darkcomet | ad10bd209a0400769c98b80be60c4eb4962731830d374e7f76ba3455d92c7e67

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 04:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a0e9c48de4b99b90d67b003e9e159447.exe
Size

1.2MB
MD5

a0e9c48de4b99b90d67b003e9e159447
SHA1

b2d59745cdf8b1aa44e46f8ae0857aca4dfb4368
SHA256

ad10bd209a0400769c98b80be60c4eb4962731830d374e7f76ba3455d92c7e67
SHA512

3c6a5cb1b53dbc504f8f49aedd44daa5d9b167072b4dce8ad0a970255d9648e8e0d1b59721fec93c7fec34544aa4b770834309c0dc287f4dd6e94dc945da0b8f
SSDEEP

12288:SF1bx4wVjyTavQOtx7dFXrrnYvIGIFyhLFbSl/WnLqIioAneMnFuCwvbHODHxfuK:SRyG9hdBGol/WOdpruIQIWAGSTDCNM3

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe,C:\\Windupdt\\winupdate.exe"	vbc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	vbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	vbc.exe

Executes dropped EXE 5 IoCs

pid	Process
3376	vbc.exe
3960	winupdate.exe
1640	vbc.exe
2352	winupdate.exe
3796	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 3960 set thread context of 1640	3960	winupdate.exe	96
PID 2352 set thread context of 3796	2352	winupdate.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1360	PING.EXE
4176	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3376	vbc.exe
Token: SeSecurityPrivilege	3376	vbc.exe
Token: SeTakeOwnershipPrivilege	3376	vbc.exe
Token: SeLoadDriverPrivilege	3376	vbc.exe
Token: SeSystemProfilePrivilege	3376	vbc.exe
Token: SeSystemtimePrivilege	3376	vbc.exe
Token: SeProfSingleProcessPrivilege	3376	vbc.exe
Token: SeIncBasePriorityPrivilege	3376	vbc.exe
Token: SeCreatePagefilePrivilege	3376	vbc.exe
Token: SeBackupPrivilege	3376	vbc.exe
Token: SeRestorePrivilege	3376	vbc.exe
Token: SeShutdownPrivilege	3376	vbc.exe
Token: SeDebugPrivilege	3376	vbc.exe
Token: SeSystemEnvironmentPrivilege	3376	vbc.exe
Token: SeChangeNotifyPrivilege	3376	vbc.exe
Token: SeRemoteShutdownPrivilege	3376	vbc.exe
Token: SeUndockPrivilege	3376	vbc.exe
Token: SeManageVolumePrivilege	3376	vbc.exe
Token: SeImpersonatePrivilege	3376	vbc.exe
Token: SeCreateGlobalPrivilege	3376	vbc.exe
Token: 33	3376	vbc.exe
Token: 34	3376	vbc.exe
Token: 35	3376	vbc.exe
Token: 36	3376	vbc.exe
Token: SeIncreaseQuotaPrivilege	1640	vbc.exe
Token: SeSecurityPrivilege	1640	vbc.exe
Token: SeTakeOwnershipPrivilege	1640	vbc.exe
Token: SeLoadDriverPrivilege	1640	vbc.exe
Token: SeSystemProfilePrivilege	1640	vbc.exe
Token: SeSystemtimePrivilege	1640	vbc.exe
Token: SeProfSingleProcessPrivilege	1640	vbc.exe
Token: SeIncBasePriorityPrivilege	1640	vbc.exe
Token: SeCreatePagefilePrivilege	1640	vbc.exe
Token: SeBackupPrivilege	1640	vbc.exe
Token: SeRestorePrivilege	1640	vbc.exe
Token: SeShutdownPrivilege	1640	vbc.exe
Token: SeDebugPrivilege	1640	vbc.exe
Token: SeSystemEnvironmentPrivilege	1640	vbc.exe
Token: SeChangeNotifyPrivilege	1640	vbc.exe
Token: SeRemoteShutdownPrivilege	1640	vbc.exe
Token: SeUndockPrivilege	1640	vbc.exe
Token: SeManageVolumePrivilege	1640	vbc.exe
Token: SeImpersonatePrivilege	1640	vbc.exe
Token: SeCreateGlobalPrivilege	1640	vbc.exe
Token: 33	1640	vbc.exe
Token: 34	1640	vbc.exe
Token: 35	1640	vbc.exe
Token: 36	1640	vbc.exe
Token: SeIncreaseQuotaPrivilege	3796	vbc.exe
Token: SeSecurityPrivilege	3796	vbc.exe
Token: SeTakeOwnershipPrivilege	3796	vbc.exe
Token: SeLoadDriverPrivilege	3796	vbc.exe
Token: SeSystemProfilePrivilege	3796	vbc.exe
Token: SeSystemtimePrivilege	3796	vbc.exe
Token: SeProfSingleProcessPrivilege	3796	vbc.exe
Token: SeIncBasePriorityPrivilege	3796	vbc.exe
Token: SeCreatePagefilePrivilege	3796	vbc.exe
Token: SeBackupPrivilege	3796	vbc.exe
Token: SeRestorePrivilege	3796	vbc.exe
Token: SeShutdownPrivilege	3796	vbc.exe
Token: SeDebugPrivilege	3796	vbc.exe
Token: SeSystemEnvironmentPrivilege	3796	vbc.exe
Token: SeChangeNotifyPrivilege	3796	vbc.exe
Token: SeRemoteShutdownPrivilege	3796	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3796	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 2356 wrote to memory of 3376	2356	a0e9c48de4b99b90d67b003e9e159447.exe	91
PID 3376 wrote to memory of 3960	3376	vbc.exe	92
PID 3376 wrote to memory of 3960	3376	vbc.exe	92
PID 3376 wrote to memory of 3960	3376	vbc.exe	92
PID 3376 wrote to memory of 2296	3376	vbc.exe	93
PID 3376 wrote to memory of 2296	3376	vbc.exe	93
PID 3376 wrote to memory of 2296	3376	vbc.exe	93
PID 2296 wrote to memory of 1360	2296	cmd.exe	95
PID 2296 wrote to memory of 1360	2296	cmd.exe	95
PID 2296 wrote to memory of 1360	2296	cmd.exe	95
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 3960 wrote to memory of 1640	3960	winupdate.exe	96
PID 1640 wrote to memory of 2352	1640	vbc.exe	103
PID 1640 wrote to memory of 2352	1640	vbc.exe	103
PID 1640 wrote to memory of 2352	1640	vbc.exe	103
PID 1640 wrote to memory of 2080	1640	vbc.exe	99
PID 1640 wrote to memory of 2080	1640	vbc.exe	99
PID 1640 wrote to memory of 2080	1640	vbc.exe	99
PID 2080 wrote to memory of 4176	2080	cmd.exe	100
PID 2080 wrote to memory of 4176	2080	cmd.exe	100
PID 2080 wrote to memory of 4176	2080	cmd.exe	100
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102
PID 2352 wrote to memory of 3796	2352	winupdate.exe	102

C:\Users\Admin\AppData\Local\Temp\a0e9c48de4b99b90d67b003e9e159447.exe
"C:\Users\Admin\AppData\Local\Temp\a0e9c48de4b99b90d67b003e9e159447.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windupdt\winupdate.exe
    "C:\Windupdt\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\vbc.exe
      C:\Users\Admin\AppData\Local\Temp\vbc.exe
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        6⤵
        Runs ping.exe
        
        PID:4176
    - - C:\Windupdt\winupdate.exe
        
        "C:\Windupdt\winupdate.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\a0e9c48de4b99b90d67b003e9e159447.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      Runs ping.exe
      PID:1360

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\vbc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\winupdate.exe.log

Filesize
411B

MD5
b75d63217c5d10a12e60be6d73af5e9a

SHA1
d25477a0a74ec499326e7db6c1f962f8fe77b818

SHA256
fa5feaf188800d777889d204daa15cff40715badfd65ddf0a818b9d130378e11

SHA512
07f390be438c0542b40984ce43b33aac495fe2eb7e564d415ed296783704fc6d3946eea24ec6c86a88e7a742c100c30e56a9c5e4d8eee2a5efe936126a615273

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
261KB

MD5
d2b89a7355eec9db8b81c667cdbe59c7

SHA1
515f86ec82edef5ec4c8f0b848ac5eaf3179936c

SHA256
3dbca12e9080f871d6063679ed399911226f9e57b1d7a2bc99d0b4cc29944f17

SHA512
c2dab0d2125d0dd01c976028ae9ef0d65f16bf72da5dbf2037da93029b45702a89e6c79889dc567bfd853cadfb291e4ace8e6e34bdf55daef0652607fb44f787

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
728KB

MD5
4bdb8d5d102bd82812b6fbec60522675

SHA1
cf4fd3f6b20d0f9fa41e87e88c6bfcb31a9df072

SHA256
a96d0268064e480fdc8b4cabc2c6928897853113d4b92b8d216d8af6d0fc0051

SHA512
3045d2ef16b67dc091c7096b9e36b3410f8ee9a8be64e93a81221bb7052f5f32b1b0a72e404a6d0f05f0a28548972e7150b3ffc1ce3dc484ad541861e725c2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
29KB

MD5
28f12f2d4cfbaa12636ac5997cbec643

SHA1
fbf0dd5de954424336d08c78b1d1011875d18f6c

SHA256
aef7f944b0293370e2f7d5ac93dc577662c22551fef1dc89a00d507c72b2b09a

SHA512
af8ac7fe677c88d2944a85da5ab3d4df180c4ca073a93f37e6c4254d87e878a7dc3ee29e7eb0baab4c65f1abdc9a328fbe1f6a1b76d5cbd26f87b4b6b7cf1c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
170KB

MD5
2a3e9aa7245e68e0eb8175e74beb84d2

SHA1
1af426b344a49d436decb70a822f2e708f8e8561

SHA256
262c2aa2dd3c02cf696703b26360534fac184175097445ccd82eeac6b47c09a1

SHA512
aaa0cf162779a076edad26145a4ec955b88c549aec6ae9af4b8b035dedefce4e625fbef4fc9383f7c3c34359cf8da8be34afc08957b1cb7fc251d998244f279b

Download Submit
C:\Windupdt\winupdate.exe

Filesize
1.2MB

MD5
a0e9c48de4b99b90d67b003e9e159447

SHA1
b2d59745cdf8b1aa44e46f8ae0857aca4dfb4368

SHA256
ad10bd209a0400769c98b80be60c4eb4962731830d374e7f76ba3455d92c7e67

SHA512
3c6a5cb1b53dbc504f8f49aedd44daa5d9b167072b4dce8ad0a970255d9648e8e0d1b59721fec93c7fec34544aa4b770834309c0dc287f4dd6e94dc945da0b8f

Download Submit
C:\Windupdt\winupdate.exe

Filesize
500KB

MD5
ff9200c2e0df48db171d84825431551f

SHA1
e72b57e16ee0a3b9c75ab22994a19b15c7c3e258

SHA256
537aaf8e44ff9b6e2561fcd93d9735c1c5e0237b7f7d1e583f18ef1e017cbbd2

SHA512
fa9837913afdedaff3c552d3cbb58312d7205843cfa2124f70dc53b7826812a1dba8a30495df4526909309ebe10c999b42fd00932fe4131842da820bfad25acc

Download Submit
C:\Windupdt\winupdate.exe

Filesize
320KB

MD5
0ffdefffb5e96f81c624239fb4f44d28

SHA1
65d62be92f134890a6bc2d58225575a0d8ebfa33

SHA256
ebab64d917773cfbd259b4d14434ef6f9a7e47e1c9d9432cf279d65e6bc98904

SHA512
2b6ca7d0adc518c699368f6ab1289c51baf69ff312ccbb67f6f2c9b3a02fe17c0da7a2f44c3c6fc88bf8ba9c3cfa2a6c56aae47ed600480ddee997ef15fb3d39

Download Submit
C:\Windupdt\winupdate.exe

Filesize
186KB

MD5
7792831cf3fa40859f7a72dbac89a3e0

SHA1
a6ac2e8db823c1bf8627ae6fbc4fe16303f2b41c

SHA256
f5b2636669c26cecf7742496bf69f5556c70fefad5e42fce76fd6bc4871dff11

SHA512
c861afa3085fe40e5cf9b9fa2f5a56759e3046cb9e82cc81eea2108b529f43b0daa21fffef82793e4131d953cfad7341023017b9bde23ae2df5cdc08b50e23ec

Download Submit
memory/1640-87-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1640-90-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1640-93-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1640-89-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2352-106-0x00000000723A0000-0x0000000072951000-memory.dmp

Filesize
5.7MB

Download
memory/2352-96-0x00000000723A0000-0x0000000072951000-memory.dmp

Filesize
5.7MB

Download
memory/2352-98-0x00000000723A0000-0x0000000072951000-memory.dmp

Filesize
5.7MB

Download
memory/2352-97-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/2356-10-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/2356-1-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/2356-2-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/2356-0-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3376-11-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3376-5-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3376-12-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3376-16-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3376-9-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3376-75-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3376-7-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3796-108-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3796-105-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3796-110-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3796-109-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3796-107-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3796-104-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3796-111-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3796-113-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3796-114-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3960-76-0x00000000730C0000-0x0000000073671000-memory.dmp

Filesize
5.7MB

Download
memory/3960-78-0x00000000730C0000-0x0000000073671000-memory.dmp

Filesize
5.7MB

Download
memory/3960-79-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3960-88-0x00000000730C0000-0x0000000073671000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads