darkcomet | ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 20:12 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Size

2.5MB
MD5

24ce711ea3798396150d70df3184fdbb
SHA1

d339a73736b7dd931419b56898aeb8cb373cc1e8
SHA256

ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae
SHA512

8a5ccacc7465f7a38f149d2ee3968ecd04b8927711a4aee134803748669fba4afef6fa21615bc48c02031394b89460932ba2a642b9a7fc2d3372b2386868fdbd
SSDEEP

49152:ZeOYNw8+Cu9ifT5KzyrOTFfoPebTxc4w6SkNB9SEruYtUs72/eS:ZjtoVKzyrONoPMqkNBUErBtUs72eS

Score

10^/10

darkcomet latentbot hydra antivirüs discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hydra Antivirüs

127.0.0.1:1604

hydrahydra1907.zapto.org:1604

Mutex

DC_MUTEX-F1THYT4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
fDsHmDftmeEj
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

latentbot

hydrahydra1907.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1612	attrib.exe
4860	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	msdcsc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	msdcsc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4516	msdcsc.exe
4168	msdcsc.exe
4960	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 4168 set thread context of 4960	4168	msdcsc.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3836	2420	WerFault.exe	92
1212	3448	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D06818FC-4374-8FAD-76B6-BC3885DF62D8}	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D06818FC-4374-8FAD-76B6-BC3885DF62D8}\ = "System Monitor Source Properties"	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D06818FC-4374-8FAD-76B6-BC3885DF62D8}\InprocServer32	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D06818FC-4374-8FAD-76B6-BC3885DF62D8}\InprocServer32\ = "%SystemRoot%\\SysWow64\\sysmon.ocx"	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D06818FC-4374-8FAD-76B6-BC3885DF62D8}\InprocServer32\ThreadingModel = "Apartment"	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:E0EC633E	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
File opened for modification	C:\ProgramData\TEMP:E0EC633E	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
File opened for modification	C:\ProgramData\TEMP:E0EC633E	msdcsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4960	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: 33	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 33	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeSecurityPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeBackupPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeRestorePrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeShutdownPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeDebugPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeUndockPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 33	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 34	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 35	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 36	1372	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 33	4168	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4168	msdcsc.exe
Token: 33	4168	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4168	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4960	msdcsc.exe
Token: SeSecurityPrivilege	4960	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4960	msdcsc.exe
Token: SeLoadDriverPrivilege	4960	msdcsc.exe
Token: SeSystemProfilePrivilege	4960	msdcsc.exe
Token: SeSystemtimePrivilege	4960	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4960	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4960	msdcsc.exe
Token: SeCreatePagefilePrivilege	4960	msdcsc.exe
Token: SeBackupPrivilege	4960	msdcsc.exe
Token: SeRestorePrivilege	4960	msdcsc.exe
Token: SeShutdownPrivilege	4960	msdcsc.exe
Token: SeDebugPrivilege	4960	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4960	msdcsc.exe
Token: SeChangeNotifyPrivilege	4960	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4960	msdcsc.exe
Token: SeUndockPrivilege	4960	msdcsc.exe
Token: SeManageVolumePrivilege	4960	msdcsc.exe
Token: SeImpersonatePrivilege	4960	msdcsc.exe
Token: SeCreateGlobalPrivilege	4960	msdcsc.exe
Token: 33	4960	msdcsc.exe
Token: 34	4960	msdcsc.exe
Token: 35	4960	msdcsc.exe
Token: 36	4960	msdcsc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
4168	msdcsc.exe
4960	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 1568 wrote to memory of 2300	1568	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	85
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88
PID 2300 wrote to memory of 1372	2300	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	88

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1612	attrib.exe
4860	attrib.exe

C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      PID:1940
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      PID:692
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4860
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:2420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 416
        5⤵
        Program crash
        
        PID:3836
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4516
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4168
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 352
        8⤵
        Program crash
        
        PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2420 -ip 2420
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3448 -ip 3448
1⤵
PID:3092

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

98.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.117.19.2.in-addr.arpa

IN PTR

Response

98.117.19.2.in-addr.arpa

IN PTR

a2-19-117-98deploystaticakamaitechnologiescom
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

hydrahydra1907.zapto.org

msdcsc.exe

Remote address:

8.8.8.8:53

Request

hydrahydra1907.zapto.org

IN A

Response
DNS

92.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.16.208.104.in-addr.arpa

IN PTR

Response

127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe
127.0.0.1:1604

msdcsc.exe

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

98.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

98.117.19.2.in-addr.arpa
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

210 B
130 B
3
1

DNS Request

hydrahydra1907.zapto.org

DNS Request

hydrahydra1907.zapto.org

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

140 B
130 B
2
1

DNS Request

hydrahydra1907.zapto.org

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

hydrahydra1907.zapto.org

dns

msdcsc.exe

70 B
130 B
1
1

DNS Request

hydrahydra1907.zapto.org
8.8.8.8:53

92.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

92.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:E0EC633E

Filesize
128B

MD5
be8c82636789027835db2ce6816797db

SHA1
99accf6c947528e297e95f97a4bc94ee4d65761e

SHA256
36b1afe9ffcb9675badc01757b968573b6da5d0fdfb7653f798b57e226f7f4d3

SHA512
a1bf2d0bbe374a68ade5072eb8c2dfe560c65dba0c67ca305f7dc5021a9e2c367a2ebcac03787011804efe95790dce1cc0a537ed1edcaf7224ac2a78f179a252

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
2.5MB

MD5
24ce711ea3798396150d70df3184fdbb

SHA1
d339a73736b7dd931419b56898aeb8cb373cc1e8

SHA256
ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae

SHA512
8a5ccacc7465f7a38f149d2ee3968ecd04b8927711a4aee134803748669fba4afef6fa21615bc48c02031394b89460932ba2a642b9a7fc2d3372b2386868fdbd

Download Submit
memory/1372-27-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1372-23-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1372-57-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1372-22-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1372-20-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1568-0-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1568-28-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2300-25-0x0000000002690000-0x00000000027D2000-memory.dmp

Filesize
1.3MB

Download
memory/2300-17-0x0000000002690000-0x00000000027D2000-memory.dmp

Filesize
1.3MB

Download
memory/2300-10-0x0000000002690000-0x00000000027D2000-memory.dmp

Filesize
1.3MB

Download
memory/2300-15-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2300-16-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2300-4-0x0000000002690000-0x00000000027D2000-memory.dmp

Filesize
1.3MB

Download
memory/2300-14-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2300-3-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2420-33-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3448-80-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/4168-63-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/4168-61-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/4168-48-0x0000000002810000-0x0000000002952000-memory.dmp

Filesize
1.3MB

Download
memory/4168-64-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/4168-65-0x0000000002810000-0x0000000002952000-memory.dmp

Filesize
1.3MB

Download
memory/4168-54-0x0000000002810000-0x0000000002952000-memory.dmp

Filesize
1.3MB

Download
memory/4168-75-0x0000000002810000-0x0000000002952000-memory.dmp

Filesize
1.3MB

Download
memory/4516-76-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/4516-45-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/4960-73-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-87-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-82-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-81-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-71-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-79-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-84-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-85-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-86-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-78-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-88-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-89-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-90-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-91-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-92-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-93-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-94-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-95-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4960-96-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.