darkcomet | 6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a

General

Target

6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
Size

841KB
MD5

82690a44bde92c0c17564e74658c0524
SHA1

7ec5fce16bc61554da8391667192da0055cf2da4
SHA256

6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a
SHA512

2218d251752a98e5772d343f27d56afcba6d00c63e8ed6eb8e64a40e5bbdac4d90c9af494511477a65d3ff6688fd1bc5e43267a091fd358147f6bf3d2572f1c5
SSDEEP

12288:2sXbaMDaRr5rLe6YtDIMT4Jg7xddVD1zlRWigtENylHVNGdFVCRYFho:32vwDIMT4yFd/v1E7o

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

markgraham.noip.me:2124

Mutex

DCMIN_MUTEX-FUSP59W

Attributes

gencode
Le3UD9gfvz8p
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

WUDHost.exeAcctres.exe

pid process

516 WUDHost.exe
1104 Acctres.exe
Loads dropped DLL 2 IoCs

Processes:

6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exeWUDHost.exe

pid process

1768 6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516 WUDHost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
516	WUDHost.exe
1104	Acctres.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WUDHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exeAcctres.exe

description	pid	process	target process
PID 1768 set thread context of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1104 set thread context of 2016	1104	Acctres.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exeWUDHost.exeAcctres.exe

pid	process
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
516	WUDHost.exe
516	WUDHost.exe
1104	Acctres.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exevbc.exeWUDHost.exeAcctres.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
Token: SeIncreaseQuotaPrivilege	112	vbc.exe
Token: SeSecurityPrivilege	112	vbc.exe
Token: SeTakeOwnershipPrivilege	112	vbc.exe
Token: SeLoadDriverPrivilege	112	vbc.exe
Token: SeSystemProfilePrivilege	112	vbc.exe
Token: SeSystemtimePrivilege	112	vbc.exe
Token: SeProfSingleProcessPrivilege	112	vbc.exe
Token: SeIncBasePriorityPrivilege	112	vbc.exe
Token: SeCreatePagefilePrivilege	112	vbc.exe
Token: SeBackupPrivilege	112	vbc.exe
Token: SeRestorePrivilege	112	vbc.exe
Token: SeShutdownPrivilege	112	vbc.exe
Token: SeDebugPrivilege	112	vbc.exe
Token: SeSystemEnvironmentPrivilege	112	vbc.exe
Token: SeChangeNotifyPrivilege	112	vbc.exe
Token: SeRemoteShutdownPrivilege	112	vbc.exe
Token: SeUndockPrivilege	112	vbc.exe
Token: SeManageVolumePrivilege	112	vbc.exe
Token: SeImpersonatePrivilege	112	vbc.exe
Token: SeCreateGlobalPrivilege	112	vbc.exe
Token: 33	112	vbc.exe
Token: 34	112	vbc.exe
Token: 35	112	vbc.exe
Token: SeDebugPrivilege	516	WUDHost.exe
Token: SeDebugPrivilege	1104	Acctres.exe
Token: SeIncreaseQuotaPrivilege	2016	vbc.exe
Token: SeSecurityPrivilege	2016	vbc.exe
Token: SeTakeOwnershipPrivilege	2016	vbc.exe
Token: SeLoadDriverPrivilege	2016	vbc.exe
Token: SeSystemProfilePrivilege	2016	vbc.exe
Token: SeSystemtimePrivilege	2016	vbc.exe
Token: SeProfSingleProcessPrivilege	2016	vbc.exe
Token: SeIncBasePriorityPrivilege	2016	vbc.exe
Token: SeCreatePagefilePrivilege	2016	vbc.exe
Token: SeBackupPrivilege	2016	vbc.exe
Token: SeRestorePrivilege	2016	vbc.exe
Token: SeShutdownPrivilege	2016	vbc.exe
Token: SeDebugPrivilege	2016	vbc.exe
Token: SeSystemEnvironmentPrivilege	2016	vbc.exe
Token: SeChangeNotifyPrivilege	2016	vbc.exe
Token: SeRemoteShutdownPrivilege	2016	vbc.exe
Token: SeUndockPrivilege	2016	vbc.exe
Token: SeManageVolumePrivilege	2016	vbc.exe
Token: SeImpersonatePrivilege	2016	vbc.exe
Token: SeCreateGlobalPrivilege	2016	vbc.exe
Token: 33	2016	vbc.exe
Token: 34	2016	vbc.exe
Token: 35	2016	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

112 vbc.exe

pid	process
112	vbc.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exeWUDHost.exeAcctres.exe

description	pid	process	target process
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 112	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	vbc.exe
PID 1768 wrote to memory of 516	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	WUDHost.exe
PID 1768 wrote to memory of 516	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	WUDHost.exe
PID 1768 wrote to memory of 516	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	WUDHost.exe
PID 1768 wrote to memory of 516	1768	6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe	WUDHost.exe
PID 516 wrote to memory of 1104	516	WUDHost.exe	Acctres.exe
PID 516 wrote to memory of 1104	516	WUDHost.exe	Acctres.exe
PID 516 wrote to memory of 1104	516	WUDHost.exe	Acctres.exe
PID 516 wrote to memory of 1104	516	WUDHost.exe	Acctres.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe
PID 1104 wrote to memory of 2016	1104	Acctres.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe
"C:\Users\Admin\AppData\Local\Temp\6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:112

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
841KB

MD5
82690a44bde92c0c17564e74658c0524

SHA1
7ec5fce16bc61554da8391667192da0055cf2da4

SHA256
6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a

SHA512
2218d251752a98e5772d343f27d56afcba6d00c63e8ed6eb8e64a40e5bbdac4d90c9af494511477a65d3ff6688fd1bc5e43267a091fd358147f6bf3d2572f1c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
841KB

MD5
82690a44bde92c0c17564e74658c0524

SHA1
7ec5fce16bc61554da8391667192da0055cf2da4

SHA256
6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a

SHA512
2218d251752a98e5772d343f27d56afcba6d00c63e8ed6eb8e64a40e5bbdac4d90c9af494511477a65d3ff6688fd1bc5e43267a091fd358147f6bf3d2572f1c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
6KB

MD5
e60d6745837845b4797f6266fdeb756d

SHA1
bd4a42994d2c4ced86722e5f0cbc770eed89b538

SHA256
af4ccdd2b99f562597f71e67246fe6d759e574a7c521e72bf7ba08853cd635a2

SHA512
2a6a3c10a1f084caca40c7f9b86775df4e0f2e8c17ef9415b73344da87f7a702a9430bbffe5e6d39d5aaebf3841edcbb3754309caf84358718009abf08ac3bcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
6KB

MD5
e60d6745837845b4797f6266fdeb756d

SHA1
bd4a42994d2c4ced86722e5f0cbc770eed89b538

SHA256
af4ccdd2b99f562597f71e67246fe6d759e574a7c521e72bf7ba08853cd635a2

SHA512
2a6a3c10a1f084caca40c7f9b86775df4e0f2e8c17ef9415b73344da87f7a702a9430bbffe5e6d39d5aaebf3841edcbb3754309caf84358718009abf08ac3bcc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
841KB

MD5
82690a44bde92c0c17564e74658c0524

SHA1
7ec5fce16bc61554da8391667192da0055cf2da4

SHA256
6f43888ef7368d6e1228af67754616cfb469b39256bda67618401f3b7dc7d50a

SHA512
2218d251752a98e5772d343f27d56afcba6d00c63e8ed6eb8e64a40e5bbdac4d90c9af494511477a65d3ff6688fd1bc5e43267a091fd358147f6bf3d2572f1c5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
6KB

MD5
e60d6745837845b4797f6266fdeb756d

SHA1
bd4a42994d2c4ced86722e5f0cbc770eed89b538

SHA256
af4ccdd2b99f562597f71e67246fe6d759e574a7c521e72bf7ba08853cd635a2

SHA512
2a6a3c10a1f084caca40c7f9b86775df4e0f2e8c17ef9415b73344da87f7a702a9430bbffe5e6d39d5aaebf3841edcbb3754309caf84358718009abf08ac3bcc

Download Submit
memory/112-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-72-0x000000000048F888-mapping.dmp

Download
memory/112-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/112-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-82-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/516-77-0x0000000000000000-mapping.dmp

Download
memory/516-84-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-87-0x0000000000000000-mapping.dmp

Download
memory/1104-90-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-91-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-56-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-55-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-92-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/2016-112-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2016-108-0x000000000048F888-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads