414180a9f9707cb3501546487051badead26b0d08d0143302c62f84b81a565f5

Resubmissions

26-12-2024 10:52

241226-myqcmatlhx 10

26-12-2024 10:39

241226-mp9pxatjfz 10

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Comet.exe
Size

8.6MB
MD5

1f5d19397b48172aba35885f39e318fa
SHA1

df77020bffc62f386b5ce0ad0cde3d8f8b704b93
SHA256

dd780875686be33910002f91aaeb8f8ec70a2f3972c41c707a59ef18cd900e74
SHA512

4ccec7c602582d467a63e8f6e8fc222e73bb88a589256fac0577452b6ffaaec58adf2b5e216f8a27404c4717a74f239ce73226385133764b75baa775b25de4a0
SSDEEP

196608:u9+8ZspGS5puzUZqVBU6NABaScfR3xeUDyzfS/FNgeLCtNP:u9+EEp5ZqPBOhcftAUDyzqNutNP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 31 IoCs

pid	Process
2948	deltadll.exe
2692	deltadll.exe
576	deltadll.exe
336	deltadll.exe
2772	deltadll.exe
2956	deltadll.exe
2276	deltadll.exe
2064	deltadll.exe
992	deltadll.exe
1576	deltadll.exe
1608	deltadll.exe
1232	Process not Found
2884	deltadll.exe
3016	deltadll.exe
1700	deltadll.exe
2856	deltadll.exe
2544	deltadll.exe
3056	deltadll.exe
2816	deltadll.exe
2364	deltadll.exe
2460	deltadll.exe
2864	deltadll.exe
1716	deltadll.exe
2100	deltadll.exe
572	deltadll.exe
2848	deltadll.exe
1700	deltadll.exe
1096	deltadll.exe
1212	deltadll.exe
1544	deltadll.exe
928	deltadll.exe

Loads dropped DLL 64 IoCs

pid	Process
1548	Comet.exe
1548	Comet.exe
2872	Process not Found
2824	Comet.exe
2824	Comet.exe
2112	Process not Found
2848	Comet.exe
2848	Comet.exe
2764	Process not Found
1844	Comet.exe
1844	Comet.exe
2776	Process not Found
1916	Comet.exe
1916	Comet.exe
2196	Process not Found
908	Comet.exe
908	Comet.exe
2580	Process not Found
2408	Comet.exe
2408	Comet.exe
1544	Process not Found
2032	Comet.exe
2032	Comet.exe
1732	Process not Found
1976	Comet.exe
1976	Comet.exe
1980	Process not Found
1672	Comet.exe
1672	Comet.exe
3020	Process not Found
2392	Comet.exe
2392	Comet.exe
2684	Process not Found
2388	Comet.exe
2388	Comet.exe
2728	Process not Found
2112	Comet.exe
2112	Comet.exe
840	Process not Found
2484	Comet.exe
2484	Comet.exe
1200	Process not Found
1480	Comet.exe
1480	Comet.exe
2164	Process not Found
2144	Comet.exe
2144	Comet.exe
1972	Process not Found
2188	Comet.exe
2188	Comet.exe
988	Process not Found
2160	Comet.exe
2160	Comet.exe
1244	Process not Found
944	Comet.exe
944	Comet.exe
1900	Process not Found
1612	Comet.exe
1612	Comet.exe
1508	Process not Found
3036	Comet.exe
3036	Comet.exe
3020	Process not Found
1648	Comet.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	Comet.exe
Token: SeDebugPrivilege	2824	Comet.exe
Token: SeDebugPrivilege	2848	Comet.exe
Token: SeDebugPrivilege	1844	Comet.exe
Token: SeDebugPrivilege	1916	Comet.exe
Token: SeDebugPrivilege	908	Comet.exe
Token: SeDebugPrivilege	2408	Comet.exe
Token: SeDebugPrivilege	2032	Comet.exe
Token: SeDebugPrivilege	1976	Comet.exe
Token: SeDebugPrivilege	1672	Comet.exe
Token: SeDebugPrivilege	2392	Comet.exe
Token: SeDebugPrivilege	2388	Comet.exe
Token: SeDebugPrivilege	2112	Comet.exe
Token: SeDebugPrivilege	2484	Comet.exe
Token: SeDebugPrivilege	1480	Comet.exe
Token: SeDebugPrivilege	2144	Comet.exe
Token: SeDebugPrivilege	2188	Comet.exe
Token: SeDebugPrivilege	2160	Comet.exe
Token: SeDebugPrivilege	944	Comet.exe
Token: SeDebugPrivilege	1612	Comet.exe
Token: SeDebugPrivilege	3036	Comet.exe
Token: SeDebugPrivilege	1648	Comet.exe
Token: SeDebugPrivilege	2836	Comet.exe
Token: SeDebugPrivilege	844	Comet.exe
Token: SeDebugPrivilege	968	Comet.exe
Token: SeDebugPrivilege	2176	Comet.exe
Token: SeDebugPrivilege	1092	Comet.exe
Token: SeDebugPrivilege	1708	Comet.exe
Token: SeDebugPrivilege	2304	Comet.exe
Token: SeDebugPrivilege	1796	Comet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2824	1548	Comet.exe	31
PID 1548 wrote to memory of 2824	1548	Comet.exe	31
PID 1548 wrote to memory of 2824	1548	Comet.exe	31
PID 1548 wrote to memory of 2948	1548	Comet.exe	32
PID 1548 wrote to memory of 2948	1548	Comet.exe	32
PID 1548 wrote to memory of 2948	1548	Comet.exe	32
PID 2824 wrote to memory of 2848	2824	Comet.exe	35
PID 2824 wrote to memory of 2848	2824	Comet.exe	35
PID 2824 wrote to memory of 2848	2824	Comet.exe	35
PID 2824 wrote to memory of 2692	2824	Comet.exe	36
PID 2824 wrote to memory of 2692	2824	Comet.exe	36
PID 2824 wrote to memory of 2692	2824	Comet.exe	36
PID 2848 wrote to memory of 1844	2848	Comet.exe	38
PID 2848 wrote to memory of 1844	2848	Comet.exe	38
PID 2848 wrote to memory of 1844	2848	Comet.exe	38
PID 2848 wrote to memory of 576	2848	Comet.exe	39
PID 2848 wrote to memory of 576	2848	Comet.exe	39
PID 2848 wrote to memory of 576	2848	Comet.exe	39
PID 1844 wrote to memory of 1916	1844	Comet.exe	41
PID 1844 wrote to memory of 1916	1844	Comet.exe	41
PID 1844 wrote to memory of 1916	1844	Comet.exe	41
PID 1844 wrote to memory of 336	1844	Comet.exe	42
PID 1844 wrote to memory of 336	1844	Comet.exe	42
PID 1844 wrote to memory of 336	1844	Comet.exe	42
PID 1916 wrote to memory of 908	1916	Comet.exe	44
PID 1916 wrote to memory of 908	1916	Comet.exe	44
PID 1916 wrote to memory of 908	1916	Comet.exe	44
PID 1916 wrote to memory of 2772	1916	Comet.exe	45
PID 1916 wrote to memory of 2772	1916	Comet.exe	45
PID 1916 wrote to memory of 2772	1916	Comet.exe	45
PID 908 wrote to memory of 2408	908	Comet.exe	47
PID 908 wrote to memory of 2408	908	Comet.exe	47
PID 908 wrote to memory of 2408	908	Comet.exe	47
PID 908 wrote to memory of 2956	908	Comet.exe	48
PID 908 wrote to memory of 2956	908	Comet.exe	48
PID 908 wrote to memory of 2956	908	Comet.exe	48
PID 2408 wrote to memory of 2032	2408	Comet.exe	50
PID 2408 wrote to memory of 2032	2408	Comet.exe	50
PID 2408 wrote to memory of 2032	2408	Comet.exe	50
PID 2408 wrote to memory of 2276	2408	Comet.exe	51
PID 2408 wrote to memory of 2276	2408	Comet.exe	51
PID 2408 wrote to memory of 2276	2408	Comet.exe	51
PID 2032 wrote to memory of 1976	2032	Comet.exe	53
PID 2032 wrote to memory of 1976	2032	Comet.exe	53
PID 2032 wrote to memory of 1976	2032	Comet.exe	53
PID 2032 wrote to memory of 2064	2032	Comet.exe	54
PID 2032 wrote to memory of 2064	2032	Comet.exe	54
PID 2032 wrote to memory of 2064	2032	Comet.exe	54
PID 1976 wrote to memory of 1672	1976	Comet.exe	56
PID 1976 wrote to memory of 1672	1976	Comet.exe	56
PID 1976 wrote to memory of 1672	1976	Comet.exe	56
PID 1976 wrote to memory of 992	1976	Comet.exe	57
PID 1976 wrote to memory of 992	1976	Comet.exe	57
PID 1976 wrote to memory of 992	1976	Comet.exe	57
PID 1672 wrote to memory of 2392	1672	Comet.exe	59
PID 1672 wrote to memory of 2392	1672	Comet.exe	59
PID 1672 wrote to memory of 2392	1672	Comet.exe	59
PID 1672 wrote to memory of 1576	1672	Comet.exe	60
PID 1672 wrote to memory of 1576	1672	Comet.exe	60
PID 1672 wrote to memory of 1576	1672	Comet.exe	60
PID 2392 wrote to memory of 2388	2392	Comet.exe	62
PID 2392 wrote to memory of 2388	2392	Comet.exe	62
PID 2392 wrote to memory of 2388	2392	Comet.exe	62
PID 2392 wrote to memory of 1608	2392	Comet.exe	63

C:\Users\Admin\AppData\Local\Temp\Comet.exe
"C:\Users\Admin\AppData\Local\Temp\Comet.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\Comet.exe
  "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\Comet.exe
    "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
      "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        7⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        8⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        9⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        10⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        11⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        12⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        13⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        14⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        15⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        16⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        17⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        18⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        19⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        20⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        21⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        22⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        31⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        31⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        30⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        29⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        28⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        27⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        26⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        25⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        24⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        23⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        22⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        21⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        20⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        19⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        18⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        17⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        16⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        15⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        14⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        13⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        12⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        11⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        10⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        9⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        8⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        7⤵
        Executes dropped EXE
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        6⤵
        Executes dropped EXE
        
        PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        5⤵
        Executes dropped EXE
        
        PID:336
  - - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
      "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
      4⤵
      Executes dropped EXE
      PID:576
- - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
    "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
    3⤵
    - Executes dropped EXE
    PID:2692
- C:\Users\Admin\AppData\Local\Temp\deltadll.exe
  "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
  2⤵
  - Executes dropped EXE
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deltadll.exe

Filesize
14.8MB

MD5
19c446f51d203d1fb7eb23210709417b

SHA1
6e33b8d13d1539630615e581e5ab03de371c0dc6

SHA256
b67cae29bac60920b3edc02081da697c4c6486411c1bc77f29b68cb1f23e3ffc

SHA512
9d8601a0c2e090cd5fc6315c1671d669cd6a6bf20d3ef24cb1a111e344464913fe809c9b27d32608b93b988a37e59c90086ccf68545ce385ef58f96365a439df

Download Submit
memory/1548-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/1548-1-0x000000013F1B0000-0x000000013FA5A000-memory.dmp

Filesize
8.7MB

Download
memory/1548-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1548-12-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2824-3-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2824-23-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download