darkcomet | f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625

General

Target

f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
Size

679KB
MD5

5adafaad972e3ba20c8a9381e00ef147
SHA1

f9ea16679b27fa79944b963f8db45ec00e9fb32d
SHA256

f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625
SHA512

be246760efab08d080d6f0c1c5b1f312a0e3155e4191c37e86f8b99a03406d61bd569660d32bee4919da4cbcacffbce2763cbc53e32385eaf3ee22077e91e391
SSDEEP

12288:P1iW3qxJbe973FR15E3plnFWSZVcV88B37adcdwARQzySyQST/ZscO:tBj73FjCZlFWWLUa1zySyXhs

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

dcratted.duckdns.org:3080

Mutex

DCMIN_MUTEX-G22C7RQ

Attributes

gencode
FFUwUJHhLVPu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 4 IoCs

Processes:

vbc.exesvchost .execsrss .exevbc.exe

pid process

424 vbc.exe
1496 svchost .exe
4820 csrss .exe
980 vbc.exe

pid	process
424	vbc.exe
1496	svchost .exe
4820	csrss .exe
980	vbc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.execsrss .exesvchost .exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost .exe"	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost .exe"	csrss .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost .exe"	svchost .exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.execsrss .exe

description	pid	process	target process
PID 4216 set thread context of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4820 set thread context of 980	4820	csrss .exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.execsrss .exesvchost .exe

pid	process
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4820	csrss .exe
4820	csrss .exe
1496	svchost .exe
1496	svchost .exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4820	csrss .exe
4820	csrss .exe
1496	svchost .exe
1496	svchost .exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4820	csrss .exe
4820	csrss .exe
1496	svchost .exe
1496	svchost .exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4820	csrss .exe
4820	csrss .exe
1496	svchost .exe
1496	svchost .exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4820	csrss .exe
4820	csrss .exe
1496	svchost .exe
1496	svchost .exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4820	csrss .exe
4820	csrss .exe
1496	svchost .exe
1496	svchost .exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4820	csrss .exe
4820	csrss .exe
1496	svchost .exe
1496	svchost .exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4820	csrss .exe
4820	csrss .exe
1496	svchost .exe
1496	svchost .exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4820	csrss .exe
4820	csrss .exe
1496	svchost .exe
1496	svchost .exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
4820	csrss .exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exevbc.exevbc.execsrss .exesvchost .exe

description	pid	process
Token: SeDebugPrivilege	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
Token: SeIncreaseQuotaPrivilege	424	vbc.exe
Token: SeSecurityPrivilege	424	vbc.exe
Token: SeTakeOwnershipPrivilege	424	vbc.exe
Token: SeLoadDriverPrivilege	424	vbc.exe
Token: SeSystemProfilePrivilege	424	vbc.exe
Token: SeSystemtimePrivilege	424	vbc.exe
Token: SeProfSingleProcessPrivilege	424	vbc.exe
Token: SeIncBasePriorityPrivilege	424	vbc.exe
Token: SeCreatePagefilePrivilege	424	vbc.exe
Token: SeBackupPrivilege	424	vbc.exe
Token: SeRestorePrivilege	424	vbc.exe
Token: SeShutdownPrivilege	424	vbc.exe
Token: SeDebugPrivilege	424	vbc.exe
Token: SeSystemEnvironmentPrivilege	424	vbc.exe
Token: SeChangeNotifyPrivilege	424	vbc.exe
Token: SeRemoteShutdownPrivilege	424	vbc.exe
Token: SeUndockPrivilege	424	vbc.exe
Token: SeManageVolumePrivilege	424	vbc.exe
Token: SeImpersonatePrivilege	424	vbc.exe
Token: SeCreateGlobalPrivilege	424	vbc.exe
Token: 33	424	vbc.exe
Token: 34	424	vbc.exe
Token: 35	424	vbc.exe
Token: 36	424	vbc.exe
Token: SeIncreaseQuotaPrivilege	980	vbc.exe
Token: SeSecurityPrivilege	980	vbc.exe
Token: SeTakeOwnershipPrivilege	980	vbc.exe
Token: SeLoadDriverPrivilege	980	vbc.exe
Token: SeSystemProfilePrivilege	980	vbc.exe
Token: SeSystemtimePrivilege	980	vbc.exe
Token: SeProfSingleProcessPrivilege	980	vbc.exe
Token: SeIncBasePriorityPrivilege	980	vbc.exe
Token: SeCreatePagefilePrivilege	980	vbc.exe
Token: SeBackupPrivilege	980	vbc.exe
Token: SeRestorePrivilege	980	vbc.exe
Token: SeShutdownPrivilege	980	vbc.exe
Token: SeDebugPrivilege	980	vbc.exe
Token: SeSystemEnvironmentPrivilege	980	vbc.exe
Token: SeChangeNotifyPrivilege	980	vbc.exe
Token: SeRemoteShutdownPrivilege	980	vbc.exe
Token: SeUndockPrivilege	980	vbc.exe
Token: SeManageVolumePrivilege	980	vbc.exe
Token: SeImpersonatePrivilege	980	vbc.exe
Token: SeCreateGlobalPrivilege	980	vbc.exe
Token: 33	980	vbc.exe
Token: 34	980	vbc.exe
Token: 35	980	vbc.exe
Token: 36	980	vbc.exe
Token: SeDebugPrivilege	4820	csrss .exe
Token: SeDebugPrivilege	1496	svchost .exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

424 vbc.exe

pid	process
424	vbc.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.execsrss .exe

description	pid	process	target process
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 424	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	vbc.exe
PID 4216 wrote to memory of 1496	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	svchost .exe
PID 4216 wrote to memory of 1496	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	svchost .exe
PID 4216 wrote to memory of 1496	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	svchost .exe
PID 4216 wrote to memory of 4820	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	csrss .exe
PID 4216 wrote to memory of 4820	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	csrss .exe
PID 4216 wrote to memory of 4820	4216	f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe	csrss .exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe
PID 4820 wrote to memory of 980	4820	csrss .exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe
"C:\Users\Admin\AppData\Local\Temp\f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:424
- C:\Users\Admin\AppData\Local\Temp\svchost .exe
  "C:\Users\Admin\AppData\Local\Temp\svchost .exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\csrss .exe
  "C:\Users\Admin\AppData\Local\Temp\csrss .exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    C:\Users\Admin\AppData\Local\Temp\vbc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System.config

Filesize
658KB

MD5
f7bd5472d2fbc710b770d6c4eaf5882a

SHA1
8769f69d7a410ce92faa2c331ef335fc52b1708e

SHA256
d97bec075cabf338039503a5400a2971aa769630ede37862fc9de742c40a094d

SHA512
78a0159a75bedac15a4c1777a2ead30f8216c6529c1d489ed83bd3c8700cd0989566f30504fa75d988622c1ab1c2c3f9996d647daaa428645db2408787ae3353

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss .exe

Filesize
679KB

MD5
5adafaad972e3ba20c8a9381e00ef147

SHA1
f9ea16679b27fa79944b963f8db45ec00e9fb32d

SHA256
f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625

SHA512
be246760efab08d080d6f0c1c5b1f312a0e3155e4191c37e86f8b99a03406d61bd569660d32bee4919da4cbcacffbce2763cbc53e32385eaf3ee22077e91e391

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss .exe

Filesize
679KB

MD5
5adafaad972e3ba20c8a9381e00ef147

SHA1
f9ea16679b27fa79944b963f8db45ec00e9fb32d

SHA256
f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625

SHA512
be246760efab08d080d6f0c1c5b1f312a0e3155e4191c37e86f8b99a03406d61bd569660d32bee4919da4cbcacffbce2763cbc53e32385eaf3ee22077e91e391

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost .exe

Filesize
679KB

MD5
5adafaad972e3ba20c8a9381e00ef147

SHA1
f9ea16679b27fa79944b963f8db45ec00e9fb32d

SHA256
f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625

SHA512
be246760efab08d080d6f0c1c5b1f312a0e3155e4191c37e86f8b99a03406d61bd569660d32bee4919da4cbcacffbce2763cbc53e32385eaf3ee22077e91e391

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost .exe

Filesize
679KB

MD5
5adafaad972e3ba20c8a9381e00ef147

SHA1
f9ea16679b27fa79944b963f8db45ec00e9fb32d

SHA256
f876d29899bbb047f8f5fbb14c702a3ba88a34989d5ebe62b736ca060c1c4625

SHA512
be246760efab08d080d6f0c1c5b1f312a0e3155e4191c37e86f8b99a03406d61bd569660d32bee4919da4cbcacffbce2763cbc53e32385eaf3ee22077e91e391

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/424-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/424-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/424-144-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/424-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/424-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/424-137-0x0000000000000000-mapping.dmp

Download
memory/424-149-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/980-154-0x0000000000000000-mapping.dmp

Download
memory/980-159-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1496-146-0x0000000000000000-mapping.dmp

Download
memory/4216-132-0x0000000000EC0000-0x0000000000F70000-memory.dmp

Filesize
704KB

Download
memory/4216-135-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/4216-134-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/4216-133-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/4216-136-0x0000000007E50000-0x0000000007EEC000-memory.dmp

Filesize
624KB

Download
memory/4820-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads