Malware Analysis Report

2024-08-06 17:09

Sample ID 240522-n9aa8age9s
Target 6734ed528fd08246dab1055ce7a124de_JaffaCakes118
SHA256 20fc91290817d8b9208794e5464bb084d9a63fa96af2e674582a19d3af9d182f
Tags
darkcomet guest16 persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

20fc91290817d8b9208794e5464bb084d9a63fa96af2e674582a19d3af9d182f

Threat Level: Known bad

The file 6734ed528fd08246dab1055ce7a124de_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 persistence rat trojan

Darkcomet

Modifies WinLogon for persistence

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-22 12:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 12:05

Reported

2024-05-22 12:53

Platform

win7-20240221-en

Max time kernel

137s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\CCC.exe" C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Video Card Control Center = "C:\\Windows\\system32\\CCC.exe" C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\CCC.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\CCC.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1460 set thread context of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 2684 set thread context of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\CCC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 1460 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 2564 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Windows\SysWOW64\CCC.exe
PID 2564 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Windows\SysWOW64\CCC.exe
PID 2564 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Windows\SysWOW64\CCC.exe
PID 2564 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 2684 wrote to memory of 1796 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe"

C:\Windows\SysWOW64\CCC.exe

"C:\Windows\system32\CCC.exe"

C:\Windows\SysWOW64\CCC.exe

"C:\Windows\SysWOW64\CCC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raptorsdc.duckdns.org udp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 8.8.8.8:53 raptorsdc.duckdns.org udp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 8.8.8.8:53 raptorsdc.duckdns.org udp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp

Files

memory/1460-0-0x0000000074711000-0x0000000074712000-memory.dmp

memory/1460-1-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/1460-2-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/2564-20-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2564-32-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-31-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-28-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-27-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-26-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-25-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-24-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-23-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-22-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-33-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2564-34-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1460-38-0x0000000074710000-0x0000000074CBB000-memory.dmp

\Windows\SysWOW64\CCC.exe

MD5 6734ed528fd08246dab1055ce7a124de
SHA1 44bcb8e21ea74f5bac9f20daf4772650b4277a6c
SHA256 20fc91290817d8b9208794e5464bb084d9a63fa96af2e674582a19d3af9d182f
SHA512 943a05779fc0e9da69a8c2df34ef19c6128a844f7ce1b166515fa0e5416c4c5af7f5928f8cf5d1032f483d3382a350809fda455ee3b90510a5b465a7f7d7b50c

memory/2684-48-0x00000000746C1000-0x00000000746C2000-memory.dmp

memory/2684-49-0x00000000746C0000-0x0000000074C6B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e0b3dcec8793fd00befdcd6802a456c
SHA1 617495e99303090be1da042843287feed9fc776e
SHA256 43f3fba0443164504b53d99cf1fd82740a22a667b452e077d2440ea8f09a3742
SHA512 c03a481c476dccc53f0ab5490db7024a7ee0021381166a1397e3f669504a2e26bee5dc674be2dc306eafcfe852586433a177efd91aaf4d4128bf97143cbcf6c8

C:\Users\Admin\AppData\Local\Temp\Tar32B7.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/1796-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2684-89-0x00000000746C0000-0x0000000074C6B000-memory.dmp

memory/1796-91-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-90-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-92-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-93-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-94-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-95-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-96-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-97-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-98-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-99-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-100-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-101-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-102-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-103-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-104-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-105-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-106-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-107-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-108-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-109-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-110-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-111-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-112-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-113-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-114-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-115-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-116-0x0000000000400000-0x00000000004B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 12:05

Reported

2024-05-22 12:54

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\CCC.exe" C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Card Control Center = "C:\\Windows\\system32\\CCC.exe" C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\CCC.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\CCC.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 404 set thread context of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 3736 set thread context of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\CCC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\CCC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\CCC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 404 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe
PID 2272 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Windows\SysWOW64\CCC.exe
PID 2272 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Windows\SysWOW64\CCC.exe
PID 2272 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 4748 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 4748 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 4748 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1772 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1772 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1772 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe
PID 3736 wrote to memory of 1008 N/A C:\Windows\SysWOW64\CCC.exe C:\Windows\SysWOW64\CCC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6734ed528fd08246dab1055ce7a124de_JaffaCakes118.exe"

C:\Windows\SysWOW64\CCC.exe

"C:\Windows\system32\CCC.exe"

C:\Windows\SysWOW64\CCC.exe

"C:\Windows\SysWOW64\CCC.exe"

C:\Windows\SysWOW64\CCC.exe

"C:\Windows\SysWOW64\CCC.exe"

C:\Windows\SysWOW64\CCC.exe

"C:\Windows\SysWOW64\CCC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 raptorsdc.duckdns.org udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 25.69.169.192.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 raptorsdc.duckdns.org udp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 8.8.8.8:53 raptorsdc.duckdns.org udp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp
US 192.169.69.25:999 raptorsdc.duckdns.org tcp

Files

memory/404-0-0x0000000074B12000-0x0000000074B13000-memory.dmp

memory/404-1-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/404-2-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/2272-7-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2272-8-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2272-10-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2272-12-0x0000000001510000-0x0000000001511000-memory.dmp

memory/2272-11-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/404-16-0x0000000074B10000-0x00000000750C1000-memory.dmp

C:\Windows\SysWOW64\CCC.exe

MD5 6734ed528fd08246dab1055ce7a124de
SHA1 44bcb8e21ea74f5bac9f20daf4772650b4277a6c
SHA256 20fc91290817d8b9208794e5464bb084d9a63fa96af2e674582a19d3af9d182f
SHA512 943a05779fc0e9da69a8c2df34ef19c6128a844f7ce1b166515fa0e5416c4c5af7f5928f8cf5d1032f483d3382a350809fda455ee3b90510a5b465a7f7d7b50c

memory/3736-27-0x0000000073DC2000-0x0000000073DC3000-memory.dmp

memory/3736-28-0x0000000073DC0000-0x0000000074371000-memory.dmp

memory/3736-29-0x0000000073DC0000-0x0000000074371000-memory.dmp

memory/1008-37-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-39-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-38-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3736-40-0x0000000073DC0000-0x0000000074371000-memory.dmp

memory/2272-41-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-42-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-43-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-44-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-45-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-46-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-47-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-48-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-49-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-50-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-51-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-52-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-53-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-54-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-55-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-56-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-57-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-58-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-59-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-60-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-61-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-62-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-63-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-64-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-65-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-66-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1008-67-0x0000000000400000-0x00000000004B2000-memory.dmp