darkcomet | 3af9c2594cfbde7fbd180c37be3f4444274c785f16a82564bd37aa275a649b98

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Size

560KB
MD5

b6a36a6ffa1364de26b7687312b3591a
SHA1

01bd3f5ab08674fb2e5976eb3535c8eb89a52a22
SHA256

3af9c2594cfbde7fbd180c37be3f4444274c785f16a82564bd37aa275a649b98
SHA512

f2362ec3ce599fdbd3d7a366c2d36512147e9a879c631fd5adfa349a80ba5cf71f4d3edfe2c481f4573615fc86af5a3c442f3c0f8adb191e4f4faaf5e4cc4694
SSDEEP

12288:v6Wq4aaE6KwyF5L0Y2D1PqL8KAuU50ico0w5KJV7g:tthEVaPqLNUjn5KJu

Score

10^/10

darkcomet guest16 discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

dc1604.no-ip.org:1604

Mutex

DC_MUTEX-JXX3KY6

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
NR5NBa7Z8U9b
install
true
offline_keylogger
true
persistence
true
reg_key
WinUpdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe

Executes dropped EXE 34 IoCs

pid	Process
5640	msdcsc.exe
5224	msdcsc.exe
4924	msdcsc.exe
4852	msdcsc.exe
984	msdcsc.exe
400	msdcsc.exe
5980	msdcsc.exe
2304	msdcsc.exe
4272	msdcsc.exe
5276	msdcsc.exe
4896	msdcsc.exe
4764	msdcsc.exe
4016	msdcsc.exe
5832	msdcsc.exe
5728	msdcsc.exe
1556	msdcsc.exe
5676	msdcsc.exe
3320	msdcsc.exe
5408	msdcsc.exe
656	msdcsc.exe
3520	msdcsc.exe
4860	msdcsc.exe
4540	msdcsc.exe
5528	msdcsc.exe
1740	msdcsc.exe
5012	msdcsc.exe
440	msdcsc.exe
2128	msdcsc.exe
5180	msdcsc.exe
3656	msdcsc.exe
2428	msdcsc.exe
2956	msdcsc.exe
4064	msdcsc.exe
3868	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe

AutoIT Executable 20 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1904-11-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/5640-33-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/4924-52-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/984-72-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/5980-92-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/4272-111-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/4896-118-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/4896-130-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/4016-148-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/5728-169-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/5676-189-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/5408-208-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/3520-215-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/3520-227-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/4540-246-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1740-267-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/440-286-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/5180-305-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2428-323-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/4064-344-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 18 IoCs

description	pid	Process	procid_target
PID 1904 set thread context of 100	1904	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe	86
PID 5640 set thread context of 5224	5640	msdcsc.exe	91
PID 4924 set thread context of 4852	4924	msdcsc.exe	96
PID 984 set thread context of 400	984	msdcsc.exe	101
PID 5980 set thread context of 2304	5980	msdcsc.exe	105
PID 4272 set thread context of 5276	4272	msdcsc.exe	109
PID 4896 set thread context of 4764	4896	msdcsc.exe	116
PID 4016 set thread context of 5832	4016	msdcsc.exe	120
PID 5728 set thread context of 1556	5728	msdcsc.exe	124
PID 5676 set thread context of 3320	5676	msdcsc.exe	128
PID 5408 set thread context of 656	5408	msdcsc.exe	133
PID 3520 set thread context of 4860	3520	msdcsc.exe	137
PID 4540 set thread context of 5528	4540	msdcsc.exe	141
PID 1740 set thread context of 5012	1740	msdcsc.exe	146
PID 440 set thread context of 2128	440	msdcsc.exe	150
PID 5180 set thread context of 3656	5180	msdcsc.exe	154
PID 2428 set thread context of 2956	2428	msdcsc.exe	158
PID 4064 set thread context of 3868	4064	msdcsc.exe	162

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1904-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/100-12-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/100-10-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/100-14-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/100-13-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1904-11-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/100-15-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/100-8-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/files/0x00090000000241e9-18.dat	upx
behavioral1/memory/5640-33-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/5224-34-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5224-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5224-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5224-38-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4924-52-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/4852-53-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4852-54-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/100-56-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5224-57-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5224-59-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/984-72-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/400-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/400-73-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/100-76-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5224-78-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2304-90-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5980-92-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2304-93-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2304-94-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5224-97-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4272-111-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/5276-110-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5276-112-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5276-115-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5224-117-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4896-118-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/4896-130-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/4764-133-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4764-132-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5224-136-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4016-148-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/5832-153-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5832-150-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5224-155-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1556-167-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5728-169-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1556-173-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3320-187-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5676-189-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/3320-193-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5408-208-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/656-212-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3520-215-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/3520-227-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/4860-232-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4540-246-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/5528-251-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1740-254-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1740-267-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/5012-271-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/440-286-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2128-290-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5180-305-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/3656-309-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeSecurityPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeTakeOwnershipPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeLoadDriverPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeSystemProfilePrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeSystemtimePrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeProfSingleProcessPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeIncBasePriorityPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeCreatePagefilePrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeBackupPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeRestorePrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeShutdownPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeDebugPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeSystemEnvironmentPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeChangeNotifyPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeRemoteShutdownPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeUndockPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeManageVolumePrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeImpersonatePrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeCreateGlobalPrivilege	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: 33	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: 34	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: 35	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: 36	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
Token: SeIncreaseQuotaPrivilege	5224	msdcsc.exe
Token: SeSecurityPrivilege	5224	msdcsc.exe
Token: SeTakeOwnershipPrivilege	5224	msdcsc.exe
Token: SeLoadDriverPrivilege	5224	msdcsc.exe
Token: SeSystemProfilePrivilege	5224	msdcsc.exe
Token: SeSystemtimePrivilege	5224	msdcsc.exe
Token: SeProfSingleProcessPrivilege	5224	msdcsc.exe
Token: SeIncBasePriorityPrivilege	5224	msdcsc.exe
Token: SeCreatePagefilePrivilege	5224	msdcsc.exe
Token: SeBackupPrivilege	5224	msdcsc.exe
Token: SeRestorePrivilege	5224	msdcsc.exe
Token: SeShutdownPrivilege	5224	msdcsc.exe
Token: SeDebugPrivilege	5224	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	5224	msdcsc.exe
Token: SeChangeNotifyPrivilege	5224	msdcsc.exe
Token: SeRemoteShutdownPrivilege	5224	msdcsc.exe
Token: SeUndockPrivilege	5224	msdcsc.exe
Token: SeManageVolumePrivilege	5224	msdcsc.exe
Token: SeImpersonatePrivilege	5224	msdcsc.exe
Token: SeCreateGlobalPrivilege	5224	msdcsc.exe
Token: 33	5224	msdcsc.exe
Token: 34	5224	msdcsc.exe
Token: 35	5224	msdcsc.exe
Token: 36	5224	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4852	msdcsc.exe
Token: SeSecurityPrivilege	4852	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4852	msdcsc.exe
Token: SeLoadDriverPrivilege	4852	msdcsc.exe
Token: SeSystemProfilePrivilege	4852	msdcsc.exe
Token: SeSystemtimePrivilege	4852	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4852	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4852	msdcsc.exe
Token: SeCreatePagefilePrivilege	4852	msdcsc.exe
Token: SeBackupPrivilege	4852	msdcsc.exe
Token: SeRestorePrivilege	4852	msdcsc.exe
Token: SeShutdownPrivilege	4852	msdcsc.exe
Token: SeDebugPrivilege	4852	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4852	msdcsc.exe
Token: SeChangeNotifyPrivilege	4852	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4852	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5224	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 100	1904	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe	86
PID 1904 wrote to memory of 100	1904	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe	86
PID 1904 wrote to memory of 100	1904	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe	86
PID 1904 wrote to memory of 100	1904	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe	86
PID 1904 wrote to memory of 100	1904	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe	86
PID 1904 wrote to memory of 100	1904	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe	86
PID 4336 wrote to memory of 5640	4336	cmd.exe	89
PID 4336 wrote to memory of 5640	4336	cmd.exe	89
PID 4336 wrote to memory of 5640	4336	cmd.exe	89
PID 5640 wrote to memory of 5224	5640	msdcsc.exe	91
PID 5640 wrote to memory of 5224	5640	msdcsc.exe	91
PID 5640 wrote to memory of 5224	5640	msdcsc.exe	91
PID 5640 wrote to memory of 5224	5640	msdcsc.exe	91
PID 5640 wrote to memory of 5224	5640	msdcsc.exe	91
PID 5640 wrote to memory of 5224	5640	msdcsc.exe	91
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 5224 wrote to memory of 4584	5224	msdcsc.exe	93
PID 4900 wrote to memory of 4924	4900	cmd.exe	95
PID 4900 wrote to memory of 4924	4900	cmd.exe	95
PID 4900 wrote to memory of 4924	4900	cmd.exe	95
PID 4924 wrote to memory of 4852	4924	msdcsc.exe	96
PID 4924 wrote to memory of 4852	4924	msdcsc.exe	96
PID 4924 wrote to memory of 4852	4924	msdcsc.exe	96
PID 4924 wrote to memory of 4852	4924	msdcsc.exe	96
PID 4924 wrote to memory of 4852	4924	msdcsc.exe	96
PID 4924 wrote to memory of 4852	4924	msdcsc.exe	96
PID 100 wrote to memory of 984	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe	100
PID 100 wrote to memory of 984	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe	100
PID 100 wrote to memory of 984	100	JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe	100
PID 984 wrote to memory of 400	984	msdcsc.exe	101
PID 984 wrote to memory of 400	984	msdcsc.exe	101
PID 984 wrote to memory of 400	984	msdcsc.exe	101
PID 984 wrote to memory of 400	984	msdcsc.exe	101
PID 984 wrote to memory of 400	984	msdcsc.exe	101
PID 984 wrote to memory of 400	984	msdcsc.exe	101
PID 5192 wrote to memory of 5980	5192	cmd.exe	104
PID 5192 wrote to memory of 5980	5192	cmd.exe	104
PID 5192 wrote to memory of 5980	5192	cmd.exe	104
PID 5980 wrote to memory of 2304	5980	msdcsc.exe	105
PID 5980 wrote to memory of 2304	5980	msdcsc.exe	105
PID 5980 wrote to memory of 2304	5980	msdcsc.exe	105
PID 5980 wrote to memory of 2304	5980	msdcsc.exe	105
PID 5980 wrote to memory of 2304	5980	msdcsc.exe	105
PID 5980 wrote to memory of 2304	5980	msdcsc.exe	105

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6a36a6ffa1364de26b7687312b3591a.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5640
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5224
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5192
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:1812
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:1472
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5676
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:3180
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5752
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5144
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:3880
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:1540
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:2008
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5180
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4304
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:2840
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3868

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
560KB

MD5
b6a36a6ffa1364de26b7687312b3591a

SHA1
01bd3f5ab08674fb2e5976eb3535c8eb89a52a22

SHA256
3af9c2594cfbde7fbd180c37be3f4444274c785f16a82564bd37aa275a649b98

SHA512
f2362ec3ce599fdbd3d7a366c2d36512147e9a879c631fd5adfa349a80ba5cf71f4d3edfe2c481f4573615fc86af5a3c442f3c0f8adb191e4f4faaf5e4cc4694

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut4DB2.tmp

Filesize
2KB

MD5
8b17be525222ce118ed2f6edabf206ed

SHA1
4608005e13d0ec6d05f5f1bd2b32e3b3ab3acab1

SHA256
8e34d85d8f6eb61258bfebb318992eb011f005fcd7de79cffc1e3a2ed7b90982

SHA512
a0fdddbaa66f986351ef57ce20a8a981d2b66cc4b83619341ef4273a730cbd3279627d37a8901b977d8f3eb54c876a91dc9d8c079f376a22ee1b37e6f3d7db00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnhwrtj

Filesize
8KB

MD5
c4c5e2fcbdf54f80a53006ec9077b536

SHA1
13e30e3d3ce5abdd35954ae2ce729cb271547955

SHA256
d2c8de06ec89cf4643bb180b0a860e9d2d8af97356b6a694f4c1a967d22c7ccf

SHA512
e353c8e697215f67d81ad6b40c92436d95ab588d1228213a2eeeb9b24f1768cc90539a50d04c44b2a2316c9c1a93f2b0cb152f95833bed8ce94fb21ac850486b

Download Submit
memory/100-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/100-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/100-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/100-8-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/100-10-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/100-12-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/100-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/100-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/400-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/400-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-286-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/656-212-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/984-72-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1556-167-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1556-173-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1740-254-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1740-267-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1904-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1904-11-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2128-290-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2304-93-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2304-90-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2304-94-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2428-323-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2956-328-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3320-193-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3320-187-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3520-215-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3520-227-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3656-309-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3868-342-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3868-348-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4016-148-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4064-344-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4272-111-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4540-246-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4584-36-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/4764-133-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4764-132-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-54-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4860-232-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4896-130-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4896-118-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4924-52-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/5012-271-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5180-305-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/5224-57-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5224-155-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5224-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5224-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5224-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5224-136-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5224-97-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5224-38-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5224-117-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5224-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5224-78-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5276-110-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5276-112-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5276-115-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5408-208-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/5528-251-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5640-33-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/5676-189-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/5728-169-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/5832-150-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5832-153-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5980-92-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads