darkcomet | 32c7f3af9df7f9d50047f168e069bd4e06122efe825db2dd0fae34e2c05ce9ab

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2025, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Size

1.2MB
MD5

b64c82d841f0ca478ee4b052973ec8de
SHA1

1d6b7f8243fff0e5cd771e999c9098423e99eeb1
SHA256

32c7f3af9df7f9d50047f168e069bd4e06122efe825db2dd0fae34e2c05ce9ab
SHA512

1d9bfe0e21a6c1639eaa908fef16d3d6777fd0fb08ccd3c014600449fb5df8977fa58986a2afa49c4971b18f63ab802fa779d70e78d4fc3da7314dfbe5c38623
SSDEEP

12288:/V9QZXi5ITtw8xqm8LlO5/8h4+9Ymoxefl5QT5VVpJ5PCf/BPEsKZXCa6jpoLuJl:UTtNkoxBUJjTH6FyTKJ49HGjNA

Score

10^/10

darkcomet devilskartel discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

DEVILSKARTEL

murdak.no-ip.org:100

Mutex

DC_MUTEX-D4UU794

Attributes

InstallPath
MICROSOFTUPDATE.exe
gencode
oF.s0Pyx7UWi
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MICROSOFTUPDATE.exe"	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MICROSOFTUPDATE.exe,C:\\Windows\\system32\\MICROSOFTUPDATE.exe"	MICROSOFTUPDATE.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	MICROSOFTUPDATE.exe

Executes dropped EXE 4 IoCs

pid	Process
844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
1480	MICROSOFTUPDATE.exe
4612	MICROSOFTUPDATE.exe
3124	MICROSOFTUPDATE.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MICROSOFTUPDATE.exe"	MICROSOFTUPDATE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MICROSOFTUPDATE.exe"	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	MICROSOFTUPDATE.exe
File created	C:\Windows\SysWOW64\MICROSOFTUPDATE.exe	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
File opened for modification	C:\Windows\SysWOW64\MICROSOFTUPDATE.exe	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
File opened for modification	C:\Windows\SysWOW64\	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
File opened for modification	C:\Windows\SysWOW64\MICROSOFTUPDATE.exe	MICROSOFTUPDATE.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4500 set thread context of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 1480 set thread context of 4612	1480	MICROSOFTUPDATE.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MICROSOFTUPDATE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MICROSOFTUPDATE.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeSecurityPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeTakeOwnershipPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeLoadDriverPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeSystemProfilePrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeSystemtimePrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeProfSingleProcessPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeIncBasePriorityPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeCreatePagefilePrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeBackupPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeRestorePrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeShutdownPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeDebugPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeSystemEnvironmentPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeChangeNotifyPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeRemoteShutdownPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeUndockPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeManageVolumePrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeImpersonatePrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeCreateGlobalPrivilege	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: 33	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: 34	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: 35	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: 36	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
Token: SeIncreaseQuotaPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeSecurityPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeTakeOwnershipPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeLoadDriverPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeSystemProfilePrivilege	4612	MICROSOFTUPDATE.exe
Token: SeSystemtimePrivilege	4612	MICROSOFTUPDATE.exe
Token: SeProfSingleProcessPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeIncBasePriorityPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeCreatePagefilePrivilege	4612	MICROSOFTUPDATE.exe
Token: SeBackupPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeRestorePrivilege	4612	MICROSOFTUPDATE.exe
Token: SeShutdownPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeDebugPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeSystemEnvironmentPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeChangeNotifyPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeRemoteShutdownPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeUndockPrivilege	4612	MICROSOFTUPDATE.exe
Token: SeManageVolumePrivilege	4612	MICROSOFTUPDATE.exe
Token: SeImpersonatePrivilege	4612	MICROSOFTUPDATE.exe
Token: SeCreateGlobalPrivilege	4612	MICROSOFTUPDATE.exe
Token: 33	4612	MICROSOFTUPDATE.exe
Token: 34	4612	MICROSOFTUPDATE.exe
Token: 35	4612	MICROSOFTUPDATE.exe
Token: 36	4612	MICROSOFTUPDATE.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 1580	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	86
PID 4500 wrote to memory of 1580	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	86
PID 4500 wrote to memory of 1580	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	86
PID 1580 wrote to memory of 2956	1580	vbc.exe	89
PID 1580 wrote to memory of 2956	1580	vbc.exe	89
PID 1580 wrote to memory of 2956	1580	vbc.exe	89
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 4500 wrote to memory of 844	4500	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	90
PID 844 wrote to memory of 1480	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	91
PID 844 wrote to memory of 1480	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	91
PID 844 wrote to memory of 1480	844	JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe	91
PID 1480 wrote to memory of 2088	1480	MICROSOFTUPDATE.exe	92
PID 1480 wrote to memory of 2088	1480	MICROSOFTUPDATE.exe	92
PID 1480 wrote to memory of 2088	1480	MICROSOFTUPDATE.exe	92
PID 2088 wrote to memory of 868	2088	vbc.exe	94
PID 2088 wrote to memory of 868	2088	vbc.exe	94
PID 2088 wrote to memory of 868	2088	vbc.exe	94
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 1480 wrote to memory of 4612	1480	MICROSOFTUPDATE.exe	95
PID 4612 wrote to memory of 3124	4612	MICROSOFTUPDATE.exe	96
PID 4612 wrote to memory of 3124	4612	MICROSOFTUPDATE.exe	96
PID 4612 wrote to memory of 3124	4612	MICROSOFTUPDATE.exe	96

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6zs_r0wq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB6D7B9AE00A48DBB312B88A2E6ADE79.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2956
- C:\Users\Admin\AppData\Local\Microsoft\Windows\JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\MICROSOFTUPDATE.exe
    "C:\Windows\system32\MICROSOFTUPDATE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aec4ebcz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9654.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF42CE9467354423B995972FFE349D0.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:868
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe
      C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\SysWOW64\MICROSOFTUPDATE.exe
        
        "C:\Windows\system32\MICROSOFTUPDATE.exe"
        5⤵
        Executes dropped EXE
        
        PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe

Filesize
1024B

MD5
54b1c45da8980b32759042e2c3c78dfb

SHA1
11e8bc2db98786c69e5dadf53d00ff3ee03d64f8

SHA256
9d5efce48ed68dcb4caaa7fbecaf47ce2cab0a023afc6ceed682d1d532823773

SHA512
73169989b97a032fe923272fbe4bc27be77e491d125b360120fc1e02419d99f807b1f62a3edaff85ebfd16e9c240ec295be9431cfe4d6c353f0cf0dbeec4d2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\6zs_r0wq.0.vb

Filesize
682B

MD5
d75bfbe0fa5d960574a8efc837185f48

SHA1
cea7f249ae87d69c4915dbe2159b6c53091a7b4a

SHA256
ef55874d0838b3194bcf3828381c132229825db8c638002bed8402f235e45625

SHA512
02924da7fa09e20ca59dcd6557b1f6d0a016b302f42ee0ec15fa9d080c0476afec19c84622fa496ad02a58b60fa7bdc3fd5305b1401426f0e014fbda9edf076f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6zs_r0wq.cmdline

Filesize
246B

MD5
0f52c5a527c65b9eee183534f3cac37a

SHA1
e083fc908ec681ccb8a30e65cc615d1684e5b720

SHA256
2c226f0f695c417228b92bb45579edc99d06f0c3e7bc74f6025829ec641e547f

SHA512
4cdcfdfcdf95e824c3db8c81a60e2639bd738148f50114f0c02a0d61f7d21ab3f5ef03597ef19959f33f52e5fecaf9e8ffa1948f530bd5fb9851e8f46b0c6213

Download Submit
C:\Users\Admin\AppData\Local\Temp\6zs_r0wq.dll

Filesize
6KB

MD5
377a4d7e6cc0ac609d756fe1d5768bd6

SHA1
ba50f99cbbb6cc70f235c337f22c9220dfce394c

SHA256
2dc96ca68bdda4516934113c48b9698a84969ca4653da91bb47849afe1f28e37

SHA512
82225248a01c59940dadb3996023a8fb7ccfccb3ad54cebb5e80fbdb7270cb8930c26d63aee3b82224e6de688dc404268f2ba00676d4d2ad3096697c84d540c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91B1.tmp

Filesize
1KB

MD5
212751e649650a814d05de75ac1a8542

SHA1
43f222a5f1881d45116a4c8eb77b24fb6975a7ce

SHA256
e346f358fd88e1f62a12c09997d013fd8c4a634ef117ce77ab0381212e65692a

SHA512
e07247d655d21a4522709d82225c7c6b33be1edaa6d4a301664f1a15610d4211194bfbc7a1f3f651a3f79dfddbe43dde9408596fa6983d77b6f073b39bf660ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9654.tmp

Filesize
1KB

MD5
87346a8a55659211c432a420eb550d1c

SHA1
5ac11c2b23333349316492b35a25a7ea6da8e45a

SHA256
3c7d4e7bec61b1d5d628d968eb832c2dc4f146b717db579643fec50234e5f454

SHA512
f6972fb707172b3d8abfc30c999af3aeb16d57470611b48d6cbada596bdf7414692e4871df623285d74dd24df59dd9f9cca4a643ce92a7140a2bde36b4e5923d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aec4ebcz.cmdline

Filesize
246B

MD5
8bb01aab974e78e84124856642549252

SHA1
0986ebf7513414ceefbcc0c980fb128ba58732df

SHA256
103cdc5ef14e53a6e238c743ec2ef69a00802a988332dad32385377a2fa7e3a4

SHA512
b09402ee3890e0bfca7dec8080e9c01536c4265d3eb5bb20ec11622a40c5b3a3e97a4e25698b09a26ee1950adaefc318d46d3117eb8739c0441293cb1e0a28a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aec4ebcz.dll

Filesize
6KB

MD5
f0950d706a8eabd43d344f5962d590e1

SHA1
5f520ac96a41d8b5c99eaaeaf566c4fcaccb68ef

SHA256
688a198728ba0b00c34762d815c8c0e2bd4ab4f5f5cb07aaa098deddc6b8fd5d

SHA512
58ab10b535c4c1ef0d4cdbb2f2219c9e6fe124912df26fb54f56324f7e92487ae767363a62f437bb52c0fff7869766f09c1ba21e35793a87f1416f2a278d10d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAB6D7B9AE00A48DBB312B88A2E6ADE79.TMP

Filesize
652B

MD5
1a085d3094413c264b5ed98328ea628d

SHA1
0bb696f7111cc7b5f34da9f48ea7cd900417699a

SHA256
9e54afe2ec5b972a58d298cc9e717b6846d6b11d66e76e4ca0042f2ea6693501

SHA512
6f5b46bf17e92c4d5ada69cb8959f86da72a12765b8cf524c185f2fc6a22919edb5740988377aff8f2ea80bb39cbc7630d25cbeaa4e8ce023bd8f148b58847d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF42CE9467354423B995972FFE349D0.TMP

Filesize
652B

MD5
239138bf127862e495c610ed7657740d

SHA1
53e2c14f3859ccb9a39ccd5bae16e20c9097e66f

SHA256
60e95936869f15afc28b7d1f4a859e4c206c018757b6eabd4c541dcfe674fc53

SHA512
69cd690477808c62d03423854733da5ebcc58212f5be7db0f2d02f1501c7bb0377c8da5825ceda6f334389294709c8c8df1ea6086120c63a828a17be51999519

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe

Filesize
1.2MB

MD5
b64c82d841f0ca478ee4b052973ec8de

SHA1
1d6b7f8243fff0e5cd771e999c9098423e99eeb1

SHA256
32c7f3af9df7f9d50047f168e069bd4e06122efe825db2dd0fae34e2c05ce9ab

SHA512
1d9bfe0e21a6c1639eaa908fef16d3d6777fd0fb08ccd3c014600449fb5df8977fa58986a2afa49c4971b18f63ab802fa779d70e78d4fc3da7314dfbe5c38623

Download Submit
memory/844-23-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/844-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/844-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/844-32-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/844-26-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/844-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1480-47-0x0000000001560000-0x0000000001570000-memory.dmp

Filesize
64KB

Download
memory/1580-7-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/1580-16-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4500-0-0x0000000074662000-0x0000000074663000-memory.dmp

Filesize
4KB

Download
memory/4500-28-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4500-2-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4500-1-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4612-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4612-83-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads