darkcomet | a29e150b2ff91da057487b87d420e394347f3e0364742705705b103a2d518f61

General

Target

148da8473a260935979977ade797e718_JaffaCakes118.exe
Size

3.0MB
MD5

148da8473a260935979977ade797e718
SHA1

18d0286962802911133a5ab6ae5016c9cda08b6d
SHA256

a29e150b2ff91da057487b87d420e394347f3e0364742705705b103a2d518f61
SHA512

9c38ab2950450a0c22c5cb7dcf8cb99dd421344ac14e4d66890a1de11ab9a0185cbca967f6120a121bb720fae53774ea4545e48fca16ee501bdaa84d73d4ba81
SSDEEP

49152:hxxxK/o/y7wmmD9gukh9wiNInkjCG8mzD0W357/0nsj7a3LTK4U:hBykVCnh/InmCGACTj+TK4U

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

leifstresser.ddns.net:1604

127.0.0.1:1604

Mutex

cuntface

Attributes

InstallPath
Windows/Explorer
gencode
pG07ARK2K01Z
install
true
offline_keylogger
true
password
lolamoomoo1
persistence
true
reg_key
Updater

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

UDP FLOODER 1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\pG07ARK2K01Z\\Windows/Explorer"	UDP FLOODER 1.EXE

Executes dropped EXE 2 IoCs

Processes:

[email protected]UDP FLOODER 1.EXE

pid process

1752 [email protected]
2432 UDP FLOODER 1.EXE

pid	process
1752	[email protected]
2432	UDP FLOODER 1.EXE

Loads dropped DLL 3 IoCs

Processes:

148da8473a260935979977ade797e718_JaffaCakes118.exe

pid	process
768	148da8473a260935979977ade797e718_JaffaCakes118.exe
768	148da8473a260935979977ade797e718_JaffaCakes118.exe
768	148da8473a260935979977ade797e718_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE	upx
behavioral1/memory/2432-123-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2432-167-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UDP FLOODER 1.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\pG07ARK2K01Z\\Windows/Explorer"	UDP FLOODER 1.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exe

description	pid	process	target process
PID 1636 set thread context of 2516	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 set thread context of 2492	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 set thread context of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UDP FLOODER 1.EXE

pid process

2432 UDP FLOODER 1.EXE

pid	process
2432	UDP FLOODER 1.EXE

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exeUDP FLOODER 1.EXE

description	pid	process
Token: SeDebugPrivilege	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe
Token: SeDebugPrivilege	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe
Token: SeDebugPrivilege	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2432	UDP FLOODER 1.EXE
Token: SeSecurityPrivilege	2432	UDP FLOODER 1.EXE
Token: SeTakeOwnershipPrivilege	2432	UDP FLOODER 1.EXE
Token: SeLoadDriverPrivilege	2432	UDP FLOODER 1.EXE
Token: SeSystemProfilePrivilege	2432	UDP FLOODER 1.EXE
Token: SeSystemtimePrivilege	2432	UDP FLOODER 1.EXE
Token: SeProfSingleProcessPrivilege	2432	UDP FLOODER 1.EXE
Token: SeIncBasePriorityPrivilege	2432	UDP FLOODER 1.EXE
Token: SeCreatePagefilePrivilege	2432	UDP FLOODER 1.EXE
Token: SeBackupPrivilege	2432	UDP FLOODER 1.EXE
Token: SeRestorePrivilege	2432	UDP FLOODER 1.EXE
Token: SeShutdownPrivilege	2432	UDP FLOODER 1.EXE
Token: SeDebugPrivilege	2432	UDP FLOODER 1.EXE
Token: SeSystemEnvironmentPrivilege	2432	UDP FLOODER 1.EXE
Token: SeChangeNotifyPrivilege	2432	UDP FLOODER 1.EXE
Token: SeRemoteShutdownPrivilege	2432	UDP FLOODER 1.EXE
Token: SeUndockPrivilege	2432	UDP FLOODER 1.EXE
Token: SeManageVolumePrivilege	2432	UDP FLOODER 1.EXE
Token: SeImpersonatePrivilege	2432	UDP FLOODER 1.EXE
Token: SeCreateGlobalPrivilege	2432	UDP FLOODER 1.EXE
Token: 33	2432	UDP FLOODER 1.EXE
Token: 34	2432	UDP FLOODER 1.EXE
Token: 35	2432	UDP FLOODER 1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

UDP FLOODER 1.EXE

pid process

2432 UDP FLOODER 1.EXE

pid	process
2432	UDP FLOODER 1.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exe148da8473a260935979977ade797e718_JaffaCakes118.exeUDP FLOODER 1.EXE

description	pid	process	target process
PID 1636 wrote to memory of 2516	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516	1636	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492	2516	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768	2492	148da8473a260935979977ade797e718_JaffaCakes118.exe	148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 768 wrote to memory of 1752	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	[email protected]
PID 768 wrote to memory of 1752	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	[email protected]
PID 768 wrote to memory of 1752	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	[email protected]
PID 768 wrote to memory of 1752	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	[email protected]
PID 768 wrote to memory of 1752	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	[email protected]
PID 768 wrote to memory of 1752	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	[email protected]
PID 768 wrote to memory of 1752	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	[email protected]
PID 768 wrote to memory of 2432	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	UDP FLOODER 1.EXE
PID 768 wrote to memory of 2432	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	UDP FLOODER 1.EXE
PID 768 wrote to memory of 2432	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	UDP FLOODER 1.EXE
PID 768 wrote to memory of 2432	768	148da8473a260935979977ade797e718_JaffaCakes118.exe	UDP FLOODER 1.EXE
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe
PID 2432 wrote to memory of 1556	2432	UDP FLOODER 1.EXE	notepad.exe

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
5⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
"C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
192728619f78efb972ec5e202d64e6a9

SHA1
3a422dfe3c888d9b78599cc9d31122b971c9dcca

SHA256
f24f556810a44fafdc3b55530194d5740b871cd97c12cd1f5fc2e7f0c687daf0

SHA512
1553e280341bf520516d0cb7d693cc754cf496c45418a00bf974813877406ec31fd131fa1008805309f895a393f64ef42d2820297f65cc83c17a6befbdd1e2f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2a59afeb397e77a51c973f2a6f7f3211

SHA1
47bdd384fd496f43803710bc81d66c0d2eab7b0f

SHA256
dcf08b1d47e0bbda9e85e2f7888d608712de69b8b4e80c5fdf2b083262aae16c

SHA512
955771827761f1c3d52ec78a7a93be7d728198fb9a53055a40be592bd5ae1dee5ab268b3baedbf5b3e9c965bf9dc598a4ec7d1d9077d9396690d916f7e467b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12A6.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1393.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\[email protected]
Filesize
105KB

MD5
7cd2da0120e9b08e0a81d4bc8efef66f

SHA1
850d6c6fd6c308526381fd3445e4836dd7a0e1f0

SHA256
4750f78dd654a8b02cc5c0f10569f364673f03b407e2291279e30cae449c6f8b

SHA512
c2333eb54e5ce17dc2fd7ce25803fe0fb8b7e8d41be0ea6b57bba5e0fe73f8956f0867e78537c2c2f8f3581d83e67b6cd5ed8706beddcaf1c6654cbe2d7331f4

Download Submit
\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
Filesize
251KB

MD5
211945ebdfe62b019a73cfba4e15592c

SHA1
33a9822aa4a68379c5e50950bce5946a9bd6b4ac

SHA256
27cbae331070b3643799b7d6143f7e7d3e8492b2c743d7771e5331c78d0eccaf

SHA512
1bf2f4096ea79ab7bd5a6759b8f83623d789002d0ccf32ae9e0d45a9ec15a55cc619abf2ee2baa91251b8c7af2ad810098363387ff43def19ebe0edd66451b4d

Download Submit
memory/768-103-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/768-90-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/768-104-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/768-96-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/768-94-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/768-98-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/768-122-0x0000000002D50000-0x0000000002E07000-memory.dmp

Filesize
732KB

Download
memory/768-100-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/768-93-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1556-125-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1636-0-0x0000000074A61000-0x0000000074A62000-memory.dmp

Filesize
4KB

Download
memory/1636-2-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-1-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-46-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-164-0x0000000000CB0000-0x0000000000CD0000-memory.dmp

Filesize
128KB

Download
memory/2432-123-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2432-167-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2492-62-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2492-60-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2492-58-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2492-71-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-66-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2492-70-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2492-68-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2492-56-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2492-106-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-24-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2516-89-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-21-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2516-30-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2516-22-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2516-26-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2516-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-34-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2516-32-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2516-36-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-35-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads