darkcomet | 6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715

General

Target

6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Size

349KB
MD5

a95e3e4dbedcc98e826cc682ef8b3fd6
SHA1

54008e19ea4b5b4a452905fa5f7d78b3ecfbfe6e
SHA256

6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715
SHA512

b73e4c4834e0b9de45c0efa8d589264e06b5f858bd393732fde1813c0d64ccc5e054625eaad5dd054f15d34e529d30a5505f84443e749640c5d68b00a8c4c4f5

Score

10^/10

darkcomet 22 evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

22

C2

kvejo991.ddns.net:1604

Mutex

DC_MUTEX-B50G4BJ

Attributes

InstallPath
MSDCSC\explorer.exe
gencode
JLac09ou37rj
install
true
offline_keylogger
true
persistence
true
reg_key
explorer

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\explorer.exe"	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

explorer.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" explorer.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" explorer.exe
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

1364 explorer.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

852 attrib.exe
1732 attrib.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe

pid	process
1364	explorer.exe

pid	process
852	attrib.exe
1732	attrib.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\MSDCSC\explorer.exe	upx
\Users\Admin\AppData\Roaming\MSDCSC\explorer.exe	upx
C:\Users\Admin\AppData\Roaming\MSDCSC\explorer.exe	upx
C:\Users\Admin\AppData\Roaming\MSDCSC\explorer.exe	upx
behavioral1/memory/1752-69-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1364-71-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1364-72-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1956 notepad.exe
Loads dropped DLL 2 IoCs

Processes:

6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe

pid process

1752 6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
1752 6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" explorer.exe

pid	process
1956	notepad.exe

pid	process
1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\explorer.exe"	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\explorer.exe"	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeSecurityPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeTakeOwnershipPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeLoadDriverPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeSystemProfilePrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeSystemtimePrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeProfSingleProcessPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeIncBasePriorityPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeCreatePagefilePrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeBackupPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeRestorePrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeShutdownPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeDebugPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeSystemEnvironmentPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeChangeNotifyPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeRemoteShutdownPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeUndockPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeManageVolumePrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeImpersonatePrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeCreateGlobalPrivilege	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: 33	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: 34	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: 35	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Token: SeIncreaseQuotaPrivilege	1364	explorer.exe
Token: SeSecurityPrivilege	1364	explorer.exe
Token: SeTakeOwnershipPrivilege	1364	explorer.exe
Token: SeLoadDriverPrivilege	1364	explorer.exe
Token: SeSystemProfilePrivilege	1364	explorer.exe
Token: SeSystemtimePrivilege	1364	explorer.exe
Token: SeProfSingleProcessPrivilege	1364	explorer.exe
Token: SeIncBasePriorityPrivilege	1364	explorer.exe
Token: SeCreatePagefilePrivilege	1364	explorer.exe
Token: SeBackupPrivilege	1364	explorer.exe
Token: SeRestorePrivilege	1364	explorer.exe
Token: SeShutdownPrivilege	1364	explorer.exe
Token: SeDebugPrivilege	1364	explorer.exe
Token: SeSystemEnvironmentPrivilege	1364	explorer.exe
Token: SeChangeNotifyPrivilege	1364	explorer.exe
Token: SeRemoteShutdownPrivilege	1364	explorer.exe
Token: SeUndockPrivilege	1364	explorer.exe
Token: SeManageVolumePrivilege	1364	explorer.exe
Token: SeImpersonatePrivilege	1364	explorer.exe
Token: SeCreateGlobalPrivilege	1364	explorer.exe
Token: 33	1364	explorer.exe
Token: 34	1364	explorer.exe
Token: 35	1364	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1364 explorer.exe

pid	process
1364	explorer.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.execmd.execmd.exeexplorer.exe

description	pid	process	target process
PID 1752 wrote to memory of 2008	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	cmd.exe
PID 1752 wrote to memory of 2008	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	cmd.exe
PID 1752 wrote to memory of 2008	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	cmd.exe
PID 1752 wrote to memory of 2008	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	cmd.exe
PID 1752 wrote to memory of 1960	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	cmd.exe
PID 1752 wrote to memory of 1960	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	cmd.exe
PID 1752 wrote to memory of 1960	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	cmd.exe
PID 1752 wrote to memory of 1960	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	cmd.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 2008 wrote to memory of 852	2008	cmd.exe	attrib.exe
PID 2008 wrote to memory of 852	2008	cmd.exe	attrib.exe
PID 2008 wrote to memory of 852	2008	cmd.exe	attrib.exe
PID 2008 wrote to memory of 852	2008	cmd.exe	attrib.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1752 wrote to memory of 1956	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	notepad.exe
PID 1960 wrote to memory of 1732	1960	cmd.exe	attrib.exe
PID 1960 wrote to memory of 1732	1960	cmd.exe	attrib.exe
PID 1960 wrote to memory of 1732	1960	cmd.exe	attrib.exe
PID 1960 wrote to memory of 1732	1960	cmd.exe	attrib.exe
PID 1752 wrote to memory of 1364	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	explorer.exe
PID 1752 wrote to memory of 1364	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	explorer.exe
PID 1752 wrote to memory of 1364	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	explorer.exe
PID 1752 wrote to memory of 1364	1752	6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe	explorer.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe
PID 1364 wrote to memory of 1768	1364	explorer.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

852 attrib.exe
1732 attrib.exe

pid	process
852	attrib.exe
1732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
"C:\Users\Admin\AppData\Local\Temp\6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1732

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:1956

C:\Users\Admin\AppData\Roaming\MSDCSC\explorer.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\explorer.exe"
2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

2

T1031

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

6

T1112

Disabling Security Tools

2

T1089

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MSDCSC\explorer.exe
Filesize
349KB

MD5
a95e3e4dbedcc98e826cc682ef8b3fd6

SHA1
54008e19ea4b5b4a452905fa5f7d78b3ecfbfe6e

SHA256
6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715

SHA512
b73e4c4834e0b9de45c0efa8d589264e06b5f858bd393732fde1813c0d64ccc5e054625eaad5dd054f15d34e529d30a5505f84443e749640c5d68b00a8c4c4f5

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\explorer.exe
Filesize
349KB

MD5
a95e3e4dbedcc98e826cc682ef8b3fd6

SHA1
54008e19ea4b5b4a452905fa5f7d78b3ecfbfe6e

SHA256
6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715

SHA512
b73e4c4834e0b9de45c0efa8d589264e06b5f858bd393732fde1813c0d64ccc5e054625eaad5dd054f15d34e529d30a5505f84443e749640c5d68b00a8c4c4f5

Download Submit
\Users\Admin\AppData\Roaming\MSDCSC\explorer.exe
Filesize
349KB

MD5
a95e3e4dbedcc98e826cc682ef8b3fd6

SHA1
54008e19ea4b5b4a452905fa5f7d78b3ecfbfe6e

SHA256
6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715

SHA512
b73e4c4834e0b9de45c0efa8d589264e06b5f858bd393732fde1813c0d64ccc5e054625eaad5dd054f15d34e529d30a5505f84443e749640c5d68b00a8c4c4f5

Download Submit
\Users\Admin\AppData\Roaming\MSDCSC\explorer.exe
Filesize
349KB

MD5
a95e3e4dbedcc98e826cc682ef8b3fd6

SHA1
54008e19ea4b5b4a452905fa5f7d78b3ecfbfe6e

SHA256
6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715

SHA512
b73e4c4834e0b9de45c0efa8d589264e06b5f858bd393732fde1813c0d64ccc5e054625eaad5dd054f15d34e529d30a5505f84443e749640c5d68b00a8c4c4f5

Download Submit
memory/852-58-0x0000000000000000-mapping.dmp

Download
memory/1364-63-0x0000000000000000-mapping.dmp

Download
memory/1364-71-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1364-72-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1732-60-0x0000000000000000-mapping.dmp

Download
memory/1752-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1752-69-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1752-70-0x00000000039F0000-0x0000000003AD8000-memory.dmp

Filesize
928KB

Download
memory/1768-67-0x0000000000000000-mapping.dmp

Download
memory/1956-57-0x0000000000000000-mapping.dmp

Download
memory/1960-56-0x0000000000000000-mapping.dmp

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads