Malware Analysis Report

2024-08-06 17:31

Sample ID 240701-j89x8s1dmc
Target 1a949339827c3534c314fc5cef076cfa_JaffaCakes118
SHA256 fa6ca82b40ad7f1cad6350c10b9b1aca038ed678ba4705465f5eca4a9604a844
Tags
darkcomet guest16 aspackv2 evasion persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fa6ca82b40ad7f1cad6350c10b9b1aca038ed678ba4705465f5eca4a9604a844

Threat Level: Known bad

The file 1a949339827c3534c314fc5cef076cfa_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 aspackv2 evasion persistence rat trojan upx

Modifies WinLogon for persistence

Modifies security service

Darkcomet

Windows security bypass

Modifies firewall policy service

Sets file to hidden

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Loads dropped DLL

Windows security modification

UPX packed file

Executes dropped EXE

ASPack v2.12-2.42

Checks computer location settings

Modifies WinLogon

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

System policy modification

Views/modifies file attributes

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-01 08:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-01 08:21

Reported

2024-07-01 08:24

Platform

win7-20240611-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Windows\services.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Windows\services.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Disables Task Manager via registry modification

evasion

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\services.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A
File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File created | C:\Windows\SysWOW64\winkey.dll | C:\Windows\services.exe | N/A
File created | C:\Windows\SysWOW64\reginv.dll | C:\Windows\services.exe | N/A
File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1360 set thread context of 1200 | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A
File created | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File opened for modification | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File created | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File created | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A
File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A
File created | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: 33 | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: 34 | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: 35 | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2448 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\SubSeven.exe
PID 2448 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\SubSeven.exe
PID 2448 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\SubSeven.exe
PID 2448 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\SubSeven.exe
PID 2448 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
PID 2448 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
PID 2448 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
PID 2448 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
PID 2448 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe
PID 2448 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe
PID 2448 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe
PID 2448 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe
PID 2012 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe | C:\Windows\Explorer.EXE
PID 2448 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
PID 2448 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
PID 2448 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
PID 2448 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
PID 2012 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe | C:\Windows\Explorer.EXE
PID 2012 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe | C:\Windows\Explorer.EXE
PID 2448 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ProRat.exe
PID 2448 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ProRat.exe
PID 2448 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ProRat.exe
PID 2448 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ProRat.exe
PID 2012 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe | C:\Windows\Explorer.EXE
PID 2012 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe | C:\Windows\Explorer.EXE
PID 2012 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\Bifrost.exe | C:\Windows\Explorer.EXE
PID 2496 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | C:\Windows\SysWOW64\fservice.exe
PID 2496 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | C:\Windows\SysWOW64\fservice.exe
PID 2496 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | C:\Windows\SysWOW64\fservice.exe
PID 2496 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Local\Temp\ProRat.exe | C:\Windows\SysWOW64\fservice.exe
PID 572 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe
PID 572 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe
PID 572 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe
PID 572 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe
PID 2744 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 2744 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet.exe | C:\Windows\SysWOW64\notepad.exe
PID 1624 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1624 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1624 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1624 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\SubSeven.exe

"C:\Users\Admin\AppData\Local\Temp\SubSeven.exe"

C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe

"C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe"

C:\Users\Admin\AppData\Local\Temp\Bifrost.exe

"C:\Users\Admin\AppData\Local\Temp\Bifrost.exe"

C:\Users\Admin\AppData\Local\Temp\DarkComet.exe

"C:\Users\Admin\AppData\Local\Temp\DarkComet.exe"

C:\Users\Admin\AppData\Local\Temp\ProRat.exe

"C:\Users\Admin\AppData\Local\Temp\ProRat.exe"

C:\Windows\SysWOW64\fservice.exe

C:\Windows\system32\fservice.exe

C:\Windows\services.exe

C:\Windows\services.exe -XP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe" +s +h

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\NET.exe

NET STOP srservice

C:\Windows\SysWOW64\NET.exe

NET STOP navapsvc

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProRat.exe.bat

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 STOP srservice

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 STOP navapsvc

Network

Country | Destination | Domain | Proto
N/A | 192.168.178.27:4110 | N/A | tcp
N/A | 192.168.178.27:41100 | N/A | tcp
N/A | 192.168.178.27:4112 | N/A | tcp

Files

memory/2448-0-0x00000000748C1000-0x00000000748C2000-memory.dmp

memory/2448-1-0x00000000748C0000-0x0000000074E6B000-memory.dmp

memory/2448-2-0x00000000748C0000-0x0000000074E6B000-memory.dmp

\Users\Admin\AppData\Local\Temp\SubSeven.exe

MD5 a1f91ceb13bd21061479d9716f63d42d
SHA1 e61ea5d2f230da5750235b1c7ea409393b8486e8
SHA256 cb834303994b8cbc637af4088e3329691581b635dbe78c4f2d4f3ed4cffd3b5e
SHA512 ad52194def19b51a4fd630fe50294b6d73aa0b523cf73f223d117c46af4d8e585eb703d335c826678a5ff87eea4b339469fec30f0f07f492837e98a69424d9b0

memory/2448-7-0x0000000005000000-0x000000000510C000-memory.dmp

memory/2360-16-0x0000000000400000-0x000000000050C000-memory.dmp

memory/2448-14-0x0000000005000000-0x000000000510C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Bifrost.exe

MD5 00eb83e1bbfa6aec6d1e781a78bc0454
SHA1 a8ccad37a9f10f1d8020cdbc98029795e316d869
SHA256 a8e6e03de4677be7e8f8cf48b42abb3661f206ef26c5986df90813fca101d899
SHA512 20e07ad6c3aab6320311cf30a5b766ecbaafc49b2f76a63d497ec5c5e30da9df440ca37841f6e4242581aece640afd500e70e04649a110451ef4c3e27b689daf

memory/2012-38-0x0000000010000000-0x0000000010011000-memory.dmp

memory/1400-43-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DarkComet.exe

MD5 84df488c078e35518db1fd6c9aa9ba87
SHA1 7119a12be57f669ed9d936294eaa703a89398f48
SHA256 58bee144b8930d90edac006468e5aefa0ecc44319d39cb3a6c9cf7cf13f68ca8
SHA512 e09c90223d4215a44818c9a21aa897e0372dbd63119bd602d38818240bc040c1d93cebd794bb96fed01ff9055ca3a2b2e08c15a23490fc6c263d778f06003a04

C:\Users\Admin\AppData\Local\Temp\ProRat.exe

MD5 5ac46ad5d65132a31357942360786b2f
SHA1 d8ba1b566f6bd314211feec4c1e2b3c3a2b9cb0a
SHA256 17c96882c2196c97937a7d594c6a43bad447263fe1efb5933c9575361ff98ecb
SHA512 c16957796155dcf64e467f413bfa6b3015a162e6454dfb6628523c0c6bb97deff5703d8616c0c8208123a95739ee9128c96ddf2a7e237a1e05e3a8f6036b5d35

memory/2496-73-0x0000000000400000-0x00000000005FC000-memory.dmp

memory/1400-58-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

memory/2448-72-0x0000000005100000-0x00000000052FC000-memory.dmp

memory/2448-68-0x0000000005100000-0x00000000052FC000-memory.dmp

memory/2012-80-0x0000000010000000-0x0000000010011000-memory.dmp

memory/2448-82-0x00000000748C0000-0x0000000074E6B000-memory.dmp

memory/2012-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2496-96-0x00000000030D0000-0x00000000032CC000-memory.dmp

memory/2496-90-0x00000000030D0000-0x00000000032CC000-memory.dmp

memory/572-102-0x0000000002FE0000-0x00000000031DC000-memory.dmp

memory/572-107-0x0000000002FE0000-0x00000000031DC000-memory.dmp

memory/2448-36-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

memory/2448-35-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

memory/3004-111-0x0000000010000000-0x000000001000B000-memory.dmp

\Windows\SysWOW64\winkey.dll

MD5 b4c72da9fd1a0dcb0698b7da97daa0cd
SHA1 b25a79e8ea4c723c58caab83aed6ea48de7ed759
SHA256 45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f
SHA512 f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

memory/2012-34-0x0000000010000000-0x0000000010011000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe

MD5 2621bf0c4086f801874857ca07eeae8e
SHA1 32ee702ce14d148f58f9344e22a4b8e301e562c5
SHA256 67f4623acc3ff4c84c4456e6f97a66d9ee2a148ce6a1aa1157b0aa362a379765
SHA512 33aa74e279f628711347b6910a343f8aa3a8ed31ef4c3d2e9226f43a8b237e9162e37605d67d89c359c6448e657bb10b9d8defbccf0322a728043708a49fd544

memory/748-144-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2744-153-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1360-156-0x0000000000400000-0x00000000004B5000-memory.dmp

\Windows\SysWOW64\reginv.dll

MD5 562e0d01d6571fa2251a1e9f54c6cc69
SHA1 83677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256 c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512 166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

memory/572-171-0x0000000000400000-0x00000000005FC000-memory.dmp

memory/2496-174-0x0000000000400000-0x00000000005FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ProRat.exe.bat

MD5 0781898738882613a4fc080c5fd2e0fa
SHA1 189dd18c413f16e9bb91a7fea1418b1e38cf14cf
SHA256 82e7b490e2cac6acded0eb708f6f70d14d7aba0153482f7939b3e1c93fb9ad42
SHA512 31ec42a845ea8065c96d9b3aef81c65d4c5476fd8ecedcfadc18503ad0d2daadc461e9b9f160c4855e1969a2b182dbc12b1ca3190d2f2ee8b47e92fb409d2f35

memory/1200-155-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2360-178-0x0000000000400000-0x000000000050C000-memory.dmp

memory/3004-180-0x0000000000400000-0x00000000005FC000-memory.dmp

memory/3004-181-0x0000000010000000-0x000000001000B000-memory.dmp

memory/3004-183-0x0000000000400000-0x00000000005FC000-memory.dmp

memory/3004-185-0x0000000000400000-0x00000000005FC000-memory.dmp

memory/3004-186-0x0000000000400000-0x00000000005FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-01 08:21

Reported

2024-07-01 08:24

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" C:\Windows\services.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" C:\Windows\services.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ C:\Windows\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" C:\Windows\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A

Disables Task Manager via registry modification

evasion

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ C:\Windows\services.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\winkey.dll C:\Windows\services.exe N/A
File created C:\Windows\SysWOW64\reginv.dll C:\Windows\services.exe N/A
File created C:\Windows\SysWOW64\fservice.exe C:\Windows\services.exe N/A
File created C:\Windows\SysWOW64\fservice.exe C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A
File opened for modification C:\Windows\SysWOW64\fservice.exe C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A
File created C:\Windows\SysWOW64\fservice.exe C:\Windows\SysWOW64\fservice.exe N/A
File opened for modification C:\Windows\SysWOW64\fservice.exe C:\Windows\SysWOW64\fservice.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\services.exe C:\Windows\SysWOW64\fservice.exe N/A
File created C:\Windows\system\sservice.exe C:\Windows\SysWOW64\fservice.exe N/A
File opened for modification C:\Windows\system\sservice.exe C:\Windows\SysWOW64\fservice.exe N/A
File created C:\Windows\system\sservice.exe C:\Windows\services.exe N/A
File created C:\Windows\system\sservice.exe C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A
File opened for modification C:\Windows\system\sservice.exe C:\Users\Admin\AppData\Local\Temp\ProRat.exe N/A
File created C:\Windows\services.exe C:\Windows\SysWOW64\fservice.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bifrost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bifrost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bifrost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bifrost.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: 33 N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: 34 N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: 35 N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Token: 36 N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Windows\services.exe N/A
N/A N/A C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SubSeven.exe
PID 1972 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SubSeven.exe
PID 1972 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SubSeven.exe
PID 1972 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
PID 1972 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
PID 1972 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
PID 1972 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Bifrost.exe
PID 1972 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Bifrost.exe
PID 1972 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Bifrost.exe
PID 4612 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
PID 4612 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
PID 4612 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
PID 1548 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\Bifrost.exe C:\Windows\Explorer.EXE
PID 1972 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
PID 1972 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
PID 1972 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
PID 1972 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ProRat.exe
PID 1972 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ProRat.exe
PID 1972 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ProRat.exe
PID 1548 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\Bifrost.exe C:\Windows\Explorer.EXE
PID 1548 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\Bifrost.exe C:\Windows\Explorer.EXE
PID 1548 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\Bifrost.exe C:\Windows\Explorer.EXE
PID 4380 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\Bifrost.exe C:\Windows\Explorer.EXE
PID 1592 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ProRat.exe C:\Windows\SysWOW64\fservice.exe
PID 1592 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ProRat.exe C:\Windows\SysWOW64\fservice.exe
PID 1592 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ProRat.exe C:\Windows\SysWOW64\fservice.exe
PID 4380 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 4380 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Windows\SysWOW64\notepad.exe
PID 1548 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\Bifrost.exe C:\Windows\Explorer.EXE
PID 1700 wrote to memory of 1708 N/A C:\Windows\SysWOW64\fservice.exe C:\Windows\services.exe
PID 1700 wrote to memory of 1708 N/A C:\Windows\SysWOW64\fservice.exe C:\Windows\services.exe
PID 1700 wrote to memory of 1708 N/A C:\Windows\SysWOW64\fservice.exe C:\Windows\services.exe
PID 4380 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
PID 4380 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
PID 4380 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\DarkComet.exe C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
PID 1708 wrote to memory of 3392 N/A C:\Windows\services.exe C:\Windows\SysWOW64\NET.exe
PID 1708 wrote to memory of 3392 N/A C:\Windows\services.exe C:\Windows\SysWOW64\NET.exe
PID 1708 wrote to memory of 3392 N/A C:\Windows\services.exe C:\Windows\SysWOW64\NET.exe
PID 1708 wrote to memory of 2504 N/A C:\Windows\services.exe C:\Windows\SysWOW64\NET.exe
PID 1708 wrote to memory of 2504 N/A C:\Windows\services.exe C:\Windows\SysWOW64\NET.exe
PID 1708 wrote to memory of 2504 N/A C:\Windows\services.exe C:\Windows\SysWOW64\NET.exe
PID 1592 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\ProRat.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\ProRat.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" C:\Users\Admin\Documents\MSDCSC\msdcsc.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\SubSeven.exe

"C:\Users\Admin\AppData\Local\Temp\SubSeven.exe"

C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe

"C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe"

C:\Users\Admin\AppData\Local\Temp\Bifrost.exe

"C:\Users\Admin\AppData\Local\Temp\Bifrost.exe"

C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe

StubPath

C:\Users\Admin\AppData\Local\Temp\DarkComet.exe

"C:\Users\Admin\AppData\Local\Temp\DarkComet.exe"

C:\Users\Admin\AppData\Local\Temp\ProRat.exe

"C:\Users\Admin\AppData\Local\Temp\ProRat.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 552 -ip 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 464

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe" +s +h

C:\Windows\SysWOW64\fservice.exe

C:\Windows\system32\fservice.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\services.exe

C:\Windows\services.exe -XP

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\NET.exe

NET STOP srservice

C:\Windows\SysWOW64\NET.exe

NET STOP navapsvc

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ProRat.exe.bat

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 STOP srservice

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe" +s +h

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 STOP navapsvc

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 192.168.178.27:1604 tcp
N/A 192.168.178.27:4110 tcp
N/A 192.168.178.27:4112 tcp
N/A 192.168.178.27:41100 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/1972-0-0x0000000075462000-0x0000000075463000-memory.dmp

memory/1972-1-0x0000000075460000-0x0000000075A11000-memory.dmp

memory/1972-2-0x0000000075460000-0x0000000075A11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SubSeven.exe

