darkcomet | 36952b4bf4a7f5b524adb73c6ff3aaa28c38c87d5ede6ecbad670caac7428538

General

Target

b8e9f57718a08d5ce927db8f4789569d.exe
Size

1.2MB
MD5

b8e9f57718a08d5ce927db8f4789569d
SHA1

2c27146487faede087a7c21d27b5663a295ad44d
SHA256

36952b4bf4a7f5b524adb73c6ff3aaa28c38c87d5ede6ecbad670caac7428538
SHA512

ade073fa43b91b3c8e7c8f93f023076a4c0d45c9329f35c6d73fa4995fa156248f2a17842eb2d9ba3f49aedaf80b8239570142ec7aa6f51c09e4c9b6d4d0e659
SSDEEP

24576:iaCwtiqV012KXkJHsYiyGQWgANWGyo70zWGT8y5N7I:W56xi9ZUGFqxM

Score

10^/10

darkcomet parallax !!!!!!!!!!!ddos-spread!!!!!!!!!!!!!!!!!persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

!!!!!!!!!!!DDos-Spread!!!!!!!!!!!!!!!!!

C2

91.234.106.186:9292

Mutex

DC_MUTEX-S03QZ61

Attributes

gencode
uZqfU11u4x0p
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax
Executes dropped EXE 5 IoCs

Processes:

KEOJF.exesecurity.exesecurity.exesecurity.exesecurity.exe

pid process

1700 KEOJF.exe
2868 security.exe
2184 security.exe
1296 security.exe
2700 security.exe

pid	process
1700	KEOJF.exe
2868	security.exe
2184	security.exe
1296	security.exe
2700	security.exe

Loads dropped DLL 9 IoCs

Processes:

b8e9f57718a08d5ce927db8f4789569d.exeb8e9f57718a08d5ce927db8f4789569d.exe

pid	process
2976	b8e9f57718a08d5ce927db8f4789569d.exe
2976	b8e9f57718a08d5ce927db8f4789569d.exe
2976	b8e9f57718a08d5ce927db8f4789569d.exe
2976	b8e9f57718a08d5ce927db8f4789569d.exe
1656	b8e9f57718a08d5ce927db8f4789569d.exe
1656	b8e9f57718a08d5ce927db8f4789569d.exe
1656	b8e9f57718a08d5ce927db8f4789569d.exe
1656	b8e9f57718a08d5ce927db8f4789569d.exe
1656	b8e9f57718a08d5ce927db8f4789569d.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2976-136-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2976-138-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2976-152-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2976-146-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1656-165-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1656-167-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2184-372-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1296-388-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1656-428-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2976-437-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1296-443-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\security.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

b8e9f57718a08d5ce927db8f4789569d.exesecurity.exe

description	pid	process	target process
PID 2340 set thread context of 2976	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 set thread context of 1656	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2868 set thread context of 2184	2868	security.exe	security.exe
PID 2868 set thread context of 1296	2868	security.exe	security.exe
PID 2868 set thread context of 2700	2868	security.exe	security.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

security.exesecurity.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2700	security.exe
Token: SeSecurityPrivilege	2700	security.exe
Token: SeTakeOwnershipPrivilege	2700	security.exe
Token: SeLoadDriverPrivilege	2700	security.exe
Token: SeSystemProfilePrivilege	2700	security.exe
Token: SeSystemtimePrivilege	2700	security.exe
Token: SeProfSingleProcessPrivilege	2700	security.exe
Token: SeIncBasePriorityPrivilege	2700	security.exe
Token: SeCreatePagefilePrivilege	2700	security.exe
Token: SeBackupPrivilege	2700	security.exe
Token: SeRestorePrivilege	2700	security.exe
Token: SeShutdownPrivilege	2700	security.exe
Token: SeDebugPrivilege	2700	security.exe
Token: SeSystemEnvironmentPrivilege	2700	security.exe
Token: SeChangeNotifyPrivilege	2700	security.exe
Token: SeRemoteShutdownPrivilege	2700	security.exe
Token: SeUndockPrivilege	2700	security.exe
Token: SeManageVolumePrivilege	2700	security.exe
Token: SeImpersonatePrivilege	2700	security.exe
Token: SeCreateGlobalPrivilege	2700	security.exe
Token: 33	2700	security.exe
Token: 34	2700	security.exe
Token: 35	2700	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe
Token: SeDebugPrivilege	1296	security.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

b8e9f57718a08d5ce927db8f4789569d.exeb8e9f57718a08d5ce927db8f4789569d.exeb8e9f57718a08d5ce927db8f4789569d.exesecurity.exesecurity.exesecurity.exe

pid	process
2340	b8e9f57718a08d5ce927db8f4789569d.exe
2976	b8e9f57718a08d5ce927db8f4789569d.exe
1656	b8e9f57718a08d5ce927db8f4789569d.exe
2868	security.exe
1296	security.exe
2700	security.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

b8e9f57718a08d5ce927db8f4789569d.exeb8e9f57718a08d5ce927db8f4789569d.exeb8e9f57718a08d5ce927db8f4789569d.execmd.exesecurity.exe

description	pid	process	target process
PID 2340 wrote to memory of 2976	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 2976	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 2976	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 2976	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 2976	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 2976	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 2976	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 2976	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 1656	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 1656	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 1656	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 1656	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 1656	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 1656	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 1656	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2340 wrote to memory of 1656	2340	b8e9f57718a08d5ce927db8f4789569d.exe	b8e9f57718a08d5ce927db8f4789569d.exe
PID 2976 wrote to memory of 1700	2976	b8e9f57718a08d5ce927db8f4789569d.exe	KEOJF.exe
PID 2976 wrote to memory of 1700	2976	b8e9f57718a08d5ce927db8f4789569d.exe	KEOJF.exe
PID 2976 wrote to memory of 1700	2976	b8e9f57718a08d5ce927db8f4789569d.exe	KEOJF.exe
PID 2976 wrote to memory of 1700	2976	b8e9f57718a08d5ce927db8f4789569d.exe	KEOJF.exe
PID 1656 wrote to memory of 2072	1656	b8e9f57718a08d5ce927db8f4789569d.exe	cmd.exe
PID 1656 wrote to memory of 2072	1656	b8e9f57718a08d5ce927db8f4789569d.exe	cmd.exe
PID 1656 wrote to memory of 2072	1656	b8e9f57718a08d5ce927db8f4789569d.exe	cmd.exe
PID 1656 wrote to memory of 2072	1656	b8e9f57718a08d5ce927db8f4789569d.exe	cmd.exe
PID 2072 wrote to memory of 1300	2072	cmd.exe	reg.exe
PID 2072 wrote to memory of 1300	2072	cmd.exe	reg.exe
PID 2072 wrote to memory of 1300	2072	cmd.exe	reg.exe
PID 2072 wrote to memory of 1300	2072	cmd.exe	reg.exe
PID 1656 wrote to memory of 2868	1656	b8e9f57718a08d5ce927db8f4789569d.exe	security.exe
PID 1656 wrote to memory of 2868	1656	b8e9f57718a08d5ce927db8f4789569d.exe	security.exe
PID 1656 wrote to memory of 2868	1656	b8e9f57718a08d5ce927db8f4789569d.exe	security.exe
PID 1656 wrote to memory of 2868	1656	b8e9f57718a08d5ce927db8f4789569d.exe	security.exe
PID 2868 wrote to memory of 2184	2868	security.exe	security.exe
PID 2868 wrote to memory of 2184	2868	security.exe	security.exe
PID 2868 wrote to memory of 2184	2868	security.exe	security.exe
PID 2868 wrote to memory of 2184	2868	security.exe	security.exe
PID 2868 wrote to memory of 2184	2868	security.exe	security.exe
PID 2868 wrote to memory of 2184	2868	security.exe	security.exe
PID 2868 wrote to memory of 2184	2868	security.exe	security.exe
PID 2868 wrote to memory of 2184	2868	security.exe	security.exe
PID 2868 wrote to memory of 1296	2868	security.exe	security.exe
PID 2868 wrote to memory of 1296	2868	security.exe	security.exe
PID 2868 wrote to memory of 1296	2868	security.exe	security.exe
PID 2868 wrote to memory of 1296	2868	security.exe	security.exe
PID 2868 wrote to memory of 1296	2868	security.exe	security.exe
PID 2868 wrote to memory of 1296	2868	security.exe	security.exe
PID 2868 wrote to memory of 1296	2868	security.exe	security.exe
PID 2868 wrote to memory of 1296	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe
PID 2868 wrote to memory of 2700	2868	security.exe	security.exe

C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe
"C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe
"C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Roaming\KEOJF.exe
"C:\Users\Admin\AppData\Roaming\KEOJF.exe"
3⤵
- Executes dropped EXE
PID:1700

C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe
"C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ORCHM.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Security" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\security.exe" /f
4⤵
- Adds Run key to start application
PID:1300

C:\Users\Admin\AppData\Roaming\Security\security.exe
"C:\Users\Admin\AppData\Roaming\Security\security.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Roaming\Security\security.exe
"C:\Users\Admin\AppData\Roaming\Security\security.exe"
4⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Roaming\Security\security.exe
"C:\Users\Admin\AppData\Roaming\Security\security.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Users\Admin\AppData\Roaming\Security\security.exe
"C:\Users\Admin\AppData\Roaming\Security\security.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ORCHM.bat
Filesize
147B

MD5
6f473a1ba53e043362047f72e20b34f4

SHA1
e8f121a589e1207ed950453376ee1d21b1223835

SHA256
5fbce2c77a90ba9edbcf60be3851ab81633b7c10b1babb624d475c7be589de4b

SHA512
b4976d40bc708ae6cddf367a5382cd532e4cf235b848cdaa4e4d317e06d9126e50745a7772591bc21dc7380689f4399e57501b0aa73cd231bce32e22d53b0818

Download Submit
C:\Users\Admin\AppData\Roaming\Security\security.exe
Filesize
64KB

MD5
13843b72cf0d0e85e61fc61debf05809

SHA1
6cfda54330609a41ed0190c755ac20e72617f314

SHA256
dd06850673019ec0c1a8c18f06feb308c5e5e69c758bd8f58989319b269556d7

SHA512
8453bdd727e45477fe400c995afcf6d138dc930ecfe0106c74a5fe7beb12fa66b58e788d8b37d061c7b0910bd2c376d6ebab11f2a3b4083dd53b8b2f678e5cf0

Download Submit
\Users\Admin\AppData\Roaming\KEOJF.exe
Filesize
396KB

MD5
97dfac6e0541c19a7cc8adb8fe322d4e

SHA1
3d30f9a61e70ee3970d041a83c5f64ae84bddf0b

SHA256
247c8b720d4ffa93f1b1f72d6df7dcacd80fb91d8f6747a339ba75fe690d89d1

SHA512
61ae747e122fa662035ddb29476a8381f320f8c3ba9dd3ceeb4a91e85eba61104a10a6461d54eca14a90be393745cda09222ddb29985d996ce8855b2bba27888

Download Submit
\Users\Admin\AppData\Roaming\Security\security.exe
Filesize
1.2MB

MD5
18622d07172e6130ed199a1b5965c907

SHA1
0578da5c901db514c7ef779bf25229364b4737dd

SHA256
ab699cf562a925c6ae5982abccb8012f709871404acb76031e12b1fd2e709dc0

SHA512
abc9311f113b01257640ee6984dc47c7dbe32bb2006cb4b2d3333905231cc857ae2bd94a2be168764e8a6b41efdb1b2d0ee52e6cef645997f9a4b149bb180863

Download Submit
memory/1296-443-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1296-388-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-165-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-428-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-167-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1700-185-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2184-372-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2340-36-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2340-58-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2340-12-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2340-4-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2340-2-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2340-96-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2340-130-0x00000000028D0000-0x00000000029A7000-memory.dmp

Filesize
860KB

Download
memory/2340-76-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2340-68-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2340-66-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2340-14-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2340-56-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2340-24-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2340-26-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2340-78-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2340-38-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2340-46-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/2340-48-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/2700-431-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2700-430-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2700-432-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2700-447-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2976-146-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2976-152-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2976-138-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2976-136-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2976-437-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2976-134-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads