darkcomet | a45f2cfac684b87635a67fcd3ec67a46b5dda029574f5f3f3ca3c9381a3929c1

General

Target

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
Size

1.0MB
MD5

8bc0e7d1a78d454caaa87d3b7caa92c3
SHA1

d0135e2e13f0d13aa2c49fb0d78f987f8d9ad67f
SHA256

a45f2cfac684b87635a67fcd3ec67a46b5dda029574f5f3f3ca3c9381a3929c1
SHA512

237016f4e9dd9b6a10359926caf886aea96595b20e87117b316019151e361895ba5ae10efd13f1c3066bc07ef4746d9ef59f857da7a6adc5966f75fbfebc4454
SSDEEP

24576:s4SRmIAZ6QGs1ikSHP5hs10Ot1LisENzP:s4SZO5SvOtVisEJP

Score

10^/10

darkcomet v2 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

V2

C2

spamblocker.no-ip.biz:1604

Mutex

DC_MUTEX-NZ2A7W0

Attributes

gencode
ji6MMZDpnHyq
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exepspluginwkr.exewinresume.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	pspluginwkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	winresume.exe

Executes dropped EXE 3 IoCs

Processes:

pspluginwkr.exewinresume.exepspluginwkr.exe

pid process

1716 pspluginwkr.exe
2580 winresume.exe
4488 pspluginwkr.exe

pid	process
1716	pspluginwkr.exe
2580	winresume.exe
4488	pspluginwkr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pspluginwkr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\pspluginwkr.exe"	pspluginwkr.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exewinresume.exe

description	pid	process	target process
PID 4588 set thread context of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 2580 set thread context of 540	2580	winresume.exe	AppLaunch.exe

Drops file in Windows directory 2 IoCs

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AppLaunch.exepspluginwkr.exewinresume.exeAppLaunch.exepspluginwkr.exe8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pspluginwkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winresume.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pspluginwkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe

pid	process
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exeAppLaunch.exepspluginwkr.exewinresume.exeAppLaunch.exepspluginwkr.exe

description	pid	process
Token: SeDebugPrivilege	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3672	AppLaunch.exe
Token: SeSecurityPrivilege	3672	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	3672	AppLaunch.exe
Token: SeLoadDriverPrivilege	3672	AppLaunch.exe
Token: SeSystemProfilePrivilege	3672	AppLaunch.exe
Token: SeSystemtimePrivilege	3672	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	3672	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	3672	AppLaunch.exe
Token: SeCreatePagefilePrivilege	3672	AppLaunch.exe
Token: SeBackupPrivilege	3672	AppLaunch.exe
Token: SeRestorePrivilege	3672	AppLaunch.exe
Token: SeShutdownPrivilege	3672	AppLaunch.exe
Token: SeDebugPrivilege	3672	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	3672	AppLaunch.exe
Token: SeChangeNotifyPrivilege	3672	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	3672	AppLaunch.exe
Token: SeUndockPrivilege	3672	AppLaunch.exe
Token: SeManageVolumePrivilege	3672	AppLaunch.exe
Token: SeImpersonatePrivilege	3672	AppLaunch.exe
Token: SeCreateGlobalPrivilege	3672	AppLaunch.exe
Token: 33	3672	AppLaunch.exe
Token: 34	3672	AppLaunch.exe
Token: 35	3672	AppLaunch.exe
Token: 36	3672	AppLaunch.exe
Token: SeDebugPrivilege	1716	pspluginwkr.exe
Token: SeDebugPrivilege	2580	winresume.exe
Token: SeIncreaseQuotaPrivilege	540	AppLaunch.exe
Token: SeSecurityPrivilege	540	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	540	AppLaunch.exe
Token: SeLoadDriverPrivilege	540	AppLaunch.exe
Token: SeSystemProfilePrivilege	540	AppLaunch.exe
Token: SeSystemtimePrivilege	540	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	540	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	540	AppLaunch.exe
Token: SeCreatePagefilePrivilege	540	AppLaunch.exe
Token: SeBackupPrivilege	540	AppLaunch.exe
Token: SeRestorePrivilege	540	AppLaunch.exe
Token: SeShutdownPrivilege	540	AppLaunch.exe
Token: SeDebugPrivilege	540	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	540	AppLaunch.exe
Token: SeChangeNotifyPrivilege	540	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	540	AppLaunch.exe
Token: SeUndockPrivilege	540	AppLaunch.exe
Token: SeManageVolumePrivilege	540	AppLaunch.exe
Token: SeImpersonatePrivilege	540	AppLaunch.exe
Token: SeCreateGlobalPrivilege	540	AppLaunch.exe
Token: 33	540	AppLaunch.exe
Token: 34	540	AppLaunch.exe
Token: 35	540	AppLaunch.exe
Token: 36	540	AppLaunch.exe
Token: SeDebugPrivilege	4488	pspluginwkr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

3672 AppLaunch.exe

pid	process
3672	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exepspluginwkr.exewinresume.exe

description	pid	process	target process
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 3672	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 4588 wrote to memory of 1716	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 4588 wrote to memory of 1716	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 4588 wrote to memory of 1716	4588	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 1716 wrote to memory of 2580	1716	pspluginwkr.exe	winresume.exe
PID 1716 wrote to memory of 2580	1716	pspluginwkr.exe	winresume.exe
PID 1716 wrote to memory of 2580	1716	pspluginwkr.exe	winresume.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 540	2580	winresume.exe	AppLaunch.exe
PID 2580 wrote to memory of 4488	2580	winresume.exe	pspluginwkr.exe
PID 2580 wrote to memory of 4488	2580	winresume.exe	pspluginwkr.exe
PID 2580 wrote to memory of 4488	2580	winresume.exe	pspluginwkr.exe

C:\Users\Admin\AppData\Local\Temp\8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pspluginwkr.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pspluginwkr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winresume.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winresume.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:540
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pspluginwkr.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pspluginwkr.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\pspluginwkr.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pspluginwkr.exe

Filesize
15KB

MD5
99e0106f89c12144cd3c82216382e110

SHA1
44e1640b98b27aca3530d41a7b853c73172623fc

SHA256
4bef292be3b4fc87d7300408032886248e6bcfa002d3c5e48b7e47d6fedc78c5

SHA512
3b6d8f7679896ab1e69ae94025162116397c8adcf46a95c30dd54b2f8f95e0fc6adc9f068e5ecd4ed070084c646e12368588511756374c62c7525bf3b91e10ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winresume.exe

Filesize
1.0MB

MD5
8bc0e7d1a78d454caaa87d3b7caa92c3

SHA1
d0135e2e13f0d13aa2c49fb0d78f987f8d9ad67f

SHA256
a45f2cfac684b87635a67fcd3ec67a46b5dda029574f5f3f3ca3c9381a3929c1

SHA512
237016f4e9dd9b6a10359926caf886aea96595b20e87117b316019151e361895ba5ae10efd13f1c3066bc07ef4746d9ef59f857da7a6adc5966f75fbfebc4454

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
478B

MD5
83af92b8bc8d665c5a6b24544ba9373a

SHA1
573fcdbdbdb6bcbcc1e8e597a3e01a66170b1d94

SHA256
e8fc3b3fd9162cedd170a753ab46a0f8dd16606f10919e1986e0587a423b919c

SHA512
ab6d60f377503056739c077b17b685e3f762cf99c9abb1ea54404de6d3f20da78853f841d25aeee627a1113db3c16a62dd7b0ac1f3a46997f3b57ec3ad2aeb72

Download Submit
memory/1716-26-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/1716-24-0x00000000746A2000-0x00000000746A3000-memory.dmp

Filesize
4KB

Download
memory/1716-32-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/1716-30-0x00000000746A2000-0x00000000746A3000-memory.dmp

Filesize
4KB

Download
memory/1716-25-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/1716-37-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/3672-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3672-7-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3672-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3672-11-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3672-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3672-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3672-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3672-28-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3672-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4588-1-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/4588-0-0x00000000746A2000-0x00000000746A3000-memory.dmp

Filesize
4KB

Download
memory/4588-3-0x00000000746A2000-0x00000000746A3000-memory.dmp

Filesize
4KB

Download
memory/4588-40-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/4588-4-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/4588-2-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads