darkcomet | da7997129263f41228f9bb5871d5cd89729bfe28e4bde1e3252fd3d5bed8523c

General

Target

82dca3c497740155201cc439e429daca.exe
Size

1.6MB
MD5

82dca3c497740155201cc439e429daca
SHA1

1140867caf5154b1643fc820a134254d6f7714b2
SHA256

da7997129263f41228f9bb5871d5cd89729bfe28e4bde1e3252fd3d5bed8523c
SHA512

321c19525f1a2b04d2f74537a632c336ad440cbe19ab915b8b3602357b2352e4a91e88d451f0b90c26ce21aaad72fb09a79d400afa7e937c56397f115164b7de
SSDEEP

24576:BKOM/uMQP600sErXzeeEqe9BXbSd90D0LcrBQgDON4PO/zFd2AynlN:C/uMQ90brjeeTAX6/gyN4W/zFd2

Score

10^/10

darkcomet sazan evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

laz22.duckdns.org:2222

Mutex

DC_MUTEX-4UDC91U

Attributes

InstallPath
DiscordCrash\DiscordCrash.exe
gencode
lPgqdPijmdCo
install
true
offline_keylogger
true
persistence
true
reg_key
DiscordCrash

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Znrvkvjzhbwgtb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\DiscordCrash\\DiscordCrash.exe"	Znrvkvjzhbwgtb.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

688 attrib.exe
1184 attrib.exe

pid	process
688	attrib.exe
1184	attrib.exe

Executes dropped EXE 7 IoCs

Processes:

Znrvkvjzhbwgtb.exeRvscjrede.exeZnrvkvjzhbwgtb.exeDiscordCrash.exeDiscordCrash.exeDiscordCrash.exeDiscordCrash.exe

pid	process
2316	Znrvkvjzhbwgtb.exe
2748	Rvscjrede.exe
2344	Znrvkvjzhbwgtb.exe
1640	DiscordCrash.exe
2900	DiscordCrash.exe
2904	DiscordCrash.exe
2108	DiscordCrash.exe

Loads dropped DLL 7 IoCs

Processes:

82dca3c497740155201cc439e429daca.exeZnrvkvjzhbwgtb.exeZnrvkvjzhbwgtb.exeDiscordCrash.exe

pid	process
2620	82dca3c497740155201cc439e429daca.exe
2620	82dca3c497740155201cc439e429daca.exe
2316	Znrvkvjzhbwgtb.exe
2344	Znrvkvjzhbwgtb.exe
1640	DiscordCrash.exe
1640	DiscordCrash.exe
1640	DiscordCrash.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Znrvkvjzhbwgtb.exeDiscordCrash.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordCrash = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DiscordCrash\\DiscordCrash.exe"	Znrvkvjzhbwgtb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordCrash = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DiscordCrash\\DiscordCrash.exe"	DiscordCrash.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Znrvkvjzhbwgtb.exeDiscordCrash.exe

description	pid	process	target process
PID 2316 set thread context of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 1640 set thread context of 2108	1640	DiscordCrash.exe	DiscordCrash.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DiscordCrash.exe

pid process

1640 DiscordCrash.exe
1640 DiscordCrash.exe
1640 DiscordCrash.exe
1640 DiscordCrash.exe

pid	process
1640	DiscordCrash.exe
1640	DiscordCrash.exe
1640	DiscordCrash.exe
1640	DiscordCrash.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

Znrvkvjzhbwgtb.exeDiscordCrash.exeDiscordCrash.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeSecurityPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeTakeOwnershipPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeLoadDriverPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeSystemProfilePrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeSystemtimePrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeProfSingleProcessPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeIncBasePriorityPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeCreatePagefilePrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeBackupPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeRestorePrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeShutdownPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeDebugPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeSystemEnvironmentPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeChangeNotifyPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeRemoteShutdownPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeUndockPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeManageVolumePrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeImpersonatePrivilege	2344	Znrvkvjzhbwgtb.exe
Token: SeCreateGlobalPrivilege	2344	Znrvkvjzhbwgtb.exe
Token: 33	2344	Znrvkvjzhbwgtb.exe
Token: 34	2344	Znrvkvjzhbwgtb.exe
Token: 35	2344	Znrvkvjzhbwgtb.exe
Token: SeDebugPrivilege	1640	DiscordCrash.exe
Token: SeIncreaseQuotaPrivilege	2108	DiscordCrash.exe
Token: SeSecurityPrivilege	2108	DiscordCrash.exe
Token: SeTakeOwnershipPrivilege	2108	DiscordCrash.exe
Token: SeLoadDriverPrivilege	2108	DiscordCrash.exe
Token: SeSystemProfilePrivilege	2108	DiscordCrash.exe
Token: SeSystemtimePrivilege	2108	DiscordCrash.exe
Token: SeProfSingleProcessPrivilege	2108	DiscordCrash.exe
Token: SeIncBasePriorityPrivilege	2108	DiscordCrash.exe
Token: SeCreatePagefilePrivilege	2108	DiscordCrash.exe
Token: SeBackupPrivilege	2108	DiscordCrash.exe
Token: SeRestorePrivilege	2108	DiscordCrash.exe
Token: SeShutdownPrivilege	2108	DiscordCrash.exe
Token: SeDebugPrivilege	2108	DiscordCrash.exe
Token: SeSystemEnvironmentPrivilege	2108	DiscordCrash.exe
Token: SeChangeNotifyPrivilege	2108	DiscordCrash.exe
Token: SeRemoteShutdownPrivilege	2108	DiscordCrash.exe
Token: SeUndockPrivilege	2108	DiscordCrash.exe
Token: SeManageVolumePrivilege	2108	DiscordCrash.exe
Token: SeImpersonatePrivilege	2108	DiscordCrash.exe
Token: SeCreateGlobalPrivilege	2108	DiscordCrash.exe
Token: 33	2108	DiscordCrash.exe
Token: 34	2108	DiscordCrash.exe
Token: 35	2108	DiscordCrash.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DiscordCrash.exe

pid process

2108 DiscordCrash.exe

pid	process
2108	DiscordCrash.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

82dca3c497740155201cc439e429daca.exeZnrvkvjzhbwgtb.exeZnrvkvjzhbwgtb.execmd.execmd.exeDiscordCrash.exeDiscordCrash.exe

description	pid	process	target process
PID 2620 wrote to memory of 2316	2620	82dca3c497740155201cc439e429daca.exe	Znrvkvjzhbwgtb.exe
PID 2620 wrote to memory of 2316	2620	82dca3c497740155201cc439e429daca.exe	Znrvkvjzhbwgtb.exe
PID 2620 wrote to memory of 2316	2620	82dca3c497740155201cc439e429daca.exe	Znrvkvjzhbwgtb.exe
PID 2620 wrote to memory of 2316	2620	82dca3c497740155201cc439e429daca.exe	Znrvkvjzhbwgtb.exe
PID 2620 wrote to memory of 2748	2620	82dca3c497740155201cc439e429daca.exe	Rvscjrede.exe
PID 2620 wrote to memory of 2748	2620	82dca3c497740155201cc439e429daca.exe	Rvscjrede.exe
PID 2620 wrote to memory of 2748	2620	82dca3c497740155201cc439e429daca.exe	Rvscjrede.exe
PID 2620 wrote to memory of 2748	2620	82dca3c497740155201cc439e429daca.exe	Rvscjrede.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2316 wrote to memory of 2344	2316	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 2344 wrote to memory of 2296	2344	Znrvkvjzhbwgtb.exe	cmd.exe
PID 2344 wrote to memory of 2296	2344	Znrvkvjzhbwgtb.exe	cmd.exe
PID 2344 wrote to memory of 2296	2344	Znrvkvjzhbwgtb.exe	cmd.exe
PID 2344 wrote to memory of 2296	2344	Znrvkvjzhbwgtb.exe	cmd.exe
PID 2344 wrote to memory of 2176	2344	Znrvkvjzhbwgtb.exe	cmd.exe
PID 2344 wrote to memory of 2176	2344	Znrvkvjzhbwgtb.exe	cmd.exe
PID 2344 wrote to memory of 2176	2344	Znrvkvjzhbwgtb.exe	cmd.exe
PID 2344 wrote to memory of 2176	2344	Znrvkvjzhbwgtb.exe	cmd.exe
PID 2296 wrote to memory of 688	2296	cmd.exe	attrib.exe
PID 2296 wrote to memory of 688	2296	cmd.exe	attrib.exe
PID 2296 wrote to memory of 688	2296	cmd.exe	attrib.exe
PID 2296 wrote to memory of 688	2296	cmd.exe	attrib.exe
PID 2176 wrote to memory of 1184	2176	cmd.exe	attrib.exe
PID 2176 wrote to memory of 1184	2176	cmd.exe	attrib.exe
PID 2176 wrote to memory of 1184	2176	cmd.exe	attrib.exe
PID 2176 wrote to memory of 1184	2176	cmd.exe	attrib.exe
PID 2344 wrote to memory of 1640	2344	Znrvkvjzhbwgtb.exe	DiscordCrash.exe
PID 2344 wrote to memory of 1640	2344	Znrvkvjzhbwgtb.exe	DiscordCrash.exe
PID 2344 wrote to memory of 1640	2344	Znrvkvjzhbwgtb.exe	DiscordCrash.exe
PID 2344 wrote to memory of 1640	2344	Znrvkvjzhbwgtb.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2900	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2900	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2900	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2900	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2904	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2904	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2904	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2904	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 1640 wrote to memory of 2108	1640	DiscordCrash.exe	DiscordCrash.exe
PID 2108 wrote to memory of 1952	2108	DiscordCrash.exe	notepad.exe
PID 2108 wrote to memory of 1952	2108	DiscordCrash.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

688 attrib.exe
1184 attrib.exe

pid	process
688	attrib.exe
1184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\82dca3c497740155201cc439e429daca.exe
"C:\Users\Admin\AppData\Local\Temp\82dca3c497740155201cc439e429daca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
"C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
"C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1184

C:\Users\Admin\AppData\Local\Temp\DiscordCrash\DiscordCrash.exe
"C:\Users\Admin\AppData\Local\Temp\DiscordCrash\DiscordCrash.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\DiscordCrash\DiscordCrash.exe
"C:\Users\Admin\AppData\Local\Temp\DiscordCrash\DiscordCrash.exe"
5⤵
- Executes dropped EXE
PID:2900

C:\Users\Admin\AppData\Local\Temp\DiscordCrash\DiscordCrash.exe
"C:\Users\Admin\AppData\Local\Temp\DiscordCrash\DiscordCrash.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\DiscordCrash\DiscordCrash.exe
"C:\Users\Admin\AppData\Local\Temp\DiscordCrash\DiscordCrash.exe"
5⤵
- Executes dropped EXE
PID:2904

C:\Users\Admin\AppData\Local\Temp\Rvscjrede.exe
"C:\Users\Admin\AppData\Local\Temp\Rvscjrede.exe"
2⤵
- Executes dropped EXE
PID:2748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Rvscjrede.exe
Filesize
1.0MB

MD5
db8d22c08ae2dc96460bde6e4c647cf0

SHA1
a5426c57d95d6ded36490477dc70b5f0334620ff

SHA256
4d628afd99939d96ad069d34b6edf1102283f10879f032951e8adad5f997a079

SHA512
f9b15fcb20408b43cbce12a9047fdfc362bfaa9c1ba9f013a5d6792e21cffb2bcc6b9a5a2214ef65aaf71360d3ea3cbe77505aafb7f97b11ac1a90c3d677026c

Download Submit
\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
Filesize
682KB

MD5
ee11b56f08f564c29013caf41b567bbb

SHA1
2b591e906542ac034131ae5e6deee31e22c79958

SHA256
38199fe38695af4989ca59662ec707847a13a3413ea6128fcc4f7f8b58b76f5e

SHA512
f4497a64e113a917026676babaf744d3f82c62fce9667fe608e45d4346eceefc00e6c65fc80fdaed8da6a33575fa8c13770cdfb0709b09ae4d0ec2d2a3a208f0

Download Submit
memory/1640-55-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1640-77-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1640-56-0x0000000000310000-0x00000000003C0000-memory.dmp

Filesize
704KB

Download
memory/1952-109-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1952-81-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2108-111-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2108-110-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2108-116-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2108-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2108-80-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2108-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2316-39-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2316-18-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/2316-12-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2316-13-0x0000000000A00000-0x0000000000AB0000-memory.dmp

Filesize
704KB

Download
memory/2344-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2344-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-38-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-30-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-42-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-43-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2344-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2344-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2620-33-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2620-2-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2620-1-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2620-0-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2748-48-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2748-21-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/2748-20-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-47-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2748-112-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-113-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2748-114-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2748-115-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2748-40-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads