darkcomet | 774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d

General

Target

774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Size

253KB
MD5

a7ed8c789a41a6db77900fb831cdbef9
SHA1

fbbd9acb792edcc840a6fa9d74bd104555c05da9
SHA256

774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d
SHA512

5df51bb5d15bfd4b4d73b19e9478d2609790d8f8977a088f61c7fe331756b2a401dc3d7ecaf4f33c15874e6313449ea6b11a1bcac0fa64d51b776d4cbcb0db8f

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Disables RegEdit via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1108 msdcsc.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
1108	msdcsc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

332 notepad.exe

pid	process
332	notepad.exe

Loads dropped DLL 2 IoCs

Processes:

774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe

pid	process
1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdcsc.exe

pid process

1108 msdcsc.exe

pid	process
1108	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeSecurityPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeTakeOwnershipPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeLoadDriverPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeSystemProfilePrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeSystemtimePrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeProfSingleProcessPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeIncBasePriorityPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeCreatePagefilePrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeBackupPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeRestorePrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeShutdownPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeDebugPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeSystemEnvironmentPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeChangeNotifyPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeRemoteShutdownPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeUndockPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeManageVolumePrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeImpersonatePrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeCreateGlobalPrivilege	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: 33	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: 34	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: 35	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
Token: SeIncreaseQuotaPrivilege	1108	msdcsc.exe
Token: SeSecurityPrivilege	1108	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1108	msdcsc.exe
Token: SeLoadDriverPrivilege	1108	msdcsc.exe
Token: SeSystemProfilePrivilege	1108	msdcsc.exe
Token: SeSystemtimePrivilege	1108	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1108	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1108	msdcsc.exe
Token: SeCreatePagefilePrivilege	1108	msdcsc.exe
Token: SeBackupPrivilege	1108	msdcsc.exe
Token: SeRestorePrivilege	1108	msdcsc.exe
Token: SeShutdownPrivilege	1108	msdcsc.exe
Token: SeDebugPrivilege	1108	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1108	msdcsc.exe
Token: SeChangeNotifyPrivilege	1108	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1108	msdcsc.exe
Token: SeUndockPrivilege	1108	msdcsc.exe
Token: SeManageVolumePrivilege	1108	msdcsc.exe
Token: SeImpersonatePrivilege	1108	msdcsc.exe
Token: SeCreateGlobalPrivilege	1108	msdcsc.exe
Token: 33	1108	msdcsc.exe
Token: 34	1108	msdcsc.exe
Token: 35	1108	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1108 msdcsc.exe

pid	process
1108	msdcsc.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.execmd.execmd.exemsdcsc.exe

description	pid	process	target process
PID 1280 wrote to memory of 996	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	cmd.exe
PID 1280 wrote to memory of 996	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	cmd.exe
PID 1280 wrote to memory of 996	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	cmd.exe
PID 1280 wrote to memory of 996	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	cmd.exe
PID 1280 wrote to memory of 268	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	cmd.exe
PID 1280 wrote to memory of 268	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	cmd.exe
PID 1280 wrote to memory of 268	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	cmd.exe
PID 1280 wrote to memory of 268	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	cmd.exe
PID 996 wrote to memory of 1480	996	cmd.exe	attrib.exe
PID 996 wrote to memory of 1480	996	cmd.exe	attrib.exe
PID 996 wrote to memory of 1480	996	cmd.exe	attrib.exe
PID 996 wrote to memory of 1480	996	cmd.exe	attrib.exe
PID 268 wrote to memory of 1452	268	cmd.exe	attrib.exe
PID 268 wrote to memory of 1452	268	cmd.exe	attrib.exe
PID 268 wrote to memory of 1452	268	cmd.exe	attrib.exe
PID 268 wrote to memory of 1452	268	cmd.exe	attrib.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 332	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	notepad.exe
PID 1280 wrote to memory of 1108	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	msdcsc.exe
PID 1280 wrote to memory of 1108	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	msdcsc.exe
PID 1280 wrote to memory of 1108	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	msdcsc.exe
PID 1280 wrote to memory of 1108	1280	774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe	msdcsc.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe
PID 1108 wrote to memory of 1032	1108	msdcsc.exe	notepad.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1452 attrib.exe
1480 attrib.exe

pid	process
1452	attrib.exe
1480	attrib.exe

C:\Users\Admin\AppData\Local\Temp\774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe
"C:\Users\Admin\AppData\Local\Temp\774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d.exe" +s +h
3⤵
- Views/modifies file attributes
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:1452

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:332

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1108

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
253KB

MD5
a7ed8c789a41a6db77900fb831cdbef9

SHA1
fbbd9acb792edcc840a6fa9d74bd104555c05da9

SHA256
774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d

SHA512
5df51bb5d15bfd4b4d73b19e9478d2609790d8f8977a088f61c7fe331756b2a401dc3d7ecaf4f33c15874e6313449ea6b11a1bcac0fa64d51b776d4cbcb0db8f

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
253KB

MD5
a7ed8c789a41a6db77900fb831cdbef9

SHA1
fbbd9acb792edcc840a6fa9d74bd104555c05da9

SHA256
774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d

SHA512
5df51bb5d15bfd4b4d73b19e9478d2609790d8f8977a088f61c7fe331756b2a401dc3d7ecaf4f33c15874e6313449ea6b11a1bcac0fa64d51b776d4cbcb0db8f

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
253KB

MD5
a7ed8c789a41a6db77900fb831cdbef9

SHA1
fbbd9acb792edcc840a6fa9d74bd104555c05da9

SHA256
774e2a55bc641f2c66a14cee1e083d783a13f36fc92de2573baf3a2c5d47a87d

SHA512
5df51bb5d15bfd4b4d73b19e9478d2609790d8f8977a088f61c7fe331756b2a401dc3d7ecaf4f33c15874e6313449ea6b11a1bcac0fa64d51b776d4cbcb0db8f

Download Submit
memory/268-56-0x0000000000000000-mapping.dmp

Download
memory/332-59-0x0000000000000000-mapping.dmp

Download
memory/996-55-0x0000000000000000-mapping.dmp

Download
memory/1032-66-0x0000000000000000-mapping.dmp

Download
memory/1108-63-0x0000000000000000-mapping.dmp

Download
memory/1280-54-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download
memory/1452-58-0x0000000000000000-mapping.dmp

Download
memory/1480-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads