darkcomet | af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c

General

Target

af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Size

363KB
MD5

6868581b7a7f2803a837171254fe6331
SHA1

80e54e9ae298e949e49e06d927a9a5b31b5db21c
SHA256

af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c
SHA512

78cb03d3409db160f0cf69b951c4352a83227a1205f5a7db7aeacf820b06302d80b06fdc643b615bad3fe56b59224370c05c41f1ab9e753d1a39463ca6f8cead
SSDEEP

6144:mmluhyzPvCVoxWCmzUiQbbHhDPx3IfTYjDQ8g5J/ZAv5lFd+V5WnbFwPYzaYd+J:mwWyztxWdzjQbzhV3pjcpJ/2xMYwPY21

Score

10^/10

darkcomet zombie persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Zombie

C2

microsoftsystem.servehttp.com:1488

Mutex

DC_MUTEX-ADWJ2LM

Attributes

InstallPath
MSNetwork\lsmass.exe
gencode
lajRRURGWL6z
install
true
offline_keylogger
true
password
4nT1Cr4Ck3R3nCrYpT10n
persistence
true
reg_key
Windows-Network Component

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSNetwork\\lsmass.exe"	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe

Executes dropped EXE 2 IoCs

Processes:

lsmass.exelsmass.exe

pid process

2004 lsmass.exe
3152 lsmass.exe

pid	process
2004	lsmass.exe
3152	lsmass.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/824-137-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/824-138-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/824-139-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/824-140-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/824-142-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3152-154-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3152-155-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3152-156-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3152-157-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exeaf300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exelsmass.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	lsmass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exelsmass.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows-Network Component = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSNetwork\\lsmass.exe"	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows-Network Component = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSNetwork\\lsmass.exe"	lsmass.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exelsmass.exe

description	pid	process	target process
PID 3952 set thread context of 824	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
PID 2004 set thread context of 3152	2004	lsmass.exe	lsmass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exelsmass.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeSecurityPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeTakeOwnershipPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeLoadDriverPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeSystemProfilePrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeSystemtimePrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeProfSingleProcessPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeIncBasePriorityPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeCreatePagefilePrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeBackupPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeRestorePrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeShutdownPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeDebugPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeSystemEnvironmentPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeChangeNotifyPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeRemoteShutdownPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeUndockPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeManageVolumePrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeImpersonatePrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeCreateGlobalPrivilege	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: 33	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: 34	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: 35	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: 36	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
Token: SeIncreaseQuotaPrivilege	3152	lsmass.exe
Token: SeSecurityPrivilege	3152	lsmass.exe
Token: SeTakeOwnershipPrivilege	3152	lsmass.exe
Token: SeLoadDriverPrivilege	3152	lsmass.exe
Token: SeSystemProfilePrivilege	3152	lsmass.exe
Token: SeSystemtimePrivilege	3152	lsmass.exe
Token: SeProfSingleProcessPrivilege	3152	lsmass.exe
Token: SeIncBasePriorityPrivilege	3152	lsmass.exe
Token: SeCreatePagefilePrivilege	3152	lsmass.exe
Token: SeBackupPrivilege	3152	lsmass.exe
Token: SeRestorePrivilege	3152	lsmass.exe
Token: SeShutdownPrivilege	3152	lsmass.exe
Token: SeDebugPrivilege	3152	lsmass.exe
Token: SeSystemEnvironmentPrivilege	3152	lsmass.exe
Token: SeChangeNotifyPrivilege	3152	lsmass.exe
Token: SeRemoteShutdownPrivilege	3152	lsmass.exe
Token: SeUndockPrivilege	3152	lsmass.exe
Token: SeManageVolumePrivilege	3152	lsmass.exe
Token: SeImpersonatePrivilege	3152	lsmass.exe
Token: SeCreateGlobalPrivilege	3152	lsmass.exe
Token: 33	3152	lsmass.exe
Token: 34	3152	lsmass.exe
Token: 35	3152	lsmass.exe
Token: 36	3152	lsmass.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exelsmass.exelsmass.exe

pid process

3952 af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
2004 lsmass.exe
3152 lsmass.exe

pid	process
3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
2004	lsmass.exe
3152	lsmass.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exenet.exeaf300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exelsmass.exenet.exe

description	pid	process	target process
PID 3952 wrote to memory of 2844	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	net.exe
PID 3952 wrote to memory of 2844	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	net.exe
PID 3952 wrote to memory of 2844	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	net.exe
PID 2844 wrote to memory of 220	2844	net.exe	net1.exe
PID 2844 wrote to memory of 220	2844	net.exe	net1.exe
PID 2844 wrote to memory of 220	2844	net.exe	net1.exe
PID 3952 wrote to memory of 824	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
PID 3952 wrote to memory of 824	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
PID 3952 wrote to memory of 824	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
PID 3952 wrote to memory of 824	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
PID 3952 wrote to memory of 824	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
PID 3952 wrote to memory of 824	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
PID 3952 wrote to memory of 824	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
PID 3952 wrote to memory of 824	3952	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 3512	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	notepad.exe
PID 824 wrote to memory of 2004	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	lsmass.exe
PID 824 wrote to memory of 2004	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	lsmass.exe
PID 824 wrote to memory of 2004	824	af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe	lsmass.exe
PID 2004 wrote to memory of 4904	2004	lsmass.exe	net.exe
PID 2004 wrote to memory of 4904	2004	lsmass.exe	net.exe
PID 2004 wrote to memory of 4904	2004	lsmass.exe	net.exe
PID 4904 wrote to memory of 1300	4904	net.exe	net1.exe
PID 4904 wrote to memory of 1300	4904	net.exe	net1.exe
PID 4904 wrote to memory of 1300	4904	net.exe	net1.exe
PID 2004 wrote to memory of 3152	2004	lsmass.exe	lsmass.exe
PID 2004 wrote to memory of 3152	2004	lsmass.exe	lsmass.exe
PID 2004 wrote to memory of 3152	2004	lsmass.exe	lsmass.exe
PID 2004 wrote to memory of 3152	2004	lsmass.exe	lsmass.exe
PID 2004 wrote to memory of 3152	2004	lsmass.exe	lsmass.exe
PID 2004 wrote to memory of 3152	2004	lsmass.exe	lsmass.exe
PID 2004 wrote to memory of 3152	2004	lsmass.exe	lsmass.exe
PID 2004 wrote to memory of 3152	2004	lsmass.exe	lsmass.exe

C:\Users\Admin\AppData\Local\Temp\af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
"C:\Users\Admin\AppData\Local\Temp\af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" " stop sharedaccess"
2⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 " stop sharedaccess"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
"C:\Users\Admin\AppData\Local\Temp\af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe
"C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" " stop sharedaccess"
4⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 " stop sharedaccess"
5⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe
"C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe
Filesize
363KB

MD5
6868581b7a7f2803a837171254fe6331

SHA1
80e54e9ae298e949e49e06d927a9a5b31b5db21c

SHA256
af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c

SHA512
78cb03d3409db160f0cf69b951c4352a83227a1205f5a7db7aeacf820b06302d80b06fdc643b615bad3fe56b59224370c05c41f1ab9e753d1a39463ca6f8cead

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe
Filesize
363KB

MD5
6868581b7a7f2803a837171254fe6331

SHA1
80e54e9ae298e949e49e06d927a9a5b31b5db21c

SHA256
af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c

SHA512
78cb03d3409db160f0cf69b951c4352a83227a1205f5a7db7aeacf820b06302d80b06fdc643b615bad3fe56b59224370c05c41f1ab9e753d1a39463ca6f8cead

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe
Filesize
363KB

MD5
6868581b7a7f2803a837171254fe6331

SHA1
80e54e9ae298e949e49e06d927a9a5b31b5db21c

SHA256
af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c

SHA512
78cb03d3409db160f0cf69b951c4352a83227a1205f5a7db7aeacf820b06302d80b06fdc643b615bad3fe56b59224370c05c41f1ab9e753d1a39463ca6f8cead

Download Submit
memory/220-135-0x0000000000000000-mapping.dmp

Download
memory/824-138-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/824-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/824-140-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/824-137-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/824-142-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/824-136-0x0000000000000000-mapping.dmp

Download
memory/1300-149-0x0000000000000000-mapping.dmp

Download
memory/2004-143-0x0000000000000000-mapping.dmp

Download
memory/2844-134-0x0000000000000000-mapping.dmp

Download
memory/3152-150-0x0000000000000000-mapping.dmp

Download
memory/3152-154-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3152-155-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3152-156-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3152-157-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3512-141-0x0000000000000000-mapping.dmp

Download
memory/4904-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads