darkcomet | a45f2cfac684b87635a67fcd3ec67a46b5dda029574f5f3f3ca3c9381a3929c1

General

Target

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
Size

1.0MB
MD5

8bc0e7d1a78d454caaa87d3b7caa92c3
SHA1

d0135e2e13f0d13aa2c49fb0d78f987f8d9ad67f
SHA256

a45f2cfac684b87635a67fcd3ec67a46b5dda029574f5f3f3ca3c9381a3929c1
SHA512

237016f4e9dd9b6a10359926caf886aea96595b20e87117b316019151e361895ba5ae10efd13f1c3066bc07ef4746d9ef59f857da7a6adc5966f75fbfebc4454
SSDEEP

24576:s4SRmIAZ6QGs1ikSHP5hs10Ot1LisENzP:s4SZO5SvOtVisEJP

Score

10^/10

darkcomet v2 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

V2

C2

spamblocker.no-ip.biz:1604

Mutex

DC_MUTEX-NZ2A7W0

Attributes

gencode
ji6MMZDpnHyq
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Executes dropped EXE 3 IoCs

Processes:

pspluginwkr.exewinresume.exepspluginwkr.exe

pid process

2468 pspluginwkr.exe
2088 winresume.exe
1916 pspluginwkr.exe
Loads dropped DLL 2 IoCs

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exepspluginwkr.exe

pid process

804 8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
2468 pspluginwkr.exe

pid	process
2468	pspluginwkr.exe
2088	winresume.exe
1916	pspluginwkr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pspluginwkr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\pspluginwkr.exe"	pspluginwkr.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exewinresume.exe

description	pid	process	target process
PID 804 set thread context of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 2088 set thread context of 2852	2088	winresume.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AppLaunch.exepspluginwkr.exewinresume.exepspluginwkr.exeAppLaunch.exe8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pspluginwkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winresume.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pspluginwkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe

pid	process
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exeAppLaunch.exepspluginwkr.exewinresume.exeAppLaunch.exepspluginwkr.exe

description	pid	process
Token: SeDebugPrivilege	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2036	AppLaunch.exe
Token: SeSecurityPrivilege	2036	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2036	AppLaunch.exe
Token: SeLoadDriverPrivilege	2036	AppLaunch.exe
Token: SeSystemProfilePrivilege	2036	AppLaunch.exe
Token: SeSystemtimePrivilege	2036	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2036	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2036	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2036	AppLaunch.exe
Token: SeBackupPrivilege	2036	AppLaunch.exe
Token: SeRestorePrivilege	2036	AppLaunch.exe
Token: SeShutdownPrivilege	2036	AppLaunch.exe
Token: SeDebugPrivilege	2036	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2036	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2036	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2036	AppLaunch.exe
Token: SeUndockPrivilege	2036	AppLaunch.exe
Token: SeManageVolumePrivilege	2036	AppLaunch.exe
Token: SeImpersonatePrivilege	2036	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2036	AppLaunch.exe
Token: 33	2036	AppLaunch.exe
Token: 34	2036	AppLaunch.exe
Token: 35	2036	AppLaunch.exe
Token: SeDebugPrivilege	2468	pspluginwkr.exe
Token: SeDebugPrivilege	2088	winresume.exe
Token: SeIncreaseQuotaPrivilege	2852	AppLaunch.exe
Token: SeSecurityPrivilege	2852	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2852	AppLaunch.exe
Token: SeLoadDriverPrivilege	2852	AppLaunch.exe
Token: SeSystemProfilePrivilege	2852	AppLaunch.exe
Token: SeSystemtimePrivilege	2852	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2852	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2852	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2852	AppLaunch.exe
Token: SeBackupPrivilege	2852	AppLaunch.exe
Token: SeRestorePrivilege	2852	AppLaunch.exe
Token: SeShutdownPrivilege	2852	AppLaunch.exe
Token: SeDebugPrivilege	2852	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2852	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2852	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2852	AppLaunch.exe
Token: SeUndockPrivilege	2852	AppLaunch.exe
Token: SeManageVolumePrivilege	2852	AppLaunch.exe
Token: SeImpersonatePrivilege	2852	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2852	AppLaunch.exe
Token: 33	2852	AppLaunch.exe
Token: 34	2852	AppLaunch.exe
Token: 35	2852	AppLaunch.exe
Token: SeDebugPrivilege	1916	pspluginwkr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

2036 AppLaunch.exe

pid	process
2036	AppLaunch.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exepspluginwkr.exewinresume.exe

description	pid	process	target process
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2036	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	AppLaunch.exe
PID 804 wrote to memory of 2468	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 804 wrote to memory of 2468	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 804 wrote to memory of 2468	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 804 wrote to memory of 2468	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 2468 wrote to memory of 2088	2468	pspluginwkr.exe	winresume.exe
PID 2468 wrote to memory of 2088	2468	pspluginwkr.exe	winresume.exe
PID 2468 wrote to memory of 2088	2468	pspluginwkr.exe	winresume.exe
PID 2468 wrote to memory of 2088	2468	pspluginwkr.exe	winresume.exe
PID 804 wrote to memory of 1916	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 804 wrote to memory of 1916	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 804 wrote to memory of 1916	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 804 wrote to memory of 1916	804	8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe	pspluginwkr.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe
PID 2088 wrote to memory of 2852	2088	winresume.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8bc0e7d1a78d454caaa87d3b7caa92c3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2036
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pspluginwkr.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pspluginwkr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winresume.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winresume.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2852
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pspluginwkr.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pspluginwkr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pspluginwkr.exe

Filesize
15KB

MD5
99e0106f89c12144cd3c82216382e110

SHA1
44e1640b98b27aca3530d41a7b853c73172623fc

SHA256
4bef292be3b4fc87d7300408032886248e6bcfa002d3c5e48b7e47d6fedc78c5

SHA512
3b6d8f7679896ab1e69ae94025162116397c8adcf46a95c30dd54b2f8f95e0fc6adc9f068e5ecd4ed070084c646e12368588511756374c62c7525bf3b91e10ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winresume.exe

Filesize
1.0MB

MD5
8bc0e7d1a78d454caaa87d3b7caa92c3

SHA1
d0135e2e13f0d13aa2c49fb0d78f987f8d9ad67f

SHA256
a45f2cfac684b87635a67fcd3ec67a46b5dda029574f5f3f3ca3c9381a3929c1

SHA512
237016f4e9dd9b6a10359926caf886aea96595b20e87117b316019151e361895ba5ae10efd13f1c3066bc07ef4746d9ef59f857da7a6adc5966f75fbfebc4454

Download Submit
memory/804-0-0x00000000741C1000-0x00000000741C2000-memory.dmp

Filesize
4KB

Download
memory/804-1-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/804-2-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/804-3-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-44-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2036-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-14-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-38-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2468-36-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-42-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-35-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-45-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads