darkcomet | 13b52aa0dd2735d4e7c1ee14ac5c205220f4ee40c1ebea03bbda4ed4de3fc8b8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2025, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
Size

3.9MB
MD5

c22ad1fd682dc055fa785af3a3698173
SHA1

843619a091c73c8229416ed06484f071ae712921
SHA256

13b52aa0dd2735d4e7c1ee14ac5c205220f4ee40c1ebea03bbda4ed4de3fc8b8
SHA512

db6ef91326c7a8b71e5af4f91759ca7694d4143ad6aaa0e654997585ae8c1a619904fa82380833de6e6b2032e71739d046ca63e79aa67532e15531bbc234cf86
SSDEEP

98304:+2o2ByKYfS/qEwaVhNAiI/rXPrKKaq5BTpH2pIAvFclLlZqhPAbTkntBGtPEqADK:+2o2ByKYfS/qEwaVhNAiI/rXPrKKaq5z

Score

10^/10

darkcomet youtube defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Youtube

letsgoboom.no-ip.info:1604

Mutex

DC_MUTEX-JCT2X8G

Attributes

gencode
ou�nXAcHorSd
install
false
offline_keylogger
true
password
runescaped
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Flshcard.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe

Executes dropped EXE 4 IoCs

pid	Process
3556	Flshcard.exe
3584	Flshcard.exe
5960	Flshcard.exe
3388	Flshcard.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Windows\\Flshcard.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Flshcard.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3556 set thread context of 5960	3556	Flshcard.exe	100
PID 3556 set thread context of 3388	3556	Flshcard.exe	101

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1612-0-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral1/files/0x00080000000241e1-24.dat	upx
behavioral1/memory/5960-41-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-46-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/3584-47-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral1/memory/5960-49-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-52-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/3388-57-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/3388-55-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/5960-53-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-51-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/3556-60-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral1/memory/3388-50-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/5960-48-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-45-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1612-40-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral1/memory/3556-36-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral1/memory/5960-61-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/3388-64-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/5960-62-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-65-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-67-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-69-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-71-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-73-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-75-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-77-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-79-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-81-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-83-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-85-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-87-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/5960-89-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Flshcard.txt	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
File opened for modification	C:\Windows\Flshcard.txt	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
File created	C:\Windows\Flshcard.exe	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
File opened for modification	C:\Windows\Flshcard.exe	Flshcard.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flshcard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flshcard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flshcard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flshcard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Flshcard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Flshcard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Flshcard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Flshcard.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Flshcard.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5960	Flshcard.exe
Token: SeSecurityPrivilege	5960	Flshcard.exe
Token: SeTakeOwnershipPrivilege	5960	Flshcard.exe
Token: SeLoadDriverPrivilege	5960	Flshcard.exe
Token: SeSystemProfilePrivilege	5960	Flshcard.exe
Token: SeSystemtimePrivilege	5960	Flshcard.exe
Token: SeProfSingleProcessPrivilege	5960	Flshcard.exe
Token: SeIncBasePriorityPrivilege	5960	Flshcard.exe
Token: SeCreatePagefilePrivilege	5960	Flshcard.exe
Token: SeBackupPrivilege	5960	Flshcard.exe
Token: SeRestorePrivilege	5960	Flshcard.exe
Token: SeShutdownPrivilege	5960	Flshcard.exe
Token: SeDebugPrivilege	5960	Flshcard.exe
Token: SeSystemEnvironmentPrivilege	5960	Flshcard.exe
Token: SeChangeNotifyPrivilege	5960	Flshcard.exe
Token: SeRemoteShutdownPrivilege	5960	Flshcard.exe
Token: SeUndockPrivilege	5960	Flshcard.exe
Token: SeManageVolumePrivilege	5960	Flshcard.exe
Token: SeImpersonatePrivilege	5960	Flshcard.exe
Token: SeCreateGlobalPrivilege	5960	Flshcard.exe
Token: 33	5960	Flshcard.exe
Token: 34	5960	Flshcard.exe
Token: 35	5960	Flshcard.exe
Token: 36	5960	Flshcard.exe
Token: SeDebugPrivilege	3388	Flshcard.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1612	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
3556	Flshcard.exe
3584	Flshcard.exe
3584	Flshcard.exe
5960	Flshcard.exe
3388	Flshcard.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 4704	1612	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	88
PID 1612 wrote to memory of 4704	1612	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	88
PID 1612 wrote to memory of 4704	1612	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	88
PID 4704 wrote to memory of 4888	4704	cmd.exe	91
PID 4704 wrote to memory of 4888	4704	cmd.exe	91
PID 4704 wrote to memory of 4888	4704	cmd.exe	91
PID 4704 wrote to memory of 5008	4704	cmd.exe	92
PID 4704 wrote to memory of 5008	4704	cmd.exe	92
PID 4704 wrote to memory of 5008	4704	cmd.exe	92
PID 1612 wrote to memory of 3628	1612	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	93
PID 1612 wrote to memory of 3628	1612	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	93
PID 1612 wrote to memory of 3628	1612	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	93
PID 3628 wrote to memory of 5600	3628	cmd.exe	95
PID 3628 wrote to memory of 5600	3628	cmd.exe	95
PID 3628 wrote to memory of 5600	3628	cmd.exe	95
PID 6104 wrote to memory of 3556	6104	cmd.exe	98
PID 6104 wrote to memory of 3556	6104	cmd.exe	98
PID 6104 wrote to memory of 3556	6104	cmd.exe	98
PID 1612 wrote to memory of 3584	1612	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	99
PID 1612 wrote to memory of 3584	1612	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	99
PID 1612 wrote to memory of 3584	1612	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	99
PID 3556 wrote to memory of 5960	3556	Flshcard.exe	100
PID 3556 wrote to memory of 5960	3556	Flshcard.exe	100
PID 3556 wrote to memory of 5960	3556	Flshcard.exe	100
PID 3556 wrote to memory of 5960	3556	Flshcard.exe	100
PID 3556 wrote to memory of 5960	3556	Flshcard.exe	100
PID 3556 wrote to memory of 5960	3556	Flshcard.exe	100
PID 3556 wrote to memory of 5960	3556	Flshcard.exe	100
PID 3556 wrote to memory of 5960	3556	Flshcard.exe	100
PID 3556 wrote to memory of 3388	3556	Flshcard.exe	101
PID 3556 wrote to memory of 3388	3556	Flshcard.exe	101
PID 3556 wrote to memory of 3388	3556	Flshcard.exe	101
PID 3556 wrote to memory of 3388	3556	Flshcard.exe	101
PID 3556 wrote to memory of 3388	3556	Flshcard.exe	101
PID 3556 wrote to memory of 3388	3556	Flshcard.exe	101
PID 3556 wrote to memory of 3388	3556	Flshcard.exe	101
PID 3556 wrote to memory of 3388	3556	Flshcard.exe	101

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NZVLSI.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4888
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEpSN.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Windows\Flshcard.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5600
- C:\Windows\Flshcard.exe
  "C:\Windows\Flshcard.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Flshcard.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6104
- C:\Windows\Flshcard.exe
  C:\Windows\Flshcard.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\Flshcard.exe
    C:\Windows\Flshcard.exe
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5960
- - C:\Windows\Flshcard.exe
    C:\Windows\Flshcard.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3388

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NZVLSI.txt

Filesize
244B

MD5
e3708580f0f7bcb99300af8f11ecc293

SHA1
7f725aba8aae5108989d67e2a5f0faf8df911bb0

SHA256
14fc24a606777a894fc255a7d5d7b86da9312e888ec1a9226f89ef3128b6d43f

SHA512
fb25caa7b1ba1e0add06a6e7630a672c388e5da404bdf7d346d415237883d450f3ff2a0fe7801ed5514a9c409867ea649d8da83f2546bd27e9c76da9f50dd78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEpSN.bat

Filesize
118B

MD5
67cce5eb6002cfa92099ebd7a3bfc816

SHA1
36f7db5b45acb006aca4767002e6796804ba68d1

SHA256
e08a7e1151319d5bb154fcfc3fdc5089b3ce35136f73e398c8669c113080547e

SHA512
7067f8e0400557dbe3a68622356e196c2928ac39f2a17ca5d6af99ea38c7c4be28cf5081ff1e3ce4bfcbafecd82680cbcef1dc67e3acc4c67b544c412c92f913

Download Submit
C:\Windows\Flshcard.txt

Filesize
3.9MB

MD5
cdfa197065a4efe498622349743241df

SHA1
720c6f7aa387915e7dc3fb6a0bc838800fa711db

SHA256
d332e5cd8ea8886b8cf541fc87e9f9b4393ef6d538953aa7dce124f3a59c4260

SHA512
b16064cb4e1cd3b6cd2cfe6a0701082ca9ad76a6e4e7c0a1d5ebf83ca896c197d5daef27b44e0da432bcb7e3e8ae88dc5d43e8c896e00a7aa07123c55bf56154

Download Submit
memory/1612-0-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/1612-40-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/3388-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3388-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3388-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3388-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3556-60-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/3556-36-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/3584-47-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/5960-62-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-67-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-48-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-45-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-46-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-51-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-41-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-61-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-49-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-53-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-65-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-52-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-69-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-71-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-73-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-75-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-77-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-79-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-81-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-83-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-85-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-87-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5960-89-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads