Malware Analysis Report

2025-04-13 22:43

Sample ID: 250227-2r4zrsssfy
Target: 6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a
SHA256: 6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a
Tags: darkcomet ramnit guest16 banker discovery rat spyware stealer trojan upx worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a
Threat Level: Known bad

The file 6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a was found to be: Known bad.

Malicious Activity Summary

Tags: darkcomet ramnit guest16 banker discovery rat spyware stealer trojan upx worm

Darkcomet
Ramnit family
Darkcomet family
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-02-27 22:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-02-27 22:49
Reported: 2025-02-27 22:52
Platform: win7-20240903-en
Max time kernel: 141s
Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"

Signatures

Darkcomet
  Tags: trojan rat darkcomet

Darkcomet family
  Tags: darkcomet

Ramnit
  Tags: trojan spyware stealer worm banker ramnit

Ramnit family
  Tags: ramnit

UPX packed file
  Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery
  Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings
  Tags: adware spyware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2CEE8701-F55D-11EF-A17D-4A174794FC88} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2CF0E861-F55D-11EF-A17D-4A174794FC88} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446858468" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2672 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
PID 2672 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
PID 2672 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
PID 2672 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
PID 2756 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2656 wrote to memory of 2800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2656 wrote to memory of 2800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2656 wrote to memory of 2800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2656 wrote to memory of 2800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2544 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2544 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2544 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2544 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe
  "C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
  C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
TR | 159.146.115.189:3131 | | tcp
TR | 159.146.115.189:3131 | | tcp
TR | 159.146.115.189:3131 | | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
TR | 159.146.115.189:3131 | | tcp
TR | 159.146.115.189:3131 | | tcp
TR | 159.146.115.189:3131 | | tcp
TR | 159.146.115.189:3131 | | tcp

Files

memory/2672-0-0x0000000000400000-0x00000000004D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
  MD5: d5ca6e1f080abc64bbb11e098acbeabb
  SHA1: 1849634bf5a65e1baddddd4452c99dfa003e2647
  SHA256: 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae
  SHA512: aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

memory/2756-15-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2756-14-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2756-13-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2756-12-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2672-11-0x0000000000540000-0x000000000059D000-memory.dmp
memory/2672-10-0x0000000000540000-0x000000000059D000-memory.dmp
memory/2756-17-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2756-16-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2672-18-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/2756-9-0x00000000001F0000-0x00000000001F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2CEE8701-F55D-11EF-A17D-4A174794FC88}.dat
  MD5: c19e57e8eec687b1b628a6c97eda6182
  SHA1: e1cb3fc02ab3b9a9a03500e6e615ffbb47dc2469
  SHA256: a685d2416082c4fd11abf085c23e86e4ab05abd3b72b29ad57e718c41bd93495
  SHA512: f1de40f666d888a19f12ba40cc0462ea7f7f45efe8a247a028df01deeeef1b18c185d59e58cf671479e2cfec1f4c92fbc8994302829a07ad4c5d56f8db0aee2c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2CF0E861-F55D-11EF-A17D-4A174794FC88}.dat
  MD5: 28ec94b93e15858b3dcedf1f59467dde
  SHA1: f396fe161f011c928e1693e0d9ba23feeacef4b6
  SHA256: a06b126c4c5ae68af827a131a777e2b460847bce16661da3a549d8780d088f97
  SHA512: 3e8bd02ab4b63bf9d9ee08d64a039ebee196ce6c25985a957a6b9f518ec0551a7200e1d3a991aba1c48e5107f0250dd1ce212e8921b6c74c2f1e52da379e7082

memory/2756-21-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2672-466-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/2672-497-0x0000000000540000-0x000000000059D000-memory.dmp
memory/2672-498-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/2672-499-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/2672-501-0x0000000000400000-0x00000000004D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 22:49

Reported

2025-02-27 22:52

Platform

win10v2004-20250217-en

Max time kernel

140s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe

"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 264

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.16.153.224:443 www.bing.com tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp

Files

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

MD5 d5ca6e1f080abc64bbb11e098acbeabb
SHA1 1849634bf5a65e1baddddd4452c99dfa003e2647
SHA256 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae
SHA512 aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161
