darkcomet | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafde

General

Target

3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Size

929KB
MD5

92ff8539eb093582609a7a8083f38930
SHA1

fde8cc65fdd5ab825f1be7daa9c9e422d32a3c7f
SHA256

3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafde
SHA512

bd3303b7b73b0e2460db1cbd2428b3e55ed56d8c6258d016613c762190a3196ecfade2c98ba59a23e207a67c9efa67b3e0da880bc299020eb4130a6092a024fd
SSDEEP

24576:I+QawCFbpfu2X0UOkcBk8NPktcNrUBC0lyE:YjupvOzpZSrX

Score

10^/10

darkcomet tp discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

TP

C2

eviloton.no-ip.biz:1604

Mutex

DCMIN_MUTEX-QZP3U75

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
hrLBKzjjkYGB
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe

Executes dropped EXE 2 IoCs

Processes:

IMDCSC.exeIMDCSC.exe

pid process

3712 IMDCSC.exe
1712 IMDCSC.exe

pid	process
3712	IMDCSC.exe
1712	IMDCSC.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exeIMDCSC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupProgram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe"	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupProgram = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	IMDCSC.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exeIMDCSC.exe

description	pid	process	target process
PID 2980 set thread context of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 3712 set thread context of 1712	3712	IMDCSC.exe	IMDCSC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exeIMDCSC.exeIMDCSC.exe3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeSecurityPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeTakeOwnershipPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeLoadDriverPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeSystemProfilePrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeSystemtimePrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeProfSingleProcessPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeIncBasePriorityPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeCreatePagefilePrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeBackupPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeRestorePrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeShutdownPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeDebugPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeSystemEnvironmentPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeChangeNotifyPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeRemoteShutdownPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeUndockPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeManageVolumePrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeImpersonatePrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeCreateGlobalPrivilege	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: 33	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: 34	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: 35	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: 36	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeIncreaseQuotaPrivilege	1712	IMDCSC.exe
Token: SeSecurityPrivilege	1712	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	1712	IMDCSC.exe
Token: SeLoadDriverPrivilege	1712	IMDCSC.exe
Token: SeSystemProfilePrivilege	1712	IMDCSC.exe
Token: SeSystemtimePrivilege	1712	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	1712	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	1712	IMDCSC.exe
Token: SeCreatePagefilePrivilege	1712	IMDCSC.exe
Token: SeBackupPrivilege	1712	IMDCSC.exe
Token: SeRestorePrivilege	1712	IMDCSC.exe
Token: SeShutdownPrivilege	1712	IMDCSC.exe
Token: SeDebugPrivilege	1712	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	1712	IMDCSC.exe
Token: SeChangeNotifyPrivilege	1712	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	1712	IMDCSC.exe
Token: SeUndockPrivilege	1712	IMDCSC.exe
Token: SeManageVolumePrivilege	1712	IMDCSC.exe
Token: SeImpersonatePrivilege	1712	IMDCSC.exe
Token: SeCreateGlobalPrivilege	1712	IMDCSC.exe
Token: 33	1712	IMDCSC.exe
Token: 34	1712	IMDCSC.exe
Token: 35	1712	IMDCSC.exe
Token: 36	1712	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

1712 IMDCSC.exe

pid	process
1712	IMDCSC.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exeIMDCSC.exe

description	pid	process	target process
PID 2980 wrote to memory of 4288	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4288	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4288	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 2980 wrote to memory of 4932	2980	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
PID 4932 wrote to memory of 3712	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	IMDCSC.exe
PID 4932 wrote to memory of 3712	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	IMDCSC.exe
PID 4932 wrote to memory of 3712	4932	3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe
PID 3712 wrote to memory of 1712	3712	IMDCSC.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
"C:\Users\Admin\AppData\Local\Temp\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
  "C:\Users\Admin\AppData\Local\Temp\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe"
  2⤵
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
  "C:\Users\Admin\AppData\Local\Temp\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
929KB

MD5
92ff8539eb093582609a7a8083f38930

SHA1
fde8cc65fdd5ab825f1be7daa9c9e422d32a3c7f

SHA256
3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafde

SHA512
bd3303b7b73b0e2460db1cbd2428b3e55ed56d8c6258d016613c762190a3196ecfade2c98ba59a23e207a67c9efa67b3e0da880bc299020eb4130a6092a024fd

Download Submit
memory/1712-18-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1712-23-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/1712-22-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1712-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1712-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1712-19-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/1712-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4932-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4932-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4932-4-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/4932-0-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4932-2-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4932-1-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads