darkcomet | a29e150b2ff91da057487b87d420e394347f3e0364742705705b103a2d518f61

General

Target

148da8473a260935979977ade797e718_JaffaCakes118.exe
Size

3.0MB
MD5

148da8473a260935979977ade797e718
SHA1

18d0286962802911133a5ab6ae5016c9cda08b6d
SHA256

a29e150b2ff91da057487b87d420e394347f3e0364742705705b103a2d518f61
SHA512

9c38ab2950450a0c22c5cb7dcf8cb99dd421344ac14e4d66890a1de11ab9a0185cbca967f6120a121bb720fae53774ea4545e48fca16ee501bdaa84d73d4ba81
SSDEEP

49152:hxxxK/o/y7wmmD9gukh9wiNInkjCG8mzD0W357/0nsj7a3LTK4U:hBykVCnh/InmCGACTj+TK4U

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

leifstresser.ddns.net:1604

127.0.0.1:1604

Mutex

cuntface

Attributes

InstallPath
Windows/Explorer
gencode
pG07ARK2K01Z
install
true
offline_keylogger
true
password
lolamoomoo1
persistence
true
reg_key
Updater

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

UDP FLOODER 1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\pG07ARK2K01Z\\Windows/Explorer"	UDP FLOODER 1.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

148da8473a260935979977ade797e718_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	148da8473a260935979977ade797e718_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

[email protected]UDP FLOODER 1.EXE

pid process

3932 [email protected]
3220 UDP FLOODER 1.EXE

pid	process
3932	[email protected]
3220	UDP FLOODER 1.EXE

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE	upx
behavioral2/memory/3220-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-50-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-51-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-52-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-53-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-54-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-55-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-56-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-57-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-58-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-59-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-60-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-61-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-62-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3220-63-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UDP FLOODER 1.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\pG07ARK2K01Z\\Windows/Explorer"	UDP FLOODER 1.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exe

description	pid	process	target process
PID 1388 set thread context of 1228	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 set thread context of 736	1228	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 set thread context of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

148da8473a260935979977ade797e718_JaffaCakes118.exe

pid	process
1388	148da8473a260935979977ade797e718_JaffaCakes118.exe
1388	148da8473a260935979977ade797e718_JaffaCakes118.exe
1388	148da8473a260935979977ade797e718_JaffaCakes118.exe
1388	148da8473a260935979977ade797e718_JaffaCakes118.exe
1388	148da8473a260935979977ade797e718_JaffaCakes118.exe
1388	148da8473a260935979977ade797e718_JaffaCakes118.exe
1388	148da8473a260935979977ade797e718_JaffaCakes118.exe
1388	148da8473a260935979977ade797e718_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UDP FLOODER 1.EXE

pid process

3220 UDP FLOODER 1.EXE

pid	process
3220	UDP FLOODER 1.EXE

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exeUDP FLOODER 1.EXE

description	pid	process
Token: SeDebugPrivilege	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe
Token: SeDebugPrivilege	1228	148da8473a260935979977ade797e718_JaffaCakes118.exe
Token: SeDebugPrivilege	736	148da8473a260935979977ade797e718_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3220	UDP FLOODER 1.EXE
Token: SeSecurityPrivilege	3220	UDP FLOODER 1.EXE
Token: SeTakeOwnershipPrivilege	3220	UDP FLOODER 1.EXE
Token: SeLoadDriverPrivilege	3220	UDP FLOODER 1.EXE
Token: SeSystemProfilePrivilege	3220	UDP FLOODER 1.EXE
Token: SeSystemtimePrivilege	3220	UDP FLOODER 1.EXE
Token: SeProfSingleProcessPrivilege	3220	UDP FLOODER 1.EXE
Token: SeIncBasePriorityPrivilege	3220	UDP FLOODER 1.EXE
Token: SeCreatePagefilePrivilege	3220	UDP FLOODER 1.EXE
Token: SeBackupPrivilege	3220	UDP FLOODER 1.EXE
Token: SeRestorePrivilege	3220	UDP FLOODER 1.EXE
Token: SeShutdownPrivilege	3220	UDP FLOODER 1.EXE
Token: SeDebugPrivilege	3220	UDP FLOODER 1.EXE
Token: SeSystemEnvironmentPrivilege	3220	UDP FLOODER 1.EXE
Token: SeChangeNotifyPrivilege	3220	UDP FLOODER 1.EXE
Token: SeRemoteShutdownPrivilege	3220	UDP FLOODER 1.EXE
Token: SeUndockPrivilege	3220	UDP FLOODER 1.EXE
Token: SeManageVolumePrivilege	3220	UDP FLOODER 1.EXE
Token: SeImpersonatePrivilege	3220	UDP FLOODER 1.EXE
Token: SeCreateGlobalPrivilege	3220	UDP FLOODER 1.EXE
Token: 33	3220	UDP FLOODER 1.EXE
Token: 34	3220	UDP FLOODER 1.EXE
Token: 35	3220	UDP FLOODER 1.EXE
Token: 36	3220	UDP FLOODER 1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

UDP FLOODER 1.EXE

pid process

3220 UDP FLOODER 1.EXE

pid	process
3220	UDP FLOODER 1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exeUDP FLOODER 1.EXE

description	pid	process	target process
PID 1388 wrote to memory of 2924	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 2924	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 2924	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 2556	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 2556	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 2556	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1112	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1112	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1112	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1408	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1408	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1408	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228	1388	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736	1228	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736	1228	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736	1228	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736	1228	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736	1228	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736	1228	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736	1228	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736	1228	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516	736	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 4516 wrote to memory of 3932	4516	148da8473a260935979977ade797e718_JaffaCakes118.exe	[email protected]
PID 4516 wrote to memory of 3932	4516	148da8473a260935979977ade797e718_JaffaCakes118.exe	[email protected]
PID 4516 wrote to memory of 3932	4516	148da8473a260935979977ade797e718_JaffaCakes118.exe	[email protected]
PID 4516 wrote to memory of 3220	4516	148da8473a260935979977ade797e718_JaffaCakes118.exe	UDP FLOODER 1.EXE
PID 4516 wrote to memory of 3220	4516	148da8473a260935979977ade797e718_JaffaCakes118.exe	UDP FLOODER 1.EXE
PID 4516 wrote to memory of 3220	4516	148da8473a260935979977ade797e718_JaffaCakes118.exe	UDP FLOODER 1.EXE
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe
PID 3220 wrote to memory of 5036	3220	UDP FLOODER 1.EXE	notepad.exe

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
2⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
2⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
2⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
2⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4516

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
5⤵
- Executes dropped EXE
PID:3932

C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
"C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\148da8473a260935979977ade797e718_JaffaCakes118.exe.log
Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize
105KB

MD5
7cd2da0120e9b08e0a81d4bc8efef66f

SHA1
850d6c6fd6c308526381fd3445e4836dd7a0e1f0

SHA256
4750f78dd654a8b02cc5c0f10569f364673f03b407e2291279e30cae449c6f8b

SHA512
c2333eb54e5ce17dc2fd7ce25803fe0fb8b7e8d41be0ea6b57bba5e0fe73f8956f0867e78537c2c2f8f3581d83e67b6cd5ed8706beddcaf1c6654cbe2d7331f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
Filesize
251KB

MD5
211945ebdfe62b019a73cfba4e15592c

SHA1
33a9822aa4a68379c5e50950bce5946a9bd6b4ac

SHA256
27cbae331070b3643799b7d6143f7e7d3e8492b2c743d7771e5331c78d0eccaf

SHA512
1bf2f4096ea79ab7bd5a6759b8f83623d789002d0ccf32ae9e0d45a9ec15a55cc619abf2ee2baa91251b8c7af2ad810098363387ff43def19ebe0edd66451b4d

Download Submit
memory/736-12-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/736-13-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/736-19-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/736-7-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1228-11-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1228-10-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1228-9-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1228-6-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1228-3-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1388-2-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1388-8-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1388-0-0x0000000074732000-0x0000000074733000-memory.dmp

Filesize
4KB

Download
memory/1388-1-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3220-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-63-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-62-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-61-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-60-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-58-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-57-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-55-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-54-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-52-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-50-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3932-48-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

Filesize
40KB

Download
memory/3932-49-0x0000000005180000-0x00000000051D6000-memory.dmp

Filesize
344KB

Download
memory/3932-47-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/3932-46-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/3932-45-0x0000000004FE0000-0x000000000507C000-memory.dmp

Filesize
624KB

Download
memory/3932-44-0x0000000000710000-0x0000000000730000-memory.dmp

Filesize
128KB

Download
memory/4516-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4516-42-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4516-18-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4516-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4516-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5036-43-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads