darkcomet | 87f6ca66ff40533b63ed610e2e496a9c569be7414501cd2b8469db874692f984

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/10/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe
Size

984KB
MD5

4ad1d7fecf5fe5f53d1089c05633ed2e
SHA1

5cbb0d0da628682454ac4e24fc9550f18cc95bd8
SHA256

87f6ca66ff40533b63ed610e2e496a9c569be7414501cd2b8469db874692f984
SHA512

6cf33f041b0a3201dcdd0a5baa7f32ed16d6792a0ed45836898f02c11763cfdae5ba6f8b228042f5e98f61c962353e2467074e72da599bed0ea36a721b2adb09
SSDEEP

24576:LGr99O099e9X1y99999999999999999999999999999iSB8xopQfrbkcpOP0nNCQ:/6qWpQsH0kK1SYpOqHs8u9

Score

10^/10

darkcomet my slaves discovery evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

My Slaves

lolyfgcycuxu.no-ip.biz:26789

Mutex

DC_MUTEX-J9KGRP9

Attributes

gencode
isjk9gY2A5KA
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	COPY OF INSTAGRAM FOLLOWERS.EXE
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	COPY OF INSTAGRAM FOLLOWERS.EXE
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	COPY OF INSTAGRAM FOLLOWERS.EXE

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	COPY OF INSTAGRAM FOLLOWERS.EXE

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2000	attrib.exe
2672	attrib.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	COPY OF INSTAGRAM AND TWITTER GAINER.EXE
2704	COPY OF INSTAGRAM FOLLOWERS.EXE

Loads dropped DLL 4 IoCs

pid	Process
2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe
2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe
2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe
2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COPY OF INSTAGRAM AND TWITTER GAINER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COPY OF INSTAGRAM FOLLOWERS.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	COPY OF INSTAGRAM FOLLOWERS.EXE

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeSecurityPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeTakeOwnershipPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeLoadDriverPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeSystemProfilePrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeSystemtimePrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeProfSingleProcessPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeIncBasePriorityPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeCreatePagefilePrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeBackupPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeRestorePrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeShutdownPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeDebugPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeSystemEnvironmentPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeChangeNotifyPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeRemoteShutdownPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeUndockPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeManageVolumePrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeImpersonatePrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: SeCreateGlobalPrivilege	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: 33	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: 34	2704	COPY OF INSTAGRAM FOLLOWERS.EXE
Token: 35	2704	COPY OF INSTAGRAM FOLLOWERS.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2776	COPY OF INSTAGRAM AND TWITTER GAINER.EXE
2704	COPY OF INSTAGRAM FOLLOWERS.EXE

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2344	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2676	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	32
PID 2460 wrote to memory of 2676	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	32
PID 2460 wrote to memory of 2676	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	32
PID 2460 wrote to memory of 2676	2460	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2776	2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	33
PID 2344 wrote to memory of 2776	2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	33
PID 2344 wrote to memory of 2776	2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	33
PID 2344 wrote to memory of 2776	2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	33
PID 2344 wrote to memory of 2704	2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	34
PID 2344 wrote to memory of 2704	2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	34
PID 2344 wrote to memory of 2704	2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	34
PID 2344 wrote to memory of 2704	2344	4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe	34
PID 2704 wrote to memory of 1252	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	36
PID 2704 wrote to memory of 1252	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	36
PID 2704 wrote to memory of 1252	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	36
PID 2704 wrote to memory of 1252	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	36
PID 2704 wrote to memory of 920	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	37
PID 2704 wrote to memory of 920	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	37
PID 2704 wrote to memory of 920	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	37
PID 2704 wrote to memory of 920	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	37
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 2704 wrote to memory of 1624	2704	COPY OF INSTAGRAM FOLLOWERS.EXE	40
PID 1252 wrote to memory of 2000	1252	cmd.exe	41
PID 1252 wrote to memory of 2000	1252	cmd.exe	41
PID 1252 wrote to memory of 2000	1252	cmd.exe	41
PID 1252 wrote to memory of 2000	1252	cmd.exe	41
PID 920 wrote to memory of 2672	920	cmd.exe	42
PID 920 wrote to memory of 2672	920	cmd.exe	42
PID 920 wrote to memory of 2672	920	cmd.exe	42
PID 920 wrote to memory of 2672	920	cmd.exe	42

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2000	attrib.exe
2672	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\4ad1d7fecf5fe5f53d1089c05633ed2e_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\COPY OF INSTAGRAM AND TWITTER GAINER.EXE
    "C:\Users\Admin\AppData\Local\Temp\COPY OF INSTAGRAM AND TWITTER GAINER.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\COPY OF INSTAGRAM FOLLOWERS.EXE
    "C:\Users\Admin\AppData\Local\Temp\COPY OF INSTAGRAM FOLLOWERS.EXE"
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\COPY OF INSTAGRAM FOLLOWERS.EXE" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\COPY OF INSTAGRAM FOLLOWERS.EXE" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2672
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:1624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KGzEl.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COPY OF INSTAGRAM AND TWITTER GAINER.EXE

Filesize
24KB

MD5
34842dc59aa299425b9f125db179d5b6

SHA1
73dea64a659198801dc71580ce17408c1400a3eb

SHA256
580b44e49a4857a7eb74fb92080768621341b41dee26e9640cc34fa2e943c0a6

SHA512
4c9314a8eae22bb458d78114586981c5061406296e1199b5fa60b318339f1b63558223a2117a2fc319a2e0d3de2c8072d44e32757887292569497a45be196016

Download Submit
C:\Users\Admin\AppData\Local\Temp\COPY OF INSTAGRAM FOLLOWERS.EXE

Filesize
731KB

MD5
52dd6aad70b2935a100ce2ae2a30fd2d

SHA1
a5a0744d280db9bf959d9d46b538f37c89fac82b

SHA256
e9df7c14f8b68f2de7599e2bd88a2ebbff1f9b96292735523f219c9c4823a08d

SHA512
067ddd779efe582e69d37376319542c217b8f88dd3839e869dc9bcb47d065bbefea3ebb73827903285d62d6d878ca64ad78b514642888b604d3aff97de95b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGzEl.vbs

Filesize
408B

MD5
1dfca4a085536d0351398141ec4ad428

SHA1
8fb8cb61367c01807426c681633d77a086b6980f

SHA256
0be4987a21b264b8ff1f7b926d2204b9e4c6b85e76c311b9b2f923376207aa48

SHA512
5d52ac8355ac97f06860694e467f0b85c0a200d4bc84a50c2a808fbfcecbeda1f0b27af359ded52595ef630c3e4e2d813ce03e6327633d7316fdff8e1dc4d91a

Download Submit
memory/1624-88-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1624-50-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2344-13-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2344-22-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2344-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2344-44-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2344-11-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2344-9-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2344-7-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2344-5-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2344-17-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2344-20-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2344-4-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2460-37-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/2460-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-89-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2704-90-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2704-91-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2704-92-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2704-93-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2704-94-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2704-95-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2704-96-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads