darkcomet | 80b29c7ba8d66770d736268a9c1c145cb9e947bbba564953a63818f4b75057df

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
Size

1.0MB
MD5

69a54a68512b406bb10f4ee129efb0a0
SHA1

e9b60b8eae1d28b90f4b8c60e862d8a979640533
SHA256

80b29c7ba8d66770d736268a9c1c145cb9e947bbba564953a63818f4b75057df
SHA512

0d6a836ba5613aff5f08c5776b345b036e4f95b3db6dbeb03e84e3366d807ad7762d5a4c2919ca14b0d80e061b42bbfc90c055c3b4815f7fa042a80f866beb1b
SSDEEP

24576:KlgFu58LljQYSa+Ze0Q7Jw1NCY+masfXfNMsgVIt:igFu5c7gZCVmVfXlMs2It

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 3 IoCs

pid	Process
2792	ƳƕƏƄȜ.exe
2868	vbc.exe
2892	OWNBall07.5.exe

Loads dropped DLL 4 IoCs

pid	Process
2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d3a-51.dat	upx
behavioral1/memory/2892-53-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-60-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-62-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-64-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-66-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-68-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-70-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-72-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-74-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-76-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-78-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-80-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-82-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-84-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2892-86-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	ƳƕƏƄȜ.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2892-53-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-60-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-62-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-64-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-66-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-68-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-70-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-72-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-74-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-76-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-78-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-80-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-82-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-84-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2892-86-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ƳƕƏƄȜ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OWNBall07.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2892	OWNBall07.5.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2868	vbc.exe
Token: SeSecurityPrivilege	2868	vbc.exe
Token: SeTakeOwnershipPrivilege	2868	vbc.exe
Token: SeLoadDriverPrivilege	2868	vbc.exe
Token: SeSystemProfilePrivilege	2868	vbc.exe
Token: SeSystemtimePrivilege	2868	vbc.exe
Token: SeProfSingleProcessPrivilege	2868	vbc.exe
Token: SeIncBasePriorityPrivilege	2868	vbc.exe
Token: SeCreatePagefilePrivilege	2868	vbc.exe
Token: SeBackupPrivilege	2868	vbc.exe
Token: SeRestorePrivilege	2868	vbc.exe
Token: SeShutdownPrivilege	2868	vbc.exe
Token: SeDebugPrivilege	2868	vbc.exe
Token: SeSystemEnvironmentPrivilege	2868	vbc.exe
Token: SeChangeNotifyPrivilege	2868	vbc.exe
Token: SeRemoteShutdownPrivilege	2868	vbc.exe
Token: SeUndockPrivilege	2868	vbc.exe
Token: SeManageVolumePrivilege	2868	vbc.exe
Token: SeImpersonatePrivilege	2868	vbc.exe
Token: SeCreateGlobalPrivilege	2868	vbc.exe
Token: 33	2868	vbc.exe
Token: 34	2868	vbc.exe
Token: 35	2868	vbc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe
2892	OWNBall07.5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	vbc.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1436	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	30
PID 2504 wrote to memory of 1436	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	30
PID 2504 wrote to memory of 1436	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	30
PID 2504 wrote to memory of 1436	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	30
PID 1436 wrote to memory of 2584	1436	csc.exe	32
PID 1436 wrote to memory of 2584	1436	csc.exe	32
PID 1436 wrote to memory of 2584	1436	csc.exe	32
PID 1436 wrote to memory of 2584	1436	csc.exe	32
PID 2504 wrote to memory of 2792	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	33
PID 2504 wrote to memory of 2792	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	33
PID 2504 wrote to memory of 2792	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	33
PID 2504 wrote to memory of 2792	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	33
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2868	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2892	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	35
PID 2504 wrote to memory of 2892	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	35
PID 2504 wrote to memory of 2892	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	35
PID 2504 wrote to memory of 2892	2504	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqbj0yce.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D42.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe
  "C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe
  "C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe

Filesize
344KB

MD5
b923303580b759e74b4b0246c2e64d93

SHA1
e71eccd0e1324729807d42be43f2ec45cbe9ddc0

SHA256
3626c3f6518741f077d27a0f16fccb41d428c6fe1b18f432ccef3719663d8827

SHA512
1edf71ac4a21ea4a5eccc8759c9ab2e4ea5d312fb48e1b9ad7b2d655db7834b33f8b1cf08a670c6e9ce4348ee5dd237f9b316bc05d6e8c4cc49326800ac6a54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D43.tmp

Filesize
1KB

MD5
6f3883922d35a9a9b508741c985f7c78

SHA1
4062fd29bb07ae332afc94e655ff15bc64adde33

SHA256
4b554cb94a8ba85224013ee8c7813fa70107a57e8ebe0b2af04d4dc4bb9e8782

SHA512
0d7875374bb8337b15e4997da04c6251c63a17973daae1f37a5e07f7e3876d920bb5b37135d5c0980e3f42df551a52f52fdbba8b2aea69855f29e75a5ddeaab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe

Filesize
4KB

MD5
2e62a95db262cda9a345597e97040a14

SHA1
9408097b29af6778f705b9689a0d781da4e39883

SHA256
e93eca970720321f28b6468ca3ddac8b69f6a7deaa6c60124691ef877cda5df6

SHA512
a2baf90ec1a7b40069bb3306b8553fb9580f478e7a024c989e69e7d83eefda669f29c42a0329f54ff053faea2db55d251737a7034aa1fee66ea361d524bb0631

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8D42.tmp

Filesize
636B

MD5
cabe319c211b0235717de2ce3fa02ce0

SHA1
d7e876e7b1a3d957e91bd927756f782704258247

SHA256
81cda2f92eaab8bce309a65f24e1e0a5fe753e352f5f3de122c15dbd1fce4c7e

SHA512
0f6a8cc6dea5fc33389a2323c0ee43334fd73e91424dcded01d5feb700d3fc112996f9511a914552e942de7c5541d2e011aee3ae1c30b580060af4b8b5421cc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqbj0yce.0.cs

Filesize
1KB

MD5
ff633b592af11cb80f35b58901a1ec2d

SHA1
fb2e0a6beae8b9cd23102aabed44778e4f5eecf5

SHA256
e41802aa34ef5aae074052f7c774792cdedcd2d64cb3fed158a3a1c5554005ef

SHA512
3d4a1695af31238236a7211ce4df66b904fac151f9076972fc9e17a7b538abcaed96dc0def4e20b4d2bb9eb14ab50545bb7aa5f971c8cacf1d6243a66cc9b5c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqbj0yce.cmdline

Filesize
263B

MD5
644f91396b418549934348bf79e17e27

SHA1
cf145e9222d8412b982503e7470ae8984691934c

SHA256
8c1e5e4357773e6a5c00c2377a80ded1ff765360c8584ff9ac7e71b6a36b5d33

SHA512
fd16fbcfee48df3f93ca3071cb3c94738006a22462a91e4d8e9346508e0bcca8c1fcc486e8d076123695a5f0d177df4479e8ab5ed50fc84d3b9f075f359d093c

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/1436-8-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/1436-15-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-44-0x0000000000370000-0x0000000000470000-memory.dmp

Filesize
1024KB

Download
memory/2504-2-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-1-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-58-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-52-0x0000000006C90000-0x0000000006D51000-memory.dmp

Filesize
772KB

Download
memory/2504-0-0x0000000073E41000-0x0000000073E42000-memory.dmp

Filesize
4KB

Download
memory/2868-42-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-65-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-35-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-33-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-31-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-29-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-27-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-25-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-39-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-57-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-56-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-55-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-47-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-85-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-59-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-83-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-61-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-81-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-63-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-79-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-38-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-77-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-75-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-67-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-69-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-73-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2868-71-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2892-78-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-82-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-74-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-68-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-76-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-66-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-70-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-80-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-72-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-62-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-64-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-60-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-84-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-53-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-86-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads