formbook | 8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7

General

Target

8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
Size

363KB
MD5

8b6be0ea00b0d6a83236ca3884b6b4e7
SHA1

f6567ce57e9ab3bedf98456e1cac5cb9eceeddd0
SHA256

8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7
SHA512

2feb48679b1a2b7ea17144c2825cdfee1a3cdbc0e2d79496bca5842ff479b416a2c3e4e9954bce62246780d2de991b58c66bcab8f548ed7f8f008324171cacf9

Score

10^/10

trojan spyware stealer formbook rat remcos evasion persistence

Malware Config

Extracted

Family

remcos

C2

79.134.225.112:1774

Signatures

Suspicious use of SetThreadContext 7 IoCs

Processes:

8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exebin.exeWindows Essential.exeiexplore.exesvchost.exe

description	pid	process	target process
PID 1516 set thread context of 1292	1516	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
PID 1388 set thread context of 1212	1388	bin.exe	Explorer.EXE
PID 1996 set thread context of 2024	1996	Windows Essential.exe	iexplore.exe
PID 2024 set thread context of 1832	2024	iexplore.exe	svchost.exe
PID 1388 set thread context of 1212	1388	bin.exe	Explorer.EXE
PID 1740 set thread context of 1212	1740	svchost.exe	Explorer.EXE
PID 1740 set thread context of 2024	1740	svchost.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bin.exesvchost.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1388 bin.exe
Token: SeDebugPrivilege 1740 svchost.exe
Token: SeShutdownPrivilege 1212 Explorer.EXE
Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

bin.exesvchost.exe

pid process

1388 bin.exe
1388 bin.exe
1388 bin.exe
1388 bin.exe
1740 svchost.exe
1740 svchost.exe
1740 svchost.exe
1740 svchost.exe
1740 svchost.exe
1740 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1388	bin.exe
Token: SeDebugPrivilege	1740	svchost.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE

Adds Run entry to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos_agent.exeWindows Essential.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos_agent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Essential = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Essential\\Windows Essential.exe\""	remcos_agent.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Windows Essential.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Essential = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Essential\\Windows Essential.exe\""	Windows Essential.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Essential = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Essential\\Windows Essential.exe\""	iexplore.exe

Loads dropped DLL 6 IoCs

Processes:

8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.execmd.exe

pid	process
1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
1972	cmd.exe
1972	cmd.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

bin.exesvchost.exe

pid	process
1388	bin.exe
1388	bin.exe
1388	bin.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Program Files (x86)\M5jt\updatekpx4.exe svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exeiexplore.exe

pid process

1292 8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
2024 iexplore.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\M5jt\updatekpx4.exe	svchost.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UR_XNHA82T = "C:\\Program Files (x86)\\M5jt\\updatekpx4.exe"	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exeremcos_agent.exeWScript.execmd.exeWindows Essential.exeiexplore.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1516 wrote to memory of 1292	1516	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
PID 1516 wrote to memory of 1292	1516	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
PID 1516 wrote to memory of 1292	1516	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
PID 1516 wrote to memory of 1292	1516	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
PID 1516 wrote to memory of 1292	1516	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
PID 1516 wrote to memory of 1292	1516	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
PID 1516 wrote to memory of 1292	1516	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
PID 1516 wrote to memory of 1292	1516	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
PID 1516 wrote to memory of 1292	1516	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
PID 1292 wrote to memory of 1388	1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	bin.exe
PID 1292 wrote to memory of 1388	1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	bin.exe
PID 1292 wrote to memory of 1388	1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	bin.exe
PID 1292 wrote to memory of 1388	1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	bin.exe
PID 1292 wrote to memory of 1876	1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	remcos_agent.exe
PID 1292 wrote to memory of 1876	1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	remcos_agent.exe
PID 1292 wrote to memory of 1876	1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	remcos_agent.exe
PID 1292 wrote to memory of 1876	1292	8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe	remcos_agent.exe
PID 1876 wrote to memory of 1904	1876	remcos_agent.exe	WScript.exe
PID 1876 wrote to memory of 1904	1876	remcos_agent.exe	WScript.exe
PID 1876 wrote to memory of 1904	1876	remcos_agent.exe	WScript.exe
PID 1876 wrote to memory of 1904	1876	remcos_agent.exe	WScript.exe
PID 1904 wrote to memory of 1972	1904	WScript.exe	cmd.exe
PID 1904 wrote to memory of 1972	1904	WScript.exe	cmd.exe
PID 1904 wrote to memory of 1972	1904	WScript.exe	cmd.exe
PID 1904 wrote to memory of 1972	1904	WScript.exe	cmd.exe
PID 1972 wrote to memory of 1996	1972	cmd.exe	Windows Essential.exe
PID 1972 wrote to memory of 1996	1972	cmd.exe	Windows Essential.exe
PID 1972 wrote to memory of 1996	1972	cmd.exe	Windows Essential.exe
PID 1972 wrote to memory of 1996	1972	cmd.exe	Windows Essential.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 1996 wrote to memory of 2024	1996	Windows Essential.exe	iexplore.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	iexplore.exe	svchost.exe
PID 1212 wrote to memory of 1740	1212	Explorer.EXE	svchost.exe
PID 1212 wrote to memory of 1740	1212	Explorer.EXE	svchost.exe
PID 1212 wrote to memory of 1740	1212	Explorer.EXE	svchost.exe
PID 1212 wrote to memory of 1740	1212	Explorer.EXE	svchost.exe
PID 1740 wrote to memory of 1572	1740	svchost.exe	cmd.exe
PID 1740 wrote to memory of 1572	1740	svchost.exe	cmd.exe
PID 1740 wrote to memory of 1572	1740	svchost.exe	cmd.exe
PID 1740 wrote to memory of 1572	1740	svchost.exe	cmd.exe
PID 1740 wrote to memory of 1868	1740	svchost.exe	Firefox.exe
PID 1740 wrote to memory of 1868	1740	svchost.exe	Firefox.exe
PID 1740 wrote to memory of 1868	1740	svchost.exe	Firefox.exe
PID 1740 wrote to memory of 1868	1740	svchost.exe	Firefox.exe
PID 1740 wrote to memory of 1868	1740	svchost.exe	Firefox.exe

Executes dropped EXE 3 IoCs

Processes:

bin.exeremcos_agent.exeWindows Essential.exe

pid process

1388 bin.exe
1876 remcos_agent.exe
1996 Windows Essential.exe
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	svchost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
"C:\Users\Admin\AppData\Local\Temp\8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe
"C:\Users\Admin\AppData\Local\Temp\8e3a1e5e016c43fabdd6b96b788c1bc8d7721fa1fd99fa573089d73a074653c7.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe" 0
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1388

C:\Users\Admin\AppData\Local\Temp\remcos_agent.exe
"C:\Users\Admin\AppData\Local\Temp\remcos_agent.exe" 0
4⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Windows Essential\Windows Essential.exe"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\Windows Essential\Windows Essential.exe
"C:\Users\Admin\AppData\Roaming\Windows Essential\Windows Essential.exe"
7⤵
- Suspicious use of SetThreadContext
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1996

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
8⤵
- Suspicious use of SetThreadContext
- Adds Run entry to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
9⤵
PID:1832

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Adds Run entry to policy start application
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1740

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
3⤵
PID:1572

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bin.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos_agent.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos_agent.exe

Download Submit
C:\Users\Admin\AppData\Roaming\3NAR161B\3NAlogim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\3NAR161B\3NAlogrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\3NAR161B\3NAlogri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\3NAR161B\3NAlogrv.ini

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Essential\Windows Essential.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Essential\Windows Essential.exe

Download Submit
\Users\Admin\AppData\Local\Temp\bin.exe

Download Submit
\Users\Admin\AppData\Local\Temp\bin.exe

Download Submit
\Users\Admin\AppData\Local\Temp\remcos_agent.exe

Download Submit
\Users\Admin\AppData\Local\Temp\remcos_agent.exe

Download Submit
\Users\Admin\AppData\Roaming\Windows Essential\Windows Essential.exe

Download Submit
\Users\Admin\AppData\Roaming\Windows Essential\Windows Essential.exe

Download Submit
memory/1212-38-0x0000000007AE0000-0x0000000007BF9000-memory.dmp

Filesize
1.1MB

Download
memory/1212-32-0x0000000007940000-0x0000000007ADE000-memory.dmp

Filesize
1.6MB

Download
memory/1292-4-0x000000000040104C-mapping.dmp

Download
memory/1292-5-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1292-3-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1388-10-0x0000000000000000-mapping.dmp

Download
memory/1516-0-0x00000000042CC000-0x00000000042CD000-memory.dmp

Filesize
4KB

Download
memory/1516-2-0x0000000005AE0000-0x0000000005AF1000-memory.dmp

Filesize
68KB

Download
memory/1516-1-0x0000000005AE0000-0x0000000005AF1000-memory.dmp

Filesize
68KB

Download
memory/1572-36-0x0000000000000000-mapping.dmp

Download
memory/1740-37-0x00000000005D0000-0x0000000000675000-memory.dmp

Filesize
660KB

Download
memory/1740-33-0x0000000000000000-mapping.dmp

Download
memory/1740-34-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1740-40-0x00000000037F0000-0x000000000391A000-memory.dmp

Filesize
1.2MB

Download
memory/1832-30-0x0000000000413B74-mapping.dmp

Download
memory/1868-42-0x000000013F870000-0x000000013F903000-memory.dmp

Filesize
588KB

Download
memory/1868-41-0x0000000000000000-mapping.dmp

Download
memory/1876-14-0x0000000000000000-mapping.dmp

Download
memory/1904-20-0x0000000002550000-0x0000000002554000-memory.dmp

Filesize
16KB

Download
memory/1904-17-0x0000000000000000-mapping.dmp

Download
memory/1972-19-0x0000000000000000-mapping.dmp

Download
memory/1996-24-0x0000000000000000-mapping.dmp

Download
memory/2024-39-0x00000000C0000034-mapping.dmp

Download
memory/2024-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2024-27-0x0000000000413B74-mapping.dmp

Download
memory/2024-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads