darkcomet | 58e3ae75f16937e07129bc76b022d17dec6ac16ba2751ff452eef13df027654b

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe
Size

1.1MB
MD5

eaa5c46ab384898a32e968e871fe9907
SHA1

af2ff761f45081aa5c34fefa5fe29f468dd37d7e
SHA256

58e3ae75f16937e07129bc76b022d17dec6ac16ba2751ff452eef13df027654b
SHA512

b9d43d34d75f3f5966512f1eda4a60a620dc11ed82f0cacf395f58b9ecafa251154d91a11a8b8e7021defe2211caa29eb4e1307a8bf8861bad6075d23fffe7c7
SSDEEP

24576:8IYaW+ssXngpALyOCdoFSqO95GFUuGjan:NW+ZXZL7wgSVDs8e

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	firefox.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	firefox.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3724 set thread context of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	firefox.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2916	firefox.exe
Token: SeSecurityPrivilege	2916	firefox.exe
Token: SeTakeOwnershipPrivilege	2916	firefox.exe
Token: SeLoadDriverPrivilege	2916	firefox.exe
Token: SeSystemProfilePrivilege	2916	firefox.exe
Token: SeSystemtimePrivilege	2916	firefox.exe
Token: SeProfSingleProcessPrivilege	2916	firefox.exe
Token: SeIncBasePriorityPrivilege	2916	firefox.exe
Token: SeCreatePagefilePrivilege	2916	firefox.exe
Token: SeBackupPrivilege	2916	firefox.exe
Token: SeRestorePrivilege	2916	firefox.exe
Token: SeShutdownPrivilege	2916	firefox.exe
Token: SeDebugPrivilege	2916	firefox.exe
Token: SeSystemEnvironmentPrivilege	2916	firefox.exe
Token: SeChangeNotifyPrivilege	2916	firefox.exe
Token: SeRemoteShutdownPrivilege	2916	firefox.exe
Token: SeUndockPrivilege	2916	firefox.exe
Token: SeManageVolumePrivilege	2916	firefox.exe
Token: SeImpersonatePrivilege	2916	firefox.exe
Token: SeCreateGlobalPrivilege	2916	firefox.exe
Token: 33	2916	firefox.exe
Token: 34	2916	firefox.exe
Token: 35	2916	firefox.exe
Token: 36	2916	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2916	firefox.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 4304	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	82
PID 3724 wrote to memory of 4304	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	82
PID 3724 wrote to memory of 4304	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	82
PID 4304 wrote to memory of 1884	4304	csc.exe	84
PID 4304 wrote to memory of 1884	4304	csc.exe	84
PID 4304 wrote to memory of 1884	4304	csc.exe	84
PID 3724 wrote to memory of 4520	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	85
PID 3724 wrote to memory of 4520	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	85
PID 3724 wrote to memory of 4520	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	85
PID 4520 wrote to memory of 4700	4520	csc.exe	87
PID 4520 wrote to memory of 4700	4520	csc.exe	87
PID 4520 wrote to memory of 4700	4520	csc.exe	87
PID 3724 wrote to memory of 1840	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	88
PID 3724 wrote to memory of 1840	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	88
PID 3724 wrote to memory of 1840	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	88
PID 1840 wrote to memory of 3808	1840	csc.exe	90
PID 1840 wrote to memory of 3808	1840	csc.exe	90
PID 1840 wrote to memory of 3808	1840	csc.exe	90
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 2916	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	91
PID 3724 wrote to memory of 5000	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	92
PID 3724 wrote to memory of 5000	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	92
PID 3724 wrote to memory of 5000	3724	eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe	92
PID 5000 wrote to memory of 4044	5000	csc.exe	94
PID 5000 wrote to memory of 4044	5000	csc.exe	94
PID 5000 wrote to memory of 4044	5000	csc.exe	94

C:\Users\Admin\AppData\Local\Temp\eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaa5c46ab384898a32e968e871fe9907_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btme4r2b.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89C2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC89C1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1884
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btme4r2b.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A9D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A8D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4700
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btme4r2b.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BA7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8BA6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3808
- C:\Users\Admin\AppData\Roaming\firefox.exe
  C:\Users\Admin\AppData\Roaming\firefox.exe
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btme4r2b.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F9E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8F9D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES89C2.tmp

Filesize
1KB

MD5
38e06eae484e779b6ff294c866cb3eee

SHA1
4a65e2504c821acdc6af82b1b8460060aaddeb7b

SHA256
b3a7010f582dbf637684fcb448aa4fa55324d040f1171ad0383d41b4d750c6fb

SHA512
eb57d0738d2e14b02092e2ca71e1753b3785aa63a96d46ad096510d7b21851b9b852e189876595cdcd2d761181a551a953e251ef580313859dfd12f5be606deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A9D.tmp

Filesize
1KB

MD5
4afb7af6975b1d8c7133f8123be470cf

SHA1
6af9917ac39ca60ab955685fb63b40b62571284e

SHA256
c44ab36eda8825897a6a8420e20d271a84819f7dbc8f2035805c866b28c90b3b

SHA512
d2e3f950baaa3f7e5e109dae508d05bafc3764b5649dd726f82f42c4912a169bca71f8d90f698398627e2494375ad05cd5bace512bebe7a1bb783b62af9d10fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8BA7.tmp

Filesize
1KB

MD5
b9e652637de346319a4955c45ec088d0

SHA1
c72b82247c51219a1cfc44ece70e4f59f436ebaf

SHA256
ddbd1d7d10ad6302c4ef011651d62cca6168a3176b7d6def5463135aae8a28a9

SHA512
67e1917be373bb7e13180a2094f146a1b5d4f9e7319912096ce2010671406493b33cd48f208fa990c4fde32ee817090d60c5e660ec695cb274b431c8849e8910

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F9E.tmp

Filesize
1KB

MD5
b343bb62306f4fd400762deb10f80029

SHA1
a341712d6b284a27ca26e63546036938025378de

SHA256
1241eee1062dec0621f3461a51239caedaa5c88f0bcbe20bb34fd33ba0af92c4

SHA512
4ca6f73345e90264b19d997af15ecd83ef13ac41c60074fa5e2b48bb369215b05d2b4c61aef2b24bbda989006f15202c7478b49b58c160b3e5623d4d38e2f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\btme4r2b.dll

Filesize
3KB

MD5
d3dc63327cf719f2948a56115164e75f

SHA1
ec9942905a177b44a74b2c1515daa355772d6034

SHA256
de8fe3e3c3cd49cc351a5cc5e59abd64b0f006bf3f2cd645c7207b0691be7983

SHA512
eee4b21ae792d01a6820ce1cceda076466e26aa251645238d6c53f9580c554917e257708e724fc983c41a66b657aba6e3e2e227b2eb0ec1508ae477e67157d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\btme4r2b.dll

Filesize
3KB

MD5
3cf2fed202b1479cea71e41e3a9dcd49

SHA1
56c3b13a94be66ad026429fc5c1d926a7ea2fb0f

SHA256
7984281add49f25daee088438bdd63629c9c76be34e29a3b254ed44e9376680d

SHA512
c4cc29bdeb27aaf4bf8f3f149bc656fc37c282c4301c50aeaa3b0a72a2874f605ce983c5778f7f6deb885040a6b50f87977b2665f71e5da0b76d0686088d21f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\btme4r2b.dll

Filesize
9KB

MD5
3e20c904c37667816b862cfd5f3978a2

SHA1
6d4b80fa329133b19a843fe66bfb6c53183cba17

SHA256
91ee90b6c02a75917dee14578135ebb6ee6b76b83b7ad29873972d808fe7d528

SHA512
2074cad4a8c3400d4ae1753cc153256f177f273afc20ca77fb792ba0fc210ba27eea113356eed391a6985b94d4e4f6087e4930f6114b75b4b99d80efb5e6e656

Download Submit
C:\Users\Admin\AppData\Local\Temp\btme4r2b.dll

Filesize
3KB

MD5
8866f3ce8c1bd56754b130cd1f02b270

SHA1
023bd8ab299af898196a1aeb963c3ffd695100b4

SHA256
67c8c016c9082ece51b685c6c6aa841f75bcfb3b5eb5ad5492376fd703a05326

SHA512
9d252f4c3ac7e1cb4021fafadd44c6671e5a9fc49deab9a2f547db680bb593d80958bbdd8cf6127a7858ecc63a9580ff4bdf38e0d09362a2457cc318499a8ae7

Download Submit
C:\Users\Admin\AppData\Roaming\firefox.exe

Filesize
1024B

MD5
5680aa2cc0b5884b9fc96b8a3e1379eb

SHA1
912ee1aec2d6532af837a5deb3b31bc82988b864

SHA256
1dd485f826b051aff3788bf3f2b7a055b62378bd3501f5d2eece9eb2b34e9999

SHA512
5d4382d008de4513349f5c464e2807fd214e193b43e58e024e2fb131650c94e92dbec02aec4eae3bca9bbf2405baa1c1aaf71841a69eda6a163fd6cfb5e12aa4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC89C1.tmp

Filesize
652B

MD5
0a042a61ead6ef5c2183f59ea1051ba7

SHA1
cc4a6db467a2fc61734559b1f88448fe75624d8d

SHA256
d1aa8232bb65a4d4205ee83aa8c7f3c9d8fb58655b11e818ad6f82124aa2a06c

SHA512
f3bae950dabe48c7828553cd3f274bf35761a0b20f0f9702424e78d3e7abe3785b0dca8382dac8caf4cf42b182d8d0ac3c7a0847ab2d52709167485897fc2491

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\btme4r2b.0.cs

Filesize
145B

MD5
ba6ec1b2fa632969eb6217076a1c4f08

SHA1
6acaf6779a95b5230704d4b1530a33e94b0f65a4

SHA256
f733a5aeee3c9fab0088008db45d8671d0448b5e375b2dab879174a764b5d22c

SHA512
45d7c61b209bf41eca14f4afab43512ea6ca46a149975a4a2fde905aafa29d906f074e190982cb162fa08f6a3e3a09e0332dae17a8bb6b4b06dd7ac138359a19

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\btme4r2b.0.cs

Filesize
7KB

MD5
c79c02b8be614ba0ad11b9a2deac9067

SHA1
5338181abf8d8436df240ec8bfe8699ed40eac83

SHA256
aeb41fe4117e42c32d7c61fe9caa02f2ec937418a3ffb6ee64b5a8309e0d7b78

SHA512
4b0efe655b237185454a41c79c1b5cd9b8e80cfa36f7abb8a5d63629f400bb73d58f196584ec5421a8b2e6608b9c00d44514ada9651bcf19aea8ba4cce5b4a4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\btme4r2b.0.cs

Filesize
581B

MD5
66ef352d1119c1836743b2f7af00aef4

SHA1
892a1f85ad149303c131aff659ab80d83ebe6c48

SHA256
41bd4ae5e10dc424186e80921d4b4b796a2b13d1a58a5eb1a68421f92fd32508

SHA512
7e62ea15392a6aac5a3654322070feb80335120a21c55a272b82d95b0020aedc7ae3cce48e7f1814dbfad52bae4782f7f2c69e994ad7592ff298dc3a33a62513

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\btme4r2b.0.cs

Filesize
125B

MD5
d779673c35148f756809d39b03bf5295

SHA1
b670b23504caeee9275d489c820f1163ee7ee147

SHA256
c5a5757a556125554190ee6ccf03141280f77766003c8319bd67eb835efd9934

SHA512
58daab6cb6821ba5cecd86a16c36061e51b41d9aee2de88b9632e09001f4791eb8ad4ed074f00429a3540ccf4c293e45676fdbb9d9342ede577ed3342ad024ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\btme4r2b.cmdline

Filesize
187B

MD5
60e08d2c587a8f9305f6dd5e61628710

SHA1
3c9700cb231b015a4eeb63fba62939557ced9b2f

SHA256
a6a9d4c570b09a4192fae26711e7a91a802b04c102bf5cf9eb005d5d489bce29

SHA512
9fe6e7df3cfab05b6628399cb1ece0c1848cde1003af866c0ffc96ff918170ecec351949edca88db934d8f607a962128576485448c699ed728cfeb7a4676e4ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\btme4r2b.cmdline

Filesize
203B

MD5
b1625d33edfda6fac8fe37f6ff053c76

SHA1
0025de4ecb034233375a0672cde704fcdcec0509

SHA256
cef49c23a4a6c81a8f6e24e0ec8064819acaa9c32f1af01d0592376260b6da10

SHA512
e4c572bead78bcc4a4311ec1e85f8c20ed12dc762191005cee92c6da111a045f20c8d299fbf93edaf14e00ecf7763b29a8698c5b2891861081852e8a09f90681

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\btme4r2b.cmdline

Filesize
219B

MD5
a2a33685cefa26a4edb8add01ae89447

SHA1
047da728c070e33885a768ad1f94b0788ab16ff5

SHA256
ae3fda2a315090fe0cc741e4405f955e845537f80ebcd4159ff5b2d742fd751e

SHA512
4d4365d95427d73c569ea3a76a307b4f1e74eebba5fe29372f5bf9a5652d9c565987ca609693955f61db765f209c8f09c7467db7c7e52971b1434f72cda8d9fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\btme4r2b.cmdline

Filesize
235B

MD5
a24f95acbc44a5221d7090f498e037a1

SHA1
f9b2735638c55c87a8b4991984e3938dedb1eb3b

SHA256
48707a20230090700e9a4826ba54c679049763729c23d6b8f8aa9a2a890d9a50

SHA512
59e64ab82d97b2c5c18739fed311780420badff6e985a941da5574c1b878e5f290cc891d4507c48a0aeb958753a8d6c38814b89a592d52b68391b442281d6ba2

Download Submit
memory/1840-46-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/1840-39-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/2916-60-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-87-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-90-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-55-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-50-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-57-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-89-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-77-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-64-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-63-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-62-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-61-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-85-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-83-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-81-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-79-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3724-2-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/3724-76-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/3724-75-0x0000000075242000-0x0000000075243000-memory.dmp

Filesize
4KB

Download
memory/3724-1-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/3724-0-0x0000000075242000-0x0000000075243000-memory.dmp

Filesize
4KB

Download
memory/4304-8-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4304-15-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4520-27-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4520-30-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads