Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/01/2025, 02:13
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
Size: 754KB
MD5: 620745eb357249f9a22e2fd3ae78e180
SHA1: 4ef382dbdc997e84abcccb4e84c1ba9f72f1a7f1
SHA256: f1d06b078b4ba01577ac77d51b5b817cf0dc5aaf1f42f9a900315d1321a7c95b
SHA512: 48b65ee65dda9a3490b3c8f9ce96c5738113e856b9d680a9b214e74522cad507df6ee03ba0ee3b66476a3ba351f84c3e8c621269f4c118865dd849c7d1801588
SSDEEP: 12288:WyJ5A3o8pLWg8+RTEQUHJrtrloElGDBqj/5VCGPGkHdez:vsZf8+RQpJrZldlGDBqj/jCQGkHi
Malware Config
Extracted: darkcomet
  hackedjuajua
  lolandtroll.zapto.org:1
  DC_MUTEX-5S19488
  InstallPath: MSdDCSC\msdcfsc.exe
  gencode: oRQoqohwZ100
  install: true
  offline_keylogger: true
  password: mortinato
  persistence: true
  reg_key: MicroUpdates
Extracted: latentbot
  lolandtroll.zapto.org
Signatures
- Darkcomet family
- Latentbot family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSdDCSC\\msdcfsc.exe" | JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  3116 | msdcfsc.exe
  2864 | msdcfsc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdates = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSdDCSC\\msdcfsc.exe" | msdcfsc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdates = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSdDCSC\\msdcfsc.exe" | JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only), grouped by process in the order reported (23 entries each):
  JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe: \??\L:, \??\Q:, \??\X:, \??\I:, \??\O:, \??\U:, \??\G:, \??\M:, \??\R:, \??\W:, \??\Y:, \??\B:, \??\N:, \??\T:, \??\P:, \??\H:, \??\J:, \??\S:, \??\V:, \??\A:, \??\K:, \??\Z:, \??\E:
  msdcfsc.exe: \??\B:, \??\E:, \??\M:, \??\N:, \??\S:, \??\P:, \??\W:, \??\J:, \??\K:, \??\O:, \??\X:, \??\G:, \??\U:, \??\Z:, \??\H:, \??\T:, \??\V:, \??\I:, \??\L:, \??\Q:, \??\Y:, \??\A:, \??\R:
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4028 set thread context of 3764 | 4028 | JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe | 83
  PID 3116 set thread context of 2864 | 3116 | msdcfsc.exe | 85
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcfsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcfsc.exe
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  Tokens adjusted, grouped by pid and process in the order reported:
  PID 4028 (JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe): SeShutdownPrivilege, SeCreatePagefilePrivilege
  PID 3764 (JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 3116 (msdcfsc.exe): SeShutdownPrivilege, SeCreatePagefilePrivilege
  PID 2864 (msdcfsc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  4028 | JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
  3116 | msdcfsc.exe
  2864 | msdcfsc.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  description | pid | Process | procid_target | entries
  PID 4028 wrote to memory of 3764 | 4028 | JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe | 83 | 14
  PID 3764 wrote to memory of 3116 | 3764 | JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe | 84 | 3
  PID 3116 wrote to memory of 2864 | 3116 | msdcfsc.exe | 85 | 14
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe"
  PID: 4028
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_620745eb357249f9a22e2fd3ae78e180.exe"
    PID: 3764
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSdDCSC\msdcfsc.exe
      Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSdDCSC\msdcfsc.exe"
      PID: 3116
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSdDCSC\msdcfsc.exe
        Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSdDCSC\msdcfsc.exe"
        PID: 2864
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 754KB
  MD5: 620745eb357249f9a22e2fd3ae78e180
  SHA1: 4ef382dbdc997e84abcccb4e84c1ba9f72f1a7f1
  SHA256: f1d06b078b4ba01577ac77d51b5b817cf0dc5aaf1f42f9a900315d1321a7c95b
  SHA512: 48b65ee65dda9a3490b3c8f9ce96c5738113e856b9d680a9b214e74522cad507df6ee03ba0ee3b66476a3ba351f84c3e8c621269f4c118865dd849c7d1801588
- Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b