darkcomet | 9acd6e6d7de619ebffd68ef84963f3804cea80099df09dc9b9892eda6d655f0e

Resubmissions

25/07/2024, 17:33

240725-v4xb5axemc 10

25/07/2024, 17:27

240725-v1kh6axcqg 10

Analysis

max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Size

713KB
MD5

708d11b4ea44a535aff234c67126476c
SHA1

41b1f80a886ad1e879d625e8c3ed0c543edec3e5
SHA256

9acd6e6d7de619ebffd68ef84963f3804cea80099df09dc9b9892eda6d655f0e
SHA512

627d5bcaaac76dd50080de6e82b283bc23cc926110d03039025ca5416745239761b13863b3f98fb750a514ee82a7b734f7495050d56bcbd932965eafb7901574
SSDEEP

12288:aaAchpWsuVTv7ItY8XljyypHP7cOLBev03hlULsmWZ++09ZcKDVsgd3t:7AEENIq8XwyVPQclDq/+WnpsS3t

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0028bffb8deda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2900B7F1-4AAC-11EF-8FDE-E2BC28E7E786} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb7800000000020000000000106600000001000020000000525482c6c6d3b77fe0b6306175724d2f6837885fb1f5f941130d19ef21ff71f1000000000e80000000020000200000003727f1bf86a906964136121aa384bfc477540221c0489fe79e9e3521ed9dc0d3200000006a0f8ed4d71baa6d1d5fda927234100918995fa99bc000b764478458d53d3d4e40000000bd1c092681eee86e6efd289c7d26133eb344567af2d0544f6ff256a026c0af32a268df9a6ee6618814f2af088e90e429fa161ec0c519f8c27d77cf03f303b073	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb78000000000200000000001066000000010000200000009dabafbd84e1ab3cb8628bad7c50f773f6754ec0c3c7ca8f9ccbf3227255e8f1000000000e8000000002000020000000cae66bad53b92abcb7c126cb189c48848c58f01c18c23a61a8d03b8bb08625cb90000000c14c0b5d91ac9fc05e7ccfc7a64d9e268c62cefecd154e9542719f0a03e204b12309e20a010bb6dad999c02f7031a9cdad1aba4ae63f4cc7dfc809806c0586f858faf93bfb35ef2ce9ba5f9518e9a96c411780b5bd13b4d0a32aa2f4a4c45dcf554c7f9b813f8fad6c30ffa0a2a66567a4ac16e1d4821f48f36865d32d705f14b3518d81ab5984bb508aed3dbaf21ce34000000040ba74af53844d2c133f69ac038b6d55f6caa870c4f8b9d4422f6cc1ae4255f4c7fa26049b0a9c12b4d41ba1d7ee3b2f864f00c0ee625551f4964cce44d1b4d3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2124	WINWORD.EXE
2008	POWERPNT.EXE
1084	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeSecurityPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeBackupPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeRestorePrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeShutdownPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeDebugPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeUndockPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: 33	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: 34	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: 35	3032	708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
Token: SeDebugPrivilege	580	taskmgr.exe
Token: SeShutdownPrivilege	2880	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
2916	IEXPLORE.EXE

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2124	WINWORD.EXE
2008	POWERPNT.EXE
2008	POWERPNT.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2916	1932	iexplore.exe	36
PID 1932 wrote to memory of 2916	1932	iexplore.exe	36
PID 1932 wrote to memory of 2916	1932	iexplore.exe	36
PID 1932 wrote to memory of 2916	1932	iexplore.exe	36
PID 2916 wrote to memory of 2880	2916	IEXPLORE.EXE	37
PID 2916 wrote to memory of 2880	2916	IEXPLORE.EXE	37
PID 2916 wrote to memory of 2880	2916	IEXPLORE.EXE	37
PID 2916 wrote to memory of 2880	2916	IEXPLORE.EXE	37
PID 2008 wrote to memory of 2584	2008	POWERPNT.EXE	42
PID 2008 wrote to memory of 2584	2008	POWERPNT.EXE	42
PID 2008 wrote to memory of 2584	2008	POWERPNT.EXE	42
PID 2008 wrote to memory of 2584	2008	POWERPNT.EXE	42

C:\Users\Admin\AppData\Local\Temp\708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\708d11b4ea44a535aff234c67126476c_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:580

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2780

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2880

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UninstallUpdate.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\ProtectConnect.pptx"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2584

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CompareEnter.docx"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7adadbf680ea69b24d0e6651fb247031

SHA1
a8348752723aee40d11c7dac8223bfd1a871a367

SHA256
fe834f19e0ba72c4e3459c83eab0b0c20022f98f7a54527ef3d6d003348c78e4

SHA512
41190f0fbbd6097e4a3ceb7ac9731f647fc69154ab64194d17353ecd80a97d729cca531a20a2cbe38cc8b82bb643e21bb05d12ae99bf67aefc1a76f58fd6cc19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3566b017c7a9f6b5aaf9ce9c80fafe6

SHA1
e0416d928f0e122b4b518beb5d8b99032ecc069f

SHA256
f44a1b0e961e21365f5beedb200e544e601ad69a117009f074e32b5685c32ca9

SHA512
ee43725298e1177a1cf90f099624e76606b54e9c3591d849871708b3f927a8aea753c8e07b488b6c6c3a6e4760e699e8b1f3ff08120bf17de9f76e63e1ba7a09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82043d1539977708dab217b694ac74ca

SHA1
2b079b586f742e363e1ac2a4d9cfac27a0460c36

SHA256
f23934d8a639efdedd18f6de8e4bf5292b2bc5592b7936a5ade4a2fd842adfbe

SHA512
52700d56f11dc709e9a61b03d95e3fe6e54c2c6b9ca43eb2449de3f48d01fcab920d9da49704c742c6865612d23a972e6784c2d8c6915891c656f149e13763f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee07eb7921975e38828b833b34b30494

SHA1
368063e2f46b7d4855bc7bf9a9eca1190d46f34b

SHA256
2ed0e2cd59f3957026f79d3acee34d4d81730981ef00de3d6763fdbf7d10b704

SHA512
c09afe439d1e30e79dd23123f13ea43ab3261cc131501dde68092e5f20fc01fef5125a68f171f83d203fbf79355d1d0f63135f05a5c0c871bd423bf5a5de86b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bec715bc27c42c12a53cb0d6bdd7a56

SHA1
7419c4fbdd956b720ad05d755781bdc338273eab

SHA256
be7b5508c2dd75d936cfc8334b45698ed9d6dfca64900fac7c7528816f6c2669

SHA512
b80b693e2b5277c009e80dca4b9f723098fd8d863e74a4b2c1fa0f1d7abe7a872d87e1f6327c3104adf13a48be0c00f6e67abc9abe046a44da8b0f44a18f05cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8551e5cd75d342b22ca25db105d3667

SHA1
a24b136b28b6e912d6c699fc0e3abacc81b18f4d

SHA256
087efeb7080705dc68811ac7f06d9df1f3c327d698aac0fb8cd25fc36b6a9c2d

SHA512
5977834aa6819ee1d08d4410d1a0543270312e67b9ecb3f9bac71370a78853dcf1f7bfb491f94d816caa9f75ed1ebf3632b94d05bf6bdd8652adb7b37d9b6c92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fb4432d4f7839e2d8cbfb075b44fe53

SHA1
fcd4975bdc19e07e006118e8eb568f70efeca0ec

SHA256
ab4872b5112ce8aead82aa81b05a8d2e9370abf2fb4307877d1471e15361dd3a

SHA512
d4f86382ff50b294cc56c41e07957e46ebfb9077633639d0ca38d92f057e0a0f557c176103d35ae1bfad787d5e28be2229847ec4646dac683e03fa1d8e25c4b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1903976619f13d3d6dacc4d548ccc08

SHA1
cbdb8a50b0c8127b3cd1744b0fb7a98f3cd06be4

SHA256
74191c4c79d670f348dc616f2a623ab3ea4dfb15333e9d1e4f4ad534ac684383

SHA512
9f63f0b89bd6e8cf7b7e2e932bae2012b9723f5fbfaf154ce9d75019bb0085274ab567daa984a98ce084febc78c1f67b45c65d9fe33466fbd5abed321cd72af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc

Filesize
419KB

MD5
1a8f7fa75c3d6a57109cee66801d1367

SHA1
f5ed66189c4bb3290f2f73f7cb7f71dcd18e70a2

SHA256
5b4913917f0e18fd34a43aec9aca68e0f85158b1a2591b6dd336598e501593cb

SHA512
1e2e34650439dee9b46f79cce18a59cb9af21962e3a3335f38a3e09e1e324adbff659d13100e0edf006a3b243769eef5210339789dcd1783fedadbce9bfbe45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12A8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1329.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
434B

MD5
480c0231f3d7cd28e7843af47fe1e408

SHA1
b06014db1dbb8324f30b17c97ed54a516c364432

SHA256
b8fca69f9953ab1cf0c438b85acaaeaad411e2bb74101846e328a912756ebae7

SHA512
f3bb4520d7e672619fcb70d2a8a8bed2db8e8e77736a4308d3f344d001c84be24da949ee4ccc04fc511b156be9ebfba5b3a15d0ee8683bee0c30d10c85b030ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
21ac77cb6e4e6a3673a03c1d60756e77

SHA1
57025f101db02ce8af756f0b77e4b293c4489e84

SHA256
2a9be9ff42754fdb3f49a75ed1da8e3057269227989d2fcd632b808db30fb982

SHA512
569d95924c0efe27ad1c56d5c08b824509ea3caa86e17f76d160e21db311662cbdd8083225aecc79462c6310d42d4e3a8fb3080f66b85d8e6872b9ed556d6199

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/580-4-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/580-3-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1084-496-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2008-486-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2124-16-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2124-484-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3032-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3032-0-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3032-460-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3032-401-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3032-1-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3032-494-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3032-5-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3032-7-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3032-9-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3032-517-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3032-518-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download