darkcomet | bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742

General

Target

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Size

251KB
MD5

42c4dc5105eff86f69d8c3d0d1e9e773
SHA1

a4c1c4f627ac87cb180f3e70751bf525ef658def
SHA256

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742
SHA512

8017b10da3f275a719dee0d7cdea1fc066af93a99748501d4d2519827f651d1dd7dbab5bab8f8ed268ef5cb72573c6f95a0e77e4e5e0af68a08a524feab8d91f

Score

10^/10

darkcomet user evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

User

C2

tarkovbanned.hopto.org:1337

Mutex

DC_MUTEX-BBUXYWX

Attributes

InstallPath
nVidiaExpe\nvmdch.exe
gencode
bZniVw7x2f7P
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\nVidiaExpe\\nvmdch.exe"	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe

Disables RegEdit via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

nvmdch.exe

pid process

1740 nvmdch.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
1740	nvmdch.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe	upx
C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe	upx
\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe	upx
C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe	upx
behavioral1/memory/1724-12-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1724-14-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1724-15-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2024 notepad.exe

pid	process
2024	notepad.exe

Loads dropped DLL 2 IoCs

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe

pid	process
1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exenvmdch.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\nVidiaExpe\\nvmdch.exe"	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\nVidiaExpe\\nvmdch.exe"	nvmdch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\nVidiaExpe\\nvmdch.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

nvmdch.exe

description pid process target process

PID 1740 set thread context of 1724 1740 nvmdch.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1724 iexplore.exe

description	pid	process	target process
PID 1740 set thread context of 1724	1740	nvmdch.exe	iexplore.exe

pid	process
1724	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exenvmdch.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeSecurityPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeTakeOwnershipPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeLoadDriverPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeSystemProfilePrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeSystemtimePrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeProfSingleProcessPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeIncBasePriorityPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeCreatePagefilePrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeBackupPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeRestorePrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeShutdownPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeDebugPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeSystemEnvironmentPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeChangeNotifyPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeRemoteShutdownPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeUndockPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeManageVolumePrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeImpersonatePrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeCreateGlobalPrivilege	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: 33	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: 34	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: 35	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeIncreaseQuotaPrivilege	1740	nvmdch.exe
Token: SeSecurityPrivilege	1740	nvmdch.exe
Token: SeTakeOwnershipPrivilege	1740	nvmdch.exe
Token: SeLoadDriverPrivilege	1740	nvmdch.exe
Token: SeSystemProfilePrivilege	1740	nvmdch.exe
Token: SeSystemtimePrivilege	1740	nvmdch.exe
Token: SeProfSingleProcessPrivilege	1740	nvmdch.exe
Token: SeIncBasePriorityPrivilege	1740	nvmdch.exe
Token: SeCreatePagefilePrivilege	1740	nvmdch.exe
Token: SeBackupPrivilege	1740	nvmdch.exe
Token: SeRestorePrivilege	1740	nvmdch.exe
Token: SeShutdownPrivilege	1740	nvmdch.exe
Token: SeDebugPrivilege	1740	nvmdch.exe
Token: SeSystemEnvironmentPrivilege	1740	nvmdch.exe
Token: SeChangeNotifyPrivilege	1740	nvmdch.exe
Token: SeRemoteShutdownPrivilege	1740	nvmdch.exe
Token: SeUndockPrivilege	1740	nvmdch.exe
Token: SeManageVolumePrivilege	1740	nvmdch.exe
Token: SeImpersonatePrivilege	1740	nvmdch.exe
Token: SeCreateGlobalPrivilege	1740	nvmdch.exe
Token: 33	1740	nvmdch.exe
Token: 34	1740	nvmdch.exe
Token: 35	1740	nvmdch.exe
Token: SeIncreaseQuotaPrivilege	1724	iexplore.exe
Token: SeSecurityPrivilege	1724	iexplore.exe
Token: SeTakeOwnershipPrivilege	1724	iexplore.exe
Token: SeLoadDriverPrivilege	1724	iexplore.exe
Token: SeSystemProfilePrivilege	1724	iexplore.exe
Token: SeSystemtimePrivilege	1724	iexplore.exe
Token: SeProfSingleProcessPrivilege	1724	iexplore.exe
Token: SeIncBasePriorityPrivilege	1724	iexplore.exe
Token: SeCreatePagefilePrivilege	1724	iexplore.exe
Token: SeBackupPrivilege	1724	iexplore.exe
Token: SeRestorePrivilege	1724	iexplore.exe
Token: SeShutdownPrivilege	1724	iexplore.exe
Token: SeDebugPrivilege	1724	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1724	iexplore.exe
Token: SeChangeNotifyPrivilege	1724	iexplore.exe
Token: SeRemoteShutdownPrivilege	1724	iexplore.exe
Token: SeUndockPrivilege	1724	iexplore.exe
Token: SeManageVolumePrivilege	1724	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

1724 iexplore.exe

pid	process
1724	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.execmd.execmd.exenvmdch.exeiexplore.exe

description	pid	process	target process
PID 1688 wrote to memory of 1136	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 1688 wrote to memory of 1136	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 1688 wrote to memory of 1136	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 1688 wrote to memory of 1136	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 1688 wrote to memory of 1332	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 1688 wrote to memory of 1332	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 1688 wrote to memory of 1332	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 1688 wrote to memory of 1332	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1688 wrote to memory of 2024	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 1332 wrote to memory of 588	1332	cmd.exe	attrib.exe
PID 1332 wrote to memory of 588	1332	cmd.exe	attrib.exe
PID 1332 wrote to memory of 588	1332	cmd.exe	attrib.exe
PID 1332 wrote to memory of 588	1332	cmd.exe	attrib.exe
PID 1136 wrote to memory of 268	1136	cmd.exe	attrib.exe
PID 1136 wrote to memory of 268	1136	cmd.exe	attrib.exe
PID 1136 wrote to memory of 268	1136	cmd.exe	attrib.exe
PID 1136 wrote to memory of 268	1136	cmd.exe	attrib.exe
PID 1688 wrote to memory of 1740	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	nvmdch.exe
PID 1688 wrote to memory of 1740	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	nvmdch.exe
PID 1688 wrote to memory of 1740	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	nvmdch.exe
PID 1688 wrote to memory of 1740	1688	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	nvmdch.exe
PID 1740 wrote to memory of 1724	1740	nvmdch.exe	iexplore.exe
PID 1740 wrote to memory of 1724	1740	nvmdch.exe	iexplore.exe
PID 1740 wrote to memory of 1724	1740	nvmdch.exe	iexplore.exe
PID 1740 wrote to memory of 1724	1740	nvmdch.exe	iexplore.exe
PID 1740 wrote to memory of 1724	1740	nvmdch.exe	iexplore.exe
PID 1740 wrote to memory of 1724	1740	nvmdch.exe	iexplore.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe
PID 1724 wrote to memory of 1664	1724	iexplore.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

268 attrib.exe
588 attrib.exe

pid	process
268	attrib.exe
588	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
"C:\Users\Admin\AppData\Local\Temp\bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe" +s +h
3⤵
- Views/modifies file attributes
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:588

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:2024

C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe
"C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe
MD5
42c4dc5105eff86f69d8c3d0d1e9e773

SHA1
a4c1c4f627ac87cb180f3e70751bf525ef658def

SHA256
bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742

SHA512
8017b10da3f275a719dee0d7cdea1fc066af93a99748501d4d2519827f651d1dd7dbab5bab8f8ed268ef5cb72573c6f95a0e77e4e5e0af68a08a524feab8d91f

Download Submit
C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe
MD5
42c4dc5105eff86f69d8c3d0d1e9e773

SHA1
a4c1c4f627ac87cb180f3e70751bf525ef658def

SHA256
bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742

SHA512
8017b10da3f275a719dee0d7cdea1fc066af93a99748501d4d2519827f651d1dd7dbab5bab8f8ed268ef5cb72573c6f95a0e77e4e5e0af68a08a524feab8d91f

Download Submit
\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe
MD5
42c4dc5105eff86f69d8c3d0d1e9e773

SHA1
a4c1c4f627ac87cb180f3e70751bf525ef658def

SHA256
bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742

SHA512
8017b10da3f275a719dee0d7cdea1fc066af93a99748501d4d2519827f651d1dd7dbab5bab8f8ed268ef5cb72573c6f95a0e77e4e5e0af68a08a524feab8d91f

Download Submit
\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe
MD5
42c4dc5105eff86f69d8c3d0d1e9e773

SHA1
a4c1c4f627ac87cb180f3e70751bf525ef658def

SHA256
bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742

SHA512
8017b10da3f275a719dee0d7cdea1fc066af93a99748501d4d2519827f651d1dd7dbab5bab8f8ed268ef5cb72573c6f95a0e77e4e5e0af68a08a524feab8d91f

Download Submit
memory/268-6-0x0000000000000000-mapping.dmp

Download
memory/588-5-0x0000000000000000-mapping.dmp

Download
memory/1136-0-0x0000000000000000-mapping.dmp

Download
memory/1332-1-0x0000000000000000-mapping.dmp

Download
memory/1664-18-0x0000000000000000-mapping.dmp

Download
memory/1664-17-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1664-16-0x0000000000000000-mapping.dmp

Download
memory/1724-12-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1724-13-0x00000000004B57C0-mapping.dmp

Download
memory/1724-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1724-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1740-9-0x0000000000000000-mapping.dmp

Download
memory/2024-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2024-4-0x0000000000000000-mapping.dmp

Download
memory/2024-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads