darkcomet | e668dd735809a2a08efeda2c037952ebd63b53a82648a9a059b06ba156e914a3

General

Target

695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Size

620KB
MD5

695b90b4aa3f979981153fed0d682528
SHA1

773ab8e2be7cec065f40dfe57c3964878349399e
SHA256

e668dd735809a2a08efeda2c037952ebd63b53a82648a9a059b06ba156e914a3
SHA512

e9c7a055f1f2f1a18b354b32fc007b0dc9e28b9212e9fb3667d3fc148167da7d664f611c08ad167c4c79d15c6e447a8ff26ea9833804358c4b26342ebae7980e
SSDEEP

6144:hVX/Wjw41C4GVx7sADJ2gB701zM4+TeoA+PK5yAyi2/cwRWl2qtmSSSA58FNjmeQ:WRCxx4EJ2gB4bQegx/cSUlTBvxJx9l

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\HDAudio\\HDAudio.exe"	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2472 attrib.exe
2488 attrib.exe
Executes dropped EXE 2 IoCs

Processes:

HDAudio.exeHDAudio.exe

pid process

2572 HDAudio.exe
2664 HDAudio.exe
Loads dropped DLL 3 IoCs

Processes:

695b90b4aa3f979981153fed0d682528_JaffaCakes118.exeHDAudio.exe

pid process

2180 695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
2180 695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
2572 HDAudio.exe

pid	process
2472	attrib.exe
2488	attrib.exe

pid	process
2572	HDAudio.exe
2664	HDAudio.exe

pid	process
2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
2572	HDAudio.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2180-4-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2180-10-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2180-12-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2180-11-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2180-6-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2180-9-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2180-15-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2180-14-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2180-16-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2180-13-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2180-32-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2664-47-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2664-45-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2664-46-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2664-50-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2664-51-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2664-49-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2664-48-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2664-44-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2664-52-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2664-54-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

695b90b4aa3f979981153fed0d682528_JaffaCakes118.exeHDAudio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDAudio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDAudio\\HDAudio.exe"	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDAudio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDAudio\\HDAudio.exe"	HDAudio.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

695b90b4aa3f979981153fed0d682528_JaffaCakes118.exeHDAudio.exe

description	pid	process	target process
PID 1692 set thread context of 2180	1692	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
PID 2572 set thread context of 2664	2572	HDAudio.exe	HDAudio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2348 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HDAudio.exe

pid process

2664 HDAudio.exe

pid	process
2348	PING.EXE

pid	process
2664	HDAudio.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

695b90b4aa3f979981153fed0d682528_JaffaCakes118.exeHDAudio.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeSecurityPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeBackupPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeRestorePrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeShutdownPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeDebugPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeUndockPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: 33	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: 34	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: 35	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2664	HDAudio.exe
Token: SeSecurityPrivilege	2664	HDAudio.exe
Token: SeTakeOwnershipPrivilege	2664	HDAudio.exe
Token: SeLoadDriverPrivilege	2664	HDAudio.exe
Token: SeSystemProfilePrivilege	2664	HDAudio.exe
Token: SeSystemtimePrivilege	2664	HDAudio.exe
Token: SeProfSingleProcessPrivilege	2664	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2664	HDAudio.exe
Token: SeCreatePagefilePrivilege	2664	HDAudio.exe
Token: SeBackupPrivilege	2664	HDAudio.exe
Token: SeRestorePrivilege	2664	HDAudio.exe
Token: SeShutdownPrivilege	2664	HDAudio.exe
Token: SeDebugPrivilege	2664	HDAudio.exe
Token: SeSystemEnvironmentPrivilege	2664	HDAudio.exe
Token: SeChangeNotifyPrivilege	2664	HDAudio.exe
Token: SeRemoteShutdownPrivilege	2664	HDAudio.exe
Token: SeUndockPrivilege	2664	HDAudio.exe
Token: SeManageVolumePrivilege	2664	HDAudio.exe
Token: SeImpersonatePrivilege	2664	HDAudio.exe
Token: SeCreateGlobalPrivilege	2664	HDAudio.exe
Token: 33	2664	HDAudio.exe
Token: 34	2664	HDAudio.exe
Token: 35	2664	HDAudio.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

695b90b4aa3f979981153fed0d682528_JaffaCakes118.exeHDAudio.exeHDAudio.exe

pid process

1692 695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
2572 HDAudio.exe
2664 HDAudio.exe

pid	process
1692	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
2572	HDAudio.exe
2664	HDAudio.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe695b90b4aa3f979981153fed0d682528_JaffaCakes118.execmd.execmd.exeHDAudio.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 2180	1692	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
PID 1692 wrote to memory of 2180	1692	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
PID 1692 wrote to memory of 2180	1692	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
PID 1692 wrote to memory of 2180	1692	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
PID 1692 wrote to memory of 2180	1692	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
PID 1692 wrote to memory of 2180	1692	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
PID 1692 wrote to memory of 2180	1692	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
PID 1692 wrote to memory of 2180	1692	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
PID 2180 wrote to memory of 2516	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2516	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2516	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2516	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2536	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2536	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2536	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2536	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2536 wrote to memory of 2488	2536	cmd.exe	attrib.exe
PID 2536 wrote to memory of 2488	2536	cmd.exe	attrib.exe
PID 2536 wrote to memory of 2488	2536	cmd.exe	attrib.exe
PID 2536 wrote to memory of 2488	2536	cmd.exe	attrib.exe
PID 2516 wrote to memory of 2472	2516	cmd.exe	attrib.exe
PID 2516 wrote to memory of 2472	2516	cmd.exe	attrib.exe
PID 2516 wrote to memory of 2472	2516	cmd.exe	attrib.exe
PID 2516 wrote to memory of 2472	2516	cmd.exe	attrib.exe
PID 2180 wrote to memory of 2572	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	HDAudio.exe
PID 2180 wrote to memory of 2572	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	HDAudio.exe
PID 2180 wrote to memory of 2572	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	HDAudio.exe
PID 2180 wrote to memory of 2572	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	HDAudio.exe
PID 2180 wrote to memory of 2492	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2492	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2492	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2492	2180	695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe	cmd.exe
PID 2572 wrote to memory of 2664	2572	HDAudio.exe	HDAudio.exe
PID 2572 wrote to memory of 2664	2572	HDAudio.exe	HDAudio.exe
PID 2572 wrote to memory of 2664	2572	HDAudio.exe	HDAudio.exe
PID 2572 wrote to memory of 2664	2572	HDAudio.exe	HDAudio.exe
PID 2572 wrote to memory of 2664	2572	HDAudio.exe	HDAudio.exe
PID 2572 wrote to memory of 2664	2572	HDAudio.exe	HDAudio.exe
PID 2572 wrote to memory of 2664	2572	HDAudio.exe	HDAudio.exe
PID 2572 wrote to memory of 2664	2572	HDAudio.exe	HDAudio.exe
PID 2492 wrote to memory of 2348	2492	cmd.exe	PING.EXE
PID 2492 wrote to memory of 2348	2492	cmd.exe	PING.EXE
PID 2492 wrote to memory of 2348	2492	cmd.exe	PING.EXE
PID 2492 wrote to memory of 2348	2492	cmd.exe	PING.EXE

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2472 attrib.exe
2488 attrib.exe

pid	process
2472	attrib.exe
2488	attrib.exe

C:\Users\Admin\AppData\Local\Temp\695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2488

C:\Users\Admin\AppData\Local\Temp\HDAudio\HDAudio.exe
"C:\Users\Admin\AppData\Local\Temp\HDAudio\HDAudio.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\HDAudio\HDAudio.exe
"C:\Users\Admin\AppData\Local\Temp\HDAudio\HDAudio.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\695b90b4aa3f979981153fed0d682528_JaffaCakes118.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
4⤵
- Runs ping.exe
PID:2348

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\HDAudio\HDAudio.exe
Filesize
620KB

MD5
695b90b4aa3f979981153fed0d682528

SHA1
773ab8e2be7cec065f40dfe57c3964878349399e

SHA256
e668dd735809a2a08efeda2c037952ebd63b53a82648a9a059b06ba156e914a3

SHA512
e9c7a055f1f2f1a18b354b32fc007b0dc9e28b9212e9fb3667d3fc148167da7d664f611c08ad167c4c79d15c6e447a8ff26ea9833804358c4b26342ebae7980e

Download Submit
memory/2180-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-4-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-13-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-11-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-6-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-2-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2180-15-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-14-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-32-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-12-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-10-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2180-16-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2664-54-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2664-45-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2664-46-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2664-50-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2664-51-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2664-49-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2664-48-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2664-44-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2664-52-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2664-47-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads