signed binary shipped with Framework v2.0.50727, not a VBScript engine. The Processes section shows it launched with no arguments, so it compiles nothing; the registry, file and memory activity attributed to it comes from the code the dropper injected into it.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\ProgramData\\Sys32c.exe" C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windupdt\\winupdate.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Note: DefaultSystem is written by the dropper itself, before injection, and points at C:\ProgramData\Sys32c.exe; no file at that path is listed under Files for this run, so that autostart would fail unless the payload is written later. winupdater is written from inside the injected vbc.exe and points at the same winupdate.exe that was appended to Winlogon\UserInit, giving the dropped copy two independent logon-time starts.
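
The UserInit and Run-key values above are exactly the data a host-based check should compare against a known-good baseline. The following Python is an added example, not part of this report and not code from the DarkComet sample: it parses values shaped like the ones above, flags any UserInit entry other than the stock userinit.exe, and flags any Run value whose image sits in a user-writable directory. The sample values are constructed from the behavioral1 tables (with one benign control value added), the expected userinit.exe path and the directory list are assumptions of mine, and collect_live_values() reads the real keys through winreg only when run on Windows.

```python
"""Audit Winlogon\\UserInit and HKCU Run values for the persistence pattern in this report.

Added example, not part of the sandbox report. Sample values below are constructed
from the indicators shown above; nothing here reads the live registry unless
collect_live_values() is called on Windows.
"""
import re
import sys

# Assumption: the only legitimate UserInit entry is the stock userinit.exe.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumption: autostart images under these directories deserve a look, because any
# standard user can write there (DarkComet and similar RATs drop into ProgramData).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")

# Constructed from the behavioral1 tables; SecurityHealth is a benign control value.
SAMPLE_USERINIT = (r"C:\Windows\system32\userinit.exe,"
                   r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe")
SAMPLE_RUN = {
    "DefaultSystem": r"C:\ProgramData\Sys32c.exe",
    "winupdater": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe",
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}


def normalize(path: str) -> str:
    """Lower-case, unquote and expand the two variables commonly seen in these values."""
    p = path.strip().strip('"')
    p = re.sub(r"%(systemroot|windir)%", r"C:\\Windows", p, flags=re.I)
    return p.lower()


def image_path(command: str) -> str:
    """Best-effort image path from a Run value: the quoted path, else up to the first .exe.

    Unquoted paths with spaces (as in the winupdater value) are exactly the case
    where CreateProcess is ambiguous, so the .exe heuristic is deliberate.
    """
    c = command.strip()
    if c.startswith('"') and c.find('"', 1) > 0:
        return c[1:c.find('"', 1)]
    m = re.match(r".+?\.exe", c, re.I)
    return m.group(0) if m else c


def audit_userinit(value: str) -> list[str]:
    """Return every UserInit entry that is not the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if normalize(e) != EXPECTED_USERINIT]


def audit_run_values(values: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (value name, normalized image, reason) for Run values in user-writable paths."""
    findings = []
    for name, command in values.items():
        image = normalize(image_path(command))
        hit = next((d for d in USER_WRITABLE if d in image), None)
        if hit:
            findings.append((name, image, f"autostart image under user-writable path {hit}"))
    return findings


def collect_live_values() -> tuple[str, dict[str, str]]:
    """Read the real values on Windows (reading HKLM Winlogon and HKCU Run needs no admin rights)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        userinit, _ = winreg.QueryValueEx(k, "UserInit")
    run = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:
                break  # no more values
            run[name] = str(data)
            i += 1
    return userinit, run


if __name__ == "__main__":
    userinit, run = (collect_live_values() if sys.platform == "win32"
                     else (SAMPLE_USERINIT, SAMPLE_RUN))
    for extra in audit_userinit(userinit):
        print(f"UserInit: unexpected entry {extra}")
    for name, image, reason in audit_run_values(run):
        print(f"Run\\{name}: {image}: {reason}")
```

Run as a script it audits the live registry on Windows and the constructed sample elsewhere, reporting the extra UserInit entry and the two Run values. Treat a hit as a triage lead, not a verdict: hash the image it points at and compare against the winupdate.exe hashes under Files.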

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1684 set thread context of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Note: the dropper writes into a freshly started vbc.exe (see the WriteProcessMemory rows) and then resets the context of its main thread. That is the process-hollowing sequence: the Microsoft binary's image is replaced in memory by the RAT and the thread's entry point is redirected to it. The repeated dumps of 0x400000-0x4D9000 from PID 2664 under Files cover the region that was written, which is where to look for the unpacked DarkComet payload. vbc.exe in turn writes into the dropped winupdate.exe (PID 2708), though no SetThreadContext against that process is recorded.

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Note: the rows below are the full set of privileges held by an elevated administrator token on Windows 7, not a targeted selection, which is consistent with code that enables every privilege it finds in its token. Entries shown as a bare number are privilege LUIDs the sandbox did not resolve to a name.

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2664 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2664 wrote to memory of 2708 (7 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe
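
Sandbox reports flatten each WriteProcessMemory call into its own row, which buries the injection chain. The following Python is an added example, not code from this report or from the sample: it aggregates rows of the shape shown in the SetThreadContext and WriteProcessMemory tables into one edge per (source, target) pair with event counts, walks the edges from the root process to rebuild the chain 1684 -> 2664 -> 2708, and marks an edge as the hollowing pattern when the same source both wrote to and reset the thread context of a target whose image lives under C:\Windows (an assumption of mine; a real check would verify the target's signature). The embedded rows are a constructed subset of the tables above, with three and two write events instead of thirteen and seven.

```python
"""Rebuild the injection chain from SetThreadContext / WriteProcessMemory rows.

Added example, not part of the sandbox report. The rows below are a constructed
subset of the behavioral1 tables (the report lists 13 and 7 write events; three
and two are kept here), so the counts it prints are for this subset.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# One row of either table: "PID <src> <action> <dst> N/A <src image> <dst image>".
# Image paths may contain spaces, so the split relies on both paths ending in .exe.
ROW = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.+?\.exe) (.+\.exe)$",
    re.I,
)

SAMPLE_ROWS = r"""
PID 1684 set thread context of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1684 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1684 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1684 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2664 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe
PID 2664 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe
""".strip().splitlines()


@dataclass
class Edge:
    src: int
    dst: int
    src_image: str
    dst_image: str
    writes: int = 0
    context_sets: int = 0


def parse_rows(rows):
    """Aggregate rows into one Edge per (source PID, target PID) with event counts."""
    edges = {}
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue  # table headers and other non-event lines
        src, action, dst, src_image, dst_image = m.groups()
        key = (int(src), int(dst))
        e = edges.setdefault(key, Edge(key[0], key[1], src_image, dst_image))
        if action.lower().startswith("wrote"):
            e.writes += 1
        else:
            e.context_sets += 1
    return edges


def hollowing_candidates(edges):
    """Edges with both writes and a thread-context change into a Windows-shipped image.

    Assumption: any target under C:\\Windows\\ counts as Windows-shipped.
    """
    return [e for e in edges.values()
            if e.writes and e.context_sets and e.dst_image.lower().startswith("c:\\windows\\")]


def chains(edges):
    """Walk edges from each root (a PID that is never a target) down to the leaves."""
    children = defaultdict(list)
    targets = set()
    for e in edges.values():
        children[e.src].append(e)
        targets.add(e.dst)
    out = []

    def walk(pid, image, path):
        path = path + [(pid, ntpath.basename(image))]
        if not children.get(pid):
            out.append(path)
            return
        for e in children[pid]:
            walk(e.dst, e.dst_image, path)

    for root in [p for p in children if p not in targets]:
        walk(root, children[root][0].src_image, [])
    return out


def describe(rows):
    """Chain plus per-edge counts, with the hollowing verdict per edge."""
    edges = parse_rows(rows)
    lines = [" -> ".join(f"{pid} ({name})" for pid, name in c) for c in chains(edges)]
    flagged = hollowing_candidates(edges)
    for e in edges.values():
        flag = " [hollowing pattern]" if e in flagged else ""
        lines.append(f"{e.src} -> {e.dst}: {e.writes} writes, {e.context_sets} SetThreadContext{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_ROWS))
```

Paste both tables from a report into SAMPLE_ROWS (or read them from a file) and the counts become the real 13 and 7; header lines are ignored because they do not match the row pattern. The second edge (vbc.exe into winupdate.exe) is reported with its writes but not flagged, because the report records no SetThreadContext against PID 2708.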

Processes

C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe

"C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe"

Network

N/A

Files

Note: the same winupdate.exe path appears with several different hashes because the sandbox captured the file more than once while it was being written; treat each hash as an indicator, but expect only one of them to match the file left on disk. The memory/ entries are dumps of written regions, named PID-sequence-start-end.

memory/1684-1-0x0000000000B20000-0x0000000000B60000-memory.dmp

memory/1684-0-0x0000000074DC0000-0x000000007536B000-memory.dmp

memory/1684-2-0x0000000074DC0000-0x000000007536B000-memory.dmp

memory/2664-7-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-5-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-9-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-3-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-13-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-11-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-15-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-17-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-22-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-21-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1684-27-0x0000000074DC0000-0x000000007536B000-memory.dmp

memory/2664-26-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-30-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2664-29-0x0000000000340000-0x0000000000341000-memory.dmp

memory/2664-28-0x0000000000400000-0x00000000004D9000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe

MD5 fde07b7deb47f1739dd6879f3505ebc5
SHA1 c5325e9d9eb9f5766061fa88ff55fee70bbd6a4f
SHA256 c455c9e8977b4f912bcf7bba61d089aa444101f11ab8a2e5052ad46e637de9cb
SHA512 3a50a603743e68f4d3cbcda2c4be31bdf0394fd2bce3408fee3568241f6336bd0e82911e63ebc93febd08adf11373b9c969d734f9dcd2dc41dc34881a357b3ab

memory/2664-39-0x0000000000400000-0x00000000004D9000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe

MD5 028ba1b5349e19e13e8aaa82c07ee968
SHA1 bfabce674641a7733facbaf462e8c8628b2d5acc
SHA256 2c56a9575c13e93fdb87c9d0b790ae313c61895e40627541d1ba8c5012b47959
SHA512 1287d524033bdfc394460398ced6ae937f56647e5364f85ef8a3fc9ba6db9f87498f29656eb2b647583dcc295c61da1d969fe991fc7f541f784891e7dfc88078

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe

MD5 4326c5bcbaf649fd8bc88ef80532c4a5
SHA1 bbddc8b8cb109bf39b90ff19d3a37146af690f49
SHA256 8e8be1be8c5159db747dcd1454addfd82644e74ddb0375f35ff52f831c429887
SHA512 6ea384987b96a0d684822af4d130aad3385eda01b618172d76fa4c048340b908b73425f5d9d52ca7a10481eb553bd09ed0d8bdb24a3c6e48d5e3f6b55492e0b7

\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe

MD5 a141a3effac6f617f8614a0586c8d406
SHA1 72b8dad141ab1ea1ed51ebcf2b7d834f49ed037b
SHA256 50b6c15871317bfaa0376230cb537cc8fcfee7277570c34895179dabce8ac776
SHA512 ef18f56ae40a4193a4d87d1ad6dd3d426dcd47c895920bd6205274601e853383a34b613c72dca1412d448ab8173892309226c4f537326f1e301e01404429036b

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 14:11

Reported

2024-01-20 14:14

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windupdt\\winupdate.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe N/A

Uses the VBS compiler for execution (vbc.exe, the .NET Framework Visual Basic compiler, launched with no arguments as a host for the injected payload)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\ProgramData\\Sys32c.exe" C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windupdt\\winupdate.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2776 set thread context of 4520 N/A C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege, present on Windows 10 only) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 4520 (14 events) N/A C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4520 wrote to memory of 1552 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe

"C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe"

Network

Note: the reverse-DNS (in-addr.arpa) lookups and the bing.com connections below are traffic a Windows 10 sandbox image generates on its own, and the table does not attribute any row to the sample's processes. The unresolved port-80 connection to 96.17.178.176 has neither a domain nor a process in the report and cannot be attributed either way. No connection that can be tied to the RAT (its C2 host and port) was captured in this run, and behavioral1 recorded no network activity at all, so this report yields no network indicator for the sample.

Country Destination Domain Proto
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
GB 96.17.178.176:80 tcp

Files

memory/2776-2-0x00000000748C0000-0x0000000074E71000-memory.dmp

memory/2776-1-0x00000000014D0000-0x00000000014E0000-memory.dmp

memory/2776-0-0x00000000748C0000-0x0000000074E71000-memory.dmp

memory/4520-4-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4520-3-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4520-5-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/2776-10-0x00000000748C0000-0x0000000074E71000-memory.dmp

memory/4520-11-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4520-12-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4520-13-0x00000000021F0000-0x00000000021F1000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe

MD5 66e265ca827a401294e0064082a71e29
SHA1 d2dee7d9b7415b89f866d557aee69c7e74cc15a7
SHA256 8de30cb4c4be2b0f508ad074be04fdca829e7530f062319cc35da16dcb581f54
SHA512 3107dd5f5604f5fcbab46e6cc72e77a4d0565ecca06ba234022022c037604c40c918d233442b028716694cafa3a755c4f0bc2960ecc49810e9eb9bcdeb1aa891

memory/4520-74-0x0000000000400000-0x00000000004D9000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe

MD5 3a3ba4b6373bde1843d01d10e1b6ee64
SHA1 d9aa125d1b58ccb3d0fec336629e860f8e028a8a
SHA256 968809fd7feeecdfcf8bf29a88ccc55c3f95d15aca6b7a2afbdbeaf757152600
SHA512 1d5fc30e00f36a308467ed74f4e3d6e8463278b82c93076e2ad8131d66adac50ea57da2f93b53abcf5f5b81fa5ef427e9137589d870bab15282f6c796f11477e

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe

MD5 8e39fd2e9d75384394c5d6a8b36fe59a
SHA1 ca665be11d79e27916e1672a3ecab3ae868da50a
SHA256 abed5d6051f25910572df226c0c9aa26a26993507edc554f0c93b51af0e8310a
SHA512 a90e19d14fd945f67645aed436bfe46fad9e37dbc6d9d13b2d55041209cbdf378ead883cec767570704a452165a60093007e506822f6c8c0bd1e4ed5c02b8f88