MD5 a1f91ceb13bd21061479d9716f63d42d
SHA1 e61ea5d2f230da5750235b1c7ea409393b8486e8
SHA256 cb834303994b8cbc637af4088e3329691581b635dbe78c4f2d4f3ed4cffd3b5e
SHA512 ad52194def19b51a4fd630fe50294b6d73aa0b523cf73f223d117c46af4d8e585eb703d335c826678a5ff87eea4b339469fec30f0f07f492837e98a69424d9b0

memory/2664-14-0x0000000000400000-0x000000000050C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe

MD5 2621bf0c4086f801874857ca07eeae8e
SHA1 32ee702ce14d148f58f9344e22a4b8e301e562c5
SHA256 67f4623acc3ff4c84c4456e6f97a66d9ee2a148ce6a1aa1157b0aa362a379765
SHA512 33aa74e279f628711347b6910a343f8aa3a8ed31ef4c3d2e9226f43a8b237e9162e37605d67d89c359c6448e657bb10b9d8defbccf0322a728043708a49fd544

C:\Users\Admin\AppData\Local\Temp\Bifrost.exe

MD5 00eb83e1bbfa6aec6d1e781a78bc0454
SHA1 a8ccad37a9f10f1d8020cdbc98029795e316d869
SHA256 a8e6e03de4677be7e8f8cf48b42abb3661f206ef26c5986df90813fca101d899
SHA512 20e07ad6c3aab6320311cf30a5b766ecbaafc49b2f76a63d497ec5c5e30da9df440ca37841f6e4242581aece640afd500e70e04649a110451ef4c3e27b689daf

memory/1548-42-0x0000000010000000-0x0000000010011000-memory.dmp

memory/1548-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4612-40-0x0000000000400000-0x0000000000402600-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DarkComet.exe

MD5 84df488c078e35518db1fd6c9aa9ba87
SHA1 7119a12be57f669ed9d936294eaa703a89398f48
SHA256 58bee144b8930d90edac006468e5aefa0ecc44319d39cb3a6c9cf7cf13f68ca8
SHA512 e09c90223d4215a44818c9a21aa897e0372dbd63119bd602d38818240bc040c1d93cebd794bb96fed01ff9055ca3a2b2e08c15a23490fc6c263d778f06003a04

C:\Users\Admin\AppData\Local\Temp\ProRat.exe

MD5 5ac46ad5d65132a31357942360786b2f
SHA1 d8ba1b566f6bd314211feec4c1e2b3c3a2b9cb0a
SHA256 17c96882c2196c97937a7d594c6a43bad447263fe1efb5933c9575361ff98ecb
SHA512 c16957796155dcf64e467f413bfa6b3015a162e6454dfb6628523c0c6bb97deff5703d8616c0c8208123a95739ee9128c96ddf2a7e237a1e05e3a8f6036b5d35

C:\Windows\SysWOW64\winkey.dll

MD5 b4c72da9fd1a0dcb0698b7da97daa0cd
SHA1 b25a79e8ea4c723c58caab83aed6ea48de7ed759
SHA256 45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f
SHA512 f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

C:\Windows\SysWOW64\reginv.dll

MD5 562e0d01d6571fa2251a1e9f54c6cc69
SHA1 83677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256 c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512 166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

C:\Users\Admin\AppData\Local\Temp\ProRat.exe.bat

MD5 0781898738882613a4fc080c5fd2e0fa
SHA1 189dd18c413f16e9bb91a7fea1418b1e38cf14cf
SHA256 82e7b490e2cac6acded0eb708f6f70d14d7aba0153482f7939b3e1c93fb9ad42
SHA512 31ec42a845ea8065c96d9b3aef81c65d4c5476fd8ecedcfadc18503ad0d2daadc461e9b9f160c4855e1969a2b182dbc12b1ca3190d2f2ee8b47e92fb409d2f35
