darkcomet | 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

Analysis

max time kernel
7s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
Size

1.2MB
MD5

c6c22cf761ab226e77e8fff7afc24d35
SHA1

2237f3dce12a12a6888915f06e18760a6b127087
SHA256

3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd
SHA512

cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009
SSDEEP

24576:BxM1a9MVNGety8u3a5UwlNL20403Dtqji:7sa9Mf79uMW0pqj

Score

10^/10

darkcomet csgo persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

csgo

hyptonix.ddns.net:1604

Mutex

DCMIN_MUTEX-BR4A132

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
YwRoYaRknJKS
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	winlogon.exe

Executes dropped EXE 4 IoCs

Processes:

winlogon.exewinlogon.execsrss.exeIMDCSC.exe

pid process

472 winlogon.exe
1564 winlogon.exe
836 csrss.exe
1972 IMDCSC.exe

pid	process
472	winlogon.exe
1564	winlogon.exe
836	csrss.exe
1972	IMDCSC.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1564-72-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1564-75-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1564-77-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1564-82-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1564-83-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1564-84-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exewinlogon.exewinlogon.exe

pid process

2040 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
472 winlogon.exe
472 winlogon.exe
1564 winlogon.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winlogon.exe

description pid process target process

PID 472 set thread context of 1564 472 winlogon.exe winlogon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 472 set thread context of 1564	472	winlogon.exe	winlogon.exe

NTFS ADS 5 IoCs

Processes:

winlogon.execmd.exe3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.execmd.exewinlogon.exe

description	ioc	process
File created	C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe\:ZONE.identifier:$DATA	winlogon.exe
File created	C:\Users\Admin\AppData\Local\Temp\3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe\:ZONE.identifier:$DATA	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe\:ZONE.identifier:$DATA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exewinlogon.exe

pid	process
2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
472	winlogon.exe
472	winlogon.exe
472	winlogon.exe
472	winlogon.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exewinlogon.exewinlogon.exe

description	pid	process
Token: SeDebugPrivilege	2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
Token: SeDebugPrivilege	472	winlogon.exe
Token: SeDebugPrivilege	472	winlogon.exe
Token: SeIncreaseQuotaPrivilege	1564	winlogon.exe
Token: SeSecurityPrivilege	1564	winlogon.exe
Token: SeTakeOwnershipPrivilege	1564	winlogon.exe
Token: SeLoadDriverPrivilege	1564	winlogon.exe
Token: SeSystemProfilePrivilege	1564	winlogon.exe
Token: SeSystemtimePrivilege	1564	winlogon.exe
Token: SeProfSingleProcessPrivilege	1564	winlogon.exe
Token: SeIncBasePriorityPrivilege	1564	winlogon.exe
Token: SeCreatePagefilePrivilege	1564	winlogon.exe
Token: SeBackupPrivilege	1564	winlogon.exe
Token: SeRestorePrivilege	1564	winlogon.exe
Token: SeShutdownPrivilege	1564	winlogon.exe
Token: SeDebugPrivilege	1564	winlogon.exe
Token: SeSystemEnvironmentPrivilege	1564	winlogon.exe
Token: SeChangeNotifyPrivilege	1564	winlogon.exe
Token: SeRemoteShutdownPrivilege	1564	winlogon.exe
Token: SeUndockPrivilege	1564	winlogon.exe
Token: SeManageVolumePrivilege	1564	winlogon.exe
Token: SeImpersonatePrivilege	1564	winlogon.exe
Token: SeCreateGlobalPrivilege	1564	winlogon.exe
Token: 33	1564	winlogon.exe
Token: 34	1564	winlogon.exe
Token: 35	1564	winlogon.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 2040 wrote to memory of 588	2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe	cmd.exe
PID 2040 wrote to memory of 588	2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe	cmd.exe
PID 2040 wrote to memory of 588	2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe	cmd.exe
PID 2040 wrote to memory of 588	2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe	cmd.exe
PID 2040 wrote to memory of 472	2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe	winlogon.exe
PID 2040 wrote to memory of 472	2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe	winlogon.exe
PID 2040 wrote to memory of 472	2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe	winlogon.exe
PID 2040 wrote to memory of 472	2040	3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe	winlogon.exe
PID 472 wrote to memory of 1016	472	winlogon.exe	cmd.exe
PID 472 wrote to memory of 1016	472	winlogon.exe	cmd.exe
PID 472 wrote to memory of 1016	472	winlogon.exe	cmd.exe
PID 472 wrote to memory of 1016	472	winlogon.exe	cmd.exe
PID 472 wrote to memory of 1564	472	winlogon.exe	winlogon.exe
PID 472 wrote to memory of 1564	472	winlogon.exe	winlogon.exe
PID 472 wrote to memory of 1564	472	winlogon.exe	winlogon.exe
PID 472 wrote to memory of 1564	472	winlogon.exe	winlogon.exe
PID 472 wrote to memory of 1564	472	winlogon.exe	winlogon.exe
PID 472 wrote to memory of 1564	472	winlogon.exe	winlogon.exe
PID 472 wrote to memory of 1564	472	winlogon.exe	winlogon.exe
PID 472 wrote to memory of 1564	472	winlogon.exe	winlogon.exe
PID 472 wrote to memory of 836	472	winlogon.exe	csrss.exe
PID 472 wrote to memory of 836	472	winlogon.exe	csrss.exe
PID 472 wrote to memory of 836	472	winlogon.exe	csrss.exe
PID 472 wrote to memory of 836	472	winlogon.exe	csrss.exe
PID 1564 wrote to memory of 1972	1564	winlogon.exe	IMDCSC.exe
PID 1564 wrote to memory of 1972	1564	winlogon.exe	IMDCSC.exe
PID 1564 wrote to memory of 1972	1564	winlogon.exe	IMDCSC.exe
PID 1564 wrote to memory of 1972	1564	winlogon.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
"C:\Users\Admin\AppData\Local\Temp\3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe":ZONE.identifier & exit
2⤵
- NTFS ADS
PID:588

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
3⤵
- NTFS ADS
PID:1016

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
4⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe":ZONE.identifier & exit
5⤵
PID:556

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe" -keyhide -prochide 1564 -reg C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe -proc 1564 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
3⤵
- Executes dropped EXE
PID:836

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1.2MB

MD5
c6c22cf761ab226e77e8fff7afc24d35

SHA1
2237f3dce12a12a6888915f06e18760a6b127087

SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd

SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009

Download Submit
memory/472-67-0x0000000073EC0000-0x000000007446B000-memory.dmp

Filesize
5.7MB

Download
memory/472-66-0x0000000000AD6000-0x0000000000AE7000-memory.dmp

Filesize
68KB

Download
memory/472-91-0x0000000000AD6000-0x0000000000AE7000-memory.dmp

Filesize
68KB

Download
memory/472-60-0x0000000000000000-mapping.dmp

Download
memory/472-96-0x0000000073EC0000-0x000000007446B000-memory.dmp

Filesize
5.7MB

Download
memory/588-57-0x0000000000000000-mapping.dmp

Download
memory/836-86-0x0000000000000000-mapping.dmp

Download
memory/836-99-0x0000000073EC0000-0x000000007446B000-memory.dmp

Filesize
5.7MB

Download
memory/1016-68-0x0000000000000000-mapping.dmp

Download
memory/1564-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1564-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1564-84-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1564-82-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1564-79-0x00000000004B56D0-mapping.dmp

Download
memory/1564-77-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1564-71-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1564-83-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1972-92-0x0000000000000000-mapping.dmp

Download
memory/1972-97-0x0000000073EC0000-0x000000007446B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-98-0x0000000000966000-0x0000000000977000-memory.dmp

Filesize
68KB

Download
memory/2040-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/2040-65-0x0000000000B26000-0x0000000000B37000-memory.dmp

Filesize
68KB

Download
memory/2040-64-0x0000000073EC0000-0x000000007446B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-56-0x0000000000B26000-0x0000000000B37000-memory.dmp

Filesize
68KB

Download
memory/2040-55-0x0000000073EC0000-0x000000007446B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads