darkcomet | 1001065dcc00ff8d14c2166940a2936b1ff78c3cffa17eb75b502a2a9a932a2c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d604a165826a3df124f663479b0607b5_JaffaCakes118.exe
Size

748KB
MD5

d604a165826a3df124f663479b0607b5
SHA1

f3afcb70f500c2dcdb2fc0edd6869c31b43dc792
SHA256

1001065dcc00ff8d14c2166940a2936b1ff78c3cffa17eb75b502a2a9a932a2c
SHA512

00f0c02b13fd7806cd8664b5278b3a21785f8dd8871655d7af24794c46a0c39514648d25f33d1b33b7967dd3bec0882051205d26decc12a10f2a6a54589a9ebf
SSDEEP

12288:M5S3h2B5NGhJIrb6RgGKKmsDkAuTVGH6Txqa0m6vo:iyhRyrb6SGKWuRGHHad6w

Score

10^/10

darkcomet isrstealer latentbot dongaa discovery persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

DonGaa

euro2012.zapto.org:3389

olympic2012.zapto.org:3390

Mutex

DC_MUTEX-RK8JYCB

Attributes

InstallPath
java\jar.exe
gencode
MfdGPqFwSQrd
install
true
offline_keylogger
true
password
123
persistence
true
reg_key
Microsoffpdate

Extracted

Family

latentbot

olympic2012.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/2136-75-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/2136-76-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/2136-93-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\java\\jar.exe"	out.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	out.exe

Executes dropped EXE 4 IoCs

pid	Process
3180	out.exe
4104	out.exe
932	jar.exe
4844	jar.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IgfxTray = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoffpdate = "C:\\Users\\Admin\\AppData\\Roaming\\java\\jar.exe"	out.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoffpdate = "C:\\Users\\Admin\\AppData\\Roaming\\java\\jar.exe"	jar.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3180 set thread context of 4104	3180	out.exe	90
PID 932 set thread context of 4844	932	jar.exe	94
PID 3156 set thread context of 2136	3156	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe	96
PID 2136 set thread context of 4576	2136	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe	97

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0014000000023b7c-6.dat	upx
behavioral2/memory/3180-10-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4104-13-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4104-16-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3180-18-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4104-19-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4104-20-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4104-21-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4104-22-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4104-57-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/932-59-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4844-67-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-66-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-68-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/932-70-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4844-71-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-74-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-73-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4576-79-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4576-80-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4576-81-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4576-84-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4844-95-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-96-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-97-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-98-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-99-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-100-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-101-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-102-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-103-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-104-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-105-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/4844-106-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	out.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	out.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	out.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4104	out.exe
Token: SeSecurityPrivilege	4104	out.exe
Token: SeTakeOwnershipPrivilege	4104	out.exe
Token: SeLoadDriverPrivilege	4104	out.exe
Token: SeSystemProfilePrivilege	4104	out.exe
Token: SeSystemtimePrivilege	4104	out.exe
Token: SeProfSingleProcessPrivilege	4104	out.exe
Token: SeIncBasePriorityPrivilege	4104	out.exe
Token: SeCreatePagefilePrivilege	4104	out.exe
Token: SeBackupPrivilege	4104	out.exe
Token: SeRestorePrivilege	4104	out.exe
Token: SeShutdownPrivilege	4104	out.exe
Token: SeDebugPrivilege	4104	out.exe
Token: SeSystemEnvironmentPrivilege	4104	out.exe
Token: SeChangeNotifyPrivilege	4104	out.exe
Token: SeRemoteShutdownPrivilege	4104	out.exe
Token: SeUndockPrivilege	4104	out.exe
Token: SeManageVolumePrivilege	4104	out.exe
Token: SeImpersonatePrivilege	4104	out.exe
Token: SeCreateGlobalPrivilege	4104	out.exe
Token: 33	4104	out.exe
Token: 34	4104	out.exe
Token: 35	4104	out.exe
Token: 36	4104	out.exe
Token: SeIncreaseQuotaPrivilege	4844	jar.exe
Token: SeSecurityPrivilege	4844	jar.exe
Token: SeTakeOwnershipPrivilege	4844	jar.exe
Token: SeLoadDriverPrivilege	4844	jar.exe
Token: SeSystemProfilePrivilege	4844	jar.exe
Token: SeSystemtimePrivilege	4844	jar.exe
Token: SeProfSingleProcessPrivilege	4844	jar.exe
Token: SeIncBasePriorityPrivilege	4844	jar.exe
Token: SeCreatePagefilePrivilege	4844	jar.exe
Token: SeBackupPrivilege	4844	jar.exe
Token: SeRestorePrivilege	4844	jar.exe
Token: SeShutdownPrivilege	4844	jar.exe
Token: SeDebugPrivilege	4844	jar.exe
Token: SeSystemEnvironmentPrivilege	4844	jar.exe
Token: SeChangeNotifyPrivilege	4844	jar.exe
Token: SeRemoteShutdownPrivilege	4844	jar.exe
Token: SeUndockPrivilege	4844	jar.exe
Token: SeManageVolumePrivilege	4844	jar.exe
Token: SeImpersonatePrivilege	4844	jar.exe
Token: SeCreateGlobalPrivilege	4844	jar.exe
Token: 33	4844	jar.exe
Token: 34	4844	jar.exe
Token: 35	4844	jar.exe
Token: 36	4844	jar.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3156	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe
3180	out.exe
932	jar.exe
4844	jar.exe
2136	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 3180	3156	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe	89
PID 3156 wrote to memory of 3180	3156	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe	89
PID 3156 wrote to memory of 3180	3156	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe	89
PID 3180 wrote to memory of 4104	3180	out.exe	90
PID 3180 wrote to memory of 4104	3180	out.exe	90
PID 3180 wrote to memory of 4104	3180	out.exe	90
PID 3180 wrote to memory of 4104	3180	out.exe	90
PID 3180 wrote to memory of 4104	3180	out.exe	90
PID 3180 wrote to memory of 4104	3180	out.exe	90
PID 3180 wrote to memory of 4104	3180	out.exe	90
PID 3180 wrote to memory of 4104	3180	out.exe	90
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 4140	4104	out.exe	91
PID 4104 wrote to memory of 932	4104	out.exe	92
PID 4104 wrote to memory of 932	4104	out.exe	92
PID 4104 wrote to memory of 932	4104	out.exe	92
PID 932 wrote to memory of 4844	932	jar.exe	94
PID 932 wrote to memory of 4844	932	jar.exe	94
PID 932 wrote to memory of 4844	932	jar.exe	94
PID 932 wrote to memory of 4844	932	jar.exe	94
PID 932 wrote to memory of 4844	932	jar.exe	94
PID 932 wrote to memory of 4844	932	jar.exe	94
PID 932 wrote to memory of 4844	932	jar.exe	94
PID 932 wrote to memory of 4844	932	jar.exe	94
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 4844 wrote to memory of 3560	4844	jar.exe	95
PID 3156 wrote to memory of 2136	3156	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe	96
PID 3156 wrote to memory of 2136	3156	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe	96
PID 3156 wrote to memory of 2136	3156	d604a165826a3df124f663479b0607b5_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\out.exe
  "C:\Users\Admin\AppData\Local\Temp\out.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Users\Admin\AppData\Local\Temp\out.exe
    "C:\Users\Admin\AppData\Local\Temp\out.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:4140
  - - C:\Users\Admin\AppData\Roaming\java\jar.exe
      "C:\Users\Admin\AppData\Roaming\java\jar.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Users\Admin\AppData\Roaming\java\jar.exe
        
        "C:\Users\Admin\AppData\Roaming\java\jar.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
- C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\wFc7VddpIi.ini"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkVhrbN.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GkVhrbN.bat

Filesize
263B

MD5
f6fa97ac595aab50b7ffb2d6592865fb

SHA1
76530c92e501d4619cceee8901a23862fc4638d9

SHA256
98036dba5197d400c3d31412523c877bda50ebd0e9212275100b3ea6cef55570

SHA512
b421a379a14c90cb59cb6e3ad10d507496d86cc227af0ce574bdd18891e4adedb187c3c91435d5c61f25d40a2b5772b46a93ec105deaffec3b00b30a9a3d4248

Download Submit
C:\Users\Admin\AppData\Local\Temp\out.exe

Filesize
301KB

MD5
1075f5bdeae2dae8ed0be96c0772cbde

SHA1
05e761c27139288d04cbf222c6d711fa8b907e75

SHA256
42f3493aa0a0a755f92f7773838ddf19d9f7f93ac64eaf2e85f7ea36e16e14ed

SHA512
267bae9e05e32c1be45f688ade0d2beb895f415bf156927fc42aaee7f51a5fb4ef8c815f9153c7bd46f38329338b1e6f790f5e7c6775a7a88a3399b09d04ca05

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
748KB

MD5
d604a165826a3df124f663479b0607b5

SHA1
f3afcb70f500c2dcdb2fc0edd6869c31b43dc792

SHA256
1001065dcc00ff8d14c2166940a2936b1ff78c3cffa17eb75b502a2a9a932a2c

SHA512
00f0c02b13fd7806cd8664b5278b3a21785f8dd8871655d7af24794c46a0c39514648d25f33d1b33b7967dd3bec0882051205d26decc12a10f2a6a54589a9ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wFc7VddpIi.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/932-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/932-59-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2136-93-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-75-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-10-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3180-18-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3560-72-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/4104-57-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4104-19-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4104-13-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4104-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4104-20-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4104-21-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4104-22-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4140-25-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4576-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-84-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4844-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-98-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-71-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-66-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-73-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-95-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-96-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-97-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-99-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-100-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-101-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-102-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-103-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-104-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-105-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4844-106-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads