darkcomet | c08fbf1f549669dd048f5008b7f5f3150d1fb0dc7f6a420b369eb7469dfbc3e2

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Size

5.9MB
MD5

19962480e1ea3d8a3c00250e8e7867e7
SHA1

d0240accf1b93436deb4d681bdbf1882420c1ff2
SHA256

c08fbf1f549669dd048f5008b7f5f3150d1fb0dc7f6a420b369eb7469dfbc3e2
SHA512

ae7f73c7e600a1b4d27b871af2962cfffcbe7f8fdae87f0344c8396c7326bd06a2ea89273d8ac03974c2ed0eb96bdcb28d4759132d43fdb81bbd286530364267
SSDEEP

98304:cLILI6zcwPD3WCvdmVoyfgqo8BRqSTOUhNJsiTN1G1ja+ps5mIWWx:cLz6wwb3WdHIqo8BhSUhN/RCj7i5mvK

Score

10^/10

darkcomet test1 evasion persistence rat themida trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Test1

fttpsrvr.serveftp.com:81

Mutex

DC_MUTEX-KC4MATP

Attributes

gencode
bwdrBTvAAiq3
install
false
offline_keylogger
true
password
0137982645
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

THE SERVER.SCR

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows\\svchost.com"	THE SERVER.SCR

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

THE SERVER.SCRsvchost.com

pid process

2748 THE SERVER.SCR
2832 svchost.com
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine 19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Loads dropped DLL 4 IoCs

Processes:

19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exeTHE SERVER.SCR

pid process

2412 19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
2412 19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
2748 THE SERVER.SCR
2748 THE SERVER.SCR

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe

pid	process
2748	THE SERVER.SCR
2832	svchost.com

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe

pid	process
2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
2748	THE SERVER.SCR
2748	THE SERVER.SCR

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2412-0-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-2-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-3-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-7-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-6-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-4-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-17-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-22-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-112-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-113-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-120-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-121-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-122-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-123-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-124-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida
behavioral1/memory/2412-125-0x0000000000400000-0x0000000000A4D000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

THE SERVER.SCRsvchost.com

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows\\svchost.com"	THE SERVER.SCR
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows\\svchost.com"	svchost.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe

pid process

2412 19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2772 vlc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe

pid process

2412 19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

vlc.exe19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exesvchost.com

pid process

2772 vlc.exe
2412 19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
2832 svchost.com

pid	process
2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe

pid	process
2772	vlc.exe

pid	process
2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe

pid	process
2772	vlc.exe
2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
2832	svchost.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exeTHE SERVER.SCRsvchost.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeSecurityPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeBackupPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeRestorePrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeShutdownPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeDebugPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeUndockPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: 33	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: 34	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: 35	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2748	THE SERVER.SCR
Token: SeSecurityPrivilege	2748	THE SERVER.SCR
Token: SeTakeOwnershipPrivilege	2748	THE SERVER.SCR
Token: SeLoadDriverPrivilege	2748	THE SERVER.SCR
Token: SeSystemProfilePrivilege	2748	THE SERVER.SCR
Token: SeSystemtimePrivilege	2748	THE SERVER.SCR
Token: SeProfSingleProcessPrivilege	2748	THE SERVER.SCR
Token: SeIncBasePriorityPrivilege	2748	THE SERVER.SCR
Token: SeCreatePagefilePrivilege	2748	THE SERVER.SCR
Token: SeBackupPrivilege	2748	THE SERVER.SCR
Token: SeRestorePrivilege	2748	THE SERVER.SCR
Token: SeShutdownPrivilege	2748	THE SERVER.SCR
Token: SeDebugPrivilege	2748	THE SERVER.SCR
Token: SeSystemEnvironmentPrivilege	2748	THE SERVER.SCR
Token: SeChangeNotifyPrivilege	2748	THE SERVER.SCR
Token: SeRemoteShutdownPrivilege	2748	THE SERVER.SCR
Token: SeUndockPrivilege	2748	THE SERVER.SCR
Token: SeManageVolumePrivilege	2748	THE SERVER.SCR
Token: SeImpersonatePrivilege	2748	THE SERVER.SCR
Token: SeCreateGlobalPrivilege	2748	THE SERVER.SCR
Token: 33	2748	THE SERVER.SCR
Token: 34	2748	THE SERVER.SCR
Token: 35	2748	THE SERVER.SCR
Token: SeIncreaseQuotaPrivilege	2832	svchost.com
Token: SeSecurityPrivilege	2832	svchost.com
Token: SeTakeOwnershipPrivilege	2832	svchost.com
Token: SeLoadDriverPrivilege	2832	svchost.com
Token: SeSystemProfilePrivilege	2832	svchost.com
Token: SeSystemtimePrivilege	2832	svchost.com
Token: SeProfSingleProcessPrivilege	2832	svchost.com
Token: SeIncBasePriorityPrivilege	2832	svchost.com
Token: SeCreatePagefilePrivilege	2832	svchost.com
Token: SeBackupPrivilege	2832	svchost.com
Token: SeRestorePrivilege	2832	svchost.com
Token: SeShutdownPrivilege	2832	svchost.com
Token: SeDebugPrivilege	2832	svchost.com
Token: SeSystemEnvironmentPrivilege	2832	svchost.com
Token: SeChangeNotifyPrivilege	2832	svchost.com
Token: SeRemoteShutdownPrivilege	2832	svchost.com
Token: SeUndockPrivilege	2832	svchost.com
Token: SeManageVolumePrivilege	2832	svchost.com

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

vlc.exe

pid process

2772 vlc.exe
2772 vlc.exe
2772 vlc.exe
2772 vlc.exe
2772 vlc.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

vlc.exe

pid process

2772 vlc.exe
2772 vlc.exe
2772 vlc.exe
2772 vlc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

svchost.com19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exevlc.exe

pid process

2832 svchost.com
2412 19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
2772 vlc.exe

pid	process
2772	vlc.exe
2772	vlc.exe
2772	vlc.exe
2772	vlc.exe
2772	vlc.exe

pid	process
2772	vlc.exe
2772	vlc.exe
2772	vlc.exe
2772	vlc.exe

pid	process
2832	svchost.com
2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
2772	vlc.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exeTHE SERVER.SCRsvchost.com

description	pid	process	target process
PID 2412 wrote to memory of 2748	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	THE SERVER.SCR
PID 2412 wrote to memory of 2748	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	THE SERVER.SCR
PID 2412 wrote to memory of 2748	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	THE SERVER.SCR
PID 2412 wrote to memory of 2748	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	THE SERVER.SCR
PID 2412 wrote to memory of 2772	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	vlc.exe
PID 2412 wrote to memory of 2772	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	vlc.exe
PID 2412 wrote to memory of 2772	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	vlc.exe
PID 2412 wrote to memory of 2772	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	vlc.exe
PID 2748 wrote to memory of 2832	2748	THE SERVER.SCR	svchost.com
PID 2748 wrote to memory of 2832	2748	THE SERVER.SCR	svchost.com
PID 2748 wrote to memory of 2832	2748	THE SERVER.SCR	svchost.com
PID 2748 wrote to memory of 2832	2748	THE SERVER.SCR	svchost.com
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2832 wrote to memory of 2532	2832	svchost.com	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe
PID 2412 wrote to memory of 1280	2412	19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19962480e1ea3d8a3c00250e8e7867e7_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\THE SERVER.SCR
"C:\Users\Admin\AppData\Local\Temp\THE SERVER.SCR" /S
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows\svchost.com
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows\svchost.com"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:2532

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\TWILIGHT_MOVIE_SOUND_TRACK.MP3"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2772

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\THE SERVER.SCR
Filesize
661KB

MD5
6ab345c7ac302d1c52dc70f6d8a5d9fb

SHA1
3c99ea4a7f270c7001fa90f84ce3292b18e1b945

SHA256
1d1f68ec9078e388708f845467463afb1da88b313e72fe80154e1c2832f94283

SHA512
c3194442bf5bff21828533d096c602923922f4d6e778cff838aa89500ca1cdd74cd79a9bcdb56b4ab37c51f2e82d86f063f8d5ac4f7d195ea90d76aae8c0a2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWILIGHT_MOVIE_SOUND_TRACK.MP3
Filesize
3.9MB

MD5
a8068500eceff27539780e6f96fa963f

SHA1
71640dcad4347b529a45605c69720a46e8e41a6b

SHA256
45d12a1995f2b1476f1d2e84a93de0de6b8b71e70a0f8c22d4862d93b284006b

SHA512
adf1b9225504cbc845f4e68640de5788a77ef8624373908f8a374bdd76e3d281751c546cb0092ec52ffab50b3831a1df8227a5b21e64c64728d446d2651e7667

Download Submit
memory/2412-113-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-0-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-7-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-6-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-4-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-2-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-17-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-22-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-125-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-124-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-123-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-1-0x0000000000401000-0x0000000000450000-memory.dmp

Filesize
316KB

Download
memory/2412-112-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-3-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-120-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-121-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2412-122-0x0000000000400000-0x0000000000A4D000-memory.dmp

Filesize
6.3MB

Download
memory/2532-32-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2532-70-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2748-30-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download