darkcomet | 547832a55c6686cae074d6cf038493da2930962fd2c1e4dd176fee4c6d60abbf

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-07-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Size

1.7MB
MD5

45c31a6657d85a83a327a9b907843e67
SHA1

db82cb13bbb044eac8cbe2c26e6652c51d84740d
SHA256

547832a55c6686cae074d6cf038493da2930962fd2c1e4dd176fee4c6d60abbf
SHA512

dccef6bde2f5eb79252a64832c72adfcfe728844e28caf3a7be07f1bc3421724ee33bd5bd993513d2fb728b0f0ca47f134738422af7afcd188bc885dd043ecb4
SSDEEP

49152:/JZoQrbTFZY1iaBOkJmZeQvV/AvT6qzL9Uutxr7:/trbTA1SZeQYTFzL9UC7

Score

10^/10

darkcomet latentbot bot guest16 evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1608

Mutex

DC_MUTEX-DD5EEWG

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
1fP8x3gpGubE
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

darkcomet

Botnet

BOT

kl0w.no-ip.org:1604

mozillaproxy.zapto.org:1604

Mutex

DC_MUTEX-A5603PV

Attributes

gencode
8UDgycR8v6YU
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

mozillaproxy.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3024	attrib.exe
3028	attrib.exe

Executes dropped EXE 4 IoCs

pid	Process
2572	file2.exe
1392	msdcsc.exe
2628	msdcsc.exe
1744	file2.exe

Loads dropped DLL 6 IoCs

pid	Process
2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
1392	msdcsc.exe
1392	msdcsc.exe
1392	msdcsc.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000170da-21.dat	upx
behavioral1/memory/2572-33-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1744-57-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1744-59-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-61-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-62-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-63-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-64-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-65-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-66-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-67-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-68-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-69-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-70-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-71-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-72-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-73-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2572-75-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe"	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\msdcsc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000017226-37.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 2732	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeSecurityPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeBackupPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeShutdownPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeDebugPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeUndockPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: 33	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: 34	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: 35	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2572	file2.exe
Token: SeSecurityPrivilege	2572	file2.exe
Token: SeTakeOwnershipPrivilege	2572	file2.exe
Token: SeLoadDriverPrivilege	2572	file2.exe
Token: SeSystemProfilePrivilege	2572	file2.exe
Token: SeSystemtimePrivilege	2572	file2.exe
Token: SeProfSingleProcessPrivilege	2572	file2.exe
Token: SeIncBasePriorityPrivilege	2572	file2.exe
Token: SeCreatePagefilePrivilege	2572	file2.exe
Token: SeBackupPrivilege	2572	file2.exe
Token: SeRestorePrivilege	2572	file2.exe
Token: SeShutdownPrivilege	2572	file2.exe
Token: SeDebugPrivilege	2572	file2.exe
Token: SeSystemEnvironmentPrivilege	2572	file2.exe
Token: SeChangeNotifyPrivilege	2572	file2.exe
Token: SeRemoteShutdownPrivilege	2572	file2.exe
Token: SeUndockPrivilege	2572	file2.exe
Token: SeManageVolumePrivilege	2572	file2.exe
Token: SeImpersonatePrivilege	2572	file2.exe
Token: SeCreateGlobalPrivilege	2572	file2.exe
Token: 33	2572	file2.exe
Token: 34	2572	file2.exe
Token: 35	2572	file2.exe
Token: SeIncreaseQuotaPrivilege	1744	file2.exe
Token: SeSecurityPrivilege	1744	file2.exe
Token: SeTakeOwnershipPrivilege	1744	file2.exe
Token: SeLoadDriverPrivilege	1744	file2.exe
Token: SeSystemProfilePrivilege	1744	file2.exe
Token: SeSystemtimePrivilege	1744	file2.exe
Token: SeProfSingleProcessPrivilege	1744	file2.exe
Token: SeIncBasePriorityPrivilege	1744	file2.exe
Token: SeCreatePagefilePrivilege	1744	file2.exe
Token: SeBackupPrivilege	1744	file2.exe
Token: SeRestorePrivilege	1744	file2.exe
Token: SeShutdownPrivilege	1744	file2.exe
Token: SeDebugPrivilege	1744	file2.exe
Token: SeSystemEnvironmentPrivilege	1744	file2.exe
Token: SeChangeNotifyPrivilege	1744	file2.exe
Token: SeRemoteShutdownPrivilege	1744	file2.exe
Token: SeUndockPrivilege	1744	file2.exe
Token: SeManageVolumePrivilege	1744	file2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2572	file2.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2732	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2732	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2732	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2732	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2732	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2732	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2572	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2572	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2572	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2572	2276	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2776	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	32
PID 2732 wrote to memory of 2776	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	32
PID 2732 wrote to memory of 2776	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	32
PID 2732 wrote to memory of 2776	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	32
PID 2732 wrote to memory of 2540	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	33
PID 2732 wrote to memory of 2540	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	33
PID 2732 wrote to memory of 2540	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	33
PID 2732 wrote to memory of 2540	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	33
PID 2776 wrote to memory of 3024	2776	cmd.exe	36
PID 2776 wrote to memory of 3024	2776	cmd.exe	36
PID 2776 wrote to memory of 3024	2776	cmd.exe	36
PID 2776 wrote to memory of 3024	2776	cmd.exe	36
PID 2540 wrote to memory of 3028	2540	cmd.exe	37
PID 2540 wrote to memory of 3028	2540	cmd.exe	37
PID 2540 wrote to memory of 3028	2540	cmd.exe	37
PID 2540 wrote to memory of 3028	2540	cmd.exe	37
PID 2732 wrote to memory of 1392	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	38
PID 2732 wrote to memory of 1392	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	38
PID 2732 wrote to memory of 1392	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	38
PID 2732 wrote to memory of 1392	2732	45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe	38
PID 1392 wrote to memory of 2628	1392	msdcsc.exe	39
PID 1392 wrote to memory of 2628	1392	msdcsc.exe	39
PID 1392 wrote to memory of 2628	1392	msdcsc.exe	39
PID 1392 wrote to memory of 2628	1392	msdcsc.exe	39
PID 1392 wrote to memory of 1744	1392	msdcsc.exe	40
PID 1392 wrote to memory of 1744	1392	msdcsc.exe	40
PID 1392 wrote to memory of 1744	1392	msdcsc.exe	40
PID 1392 wrote to memory of 1744	1392	msdcsc.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3024	attrib.exe
3028	attrib.exe

C:\Users\Admin\AppData\Local\Temp\45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\45c31a6657d85a83a327a9b907843e67_JaffaCakes118.exe" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3028
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      4⤵
      Executes dropped EXE
      PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\file2.exe
      C:\Users\Admin\AppData\Local\Temp\file2.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1744
- C:\Users\Admin\AppData\Local\Temp\file2.exe
  C:\Users\Admin\AppData\Local\Temp\file2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ampere2.dat

Filesize
658KB

MD5
25d38f718beec7710b42aa6f7c943cc7

SHA1
938b4b54c9382d0e32280dfa7af9a3913ae93208

SHA256
f2f6ffd11982ca134735ef6f4a217025182b1ccbed33ade7a772aea2254dbad1

SHA512
3e4e629fdd0b2552bbf3da3456d43019a9845ed7498aea75a425e29925a1d31f18198435423d3b6aded6e97cdad9d9680ee95496f1249a63b963d407337f2761

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
1.7MB

MD5
45c31a6657d85a83a327a9b907843e67

SHA1
db82cb13bbb044eac8cbe2c26e6652c51d84740d

SHA256
547832a55c6686cae074d6cf038493da2930962fd2c1e4dd176fee4c6d60abbf

SHA512
dccef6bde2f5eb79252a64832c72adfcfe728844e28caf3a7be07f1bc3421724ee33bd5bd993513d2fb728b0f0ca47f134738422af7afcd188bc885dd043ecb4

Download Submit
\Users\Admin\AppData\Local\Temp\file2.exe

Filesize
251KB

MD5
a5ad8b98c7926fb36260d646b2a4ac84

SHA1
bdf2b831b7410302a9862b062e5df5ee8d291bb5

SHA256
fff90629f05521a70169667523060bd93f022518054983c889705273e59a2641

SHA512
21fdf907a36d98617f55d81249812ffcd95777da336071926c6a6126eba15ef79a4e0771157d9ec2b78b68af596fcbc2325b76f13f3e69a4f7740aae59547376

Download Submit
memory/1392-55-0x0000000002CB0000-0x0000000002D67000-memory.dmp

Filesize
732KB

Download
memory/1392-56-0x0000000002CB0000-0x0000000002D67000-memory.dmp

Filesize
732KB

Download
memory/1744-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1744-57-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2276-28-0x0000000004490000-0x0000000004547000-memory.dmp

Filesize
732KB

Download
memory/2276-27-0x0000000004490000-0x0000000004547000-memory.dmp

Filesize
732KB

Download
memory/2572-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-34-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2572-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-71-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-33-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-69-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-61-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-68-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-62-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-63-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-64-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2572-67-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2732-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-13-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download
memory/2732-7-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download
memory/2732-15-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2732-14-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download
memory/2732-12-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download
memory/2732-11-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download
memory/2732-60-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads