darkcomet | 29e7af74c058023ada93e20484abf4c4e56e9d97d2b95bd61d6afcd9bfa042e0

Analysis

max time kernel
12s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
Size

774KB
MD5

80b57fded2545f6117d2bb61c4f1abc3
SHA1

0759097ed2ffdf783d6d62aecdee4cac62a917c3
SHA256

29e7af74c058023ada93e20484abf4c4e56e9d97d2b95bd61d6afcd9bfa042e0
SHA512

de9f1ab6ffd7c9c3def72e6f512387b2132a6e36c69f5b5d3fada6af21c74a373fbc8639c140f23a4e8b43c67efe0f06100bb84e231c7556af8f86956eff2590
SSDEEP

12288:nLneYlTwlTdwjfzDROheKRPtbQtzSSG/5NhFrJQMaL2Evn0vCNC1X4hWHw9v:nLF2mBOhe+CC51JQfvn0lREgw

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

fifou-rien.sytes.net:1604

Mutex

DC_MUTEX-QM0YRRP

Attributes

gencode
Gq$T�9niz*CK
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 6 IoCs

pid	Process
1848	crss.exe
2704	rrMOO.exe
1848	crss.exe
2704	rrMOO.exe
1848	crss.exe
2704	rrMOO.exe

Loads dropped DLL 9 IoCs

pid	Process
2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javaw.exe"	crss.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 set thread context of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 set thread context of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rrMOO.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
Token: SeIncreaseQuotaPrivilege	2704	rrMOO.exe
Token: SeSecurityPrivilege	2704	rrMOO.exe
Token: SeTakeOwnershipPrivilege	2704	rrMOO.exe
Token: SeLoadDriverPrivilege	2704	rrMOO.exe
Token: SeSystemProfilePrivilege	2704	rrMOO.exe
Token: SeSystemtimePrivilege	2704	rrMOO.exe
Token: SeProfSingleProcessPrivilege	2704	rrMOO.exe
Token: SeIncBasePriorityPrivilege	2704	rrMOO.exe
Token: SeCreatePagefilePrivilege	2704	rrMOO.exe
Token: SeBackupPrivilege	2704	rrMOO.exe
Token: SeRestorePrivilege	2704	rrMOO.exe
Token: SeShutdownPrivilege	2704	rrMOO.exe
Token: SeDebugPrivilege	2704	rrMOO.exe
Token: SeSystemEnvironmentPrivilege	2704	rrMOO.exe
Token: SeChangeNotifyPrivilege	2704	rrMOO.exe
Token: SeRemoteShutdownPrivilege	2704	rrMOO.exe
Token: SeUndockPrivilege	2704	rrMOO.exe
Token: SeManageVolumePrivilege	2704	rrMOO.exe
Token: SeImpersonatePrivilege	2704	rrMOO.exe
Token: SeCreateGlobalPrivilege	2704	rrMOO.exe
Token: 33	2704	rrMOO.exe
Token: 34	2704	rrMOO.exe
Token: 35	2704	rrMOO.exe
Token: SeDebugPrivilege	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
Token: SeIncreaseQuotaPrivilege	2704	rrMOO.exe
Token: SeSecurityPrivilege	2704	rrMOO.exe
Token: SeTakeOwnershipPrivilege	2704	rrMOO.exe
Token: SeLoadDriverPrivilege	2704	rrMOO.exe
Token: SeSystemProfilePrivilege	2704	rrMOO.exe
Token: SeSystemtimePrivilege	2704	rrMOO.exe
Token: SeProfSingleProcessPrivilege	2704	rrMOO.exe
Token: SeIncBasePriorityPrivilege	2704	rrMOO.exe
Token: SeCreatePagefilePrivilege	2704	rrMOO.exe
Token: SeBackupPrivilege	2704	rrMOO.exe
Token: SeRestorePrivilege	2704	rrMOO.exe
Token: SeShutdownPrivilege	2704	rrMOO.exe
Token: SeDebugPrivilege	2704	rrMOO.exe
Token: SeSystemEnvironmentPrivilege	2704	rrMOO.exe
Token: SeChangeNotifyPrivilege	2704	rrMOO.exe
Token: SeRemoteShutdownPrivilege	2704	rrMOO.exe
Token: SeUndockPrivilege	2704	rrMOO.exe
Token: SeManageVolumePrivilege	2704	rrMOO.exe
Token: SeImpersonatePrivilege	2704	rrMOO.exe
Token: SeCreateGlobalPrivilege	2704	rrMOO.exe
Token: 33	2704	rrMOO.exe
Token: 34	2704	rrMOO.exe
Token: 35	2704	rrMOO.exe
Token: SeDebugPrivilege	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
Token: SeIncreaseQuotaPrivilege	2704	rrMOO.exe
Token: SeSecurityPrivilege	2704	rrMOO.exe
Token: SeTakeOwnershipPrivilege	2704	rrMOO.exe
Token: SeLoadDriverPrivilege	2704	rrMOO.exe
Token: SeSystemProfilePrivilege	2704	rrMOO.exe
Token: SeSystemtimePrivilege	2704	rrMOO.exe
Token: SeProfSingleProcessPrivilege	2704	rrMOO.exe
Token: SeIncBasePriorityPrivilege	2704	rrMOO.exe
Token: SeCreatePagefilePrivilege	2704	rrMOO.exe
Token: SeBackupPrivilege	2704	rrMOO.exe
Token: SeRestorePrivilege	2704	rrMOO.exe
Token: SeShutdownPrivilege	2704	rrMOO.exe
Token: SeDebugPrivilege	2704	rrMOO.exe
Token: SeSystemEnvironmentPrivilege	2704	rrMOO.exe
Token: SeChangeNotifyPrivilege	2704	rrMOO.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2324 wrote to memory of 2992	2324	csc.exe	33
PID 2324 wrote to memory of 2992	2324	csc.exe	33
PID 2324 wrote to memory of 2992	2324	csc.exe	33
PID 2324 wrote to memory of 2992	2324	csc.exe	33
PID 2496 wrote to memory of 1848	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	34
PID 2496 wrote to memory of 1848	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	34
PID 2496 wrote to memory of 1848	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	34
PID 2496 wrote to memory of 1848	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	34
PID 2496 wrote to memory of 2860	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	35
PID 2496 wrote to memory of 2860	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	35
PID 2496 wrote to memory of 2860	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	35
PID 2496 wrote to memory of 2860	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	35
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2324 wrote to memory of 2992	2324	csc.exe	33
PID 2324 wrote to memory of 2992	2324	csc.exe	33
PID 2324 wrote to memory of 2992	2324	csc.exe	33
PID 2324 wrote to memory of 2992	2324	csc.exe	33
PID 2496 wrote to memory of 1848	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	34
PID 2496 wrote to memory of 1848	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	34
PID 2496 wrote to memory of 1848	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	34
PID 2496 wrote to memory of 1848	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	34
PID 2496 wrote to memory of 2860	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	35
PID 2496 wrote to memory of 2860	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	35
PID 2496 wrote to memory of 2860	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	35
PID 2496 wrote to memory of 2860	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	35
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2704	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	37
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2496 wrote to memory of 2324	2496	JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe	31
PID 2324 wrote to memory of 2992	2324	csc.exe	33
PID 2324 wrote to memory of 2992	2324	csc.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80b57fded2545f6117d2bb61c4f1abc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1vcbfjnp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4EC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD4DC.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- C:\Users\Admin\AppData\Local\Temp\crss.exe
  "C:\Users\Admin\AppData\Local\Temp\crss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ajc7y3x7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\rrMOO.exe
  C:\Users\Admin\AppData\Local\Temp\rrMOO.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD4EC.tmp

Filesize
1KB

MD5
80b8eae6f3b8249d5d5c1167bb27db3e

SHA1
679cf21a28f0638aab51c179324a998fdd1f01fe

SHA256
65a02b11150aa2e9d669c03ca7912ab03de77fa92a2bd8645c7ee114e4a80130

SHA512
ff2dfb7981856d3c3d66888d8a04446b3684ae63da6552c93f644fe47cf0b137418b42b141dbdac297ca23b521e6ffa2ba7826b6ca55414d5595b6019f41017e

Download Submit
C:\Users\Admin\AppData\Local\Temp\crss.exe

Filesize
4KB

MD5
9f23a008870c29b4b97aba3049a93ad1

SHA1
75ce547397f58fff0c814445fb546e8d9e7f3a76

SHA256
063ba59ea6afe7045132d692adfd996b371e5415d9852dbb89e71350e096f5c8

SHA512
abc76614f222d3c751c4eb1a8be4e2e7a704f56fc5df296fb83d837e16bcbd2f194a91fc28d744f6e9bc89e33d77b1c02550ba577c104cebadfdea0402138245

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1vcbfjnp.0.cs

Filesize
1KB

MD5
69f0076b82b8f15f22c3a20e0a1b1645

SHA1
ca6eca9e20380f86c4dc97af6e2fe3794d66df7f

SHA256
cb972c445e5d5db444eb74294bcec10b305c196fbd36ec16df76cd503df68839

SHA512
001059096ed771fb132a799fb4b1fd401b4ad95dfc65a3e57fbf9c418792c8ee7a7ddb2714b070809b6782d3c3e5d76677c2e13083a6dbed87f1c709263259f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1vcbfjnp.cmdline

Filesize
257B

MD5
0197ecbc51f2dbab7d8b57a683c5d796

SHA1
b1b8627731044a1bf1861d8ad8618710eee1016d

SHA256
7641634a192f757f3cc9cb2be67d44a0a00ab5f97f1c3615041effca570b9c33

SHA512
9c1d42eecceb5e56d44f3d4cb492b41b7c452bc91397db871d2c72640cd8e93acb1c708a17dbaa3fbfcf26cd64ea7351c5fb03f32cf91eddabe38a1baeb6c844

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD4DC.tmp

Filesize
636B

MD5
c8c25f9346d8f994362fd8112f852c56

SHA1
a2697059cc8f7b3ae707d7728eaa87b93938371d

SHA256
67ab7a6bf53032421711a620f7897305c05d28ff24434fc2abf0f43ccba6c7a1

SHA512
cc07a8719de0ab4a356d689cc51bb47a629d388dca1a57bf32fff4b8f2354b05ec7b38d015516f7387e4448cebe3239400ffa207f690f2a92e5df1823d2bb7f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ajc7y3x7.0.cs

Filesize
3KB

MD5
1b792088d4a26069d7e991449e500e01

SHA1
33cfa03d7d4e7fc224a55d486c55077c36475df9

SHA256
792fa93acb954ee152cc2ee0ffe4bafb21d14632cdebad56f437aa48a5a5c1f1

SHA512
f91a19734d56a179bc4c14f248ba13805288a40c8b394721bfe5943ec37ecd608f66cb3e5b98fb76f176f68c97e42de4b5c33c38c72eb666b0d565293a35ea05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ajc7y3x7.cmdline

Filesize
319B

MD5
eabf76fec96f04c0079a2d2b2ca7099c

SHA1
bbee9911d57d48d942e1a10859972db49ff756f3

SHA256
c70f475ad663fe546d4afec5c96fc2a4ba2c02166082ee5a7c29613aee1a88a1

SHA512
9273c5e6461ff154b94f7a4b8076442c40a89570dd2f19506f6b4d9085e8d028023d9f41b94e6fb2e2c9a97b3b00a0bfeeb750c6e79f90b237d30d41bd550c78

Download Submit
\Users\Admin\AppData\Local\Temp\rrMOO.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/2324-15-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-8-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-8-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-15-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-15-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-8-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/2496-56-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-56-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/2496-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/2496-56-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-52-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-60-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-60-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-58-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-40-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-41-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-43-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-45-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-35-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-37-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-47-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-55-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-52-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-49-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-57-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-47-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-45-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-43-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-41-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-40-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-58-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-59-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-59-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-57-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-49-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-55-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-37-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-35-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-37-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-35-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-55-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-52-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-49-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-57-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-47-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-45-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-43-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-41-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-40-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-58-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-59-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2704-60-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads