darkcomet | 74f53540e84983f13274e5b0e9f9f73f9a4033306d6829154bfb21842cf38bb8

Analysis

max time kernel
148s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2025, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

712KB
MD5

3d30882dd83cdbcb727fa9fe6f93180a
SHA1

b4a951c7fe04688c25f91ccb887b8dc22fc759fd
SHA256

1491e9e9a7feaba77ea5f3114cf10dc279e57f807bc5ab0a7044b8eb8df1377c
SHA512

d0f2d0d83b5860982debe6118a74cb43d5b1f699deab73c73f79a24c19181bd796ab869d74fc46a8b76e49f0f516fb54b61c10ae5d5c662899f087d035fdda7b
SSDEEP

12288:/kfaC8uq4tpQxf91tnVhKLw8lx+AByjQBDKRXxhXQoy0LEsj+xNcMvbTcvE4Tzgu:J/CD6fntnVX8yASqx0Fq4qbTcef2

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

giviker.zapto.org:100

127.0.0.1:81

Mutex

DC_MUTEX-V8U94FG

Attributes

InstallPath
Windupdate\winupdate.exe
gencode
g4pACYv8bQ%*
install
true
offline_keylogger
true
persistence
true
reg_key
winupdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdate\\winupdate.exe"	WIFIWP~1.EXE

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WIFIWP~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
5560	WIFIWP~1.EXE
1036	WIFIWP~1.EXE
2328	winupdate.exe
5044	winupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdate\\winupdate.exe"	WIFIWP~1.EXE

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 5560 set thread context of 1036	5560	WIFIWP~1.EXE	83
PID 2328 set thread context of 5044	2328	winupdate.exe	87
PID 5044 set thread context of 4780	5044	winupdate.exe	88
PID 4780 set thread context of 4484	4780	explorer.exe	89
PID 1036 set thread context of 4184	1036	WIFIWP~1.EXE	90
PID 4184 set thread context of 1124	4184	explorer.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1640	1124	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIFIWP~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIFIWP~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WIFIWP~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WIFIWP~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WIFIWP~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WIFIWP~1.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WIFIWP~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4484	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5560	WIFIWP~1.EXE
Token: SeIncreaseQuotaPrivilege	1036	WIFIWP~1.EXE
Token: SeSecurityPrivilege	1036	WIFIWP~1.EXE
Token: SeTakeOwnershipPrivilege	1036	WIFIWP~1.EXE
Token: SeLoadDriverPrivilege	1036	WIFIWP~1.EXE
Token: SeSystemProfilePrivilege	1036	WIFIWP~1.EXE
Token: SeSystemtimePrivilege	1036	WIFIWP~1.EXE
Token: SeProfSingleProcessPrivilege	1036	WIFIWP~1.EXE
Token: SeIncBasePriorityPrivilege	1036	WIFIWP~1.EXE
Token: SeCreatePagefilePrivilege	1036	WIFIWP~1.EXE
Token: SeBackupPrivilege	1036	WIFIWP~1.EXE
Token: SeRestorePrivilege	1036	WIFIWP~1.EXE
Token: SeShutdownPrivilege	1036	WIFIWP~1.EXE
Token: SeDebugPrivilege	1036	WIFIWP~1.EXE
Token: SeSystemEnvironmentPrivilege	1036	WIFIWP~1.EXE
Token: SeChangeNotifyPrivilege	1036	WIFIWP~1.EXE
Token: SeRemoteShutdownPrivilege	1036	WIFIWP~1.EXE
Token: SeUndockPrivilege	1036	WIFIWP~1.EXE
Token: SeManageVolumePrivilege	1036	WIFIWP~1.EXE
Token: SeImpersonatePrivilege	1036	WIFIWP~1.EXE
Token: SeCreateGlobalPrivilege	1036	WIFIWP~1.EXE
Token: 33	1036	WIFIWP~1.EXE
Token: 34	1036	WIFIWP~1.EXE
Token: 35	1036	WIFIWP~1.EXE
Token: 36	1036	WIFIWP~1.EXE
Token: SeDebugPrivilege	2328	winupdate.exe
Token: SeIncreaseQuotaPrivilege	5044	winupdate.exe
Token: SeSecurityPrivilege	5044	winupdate.exe
Token: SeTakeOwnershipPrivilege	5044	winupdate.exe
Token: SeLoadDriverPrivilege	5044	winupdate.exe
Token: SeSystemProfilePrivilege	5044	winupdate.exe
Token: SeSystemtimePrivilege	5044	winupdate.exe
Token: SeProfSingleProcessPrivilege	5044	winupdate.exe
Token: SeIncBasePriorityPrivilege	5044	winupdate.exe
Token: SeCreatePagefilePrivilege	5044	winupdate.exe
Token: SeBackupPrivilege	5044	winupdate.exe
Token: SeRestorePrivilege	5044	winupdate.exe
Token: SeShutdownPrivilege	5044	winupdate.exe
Token: SeDebugPrivilege	5044	winupdate.exe
Token: SeSystemEnvironmentPrivilege	5044	winupdate.exe
Token: SeChangeNotifyPrivilege	5044	winupdate.exe
Token: SeRemoteShutdownPrivilege	5044	winupdate.exe
Token: SeUndockPrivilege	5044	winupdate.exe
Token: SeManageVolumePrivilege	5044	winupdate.exe
Token: SeImpersonatePrivilege	5044	winupdate.exe
Token: SeCreateGlobalPrivilege	5044	winupdate.exe
Token: 33	5044	winupdate.exe
Token: 34	5044	winupdate.exe
Token: 35	5044	winupdate.exe
Token: 36	5044	winupdate.exe
Token: SeDebugPrivilege	4780	explorer.exe
Token: SeIncreaseQuotaPrivilege	4484	explorer.exe
Token: SeSecurityPrivilege	4484	explorer.exe
Token: SeTakeOwnershipPrivilege	4484	explorer.exe
Token: SeLoadDriverPrivilege	4484	explorer.exe
Token: SeSystemProfilePrivilege	4484	explorer.exe
Token: SeSystemtimePrivilege	4484	explorer.exe
Token: SeProfSingleProcessPrivilege	4484	explorer.exe
Token: SeIncBasePriorityPrivilege	4484	explorer.exe
Token: SeCreatePagefilePrivilege	4484	explorer.exe
Token: SeBackupPrivilege	4484	explorer.exe
Token: SeRestorePrivilege	4484	explorer.exe
Token: SeShutdownPrivilege	4484	explorer.exe
Token: SeDebugPrivilege	4484	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4484	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6136 wrote to memory of 5560	6136	setup.exe	80
PID 6136 wrote to memory of 5560	6136	setup.exe	80
PID 6136 wrote to memory of 5560	6136	setup.exe	80
PID 1512 wrote to memory of 5556	1512	cmd.exe	82
PID 1512 wrote to memory of 5556	1512	cmd.exe	82
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 5560 wrote to memory of 1036	5560	WIFIWP~1.EXE	83
PID 3712 wrote to memory of 2328	3712	cmd.exe	86
PID 3712 wrote to memory of 2328	3712	cmd.exe	86
PID 3712 wrote to memory of 2328	3712	cmd.exe	86
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 2328 wrote to memory of 5044	2328	winupdate.exe	87
PID 5044 wrote to memory of 4780	5044	winupdate.exe	88
PID 5044 wrote to memory of 4780	5044	winupdate.exe	88
PID 5044 wrote to memory of 4780	5044	winupdate.exe	88
PID 5044 wrote to memory of 4780	5044	winupdate.exe	88
PID 5044 wrote to memory of 4780	5044	winupdate.exe	88
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 4780 wrote to memory of 4484	4780	explorer.exe	89
PID 1036 wrote to memory of 4184	1036	WIFIWP~1.EXE	90
PID 1036 wrote to memory of 4184	1036	WIFIWP~1.EXE	90
PID 1036 wrote to memory of 4184	1036	WIFIWP~1.EXE	90
PID 1036 wrote to memory of 4184	1036	WIFIWP~1.EXE	90
PID 1036 wrote to memory of 4184	1036	WIFIWP~1.EXE	90
PID 4184 wrote to memory of 1124	4184	explorer.exe	91
PID 4184 wrote to memory of 1124	4184	explorer.exe	91
PID 4184 wrote to memory of 1124	4184	explorer.exe	91
PID 4184 wrote to memory of 1124	4184	explorer.exe	91

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIFIWP~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIFIWP~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5560
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIFIWP~1.EXE
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIFIWP~1.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        
        PID:1124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 96
        6⤵
        Program crash
        
        PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
  C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
    "C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1124 -ip 1124
1⤵
PID:6052

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\explorer.exe.log

Filesize
128B

MD5
92bbf9af7d2dce28ff72dad3bbffa852

SHA1
b25288849fb939b02ce73a01a0252c4a2fd6c724

SHA256
6a304948382083a059262e7792a1773ebd35e9e8d77d2cbfebc0e661a8956fa3

SHA512
62f0ee8d580a1b73f4953fa998f6d0c892547bd8c93bb1644d907af7fd2471ce4b599bf6eb6118152a18f42182cb87a3dbf1f24276d171864fee8b9eb4877f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE

Filesize
464KB

MD5
e528c9ceeb7f95c587085b8c81fadd32

SHA1
bf161fcfad797e54d20f21d7c60ad49cddf00856

SHA256
8edbf5024b447b4d9803fa0a47fa1cd815ae37701ecc2967d45e92721574c888

SHA512
feec96236d2a57deaa70c3f029c340bbc74f4650d6176fe362bd7faa9053660f0c82db712f523fe7b6aee6c93cb5c1f3227c0bec11036a5ddbbfeb37106f2382

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIFIWP~1.EXE

Filesize
607KB

MD5
34023d08f16ead8bf2950977c6fd58bb

SHA1
cac710544bdad073f55190781073d52aa0036c41

SHA256
7f23e3050d990f95663fc4cea26673f3052c8f69f57a4f318a26603f344dbcde

SHA512
765f8038e5229e6f93c4b0a239783469b7db0ab0672a0ad846f102bb834c83857111c3d12151ba2d59c79a172e9985c26b1e6dae77918e90dd6aa8bc3b37181d

Download Submit
memory/1036-70-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1036-226-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1036-78-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1036-74-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1036-68-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1036-71-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2328-107-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-92-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-91-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-93-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-96-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-100-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-113-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-94-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-95-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-97-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-99-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-101-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-102-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-103-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-104-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-105-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-106-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-108-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-109-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-82-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-110-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-111-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-112-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-114-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2328-98-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/5560-18-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/5560-51-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-40-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-37-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-41-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-42-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-43-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-44-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-45-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-47-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-48-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-49-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-50-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-16-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/5560-73-0x0000000073880000-0x0000000073E31000-memory.dmp

Filesize
5.7MB

Download
memory/5560-67-0x0000000073880000-0x0000000073E31000-memory.dmp

Filesize
5.7MB

Download
memory/5560-75-0x0000000073880000-0x0000000073E31000-memory.dmp

Filesize
5.7MB

Download
memory/5560-19-0x0000000073881000-0x0000000073882000-memory.dmp

Filesize
4KB

Download
memory/5560-38-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-21-0x0000000073880000-0x0000000073E31000-memory.dmp

Filesize
5.7MB

Download
memory/5560-27-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-22-0x0000000073880000-0x0000000073E31000-memory.dmp

Filesize
5.7MB

Download
memory/5560-46-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-26-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-52-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-39-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-36-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-35-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-34-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-32-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-33-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-28-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-24-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-23-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-30-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-31-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-29-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-25-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/5560-17-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/5560-7-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads