darkcomet | 1b381d766da86aa6b98f53bc3006658909538ee3314f6b713fbec64a266c1623

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_61fdf49099469563aa4442c198855baf.exe
Size

1.1MB
MD5

61fdf49099469563aa4442c198855baf
SHA1

6a9965e6691ed6132dd968e2a1ff08e8594eb672
SHA256

1b381d766da86aa6b98f53bc3006658909538ee3314f6b713fbec64a266c1623
SHA512

a33badc4a7187178dd2609456746951a6347fc26431d4e5ed36cec98d0842f7c1a998e2c4096f947f1deadc364a92702fcd6f410b0882fda55d658efa8b7a78f
SSDEEP

24576:fafGiYtto6oCfd0+X7Q3CiTApWsN1X7Q7Fsx2k2Y:U0pZRHWsL7Us8

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	server.EXE

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	server.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 8 IoCs

pid	Process
2780	server23.exe
1784	server.EXE
1508	server.EXE
2072	notepad.exe
2424	explorer.exe
2736	winupdate.exe
1900	notepad.exe
3112	calc.exe

Loads dropped DLL 16 IoCs

pid	Process
2780	server23.exe
2780	server23.exe
1784	server.EXE
1784	server.EXE
1508	server.EXE
1508	server.EXE
1508	server.EXE
1508	server.EXE
1508	server.EXE
1784	server.EXE
1784	server.EXE
2736	winupdate.exe
2736	winupdate.exe
2736	winupdate.exe
3112	calc.exe
3112	calc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	server.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	server.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 2424	1508	server.EXE	34

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001928c-636.dat	upx
behavioral1/memory/1508-644-0x00000000008F0000-0x00000000009DD000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	server.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	server.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	server.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	server.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2780	server23.exe
Token: SeIncBasePriorityPrivilege	2780	server23.exe
Token: 33	2780	server23.exe
Token: SeIncBasePriorityPrivilege	2780	server23.exe
Token: 33	2780	server23.exe
Token: SeIncBasePriorityPrivilege	2780	server23.exe
Token: 33	2780	server23.exe
Token: SeIncBasePriorityPrivilege	2780	server23.exe
Token: 33	1784	server.EXE
Token: SeIncBasePriorityPrivilege	1784	server.EXE
Token: SeIncreaseQuotaPrivilege	1508	server.EXE
Token: SeSecurityPrivilege	1508	server.EXE
Token: SeTakeOwnershipPrivilege	1508	server.EXE
Token: SeLoadDriverPrivilege	1508	server.EXE
Token: SeSystemProfilePrivilege	1508	server.EXE
Token: SeSystemtimePrivilege	1508	server.EXE
Token: SeProfSingleProcessPrivilege	1508	server.EXE
Token: SeIncBasePriorityPrivilege	1508	server.EXE
Token: SeCreatePagefilePrivilege	1508	server.EXE
Token: SeBackupPrivilege	1508	server.EXE
Token: SeRestorePrivilege	1508	server.EXE
Token: SeShutdownPrivilege	1508	server.EXE
Token: SeDebugPrivilege	1508	server.EXE
Token: SeSystemEnvironmentPrivilege	1508	server.EXE
Token: SeChangeNotifyPrivilege	1508	server.EXE
Token: SeRemoteShutdownPrivilege	1508	server.EXE
Token: SeUndockPrivilege	1508	server.EXE
Token: SeManageVolumePrivilege	1508	server.EXE
Token: SeImpersonatePrivilege	1508	server.EXE
Token: SeCreateGlobalPrivilege	1508	server.EXE
Token: 33	1508	server.EXE
Token: 34	1508	server.EXE
Token: 35	1508	server.EXE
Token: SeIncreaseQuotaPrivilege	2424	explorer.exe
Token: SeSecurityPrivilege	2424	explorer.exe
Token: SeTakeOwnershipPrivilege	2424	explorer.exe
Token: SeLoadDriverPrivilege	2424	explorer.exe
Token: SeSystemProfilePrivilege	2424	explorer.exe
Token: SeSystemtimePrivilege	2424	explorer.exe
Token: SeProfSingleProcessPrivilege	2424	explorer.exe
Token: SeIncBasePriorityPrivilege	2424	explorer.exe
Token: SeCreatePagefilePrivilege	2424	explorer.exe
Token: SeBackupPrivilege	2424	explorer.exe
Token: SeRestorePrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeDebugPrivilege	2424	explorer.exe
Token: SeSystemEnvironmentPrivilege	2424	explorer.exe
Token: SeChangeNotifyPrivilege	2424	explorer.exe
Token: SeRemoteShutdownPrivilege	2424	explorer.exe
Token: SeUndockPrivilege	2424	explorer.exe
Token: SeManageVolumePrivilege	2424	explorer.exe
Token: SeImpersonatePrivilege	2424	explorer.exe
Token: SeCreateGlobalPrivilege	2424	explorer.exe
Token: 33	2424	explorer.exe
Token: 34	2424	explorer.exe
Token: 35	2424	explorer.exe
Token: SeIncreaseQuotaPrivilege	2736	winupdate.exe
Token: SeSecurityPrivilege	2736	winupdate.exe
Token: SeTakeOwnershipPrivilege	2736	winupdate.exe
Token: SeLoadDriverPrivilege	2736	winupdate.exe
Token: SeSystemProfilePrivilege	2736	winupdate.exe
Token: SeSystemtimePrivilege	2736	winupdate.exe
Token: SeProfSingleProcessPrivilege	2736	winupdate.exe
Token: SeIncBasePriorityPrivilege	2736	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2780	296	JaffaCakes118_61fdf49099469563aa4442c198855baf.exe	30
PID 296 wrote to memory of 2780	296	JaffaCakes118_61fdf49099469563aa4442c198855baf.exe	30
PID 296 wrote to memory of 2780	296	JaffaCakes118_61fdf49099469563aa4442c198855baf.exe	30
PID 296 wrote to memory of 2780	296	JaffaCakes118_61fdf49099469563aa4442c198855baf.exe	30
PID 296 wrote to memory of 2780	296	JaffaCakes118_61fdf49099469563aa4442c198855baf.exe	30
PID 296 wrote to memory of 2780	296	JaffaCakes118_61fdf49099469563aa4442c198855baf.exe	30
PID 296 wrote to memory of 2780	296	JaffaCakes118_61fdf49099469563aa4442c198855baf.exe	30
PID 2780 wrote to memory of 1784	2780	server23.exe	31
PID 2780 wrote to memory of 1784	2780	server23.exe	31
PID 2780 wrote to memory of 1784	2780	server23.exe	31
PID 2780 wrote to memory of 1784	2780	server23.exe	31
PID 2780 wrote to memory of 1784	2780	server23.exe	31
PID 2780 wrote to memory of 1784	2780	server23.exe	31
PID 2780 wrote to memory of 1784	2780	server23.exe	31
PID 1784 wrote to memory of 1508	1784	server.EXE	32
PID 1784 wrote to memory of 1508	1784	server.EXE	32
PID 1784 wrote to memory of 1508	1784	server.EXE	32
PID 1784 wrote to memory of 1508	1784	server.EXE	32
PID 1784 wrote to memory of 1508	1784	server.EXE	32
PID 1784 wrote to memory of 1508	1784	server.EXE	32
PID 1784 wrote to memory of 1508	1784	server.EXE	32
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2072	1508	server.EXE	33
PID 1508 wrote to memory of 2424	1508	server.EXE	34
PID 1508 wrote to memory of 2424	1508	server.EXE	34
PID 1508 wrote to memory of 2424	1508	server.EXE	34
PID 1508 wrote to memory of 2424	1508	server.EXE	34
PID 1508 wrote to memory of 2424	1508	server.EXE	34
PID 1508 wrote to memory of 2424	1508	server.EXE	34
PID 1508 wrote to memory of 2424	1508	server.EXE	34
PID 1508 wrote to memory of 2424	1508	server.EXE	34
PID 1508 wrote to memory of 2424	1508	server.EXE	34
PID 2424 wrote to memory of 1648	2424	explorer.exe	35
PID 2424 wrote to memory of 1648	2424	explorer.exe	35
PID 2424 wrote to memory of 1648	2424	explorer.exe	35
PID 2424 wrote to memory of 1648	2424	explorer.exe	35
PID 2424 wrote to memory of 1648	2424	explorer.exe	35
PID 2424 wrote to memory of 1648	2424	explorer.exe	35
PID 2424 wrote to memory of 1648	2424	explorer.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61fdf49099469563aa4442c198855baf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61fdf49099469563aa4442c198855baf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:296
- C:\Users\Admin\AppData\Local\Temp\server23.exe
  "C:\Users\Admin\AppData\Local\Temp\server23.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.EXE
    "C:\Users\Admin\AppData\Local\Temp\server.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Native\STUBEXE\@APPDATALOCAL@\Temp\IXP000.TMP\server.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Native\STUBEXE\@SYSTEM@\notepad.exe
        
        notepad
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2072
    - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Native\STUBEXE\@SYSTEM@\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
    - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Native\STUBEXE\@SYSDRIVE@\Windupdt\winupdate.exe
        
        "C:\Windupdt\winupdate.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Native\STUBEXE\@SYSTEM@\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1900
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Native\STUBEXE\@APPDATALOCAL@\Temp\IXP000.TMP\calc.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\calc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
340KB

MD5
16707b0934ac578a499ee0eafd4a6465

SHA1
20994a685fb099ce6a4773e849518979f417ec5c

SHA256
e1c7d2f7b40c919a743fa6cd991d5806fdb5e00bcf253e7cab2751af42a807b3

SHA512
1e19ed0a63cc4817a34fc318fdeabc1c9b46dc4c6d34efb036deb66f9e8ed25ba021802c77808183d24a7da31f5642f0bca55c0b60eb84a6e9b417e89a853654

Download Submit
C:\Users\Admin\AppData\Local\Temp\server23.exe

Filesize
857KB

MD5
f0e57400ba0ced7def4487e8ec031315

SHA1
6d301d92f785f5720bd768317387598da1d0b42e

SHA256
168ad4c18dc7a3d6e8f9f8a7b3370c4de641df217280e868c450074ad042c3ed

SHA512
5466c9fc3059360d346a9ea093375e88602d98a29b4a54b27ffb1d286db4d5e8da563336a26b44988740f313c87dc27e445104f9fa87ea52a2906ff0b75047ac

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Native\STUBEXE\@APPDATALOCAL@\Temp\IXP000.TMP\calc.exe

Filesize
17KB

MD5
460a34d17e22362ad772f507cd012646

SHA1
ab350107eb752f36e6a322854f0283eabd21dd3f

SHA256
90a842e1b2261d330492b8e4e654204f785e4d45593d34791dcf3db001532baa

SHA512
69050605fe327cf3d194dd82880b7ada32b1e632215f78664f87c895f66d0353bafbb358df2af9836d9aba5c1f92a9cb3a60d39529fc4cefa81cf71941b43c8f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\calc.exe

Filesize
112KB

MD5
829e4805b0e12b383ee09abdc9e2dc3c

SHA1
5a272b7441328e09704b6d7eabdbd51b8858fde4

SHA256
37121ecb7c1e112b735bd21b0dfe3e526352ecb98c434c5f40e6a2a582380cdd

SHA512
356fe701e6788c9e4988ee5338c09170311c2013d6b72d7756b7ada5cda44114945f964668feb440d262fb1c0f9ca180549aafd532d169ceeadf435b9899c8f6

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Native\STUBEXE\@APPDATALOCAL@\Temp\IXP000.TMP\server.EXE

Filesize
17KB

MD5
99f238c5b88ebb2d88867dbd53498c3a

SHA1
f1acd7b7726aee4add947cb28661cd3908e303e0

SHA256
e28f8fa77b6b76bf0d6290e573b2a01b472bc15353ec4aefecce21b1b86ed597

SHA512
4910aceb5efe8dad20c24e92a6aa77cd40276dfbd41724c6426ab13915e1d97128a23cc003e582b7cf84c9c702fd7eef9f64fe4e4fb293d0908de6f011442e0c

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Native\STUBEXE\@SYSTEM@\explorer.exe

Filesize
17KB

MD5
3223b2d91d09771570163b77ded2126a

SHA1
8a621210d478fcfaccd635047bd7dfef26f2c930

SHA256
3d50d5904cf1bb004ef06ee2df1a090b813d86a002bf03dc532151f38c15f1f7

SHA512
30bfa9475b98f409157ef81e3c45ff67de817e8ed8836c4ab53f40b5a10df1ef3fbc8a682b8830e715fccce3afebcc2a5cdfd04d01dce34e9e5b81bdd4f26793

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Native\STUBEXE\@SYSTEM@\notepad.exe

Filesize
17KB

MD5
3ba18ac5ffb29487c89d90f815800a82

SHA1
d87cb9958757ec74da250b8a0213b25458284af6

SHA256
d1234651ab212457acff3a19c1ef89973599cd79d920a3ca32db4bb6c12dd5ce

SHA512
eeb5eec1d59c2f0064b6a66a23a224d68ff3d59486e03b3ce3d99875fbf5758ad0e71dec6ad44498079d58286402e4f1a8cf5f47a48d819a2150649ee5c2dc4c

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\help\1.0.0.0\2011.08.08T20.12\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.EXE

Filesize
17KB

MD5
06e1c3247c5dacc13692c1289591672a

SHA1
d683917b16a43b16ec1f250b9bfa78562f9627a0

SHA256
dcd1f4202ced54dfa4e83687dd0615cb3c170a2150969be6edc7bd3ebe6de635

SHA512
49edc8cac2b8a7971f1be8f833d229fc6b50ae484093e54b5723d2a035befd795f5cd074194721ea47de774323915b7fc188920e4ae31d277df30e11e817eb7d

Download Submit
memory/296-10-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/296-0-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp

Filesize
4KB

Download
memory/296-3-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/1508-1387-0x00000000008F0000-0x000000000098C000-memory.dmp

Filesize
624KB

Download
memory/1508-644-0x00000000008F0000-0x00000000009DD000-memory.dmp

Filesize
948KB

Download
memory/1784-2316-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/1784-640-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2736-1699-0x0000000000810000-0x00000000008FD000-memory.dmp

Filesize
948KB

Download
memory/2736-2071-0x0000000000810000-0x00000000008FD000-memory.dmp

Filesize
948KB

Download
memory/2780-66-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-22-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-54-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-52-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-50-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-48-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-46-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-44-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-42-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-40-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-36-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-34-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-32-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-30-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-28-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-26-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-24-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-227-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-20-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-18-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-14-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-13-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-56-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-58-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-60-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-64-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-68-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-70-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-72-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-74-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-16-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-38-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-62-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-76-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-2315-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2780-12-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads