darkcomet | 8ed58fccd0234e53dd1b82468875c8e34e02c4b6d51c93041077bc412fb482bf

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe
Size

7.3MB
MD5

c24b23d3c854fceb5e4af9d151ffe7fc
SHA1

90419748e89d38f964db9e8eac4ca62b6a355460
SHA256

8ed58fccd0234e53dd1b82468875c8e34e02c4b6d51c93041077bc412fb482bf
SHA512

fe9b05ef5bb9551f7d6f8d72afad2e6e40a646e8c897213c0aaed84f7b3960c8ea45c2f3a48a35a0f3140cd97e79f9b5c8d376ff140b270b3fffce87504c78b8
SSDEEP

98304:3Xo61VhZXRqa3KNLY1zNwrTPzQAqZto4OP2+95Zohk95TadWSMBoAI5Ku77v:no61LtRnaNM1zBOPjdohk9Ra0Ss9

Score

10^/10

darkcomet hacking discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hacking

127.0.0.1:82

kindos223.zapto.org:82

Mutex

DC_MUTEX-A3AJRZF

Attributes

gencode
kPer*-ghPCmM
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vbc.exe

Executes dropped EXE 5 IoCs

pid	Process
5180	winlogon.exe
1844	winlogon.exe
3636	Client.exe
4744	Client.exe
4824	Client.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\Winlog\\winlogon.exe"	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\Winlog\\winlogon.exe"	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5288 set thread context of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5180 set thread context of 4980	5180	winlogon.exe	86
PID 1844 set thread context of 4948	1844	winlogon.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	vbc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4744	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2756	vbc.exe
Token: SeSecurityPrivilege	2756	vbc.exe
Token: SeTakeOwnershipPrivilege	2756	vbc.exe
Token: SeLoadDriverPrivilege	2756	vbc.exe
Token: SeSystemProfilePrivilege	2756	vbc.exe
Token: SeSystemtimePrivilege	2756	vbc.exe
Token: SeProfSingleProcessPrivilege	2756	vbc.exe
Token: SeIncBasePriorityPrivilege	2756	vbc.exe
Token: SeCreatePagefilePrivilege	2756	vbc.exe
Token: SeBackupPrivilege	2756	vbc.exe
Token: SeRestorePrivilege	2756	vbc.exe
Token: SeShutdownPrivilege	2756	vbc.exe
Token: SeDebugPrivilege	2756	vbc.exe
Token: SeSystemEnvironmentPrivilege	2756	vbc.exe
Token: SeChangeNotifyPrivilege	2756	vbc.exe
Token: SeRemoteShutdownPrivilege	2756	vbc.exe
Token: SeUndockPrivilege	2756	vbc.exe
Token: SeManageVolumePrivilege	2756	vbc.exe
Token: SeImpersonatePrivilege	2756	vbc.exe
Token: SeCreateGlobalPrivilege	2756	vbc.exe
Token: 33	2756	vbc.exe
Token: 34	2756	vbc.exe
Token: 35	2756	vbc.exe
Token: 36	2756	vbc.exe
Token: SeIncreaseQuotaPrivilege	4948	vbc.exe
Token: SeSecurityPrivilege	4948	vbc.exe
Token: SeTakeOwnershipPrivilege	4948	vbc.exe
Token: SeLoadDriverPrivilege	4948	vbc.exe
Token: SeSystemProfilePrivilege	4948	vbc.exe
Token: SeSystemtimePrivilege	4948	vbc.exe
Token: SeProfSingleProcessPrivilege	4948	vbc.exe
Token: SeIncBasePriorityPrivilege	4948	vbc.exe
Token: SeCreatePagefilePrivilege	4948	vbc.exe
Token: SeBackupPrivilege	4948	vbc.exe
Token: SeRestorePrivilege	4948	vbc.exe
Token: SeShutdownPrivilege	4948	vbc.exe
Token: SeDebugPrivilege	4948	vbc.exe
Token: SeSystemEnvironmentPrivilege	4948	vbc.exe
Token: SeChangeNotifyPrivilege	4948	vbc.exe
Token: SeRemoteShutdownPrivilege	4948	vbc.exe
Token: SeUndockPrivilege	4948	vbc.exe
Token: SeManageVolumePrivilege	4948	vbc.exe
Token: SeImpersonatePrivilege	4948	vbc.exe
Token: SeCreateGlobalPrivilege	4948	vbc.exe
Token: 33	4948	vbc.exe
Token: 34	4948	vbc.exe
Token: 35	4948	vbc.exe
Token: 36	4948	vbc.exe
Token: SeIncreaseQuotaPrivilege	4980	vbc.exe
Token: SeSecurityPrivilege	4980	vbc.exe
Token: SeTakeOwnershipPrivilege	4980	vbc.exe
Token: SeLoadDriverPrivilege	4980	vbc.exe
Token: SeSystemProfilePrivilege	4980	vbc.exe
Token: SeSystemtimePrivilege	4980	vbc.exe
Token: SeProfSingleProcessPrivilege	4980	vbc.exe
Token: SeIncBasePriorityPrivilege	4980	vbc.exe
Token: SeCreatePagefilePrivilege	4980	vbc.exe
Token: SeBackupPrivilege	4980	vbc.exe
Token: SeRestorePrivilege	4980	vbc.exe
Token: SeShutdownPrivilege	4980	vbc.exe
Token: SeDebugPrivilege	4980	vbc.exe
Token: SeSystemEnvironmentPrivilege	4980	vbc.exe
Token: SeChangeNotifyPrivilege	4980	vbc.exe
Token: SeRemoteShutdownPrivilege	4980	vbc.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4744	Client.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5288 wrote to memory of 2756	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	79
PID 5352 wrote to memory of 5180	5352	cmd.exe	85
PID 5352 wrote to memory of 5180	5352	cmd.exe	85
PID 5352 wrote to memory of 5180	5352	cmd.exe	85
PID 5328 wrote to memory of 1844	5328	cmd.exe	84
PID 5328 wrote to memory of 1844	5328	cmd.exe	84
PID 5328 wrote to memory of 1844	5328	cmd.exe	84
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 5180 wrote to memory of 4980	5180	winlogon.exe	86
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 4948	1844	winlogon.exe	87
PID 1844 wrote to memory of 3636	1844	winlogon.exe	90
PID 1844 wrote to memory of 3636	1844	winlogon.exe	90
PID 1844 wrote to memory of 3636	1844	winlogon.exe	90
PID 5288 wrote to memory of 4744	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	88
PID 5288 wrote to memory of 4744	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	88
PID 5288 wrote to memory of 4744	5288	JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe	88
PID 5180 wrote to memory of 4824	5180	winlogon.exe	89
PID 5180 wrote to memory of 4824	5180	winlogon.exe	89
PID 5180 wrote to memory of 4824	5180	winlogon.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c24b23d3c854fceb5e4af9d151ffe7fc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5288
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\System\Services\Winlog\winlogon.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5352
- C:\Users\Admin\AppData\Roaming\Microsoft\System\Services\Winlog\winlogon.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\System\Services\Winlog\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5180
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\System\Services\Winlog\winlogon.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5328
- C:\Users\Admin\AppData\Roaming\Microsoft\System\Services\Winlog\winlogon.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\System\Services\Winlog\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3636

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\winlogon.exe.log

Filesize
319B

MD5
e7df52bc2fea4cb49c9c749bd9f8d618

SHA1
fd956953e48f15d113f59be5e6a6534d32f2a25a

SHA256
65a906ff066056f5d93198115645da23ab4f880aad5d85f2fab41248b5831373

SHA512
538d0e3958b2b6a2d876e64ed70518aeba857b4effece13c930417754e2df23b612c7368bc4d8344bb9b10b721916d4ff2529cbac86142993170aa1d1918bae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
6.5MB

MD5
0182a6151011cb541780f4ed789a72fe

SHA1
7d5e2c14edbd010f838af179d261cd0603fe8681

SHA256
4a1ddb308d9bde6b5238bb907e52834705f2a5280ba8c69ce7af36447e8ba923

SHA512
e78f42385076acfc95abb00ffca888dacb6ea50fba69620a75f7c244e6214ecc2b98c50fc6df01633c5f8359646e903317ab621bb00b7decd627e64ccdfe50c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
20B

MD5
8bb400d926ed7f40be31fada430f45ea

SHA1
27826dc07859a23a11bcbd1317912de9593bb074

SHA256
68a10a393c2fe6e8e1f47bd3b42564456cf55a7fc881550b1d7dcc765462c405

SHA512
f84f346c73a5ddc1ab0c3484e20402b236f3bff186c0d45c38cb770acecb4d3a26a318d772007c298082f4111125cba9b2473a0bee38e0dfcb91e7d8b4c1e8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
20B

MD5
8b95c8c3b5a785465f8e2f868e20cc30

SHA1
2787db459289b44cde9107db26cbadc589883ce3

SHA256
976c786397ad5cd5f0d2ac8e96dc67bc904f3eeffa10d08bc2c975a213ebd041

SHA512
e51500409551a44b22582a1b8c3d5d25f5b708a0a443a714373da402b25f6a8044d0d2d39198ccc4b4729cb5c3cc68b201fbf164aded78054378291df09f7ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\System\Services\Winlog\winlogon.exe

Filesize
7.3MB

MD5
c24b23d3c854fceb5e4af9d151ffe7fc

SHA1
90419748e89d38f964db9e8eac4ca62b6a355460

SHA256
8ed58fccd0234e53dd1b82468875c8e34e02c4b6d51c93041077bc412fb482bf

SHA512
fe9b05ef5bb9551f7d6f8d72afad2e6e40a646e8c897213c0aaed84f7b3960c8ea45c2f3a48a35a0f3140cd97e79f9b5c8d376ff140b270b3fffce87504c78b8

Download Submit
memory/2756-89-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-78-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-8-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-9-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-7-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-6-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-4-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-93-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-64-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-86-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-82-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-3-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-10-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-96-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-75-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-54-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-100-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-57-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-71-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2756-68-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3636-51-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-55-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-97-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-69-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-62-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-58-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-73-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-101-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-87-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-76-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-65-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-94-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-80-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-90-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4744-83-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4824-50-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4948-32-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4948-36-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4980-37-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4980-35-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5180-25-0x0000000074E81000-0x0000000074E82000-memory.dmp

Filesize
4KB

Download
memory/5288-49-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/5288-2-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/5288-1-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/5288-0-0x0000000074E81000-0x0000000074E82000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads