Analysis Overview
SHA256
f37dc2aab4817b85c6b2caf9c5ed0790d4613fd9248207c7c37270c13aafed4c
Threat Level: Known bad
The file 7d6816ca8761c9611542c326105efbbf_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-31 17:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-31 17:59
Reported
2024-07-31 18:02
Platform
win7-20240708-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Darkcomet
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1604 set thread context of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target | Occurrences |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe | N/A | 25 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A | 1 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe | N/A | 1 |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line | Instances |
| C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe" | 1 |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | 1 |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe" | 25 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
Files
memory/1604-0-0x00000000748D1000-0x00000000748D2000-memory.dmp
memory/1604-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp
memory/1604-2-0x00000000748D0000-0x0000000074E7B000-memory.dmp
memory/1612-7-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-19-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-29-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-30-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-27-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-25-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1612-21-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-17-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-15-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-26-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-11-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-9-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-13-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-31-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1612-32-0x0000000000400000-0x00000000004B5000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
| MD5 | 7a42e78aa3fbb2ae0ff164c239c1fd81 |
| SHA1 | a492a76a98f67c17ae93d6d619e173eed6eaaae4 |
| SHA256 | 78604f7e3b34d01ac8204694cdc77bdb6e72612beb5f70719e7236ff029711a8 |
| SHA512 | 238945d8463275d9a4d658429190120ccc138531d19202bceba0e13a7464e50970c1ee7ed9af1f980c53460fad1931efc25629061d6cb8dbebda5c13b94116e0 |
memory/1604-42-0x00000000748D0000-0x0000000074E7B000-memory.dmp
memory/1612-43-0x0000000000400000-0x00000000004B5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-31 17:59
Reported
2024-07-31 18:02
Platform
win10v2004-20240730-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Darkcomet
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe | N/A |
Executes dropped EXE
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2012 set thread context of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target | Occurrences |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe | N/A | 28 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A | 1 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe | N/A | 1 |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line | Instances |
| C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe" | 1 |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | 1 |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe" | 28 |
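The SetThreadContext rows in both runs (PID 1604 into 1612 on win7, PID 2012 into 2032 on win10) point from the sample to a freshly started AppLaunch.exe that was launched with no arguments, and the memory dumps listed under Files for the target PID cover 0x400000-0x4B5000, the image region of the hollowed host. The dropped lodctr.exe borrows the name of the Windows performance-counter loader that lives in System32 but runs from %APPDATA%\Microsoft\Windows\Templates. The following is an added example, not part of the sandbox report, that expresses those two observations as detection logic over process records reconstructed from the report. The PIDs given to the lodctr.exe instances, the list of hollowing host binaries and the list of System32 names are assumptions chosen for the example.

```python
"""Match the process-hollowing and masquerading evidence from this report.

Added example: not part of the sandbox report. Process records are
reconstructed from the report's process lists and SetThreadContext rows;
everything marked ASSUMPTION is the analyst's choice, not report data.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str      # image path as listed under "Processes"
    cmdline: str    # command line as listed (quoted when the report quotes it)


@dataclass(frozen=True)
class ThreadContextEvent:
    src_pid: int    # process that called SetThreadContext
    dst_pid: int    # process owning the thread whose context was replaced


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"

# behavioral1 (win7): "PID 1604 set thread context of 1612".
# ASSUMPTION: the report does not print PIDs for lodctr.exe, so 9001/9002 are made up.
BEHAVIORAL1 = (
    [Proc(1604, SAMPLE, f'"{SAMPLE}"'),
     Proc(1612, APPLAUNCH, APPLAUNCH),
     Proc(9001, DROPPED, f'"{DROPPED}"')],
    [ThreadContextEvent(1604, 1612)],
)
# behavioral2 (win10): "PID 2012 set thread context of 2032".
BEHAVIORAL2 = (
    [Proc(2012, SAMPLE, f'"{SAMPLE}"'),
     Proc(2032, APPLAUNCH, APPLAUNCH),
     Proc(9002, DROPPED, f'"{DROPPED}"')],
    [ThreadContextEvent(2012, 2032)],
)

# ASSUMPTION: signed Microsoft .NET binaries commonly started suspended and hollowed.
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# ASSUMPTION: real System32 utility names that malware reuses; lodctr.exe is the one here.
SYSTEM32_NAMES = {"lodctr.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
USER_WRITABLE = ("c:\\users\\",)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def find_hollowing(procs, events):
    """Return (src_pid, dst_pid, reasons) for each cross-process SetThreadContext
    whose target looks like a hollowed host process."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for ev in events:
        if ev.src_pid == ev.dst_pid:
            continue                     # a process may legitimately set its own threads' context
        src, dst = by_pid.get(ev.src_pid), by_pid.get(ev.dst_pid)
        if src is None or dst is None:
            continue
        reasons = []
        if _name(dst.image) in HOLLOW_HOSTS:
            reasons.append("target is a known hollowing host")
        if dst.cmdline.strip('"') == dst.image:
            reasons.append("target started with no arguments")
        if src.image.lower().startswith(USER_WRITABLE):
            reasons.append("source runs from a user-writable path")
        if reasons:
            findings.append((ev.src_pid, ev.dst_pid, reasons))
    return findings


def find_masquerade(procs):
    """Return images that reuse a System32 utility name from outside System32."""
    hits = set()
    for p in procs:
        if _name(p.image) in SYSTEM32_NAMES and not p.image.lower().startswith("c:\\windows\\system32\\"):
            hits.add(p.image)
    return sorted(hits)


if __name__ == "__main__":
    for label, (procs, events) in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(label, find_hollowing(procs, events), find_masquerade(procs))
```

The three reasons are scored independently so that a single cross-process SetThreadContext into an unlisted host, or a host started with arguments, still surfaces with a weaker explanation instead of being dropped.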
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
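The Network table for this run contains only DNS traffic: mynet.m3th.org is resolved thirty times in roughly 150 seconds with no connection recorded afterwards, which is consistent with a RAT re-resolving a C2 host it cannot reach, and the remaining rows are reverse (in-addr.arpa) lookups. The following is an added example, not part of the sandbox report, that parses rows in the table's own format, turns each reverse lookup back into the IPv4 address it names, counts the forward lookups and matches them against a C2 indicator set. The embedded rows are the first thirteen rows of the table above; the indicator set and the repeat threshold are assumptions.

```python
"""Summarise the DNS rows of a sandbox report: split forward lookups from
reverse (in-addr.arpa) lookups, count repeats and match C2 indicators.

Added example: not part of the sandbox report. ROWS are copied from the
behavioral2 Network table (first thirteen rows); C2_IOCS and
REPEAT_THRESHOLD are the analyst's choice (ASSUMPTION), not report data.
"""
import ipaddress
from collections import Counter

ROWS = """\
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | mynet.m3th.org | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
"""

C2_IOCS = {"mynet.m3th.org"}   # ASSUMPTION: the hostname this report resolves repeatedly
REPEAT_THRESHOLD = 5           # ASSUMPTION: forward lookups of one name per run worth flagging


def parse_rows(text):
    """Yield (country, resolver, name, proto) tuples from the report's pipe table."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            yield tuple(cells)


def ptr_to_ip(name):
    """Turn 'd.c.b.a.in-addr.arpa' back into the IPv4 address 'a.b.c.d'; None otherwise."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def summarise(text):
    """Count forward lookups, collect reverse-looked-up IPs, flag repeats and IOC hits."""
    forward = Counter()
    reverse_ips = set()
    for _, _, name, _ in parse_rows(text):
        ip = ptr_to_ip(name)
        if ip is not None:
            reverse_ips.add(ip)
        else:
            forward[name.lower()] += 1
    return {
        "forward": dict(forward),
        "reverse_ips": sorted(reverse_ips, key=ipaddress.IPv4Address),
        "repeated": sorted(n for n, c in forward.items() if c >= REPEAT_THRESHOLD),
        "ioc_hits": sorted(n for n in forward if n in C2_IOCS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(ROWS), indent=2))
```

Reverse lookups are separated before counting so that resolver and OS background traffic does not inflate the repeat count; the recovered addresses can then be checked against allow-lists or passive DNS on their own.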
Files
memory/2012-0-0x00000000749B2000-0x00000000749B3000-memory.dmp
memory/2012-1-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/2012-2-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/2032-8-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/2032-7-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/2032-9-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/2032-10-0x00000000022D0000-0x00000000022D1000-memory.dmp
memory/2032-11-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/2032-12-0x0000000000400000-0x00000000004B5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
| MD5 | 7a42e78aa3fbb2ae0ff164c239c1fd81 |
| SHA1 | a492a76a98f67c17ae93d6d619e173eed6eaaae4 |
| SHA256 | 78604f7e3b34d01ac8204694cdc77bdb6e72612beb5f70719e7236ff029711a8 |
| SHA512 | 238945d8463275d9a4d658429190120ccc138531d19202bceba0e13a7464e50970c1ee7ed9af1f980c53460fad1931efc25629061d6cb8dbebda5c13b94116e0 |
memory/4460-24-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/4460-23-0x00000000749B2000-0x00000000749B3000-memory.dmp
memory/4460-25-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/4460-27-0x00000000749B0000-0x0000000074F61000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lodctr.exe.log
| MD5 | 1754173b0ed4624c61fcf04f894e5bb6 |
| SHA1 | 2fbf7999a2e14f19c9aeb1ac0e58b8a3859368b1 |
| SHA256 | 19e1f5731300f62cc4bb6eac90e96b7ff5de1bf8c13a434f1a7e38ee6927d757 |
| SHA512 | 63ae7b7da19c5b65ce73565042cf7386c8d53ab6645b901a9f684d5039e28addd91938d8d61cec153b675e80c25d92fae62bff53edf19914643c94f3a56db710 |
memory/2012-32-0x00000000749B2000-0x00000000749B3000-memory.dmp
memory/2012-33-0x00000000749B0000-0x0000000074F61000-memory.dmp