darkcomet | 13b52aa0dd2735d4e7c1ee14ac5c205220f4ee40c1ebea03bbda4ed4de3fc8b8

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
Size

3.9MB
MD5

c22ad1fd682dc055fa785af3a3698173
SHA1

843619a091c73c8229416ed06484f071ae712921
SHA256

13b52aa0dd2735d4e7c1ee14ac5c205220f4ee40c1ebea03bbda4ed4de3fc8b8
SHA512

db6ef91326c7a8b71e5af4f91759ca7694d4143ad6aaa0e654997585ae8c1a619904fa82380833de6e6b2032e71739d046ca63e79aa67532e15531bbc234cf86
SSDEEP

98304:+2o2ByKYfS/qEwaVhNAiI/rXPrKKaq5BTpH2pIAvFclLlZqhPAbTkntBGtPEqADK:+2o2ByKYfS/qEwaVhNAiI/rXPrKKaq5z

Score

10^/10

darkcomet youtube defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Youtube

letsgoboom.no-ip.info:1604

Mutex

DC_MUTEX-JCT2X8G

Attributes

gencode
ou�nXAcHorSd
install
false
offline_keylogger
true
password
runescaped
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Flshcard.exe

Executes dropped EXE 4 IoCs

pid	Process
4460	Flshcard.exe
5072	Flshcard.exe
4744	Flshcard.exe
4412	Flshcard.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Windows\\Flshcard.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Flshcard.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 5072	4460	Flshcard.exe	91
PID 4460 set thread context of 4412	4460	Flshcard.exe	92

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5524-0-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral2/memory/4460-38-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral2/files/0x001a00000002b171-40.dat	upx
behavioral2/memory/5524-45-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral2/memory/5072-56-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/4460-58-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral2/memory/4744-59-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral2/memory/5072-57-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-55-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-52-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/4412-51-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4412-50-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4412-47-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/5072-44-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-42-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-41-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-39-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-60-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/4412-62-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/5072-61-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-63-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-65-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-67-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-69-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-71-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-73-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-75-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-77-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-79-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-81-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-83-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-85-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5072-87-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Flshcard.exe	Flshcard.exe
File created	C:\Windows\Flshcard.txt	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
File opened for modification	C:\Windows\Flshcard.txt	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
File created	C:\Windows\Flshcard.exe	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flshcard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flshcard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flshcard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flshcard.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Flshcard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Flshcard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Flshcard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Flshcard.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Flshcard.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5072	Flshcard.exe
Token: SeSecurityPrivilege	5072	Flshcard.exe
Token: SeTakeOwnershipPrivilege	5072	Flshcard.exe
Token: SeLoadDriverPrivilege	5072	Flshcard.exe
Token: SeSystemProfilePrivilege	5072	Flshcard.exe
Token: SeSystemtimePrivilege	5072	Flshcard.exe
Token: SeProfSingleProcessPrivilege	5072	Flshcard.exe
Token: SeIncBasePriorityPrivilege	5072	Flshcard.exe
Token: SeCreatePagefilePrivilege	5072	Flshcard.exe
Token: SeBackupPrivilege	5072	Flshcard.exe
Token: SeRestorePrivilege	5072	Flshcard.exe
Token: SeShutdownPrivilege	5072	Flshcard.exe
Token: SeDebugPrivilege	5072	Flshcard.exe
Token: SeSystemEnvironmentPrivilege	5072	Flshcard.exe
Token: SeChangeNotifyPrivilege	5072	Flshcard.exe
Token: SeRemoteShutdownPrivilege	5072	Flshcard.exe
Token: SeUndockPrivilege	5072	Flshcard.exe
Token: SeManageVolumePrivilege	5072	Flshcard.exe
Token: SeImpersonatePrivilege	5072	Flshcard.exe
Token: SeCreateGlobalPrivilege	5072	Flshcard.exe
Token: 33	5072	Flshcard.exe
Token: 34	5072	Flshcard.exe
Token: 35	5072	Flshcard.exe
Token: 36	5072	Flshcard.exe
Token: SeDebugPrivilege	4412	Flshcard.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5524	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
4460	Flshcard.exe
4744	Flshcard.exe
4744	Flshcard.exe
4412	Flshcard.exe
5072	Flshcard.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 5524 wrote to memory of 408	5524	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	78
PID 5524 wrote to memory of 408	5524	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	78
PID 5524 wrote to memory of 408	5524	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	78
PID 408 wrote to memory of 6140	408	cmd.exe	82
PID 408 wrote to memory of 6140	408	cmd.exe	82
PID 408 wrote to memory of 6140	408	cmd.exe	82
PID 408 wrote to memory of 1880	408	cmd.exe	83
PID 408 wrote to memory of 1880	408	cmd.exe	83
PID 408 wrote to memory of 1880	408	cmd.exe	83
PID 5524 wrote to memory of 5172	5524	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	84
PID 5524 wrote to memory of 5172	5524	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	84
PID 5524 wrote to memory of 5172	5524	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	84
PID 5172 wrote to memory of 1044	5172	cmd.exe	86
PID 5172 wrote to memory of 1044	5172	cmd.exe	86
PID 5172 wrote to memory of 1044	5172	cmd.exe	86
PID 2816 wrote to memory of 4460	2816	cmd.exe	89
PID 2816 wrote to memory of 4460	2816	cmd.exe	89
PID 2816 wrote to memory of 4460	2816	cmd.exe	89
PID 5524 wrote to memory of 4744	5524	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	90
PID 5524 wrote to memory of 4744	5524	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	90
PID 5524 wrote to memory of 4744	5524	JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe	90
PID 4460 wrote to memory of 5072	4460	Flshcard.exe	91
PID 4460 wrote to memory of 5072	4460	Flshcard.exe	91
PID 4460 wrote to memory of 5072	4460	Flshcard.exe	91
PID 4460 wrote to memory of 5072	4460	Flshcard.exe	91
PID 4460 wrote to memory of 5072	4460	Flshcard.exe	91
PID 4460 wrote to memory of 5072	4460	Flshcard.exe	91
PID 4460 wrote to memory of 5072	4460	Flshcard.exe	91
PID 4460 wrote to memory of 5072	4460	Flshcard.exe	91
PID 4460 wrote to memory of 4412	4460	Flshcard.exe	92
PID 4460 wrote to memory of 4412	4460	Flshcard.exe	92
PID 4460 wrote to memory of 4412	4460	Flshcard.exe	92
PID 4460 wrote to memory of 4412	4460	Flshcard.exe	92
PID 4460 wrote to memory of 4412	4460	Flshcard.exe	92
PID 4460 wrote to memory of 4412	4460	Flshcard.exe	92
PID 4460 wrote to memory of 4412	4460	Flshcard.exe	92
PID 4460 wrote to memory of 4412	4460	Flshcard.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c22ad1fd682dc055fa785af3a3698173.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NZVLSI.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6140
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oNleH.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5172
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Windows\Flshcard.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1044
- C:\Windows\Flshcard.exe
  "C:\Windows\Flshcard.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Flshcard.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\Flshcard.exe
  C:\Windows\Flshcard.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\Flshcard.exe
    C:\Windows\Flshcard.exe
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5072
- - C:\Windows\Flshcard.exe
    C:\Windows\Flshcard.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4412

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NZVLSI.txt

Filesize
244B

MD5
e3708580f0f7bcb99300af8f11ecc293

SHA1
7f725aba8aae5108989d67e2a5f0faf8df911bb0

SHA256
14fc24a606777a894fc255a7d5d7b86da9312e888ec1a9226f89ef3128b6d43f

SHA512
fb25caa7b1ba1e0add06a6e7630a672c388e5da404bdf7d346d415237883d450f3ff2a0fe7801ed5514a9c409867ea649d8da83f2546bd27e9c76da9f50dd78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oNleH.bat

Filesize
118B

MD5
67cce5eb6002cfa92099ebd7a3bfc816

SHA1
36f7db5b45acb006aca4767002e6796804ba68d1

SHA256
e08a7e1151319d5bb154fcfc3fdc5089b3ce35136f73e398c8669c113080547e

SHA512
7067f8e0400557dbe3a68622356e196c2928ac39f2a17ca5d6af99ea38c7c4be28cf5081ff1e3ce4bfcbafecd82680cbcef1dc67e3acc4c67b544c412c92f913

Download Submit
C:\Windows\Flshcard.exe

Filesize
3.9MB

MD5
0c90baf3a33cd22dc699faf19b97e691

SHA1
cb535d36685f4c7d04e790fe8a3b8ac54c7b38b7

SHA256
558e99ca03ab96afa909a8f43d1025a1a6b9bdd47f2fc5f68df298d1a656baa3

SHA512
2a9753dfec19411349255c8a26df634fb9b0d46d64ba7b207e6d688507765ae11dbe5d8f7a5e57d972eb3929bff1c602707108a7243413c22bf7edf48b94135d

Download Submit
memory/4412-51-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4412-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4412-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4412-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4460-38-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/4460-58-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/4744-59-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/5072-41-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-65-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-55-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-57-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-44-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-42-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-87-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-39-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-56-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-60-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-85-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-61-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-63-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-52-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-67-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-69-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-71-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-73-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-75-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-77-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-79-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-81-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5072-83-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5524-45-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/5524-0-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads