darkcomet | 80b29c7ba8d66770d736268a9c1c145cb9e947bbba564953a63818f4b75057df

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
Size

1.0MB
MD5

69a54a68512b406bb10f4ee129efb0a0
SHA1

e9b60b8eae1d28b90f4b8c60e862d8a979640533
SHA256

80b29c7ba8d66770d736268a9c1c145cb9e947bbba564953a63818f4b75057df
SHA512

0d6a836ba5613aff5f08c5776b345b036e4f95b3db6dbeb03e84e3366d807ad7762d5a4c2919ca14b0d80e061b42bbfc90c055c3b4815f7fa042a80f866beb1b
SSDEEP

24576:KlgFu58LljQYSa+Ze0Q7Jw1NCY+masfXfNMsgVIt:igFu5c7gZCVmVfXlMs2It

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2408	ƳƕƏƄȜ.exe
4568	vbc.exe
1048	OWNBall07.5.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000234e0-33.dat	upx
behavioral2/memory/1048-42-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-48-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-50-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-53-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-55-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-57-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-59-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-61-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-63-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-65-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-67-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-69-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-71-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-73-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1048-75-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	ƳƕƏƄȜ.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1048-48-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-50-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-53-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-55-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-57-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-59-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-61-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-63-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-65-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-67-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-69-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-71-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-73-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/1048-75-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 384 set thread context of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OWNBall07.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ƳƕƏƄȜ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1048	OWNBall07.5.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4568	vbc.exe
Token: SeSecurityPrivilege	4568	vbc.exe
Token: SeTakeOwnershipPrivilege	4568	vbc.exe
Token: SeLoadDriverPrivilege	4568	vbc.exe
Token: SeSystemProfilePrivilege	4568	vbc.exe
Token: SeSystemtimePrivilege	4568	vbc.exe
Token: SeProfSingleProcessPrivilege	4568	vbc.exe
Token: SeIncBasePriorityPrivilege	4568	vbc.exe
Token: SeCreatePagefilePrivilege	4568	vbc.exe
Token: SeBackupPrivilege	4568	vbc.exe
Token: SeRestorePrivilege	4568	vbc.exe
Token: SeShutdownPrivilege	4568	vbc.exe
Token: SeDebugPrivilege	4568	vbc.exe
Token: SeSystemEnvironmentPrivilege	4568	vbc.exe
Token: SeChangeNotifyPrivilege	4568	vbc.exe
Token: SeRemoteShutdownPrivilege	4568	vbc.exe
Token: SeUndockPrivilege	4568	vbc.exe
Token: SeManageVolumePrivilege	4568	vbc.exe
Token: SeImpersonatePrivilege	4568	vbc.exe
Token: SeCreateGlobalPrivilege	4568	vbc.exe
Token: 33	4568	vbc.exe
Token: 34	4568	vbc.exe
Token: 35	4568	vbc.exe
Token: 36	4568	vbc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe
1048	OWNBall07.5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4568	vbc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 2052	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	85
PID 384 wrote to memory of 2052	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	85
PID 384 wrote to memory of 2052	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	85
PID 2052 wrote to memory of 3820	2052	csc.exe	89
PID 2052 wrote to memory of 3820	2052	csc.exe	89
PID 2052 wrote to memory of 3820	2052	csc.exe	89
PID 384 wrote to memory of 2408	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	90
PID 384 wrote to memory of 2408	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	90
PID 384 wrote to memory of 2408	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	90
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 4568	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	91
PID 384 wrote to memory of 1048	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	92
PID 384 wrote to memory of 1048	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	92
PID 384 wrote to memory of 1048	384	69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ucgs-iny.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC19.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDC08.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3820
- C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe
  "C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe
  "C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe

Filesize
344KB

MD5
b923303580b759e74b4b0246c2e64d93

SHA1
e71eccd0e1324729807d42be43f2ec45cbe9ddc0

SHA256
3626c3f6518741f077d27a0f16fccb41d428c6fe1b18f432ccef3719663d8827

SHA512
1edf71ac4a21ea4a5eccc8759c9ab2e4ea5d312fb48e1b9ad7b2d655db7834b33f8b1cf08a670c6e9ce4348ee5dd237f9b316bc05d6e8c4cc49326800ac6a54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDC19.tmp

Filesize
1KB

MD5
c7828076e67a469fca4642ebe704c49b

SHA1
7ddd8c716b43a2d2fad9ccbc68c97d9ade3e55d9

SHA256
49030174a0100088ec7e0b93f9fca165320835eec00a7b69a8df5be547d1067f

SHA512
385358ce94aab6482c44719637586f82a9ef73de26f85dea228fbe78ba7541b4b525c62783463041de2b6ce0bfea6b5f9ebb22582f704b270de5251b284ce13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe

Filesize
4KB

MD5
60a0dc65fd8ea55115e402bbb113e5cf

SHA1
8802f836de9bebb9ec6e6ba0f5a5fe19c0d12588

SHA256
0fef8cd18e22089323538b7f4ba2238775bb5cd5066216dfba8088c5499b5bd8

SHA512
0ad921b1cd11a347b853a71b4811fc372d957aa9eaf0b43a2c4422bbc807adadded6afb005a3e12898f6c551fe10a03fc9fab68d70ca75f96f95ca4204f1f138

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDC08.tmp

Filesize
636B

MD5
cabe319c211b0235717de2ce3fa02ce0

SHA1
d7e876e7b1a3d957e91bd927756f782704258247

SHA256
81cda2f92eaab8bce309a65f24e1e0a5fe753e352f5f3de122c15dbd1fce4c7e

SHA512
0f6a8cc6dea5fc33389a2323c0ee43334fd73e91424dcded01d5feb700d3fc112996f9511a914552e942de7c5541d2e011aee3ae1c30b580060af4b8b5421cc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ucgs-iny.0.cs

Filesize
1KB

MD5
ff633b592af11cb80f35b58901a1ec2d

SHA1
fb2e0a6beae8b9cd23102aabed44778e4f5eecf5

SHA256
e41802aa34ef5aae074052f7c774792cdedcd2d64cb3fed158a3a1c5554005ef

SHA512
3d4a1695af31238236a7211ce4df66b904fac151f9076972fc9e17a7b538abcaed96dc0def4e20b4d2bb9eb14ab50545bb7aa5f971c8cacf1d6243a66cc9b5c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ucgs-iny.cmdline

Filesize
263B

MD5
47a74f389ab458c28f554dcd623a0225

SHA1
1f218b7df203b691d5eea0642a031f2eecc2d225

SHA256
18c353e8096239851ea6a1c3c72ff3b7c81af105832c5740112917e9d6385abd

SHA512
53c053e8566814c2943c75643a5d9c2077115e933090f3a4c5d73390cf514b762afad1ef64bfed18ad8f4cfff22cf574ecf59eee76801b24765443cff3fd44bb

Download Submit
memory/384-0-0x0000000074A42000-0x0000000074A43000-memory.dmp

Filesize
4KB

Download
memory/384-1-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/384-46-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/384-2-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/1048-65-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-53-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-75-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-50-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-73-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-69-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-42-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-55-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-67-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-71-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-63-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-61-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-48-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-59-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1048-57-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2052-8-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/2052-15-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/2408-27-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/4568-54-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-52-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-56-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-51-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-58-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-49-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-60-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-47-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-62-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-43-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-64-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-44-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-66-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-45-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-68-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-38-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-70-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-29-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-72-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-22-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-74-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4568-25-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads