darkcomet | 1b5fc2c4f44fcd648bc5857b6efe302817e5ce1e75e15d196bb9910107c99fcc

Analysis

max time kernel
150s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/03/2025, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_724b745767eb299f982fc781c35237a9.exe
Size

1.1MB
MD5

724b745767eb299f982fc781c35237a9
SHA1

8e4b9c069b5f69d4824d768239e468bac36dc23d
SHA256

1b5fc2c4f44fcd648bc5857b6efe302817e5ce1e75e15d196bb9910107c99fcc
SHA512

8c292f366c398c6eff532c67859f3869bcbc2c00632689e30ebea424a4010cb73074cb93bd77c5865357123e53e174b00f8a916e968d568ba920f6f10b2edaf5
SSDEEP

24576:FbptUZveEPJ1IG5tit60xD53XusT5chPZ2k:FvUsQ1Jnit6sNoR

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

Guest16

testconnect.no-ip.org:16006

Mutex

DC_MUTEX-84PNHZ0

Attributes

gencode
udafyT70VUoT
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 1 IoCs

pid	Process
2000	CRYPTEDFILE.EXE

Loads dropped DLL 1 IoCs

pid	Process
432	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAHmIGtYYXAFYrIspK = "C:\\Users\\Admin\\AppData\\Roaming\\NaWJBMoUWtuFZdxaJS.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 2860	2000	CRYPTEDFILE.EXE	36
PID 2000 set thread context of 2296	2000	CRYPTEDFILE.EXE	39

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\NaWJBMoUWtuFZdxaJS.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CRYPTEDFILE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\NaWJBMoUWtuFZdxaJS.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	CRYPTEDFILE.EXE
Token: SeIncreaseQuotaPrivilege	2296	vbc.exe
Token: SeSecurityPrivilege	2296	vbc.exe
Token: SeTakeOwnershipPrivilege	2296	vbc.exe
Token: SeLoadDriverPrivilege	2296	vbc.exe
Token: SeSystemProfilePrivilege	2296	vbc.exe
Token: SeSystemtimePrivilege	2296	vbc.exe
Token: SeProfSingleProcessPrivilege	2296	vbc.exe
Token: SeIncBasePriorityPrivilege	2296	vbc.exe
Token: SeCreatePagefilePrivilege	2296	vbc.exe
Token: SeBackupPrivilege	2296	vbc.exe
Token: SeRestorePrivilege	2296	vbc.exe
Token: SeShutdownPrivilege	2296	vbc.exe
Token: SeDebugPrivilege	2296	vbc.exe
Token: SeSystemEnvironmentPrivilege	2296	vbc.exe
Token: SeChangeNotifyPrivilege	2296	vbc.exe
Token: SeRemoteShutdownPrivilege	2296	vbc.exe
Token: SeUndockPrivilege	2296	vbc.exe
Token: SeManageVolumePrivilege	2296	vbc.exe
Token: SeImpersonatePrivilege	2296	vbc.exe
Token: SeCreateGlobalPrivilege	2296	vbc.exe
Token: 33	2296	vbc.exe
Token: 34	2296	vbc.exe
Token: 35	2296	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2860	vbc.exe
2296	vbc.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2000	432	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe	29
PID 432 wrote to memory of 2000	432	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe	29
PID 432 wrote to memory of 2000	432	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe	29
PID 432 wrote to memory of 2000	432	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe	29
PID 2000 wrote to memory of 2836	2000	CRYPTEDFILE.EXE	30
PID 2000 wrote to memory of 2836	2000	CRYPTEDFILE.EXE	30
PID 2000 wrote to memory of 2836	2000	CRYPTEDFILE.EXE	30
PID 2000 wrote to memory of 2836	2000	CRYPTEDFILE.EXE	30
PID 2836 wrote to memory of 2844	2836	vbc.exe	32
PID 2836 wrote to memory of 2844	2836	vbc.exe	32
PID 2836 wrote to memory of 2844	2836	vbc.exe	32
PID 2836 wrote to memory of 2844	2836	vbc.exe	32
PID 2000 wrote to memory of 2696	2000	CRYPTEDFILE.EXE	33
PID 2000 wrote to memory of 2696	2000	CRYPTEDFILE.EXE	33
PID 2000 wrote to memory of 2696	2000	CRYPTEDFILE.EXE	33
PID 2000 wrote to memory of 2696	2000	CRYPTEDFILE.EXE	33
PID 2696 wrote to memory of 3048	2696	vbc.exe	35
PID 2696 wrote to memory of 3048	2696	vbc.exe	35
PID 2696 wrote to memory of 3048	2696	vbc.exe	35
PID 2696 wrote to memory of 3048	2696	vbc.exe	35
PID 2000 wrote to memory of 2860	2000	CRYPTEDFILE.EXE	36
PID 2000 wrote to memory of 2860	2000	CRYPTEDFILE.EXE	36
PID 2000 wrote to memory of 2860	2000	CRYPTEDFILE.EXE	36
PID 2000 wrote to memory of 2860	2000	CRYPTEDFILE.EXE	36
PID 2000 wrote to memory of 2860	2000	CRYPTEDFILE.EXE	36
PID 2000 wrote to memory of 2860	2000	CRYPTEDFILE.EXE	36
PID 2000 wrote to memory of 2860	2000	CRYPTEDFILE.EXE	36
PID 2000 wrote to memory of 2860	2000	CRYPTEDFILE.EXE	36
PID 2000 wrote to memory of 2860	2000	CRYPTEDFILE.EXE	36
PID 2000 wrote to memory of 2756	2000	CRYPTEDFILE.EXE	37
PID 2000 wrote to memory of 2756	2000	CRYPTEDFILE.EXE	37
PID 2000 wrote to memory of 2756	2000	CRYPTEDFILE.EXE	37
PID 2000 wrote to memory of 2756	2000	CRYPTEDFILE.EXE	37
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39
PID 2000 wrote to memory of 2296	2000	CRYPTEDFILE.EXE	39

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_724b745767eb299f982fc781c35237a9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_724b745767eb299f982fc781c35237a9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\CRYPTEDFILE.EXE
  "C:\Users\Admin\AppData\Local\Temp\CRYPTEDFILE.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfbee2z4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F2A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F1A.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e3dk_k7j.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5034.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5033.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    "cmd"
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    PID:2756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4F2A.tmp

Filesize
1KB

MD5
0585fdadfae3162b3eba05a74ed30854

SHA1
e36b051b181c68f46b1a3a403bbbe63c18de62bf

SHA256
0b3c7802826b1b3167749b9ba8c649318b0edfe545690f7842d716dde65a894e

SHA512
bb53d50a9cda8f57d488dabad122c912ef5a6345df0a326eaf2f0d42f72ac0bfccbdc720c6b43a533d11c1b15890fd294a76b3bd0f4b38d7005647530c47bdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5034.tmp

Filesize
1KB

MD5
6fbabd97d3344c56d49bd6f8b1a668b5

SHA1
4cdd4bcece7daba50c22e9b03976c98f39794053

SHA256
884e3055540248142f7415f97bc1170080230d7b8edd1dc203f251374d3f10f3

SHA512
69e8223e48340881cb813b028784980e3019d8b76d655e2dacdfba8bd11542bf544a1fff74f9df8ae797d2897de9f47139579696535cea81a3ce7cc4f36ce42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3dk_k7j.cmdline

Filesize
317B

MD5
f2e3cca6f64b3e91dbca6ad651ddaadd

SHA1
9643e7ba39f08a19f0935acf288260b94823a445

SHA256
e36e0ed8cdd1a270190774cbeacd4efc258fe1211de9a4e62aab295f3645ad48

SHA512
db01872baf65af5a1daf5f67e769a4a53d4e5495df08f9031ba2ebf3a9dd6fd875516b2d8ba036ebbb537d8a577e16409f797dd95097fa43f31c1dba889e0a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3dk_k7j.dll

Filesize
6KB

MD5
2729e56cf623de645fa200c66bcfe700

SHA1
1b5cc6a98e924d33f2aa9c414b15270808e139f8

SHA256
451b989eaee0da46389688e2daaafaf45d6f89ca63ca67b2addf97993778e8df

SHA512
42a703bfe004608f96d501810d432d645d7bf4154ff7fd1e9f7865423ea96cf324095677d7c7448b725700ba8fa7418efb6f856e7179d98513bb21ef809bb5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfbee2z4.0.vb

Filesize
468B

MD5
35908ac623598e25e24c1a68f5dfab77

SHA1
91f5a72f103c2541c26768c83aba70daa041635a

SHA256
68f1ada0e587757539b868b22397a1fe764caa07005f24b76327f5e8724683b8

SHA512
f5c4e5c05253a9f0387957d74b11fa00ded8a2afca8898b4ba47b25ae78cfd310a9217f2fcca3d495876c6380fab0d5b3b5d5392641c2c029b84d832d2b85ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfbee2z4.cmdline

Filesize
317B

MD5
3960d4a5376edf90696a402bd41929c4

SHA1
0cd8fe3b9d1a5a209dff6b6d645b0ee54f969820

SHA256
04ef30b5b87e06e5dd0f6943ff4cafae218881f4598ae415db22b0f7ff5351ce

SHA512
7a94bd9ad36c42ee1e3d097a826794765dc978ae1eb9f2a5c73aa55cc21c7120b65a0328f425442c87495c51b96e81b54bc0d0b42d4795cc42045b58d562b9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfbee2z4.dll

Filesize
6KB

MD5
cbbf5648f983f95c4d5442e6cc91ee52

SHA1
eab29eff86cb95ba82308197013994b414e915f6

SHA256
0e1795887b3561253e0f5d15c99e02d2a107f970872eda9de4ffd084f2635b60

SHA512
4373759948d6e0ba5a8bcd0dff0fa17b0fe56a60abac52fe4a7c49820ffc48ac4313caf5003d1f530229e3f95cbd799ba494755bef5e45bca8fd6ea40ce96abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4F1A.tmp

Filesize
652B

MD5
4598983c8dab35e6bd2f151ccb1c8ed6

SHA1
c1fd99126ef39b37c0f10c1e1710529d3000b603

SHA256
b186d70c31409d1adb43c9937c2746aeadc592729558d578156232ab8f7f6dee

SHA512
a5a790ee1968c5d02e93c04336586e308e9c180c16fa3cc87e9a40615af17ebeb4fd3c698dcdd9837feb35cfb1839133c00212b082e8ac9690d41d5d136d13fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5033.tmp

Filesize
652B

MD5
d7ddbab10f0b6518823793d44c6dd283

SHA1
cc26fffd9d43f0d1c1e3bb703c2aace76d576ff4

SHA256
de50f8be58bf7fb9770f708b50365056e7eb0924abb0dbfa9743efe4f8b4aebc

SHA512
4fbf72edffe90a093667681d19e7a57a6ab174e6568c7190c9162067e52600ca5ba92699abee0caf103fcb19db8bd9daa5f4bd4c5ff78c4193983dc5230e186c

Download Submit
C:\Users\Admin\AppData\Roaming\NaWJBMoUWtuFZdxaJS.exe:ZONE.identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
89B

MD5
ae834ac738f172c75ac48dbdeb067880

SHA1
45339f98d1073c86c4d65b7fa88614b7ac54c16d

SHA256
506dddb9ca0a6a93c9241dbca83270214f0e5058de1111a761782a5b3f817e3c

SHA512
7b00e6cd7b55a3ad15956eb28657800cb7e9a5f576e49cb50c57f6300635e1328a2f80500ffff1c66d37a7fa669706094d2b1fd82810be2af843d7c79242c9cc

Download Submit
\Users\Admin\AppData\Local\Temp\CRYPTEDFILE.EXE

Filesize
1017KB

MD5
03591cde01c5bc5de7b93f9dcffc8fc9

SHA1
dc51f03df3b45e1f1dfa298c1684cea7ea744a79

SHA256
24e0b0fe86966a3b8105193050d9f959ba833a06f67ad22fc12537e3ba73658d

SHA512
bb9b790cdd3913d4ecaaab7533bbc07755a20f194892979c568acc599e83c3d631b4b982af2cf20e80d3cdcc58f907d2f3a6eb9e4b7c7a1db222e43171ae13d0

Download Submit
memory/2000-7-0x00000000749E1000-0x00000000749E2000-memory.dmp

Filesize
4KB

Download
memory/2000-9-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-40-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-79-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-8-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-14-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-62-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-86-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-95-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-94-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-93-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-92-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-91-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-63-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-65-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-67-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-69-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-72-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-73-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-76-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-78-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-90-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-80-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-81-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-82-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-83-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-84-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-85-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-89-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-87-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2296-88-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2860-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2860-41-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2860-43-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2860-45-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2860-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2860-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2860-51-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads