darkcomet | 1b5fc2c4f44fcd648bc5857b6efe302817e5ce1e75e15d196bb9910107c99fcc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2025, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_724b745767eb299f982fc781c35237a9.exe
Size

1.1MB
MD5

724b745767eb299f982fc781c35237a9
SHA1

8e4b9c069b5f69d4824d768239e468bac36dc23d
SHA256

1b5fc2c4f44fcd648bc5857b6efe302817e5ce1e75e15d196bb9910107c99fcc
SHA512

8c292f366c398c6eff532c67859f3869bcbc2c00632689e30ebea424a4010cb73074cb93bd77c5865357123e53e174b00f8a916e968d568ba920f6f10b2edaf5
SSDEEP

24576:FbptUZveEPJ1IG5tit60xD53XusT5chPZ2k:FvUsQ1Jnit6sNoR

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

testconnect.no-ip.org:16006

Mutex

DC_MUTEX-84PNHZ0

Attributes

gencode
udafyT70VUoT
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe

Executes dropped EXE 1 IoCs

pid	Process
4652	CRYPTEDFILE.EXE

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SAHmIGtYYXAFYrIspK = "C:\\Users\\Admin\\AppData\\Roaming\\NaWJBMoUWtuFZdxaJS.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4652 set thread context of 4312	4652	CRYPTEDFILE.EXE	99
PID 4652 set thread context of 3652	4652	CRYPTEDFILE.EXE	102

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\NaWJBMoUWtuFZdxaJS.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CRYPTEDFILE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\NaWJBMoUWtuFZdxaJS.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	CRYPTEDFILE.EXE
Token: SeIncreaseQuotaPrivilege	3652	vbc.exe
Token: SeSecurityPrivilege	3652	vbc.exe
Token: SeTakeOwnershipPrivilege	3652	vbc.exe
Token: SeLoadDriverPrivilege	3652	vbc.exe
Token: SeSystemProfilePrivilege	3652	vbc.exe
Token: SeSystemtimePrivilege	3652	vbc.exe
Token: SeProfSingleProcessPrivilege	3652	vbc.exe
Token: SeIncBasePriorityPrivilege	3652	vbc.exe
Token: SeCreatePagefilePrivilege	3652	vbc.exe
Token: SeBackupPrivilege	3652	vbc.exe
Token: SeRestorePrivilege	3652	vbc.exe
Token: SeShutdownPrivilege	3652	vbc.exe
Token: SeDebugPrivilege	3652	vbc.exe
Token: SeSystemEnvironmentPrivilege	3652	vbc.exe
Token: SeChangeNotifyPrivilege	3652	vbc.exe
Token: SeRemoteShutdownPrivilege	3652	vbc.exe
Token: SeUndockPrivilege	3652	vbc.exe
Token: SeManageVolumePrivilege	3652	vbc.exe
Token: SeImpersonatePrivilege	3652	vbc.exe
Token: SeCreateGlobalPrivilege	3652	vbc.exe
Token: 33	3652	vbc.exe
Token: 34	3652	vbc.exe
Token: 35	3652	vbc.exe
Token: 36	3652	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4312	vbc.exe
3652	vbc.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 4652	2764	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe	85
PID 2764 wrote to memory of 4652	2764	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe	85
PID 2764 wrote to memory of 4652	2764	JaffaCakes118_724b745767eb299f982fc781c35237a9.exe	85
PID 4652 wrote to memory of 1516	4652	CRYPTEDFILE.EXE	93
PID 4652 wrote to memory of 1516	4652	CRYPTEDFILE.EXE	93
PID 4652 wrote to memory of 1516	4652	CRYPTEDFILE.EXE	93
PID 1516 wrote to memory of 1092	1516	vbc.exe	95
PID 1516 wrote to memory of 1092	1516	vbc.exe	95
PID 1516 wrote to memory of 1092	1516	vbc.exe	95
PID 4652 wrote to memory of 2268	4652	CRYPTEDFILE.EXE	96
PID 4652 wrote to memory of 2268	4652	CRYPTEDFILE.EXE	96
PID 4652 wrote to memory of 2268	4652	CRYPTEDFILE.EXE	96
PID 2268 wrote to memory of 3172	2268	vbc.exe	98
PID 2268 wrote to memory of 3172	2268	vbc.exe	98
PID 2268 wrote to memory of 3172	2268	vbc.exe	98
PID 4652 wrote to memory of 4312	4652	CRYPTEDFILE.EXE	99
PID 4652 wrote to memory of 4312	4652	CRYPTEDFILE.EXE	99
PID 4652 wrote to memory of 4312	4652	CRYPTEDFILE.EXE	99
PID 4652 wrote to memory of 4312	4652	CRYPTEDFILE.EXE	99
PID 4652 wrote to memory of 4312	4652	CRYPTEDFILE.EXE	99
PID 4652 wrote to memory of 4312	4652	CRYPTEDFILE.EXE	99
PID 4652 wrote to memory of 4312	4652	CRYPTEDFILE.EXE	99
PID 4652 wrote to memory of 4312	4652	CRYPTEDFILE.EXE	99
PID 4652 wrote to memory of 5116	4652	CRYPTEDFILE.EXE	100
PID 4652 wrote to memory of 5116	4652	CRYPTEDFILE.EXE	100
PID 4652 wrote to memory of 5116	4652	CRYPTEDFILE.EXE	100
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102
PID 4652 wrote to memory of 3652	4652	CRYPTEDFILE.EXE	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_724b745767eb299f982fc781c35237a9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_724b745767eb299f982fc781c35237a9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\CRYPTEDFILE.EXE
  "C:\Users\Admin\AppData\Local\Temp\CRYPTEDFILE.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uti-g6xm.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1503D4FBE25E4498BFFC4BFE57FC51.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\optqz2b2.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE55F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C292CAFCB8442299E3BE582103D6175.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3172
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    "cmd"
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    PID:5116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CRYPTEDFILE.EXE

Filesize
1017KB

MD5
03591cde01c5bc5de7b93f9dcffc8fc9

SHA1
dc51f03df3b45e1f1dfa298c1684cea7ea744a79

SHA256
24e0b0fe86966a3b8105193050d9f959ba833a06f67ad22fc12537e3ba73658d

SHA512
bb9b790cdd3913d4ecaaab7533bbc07755a20f194892979c568acc599e83c3d631b4b982af2cf20e80d3cdcc58f907d2f3a6eb9e4b7c7a1db222e43171ae13d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3D8.tmp

Filesize
1KB

MD5
af75a00b44c43ef5daa88de6c46437e5

SHA1
35ea2eaf50aba227a653bd95382e9e67f7d5cb67

SHA256
bf9626cbdbc401bc34d84a6d55290f4cfab4b672a9ce537a48b4908a0d09e26c

SHA512
2b9ffd14d09dfef68ee89e237184bfc2dabd7ccb8871b3ee2f98914db994c3ea4a985872d202dfbf7fbe56f7cc43d9b6a24b57286cb964cdb9f2140957cdce5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE55F.tmp

Filesize
1KB

MD5
24985ea75c11255d1db407711018e289

SHA1
7dc6a094c5cf4ba4bbc8e592a28649c6f6f03017

SHA256
1e0502d5490711c4221471e793388038da92bf553e52dbae090332752ef434de

SHA512
86dc4968e73e7e0ba6d41b58011791a716443c0fb284f46b48b3b25300d0b3c3d0ccf8bed244653bb47f6c08d9ffda51f3140d194ffb9ac266fad24d600b6f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\optqz2b2.cmdline

Filesize
317B

MD5
e0c1dd0338e755bf18300bbd97ab959f

SHA1
9339d3695f695210414d893ccea7cff23e3ac143

SHA256
f755ce4fda2a979961c283dcd627de0b74435ad76cd80be1e7b7efde4048d1af

SHA512
1276e4e89c70a5be9d7bb7c8c10bba6f41bec2cbe15770d517fda8dcd0bf41f325e0b86e31b55672f94a6f1601dd3b01e4c217d3ba654044bed06544e2d56215

Download Submit
C:\Users\Admin\AppData\Local\Temp\optqz2b2.dll

Filesize
6KB

MD5
2735da5510e1279bacf7ff3a3edd5aa1

SHA1
a48d78c3aa6c49285b4eb20d0a74a6e63ab23fdc

SHA256
0617901d1a0f8f3aa63a0dfa49964277d1689f1a2e605a764a8bb4ad6cc80e98

SHA512
fed2fd48d77adce90d63c6b65e3fb04257fec909ce8baa1c7baa346190a8f47f6100d272f3fe5220e5ecb1eabcec29c9149dd51a68aad41802657b165b3540e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uti-g6xm.0.vb

Filesize
468B

MD5
35908ac623598e25e24c1a68f5dfab77

SHA1
91f5a72f103c2541c26768c83aba70daa041635a

SHA256
68f1ada0e587757539b868b22397a1fe764caa07005f24b76327f5e8724683b8

SHA512
f5c4e5c05253a9f0387957d74b11fa00ded8a2afca8898b4ba47b25ae78cfd310a9217f2fcca3d495876c6380fab0d5b3b5d5392641c2c029b84d832d2b85ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uti-g6xm.cmdline

Filesize
317B

MD5
b8aa7d848271f17d10a4bf82f4c5ee9e

SHA1
7d2c8a365305afa8ef8bb24d685ff64d18c4de8b

SHA256
9f68b8b6968c0afb7ba8b9683043344a06a931722f94b179134796cd11621ba9

SHA512
07d4b9cb8c89054a205ee67eda5927029eacb48c227193d778e8388916516e6e05db4b80e730c50afba39798261e64744fc829d9f409c4851f991a73321ebb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\uti-g6xm.dll

Filesize
6KB

MD5
ead78afe89a4b57b259947bf259d040e

SHA1
985413c94f20610f67bd4e09f817ef74f9e8e084

SHA256
761ab2ffe681bfdddffa6c5f883f497ccd7547ddb9f4a1b070109ab6ba9a4dc6

SHA512
b54845e3b73d780e3e9d2e633b1abf810d6bb270f3e47534657c06b55a6da831cac51bbdaf509d61d9512f6ad6e84d145d4e1e40d5f1ea26752c6cabeae500dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1503D4FBE25E4498BFFC4BFE57FC51.TMP

Filesize
652B

MD5
fa795523be32284889dc61c239a2508c

SHA1
c75e8a79b0e88844e1177573f4967b754e6e0f99

SHA256
881eb0381c987b90e27cc064b34ebbbb8b8798f21e0e8585862977257a0cee62

SHA512
f4bcdf0e2c67d2cbe445249f27956318e5d3a347bd0a30dbc368e346a32073482f65febf39aaa28608de2b722d1b1aa0c09dbc23ed7544985159a7b6679d8b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3C292CAFCB8442299E3BE582103D6175.TMP

Filesize
652B

MD5
b608face6230c4e4a4c2381e3ef44f30

SHA1
4c4b28eb1b35fe20a739d93df160959c65a4782b

SHA256
41a89265f28fdc4fc4d2ee691a6fa4df17cfef57cd9a2131a69821bfb1d63d0c

SHA512
8499d2c2e4375e9696f8965d16463542b90ff316e37e016961a4fbd32870b770d67549111dd4c28890f4832a228c06066b0a5ab6c6072842af2bbffced7c819c

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
89B

MD5
ae834ac738f172c75ac48dbdeb067880

SHA1
45339f98d1073c86c4d65b7fa88614b7ac54c16d

SHA256
506dddb9ca0a6a93c9241dbca83270214f0e5058de1111a761782a5b3f817e3c

SHA512
7b00e6cd7b55a3ad15956eb28657800cb7e9a5f576e49cb50c57f6300635e1328a2f80500ffff1c66d37a7fa669706094d2b1fd82810be2af843d7c79242c9cc

Download Submit
memory/1516-27-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/1516-18-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3652-66-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-69-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-77-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-76-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-75-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-74-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-73-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-72-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-71-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-70-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-59-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-61-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-68-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-63-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-64-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-65-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3652-67-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4312-54-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/4312-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4312-48-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4312-47-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4652-11-0x0000000074972000-0x0000000074973000-memory.dmp

Filesize
4KB

Download
memory/4652-62-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4652-45-0x0000000074972000-0x0000000074973000-memory.dmp

Filesize
4KB

Download
memory/4652-58-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4652-12-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4652-13-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4652-46-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads