darkcomet | 6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7

General

Target

6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
Size

1.5MB
MD5

126f5757d251196b27ca858ca09d4a0f
SHA1

b769b92f612f2cb9b3cee69bcfd60fae8a1909c1
SHA256

6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7
SHA512

b74ba3f24d84ca23a83b0b07d51a9322486aba0497ee5682b45a661437125168eecec98f9a7ae57352cee647efb3ffd218f738fbaaef9cdb7cbda046edcde23d

Score

10^/10

darkcomet runescape persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

C2

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes

gencode
uNwew4gojxtu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

ichader.exeichader.exeichader.exe

pid process

1060 ichader.exe
3908 ichader.exe
1608 ichader.exe

pid	process
1060	ichader.exe
3908	ichader.exe
1608	ichader.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2080-4-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2080-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2080-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1608-30-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1608-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1608-39-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\IDM\\ichader.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exeichader.exe

description	pid	process	target process
PID 912 set thread context of 2716	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 912 set thread context of 2080	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 1060 set thread context of 2144	1060	ichader.exe	svchost.exe
PID 1060 set thread context of 3908	1060	ichader.exe	ichader.exe
PID 1060 set thread context of 1608	1060	ichader.exe	ichader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3824 2716 WerFault.exe svchost.exe

pid	pid_target	process	target process
3824	2716	WerFault.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ichader.exeichader.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1608	ichader.exe
Token: SeSecurityPrivilege	1608	ichader.exe
Token: SeTakeOwnershipPrivilege	1608	ichader.exe
Token: SeLoadDriverPrivilege	1608	ichader.exe
Token: SeSystemProfilePrivilege	1608	ichader.exe
Token: SeSystemtimePrivilege	1608	ichader.exe
Token: SeProfSingleProcessPrivilege	1608	ichader.exe
Token: SeIncBasePriorityPrivilege	1608	ichader.exe
Token: SeCreatePagefilePrivilege	1608	ichader.exe
Token: SeBackupPrivilege	1608	ichader.exe
Token: SeRestorePrivilege	1608	ichader.exe
Token: SeShutdownPrivilege	1608	ichader.exe
Token: SeDebugPrivilege	1608	ichader.exe
Token: SeSystemEnvironmentPrivilege	1608	ichader.exe
Token: SeChangeNotifyPrivilege	1608	ichader.exe
Token: SeRemoteShutdownPrivilege	1608	ichader.exe
Token: SeUndockPrivilege	1608	ichader.exe
Token: SeManageVolumePrivilege	1608	ichader.exe
Token: SeImpersonatePrivilege	1608	ichader.exe
Token: SeCreateGlobalPrivilege	1608	ichader.exe
Token: 33	1608	ichader.exe
Token: 34	1608	ichader.exe
Token: 35	1608	ichader.exe
Token: 36	1608	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe
Token: SeDebugPrivilege	3908	ichader.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exeichader.exesvchost.exeichader.exeichader.exe

pid	process
912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
2080	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
1060	ichader.exe
2144	svchost.exe
3908	ichader.exe
1608	ichader.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.execmd.exeichader.exe

description	pid	process	target process
PID 912 wrote to memory of 2716	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 912 wrote to memory of 2716	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 912 wrote to memory of 2716	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 912 wrote to memory of 2716	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 912 wrote to memory of 2080	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 912 wrote to memory of 2080	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 912 wrote to memory of 2080	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 912 wrote to memory of 2080	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 912 wrote to memory of 2080	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 912 wrote to memory of 2080	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 912 wrote to memory of 2080	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 912 wrote to memory of 2080	912	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 2080 wrote to memory of 3176	2080	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	cmd.exe
PID 2080 wrote to memory of 3176	2080	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	cmd.exe
PID 2080 wrote to memory of 3176	2080	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	cmd.exe
PID 3176 wrote to memory of 2696	3176	cmd.exe	reg.exe
PID 3176 wrote to memory of 2696	3176	cmd.exe	reg.exe
PID 3176 wrote to memory of 2696	3176	cmd.exe	reg.exe
PID 2080 wrote to memory of 1060	2080	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	ichader.exe
PID 2080 wrote to memory of 1060	2080	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	ichader.exe
PID 2080 wrote to memory of 1060	2080	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	ichader.exe
PID 1060 wrote to memory of 2144	1060	ichader.exe	svchost.exe
PID 1060 wrote to memory of 2144	1060	ichader.exe	svchost.exe
PID 1060 wrote to memory of 2144	1060	ichader.exe	svchost.exe
PID 1060 wrote to memory of 2144	1060	ichader.exe	svchost.exe
PID 1060 wrote to memory of 2144	1060	ichader.exe	svchost.exe
PID 1060 wrote to memory of 2144	1060	ichader.exe	svchost.exe
PID 1060 wrote to memory of 2144	1060	ichader.exe	svchost.exe
PID 1060 wrote to memory of 2144	1060	ichader.exe	svchost.exe
PID 1060 wrote to memory of 2144	1060	ichader.exe	svchost.exe
PID 1060 wrote to memory of 3908	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 3908	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 3908	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 3908	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 3908	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 3908	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 3908	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 3908	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 1608	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 1608	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 1608	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 1608	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 1608	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 1608	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 1608	1060	ichader.exe	ichader.exe
PID 1060 wrote to memory of 1608	1060	ichader.exe	ichader.exe

C:\Users\Admin\AppData\Local\Temp\6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
"C:\Users\Admin\AppData\Local\Temp\6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 92
3⤵
- Program crash
PID:3824

C:\Users\Admin\AppData\Local\Temp\6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
"C:\Users\Admin\AppData\Local\Temp\6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOKIY.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
4⤵
- Adds Run key to start application
PID:2696

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AOKIY.bat

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
37db7da3f5b91c911050ecd861e1c77b

SHA1
c581958664ccdb07feb2c85a5aabe25e8ad262a2

SHA256
e83c23fa1608735d8f89af664557613e51cf05d6a3f6f5e27d976085b3446e75

SHA512
5d4af51951b56fad18c7ad483392dfbc0788aedfc5c0ba2c5a89a688752b9f1ef7e499774b7089013ebec7774812901fd13fc493672ff313fa89dc915b56dfc8

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
37db7da3f5b91c911050ecd861e1c77b

SHA1
c581958664ccdb07feb2c85a5aabe25e8ad262a2

SHA256
e83c23fa1608735d8f89af664557613e51cf05d6a3f6f5e27d976085b3446e75

SHA512
5d4af51951b56fad18c7ad483392dfbc0788aedfc5c0ba2c5a89a688752b9f1ef7e499774b7089013ebec7774812901fd13fc493672ff313fa89dc915b56dfc8

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
37db7da3f5b91c911050ecd861e1c77b

SHA1
c581958664ccdb07feb2c85a5aabe25e8ad262a2

SHA256
e83c23fa1608735d8f89af664557613e51cf05d6a3f6f5e27d976085b3446e75

SHA512
5d4af51951b56fad18c7ad483392dfbc0788aedfc5c0ba2c5a89a688752b9f1ef7e499774b7089013ebec7774812901fd13fc493672ff313fa89dc915b56dfc8

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
37db7da3f5b91c911050ecd861e1c77b

SHA1
c581958664ccdb07feb2c85a5aabe25e8ad262a2

SHA256
e83c23fa1608735d8f89af664557613e51cf05d6a3f6f5e27d976085b3446e75

SHA512
5d4af51951b56fad18c7ad483392dfbc0788aedfc5c0ba2c5a89a688752b9f1ef7e499774b7089013ebec7774812901fd13fc493672ff313fa89dc915b56dfc8

Download Submit
memory/1060-17-0x0000000073340000-0x00000000733D3000-memory.dmp

Filesize
588KB

Download
memory/1060-14-0x0000000000000000-mapping.dmp

Download
memory/1608-30-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1608-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1608-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1608-34-0x0000000073340000-0x00000000733D3000-memory.dmp

Filesize
588KB

Download
memory/1608-31-0x00000000004B5210-mapping.dmp

Download
memory/2080-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2080-5-0x00000000004085D0-mapping.dmp

Download
memory/2080-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2080-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2144-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2144-21-0x000000000040B000-mapping.dmp

Download
memory/2144-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2144-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2696-13-0x0000000000000000-mapping.dmp

Download
memory/2716-3-0x000000000040B000-mapping.dmp

Download
memory/3176-11-0x0000000000000000-mapping.dmp

Download
memory/3824-10-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/3908-27-0x00000000004085D0-mapping.dmp

Download
memory/3908-29-0x0000000073340000-0x00000000733D3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads