remcos | b938ff358f891462489b2dc54b8d4cb2486eeebae2fa2dcd5a2e5c0de679b426

General

Target

9963a82f9d9f9a95de0ed2976f93318e.exe
Size

734KB
MD5

9963a82f9d9f9a95de0ed2976f93318e
SHA1

5e40457e41dfc0aaa2bdf725f4f87b0d82ae6f94
SHA256

b938ff358f891462489b2dc54b8d4cb2486eeebae2fa2dcd5a2e5c0de679b426
SHA512

ad175d8825f2086e8e350e1b49f8acb2ca00e483798a75ff6ae1bf4f261c066c2e7741e9ecab6bac915f5bd1668ab2dfd9468737cdaa24ee4c64fd25f28648b3
SSDEEP

12288:SFlLKHFjcsqUWDPaadszMbFSs7Wb1wfQKJ40X6A4Xh/lB7f+/fLCliy9KLbUW6UW:IDPaadszGlib1jG40Xwx/lwnmlL9Ye

Score

10^/10

remcos update evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Update

C2

ytuna1709.duckdns.org:3035

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows Start-Up Audio.exe
copy_folder
Microsoft Start-Up Media
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Microsoft Sound Endpoint
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

Processes:

Windows Start-Up Audio.exeWindows Start-Up Audio.exeWindows Start-Up Audio.exe

pid process

1736 Windows Start-Up Audio.exe
2020 Windows Start-Up Audio.exe
432 Windows Start-Up Audio.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1240 cmd.exe

pid	process
1736	Windows Start-Up Audio.exe
2020	Windows Start-Up Audio.exe
432	Windows Start-Up Audio.exe

pid	process
1240	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9963a82f9d9f9a95de0ed2976f93318e.exeWindows Start-Up Audio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound Endpoint = "\"C:\\Windows\\Microsoft Start-Up Media\\Windows Start-Up Audio.exe\""	9963a82f9d9f9a95de0ed2976f93318e.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Windows Start-Up Audio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound Endpoint = "\"C:\\Windows\\Microsoft Start-Up Media\\Windows Start-Up Audio.exe\""	Windows Start-Up Audio.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\	9963a82f9d9f9a95de0ed2976f93318e.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9963a82f9d9f9a95de0ed2976f93318e.exeWindows Start-Up Audio.exe

description	pid	process	target process
PID 1684 set thread context of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1736 set thread context of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe

Drops file in Windows directory 5 IoCs

Processes:

9963a82f9d9f9a95de0ed2976f93318e.exeWindows Start-Up Audio.exe

description	ioc	process
File created	C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
File opened for modification	C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
File opened for modification	C:\Windows\Microsoft Start-Up Media	9963a82f9d9f9a95de0ed2976f93318e.exe
File opened for modification	C:\Windows\Windows Display\logs.dat	Windows Start-Up Audio.exe
File created	C:\Windows\Windows Display\logs.dat	Windows Start-Up Audio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

564 reg.exe
1368 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1516 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9963a82f9d9f9a95de0ed2976f93318e.exeWindows Start-Up Audio.exe

pid process

1684 9963a82f9d9f9a95de0ed2976f93318e.exe
1736 Windows Start-Up Audio.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9963a82f9d9f9a95de0ed2976f93318e.exeWindows Start-Up Audio.exe

description pid process

Token: SeDebugPrivilege 1684 9963a82f9d9f9a95de0ed2976f93318e.exe
Token: SeDebugPrivilege 1736 Windows Start-Up Audio.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Start-Up Audio.exe

pid process

432 Windows Start-Up Audio.exe

pid	process
564	reg.exe
1368	reg.exe

pid	process
1516	PING.EXE

pid	process
1684	9963a82f9d9f9a95de0ed2976f93318e.exe
1736	Windows Start-Up Audio.exe

description	pid	process
Token: SeDebugPrivilege	1684	9963a82f9d9f9a95de0ed2976f93318e.exe
Token: SeDebugPrivilege	1736	Windows Start-Up Audio.exe

pid	process
432	Windows Start-Up Audio.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

9963a82f9d9f9a95de0ed2976f93318e.exe9963a82f9d9f9a95de0ed2976f93318e.execmd.execmd.exeWindows Start-Up Audio.exeWindows Start-Up Audio.execmd.exe

description	pid	process	target process
PID 1684 wrote to memory of 752	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 752	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 752	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 752	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 1684 wrote to memory of 268	1684	9963a82f9d9f9a95de0ed2976f93318e.exe	9963a82f9d9f9a95de0ed2976f93318e.exe
PID 268 wrote to memory of 1852	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 268 wrote to memory of 1852	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 268 wrote to memory of 1852	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 268 wrote to memory of 1852	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 1852 wrote to memory of 564	1852	cmd.exe	reg.exe
PID 1852 wrote to memory of 564	1852	cmd.exe	reg.exe
PID 1852 wrote to memory of 564	1852	cmd.exe	reg.exe
PID 1852 wrote to memory of 564	1852	cmd.exe	reg.exe
PID 268 wrote to memory of 1240	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 268 wrote to memory of 1240	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 268 wrote to memory of 1240	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 268 wrote to memory of 1240	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 268 wrote to memory of 1240	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 268 wrote to memory of 1240	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 268 wrote to memory of 1240	268	9963a82f9d9f9a95de0ed2976f93318e.exe	cmd.exe
PID 1240 wrote to memory of 1516	1240	cmd.exe	PING.EXE
PID 1240 wrote to memory of 1516	1240	cmd.exe	PING.EXE
PID 1240 wrote to memory of 1516	1240	cmd.exe	PING.EXE
PID 1240 wrote to memory of 1516	1240	cmd.exe	PING.EXE
PID 1240 wrote to memory of 1736	1240	cmd.exe	Windows Start-Up Audio.exe
PID 1240 wrote to memory of 1736	1240	cmd.exe	Windows Start-Up Audio.exe
PID 1240 wrote to memory of 1736	1240	cmd.exe	Windows Start-Up Audio.exe
PID 1240 wrote to memory of 1736	1240	cmd.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 2020	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 2020	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 2020	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 2020	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1736 wrote to memory of 432	1736	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 432 wrote to memory of 1524	432	Windows Start-Up Audio.exe	cmd.exe
PID 432 wrote to memory of 1524	432	Windows Start-Up Audio.exe	cmd.exe
PID 432 wrote to memory of 1524	432	Windows Start-Up Audio.exe	cmd.exe
PID 432 wrote to memory of 1524	432	Windows Start-Up Audio.exe	cmd.exe
PID 1524 wrote to memory of 1368	1524	cmd.exe	reg.exe
PID 1524 wrote to memory of 1368	1524	cmd.exe	reg.exe
PID 1524 wrote to memory of 1368	1524	cmd.exe	reg.exe
PID 1524 wrote to memory of 1368	1524	cmd.exe	reg.exe
PID 432 wrote to memory of 1312	432	Windows Start-Up Audio.exe	iexplore.exe
PID 432 wrote to memory of 1312	432	Windows Start-Up Audio.exe	iexplore.exe
PID 432 wrote to memory of 1312	432	Windows Start-Up Audio.exe	iexplore.exe
PID 432 wrote to memory of 1312	432	Windows Start-Up Audio.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\9963a82f9d9f9a95de0ed2976f93318e.exe
"C:\Users\Admin\AppData\Local\Temp\9963a82f9d9f9a95de0ed2976f93318e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\9963a82f9d9f9a95de0ed2976f93318e.exe
"C:\Users\Admin\AppData\Local\Temp\9963a82f9d9f9a95de0ed2976f93318e.exe"
2⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\9963a82f9d9f9a95de0ed2976f93318e.exe
"C:\Users\Admin\AppData\Local\Temp\9963a82f9d9f9a95de0ed2976f93318e.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- UAC bypass
- Modifies registry key
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:1516

C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
"C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
"C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe"
5⤵
- Executes dropped EXE
PID:2020

C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
"C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- UAC bypass
- Modifies registry key
PID:1368

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
6⤵
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
113B

MD5
21a89f377d5ca02b88a7a634ea4cfdd6

SHA1
b99266d236a7fdd6bdd47551dc3b9148e2802c12

SHA256
c6c7ea0fe3766e0ab22bc0b66467cd1685f58207c13c8f231e85646661666051

SHA512
de71b19a079f7f57537fe53ede5b4113de7e5fe6315b83933ad145b19de9a2eec893ca0bd18989a929c74d17631d3bb9fe44d71940743a4438de700c848ccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
113B

MD5
21a89f377d5ca02b88a7a634ea4cfdd6

SHA1
b99266d236a7fdd6bdd47551dc3b9148e2802c12

SHA256
c6c7ea0fe3766e0ab22bc0b66467cd1685f58207c13c8f231e85646661666051

SHA512
de71b19a079f7f57537fe53ede5b4113de7e5fe6315b83933ad145b19de9a2eec893ca0bd18989a929c74d17631d3bb9fe44d71940743a4438de700c848ccfc2

Download Submit
C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
Filesize
734KB

MD5
9963a82f9d9f9a95de0ed2976f93318e

SHA1
5e40457e41dfc0aaa2bdf725f4f87b0d82ae6f94

SHA256
b938ff358f891462489b2dc54b8d4cb2486eeebae2fa2dcd5a2e5c0de679b426

SHA512
ad175d8825f2086e8e350e1b49f8acb2ca00e483798a75ff6ae1bf4f261c066c2e7741e9ecab6bac915f5bd1668ab2dfd9468737cdaa24ee4c64fd25f28648b3

Download Submit
C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
Filesize
734KB

MD5
9963a82f9d9f9a95de0ed2976f93318e

SHA1
5e40457e41dfc0aaa2bdf725f4f87b0d82ae6f94

SHA256
b938ff358f891462489b2dc54b8d4cb2486eeebae2fa2dcd5a2e5c0de679b426

SHA512
ad175d8825f2086e8e350e1b49f8acb2ca00e483798a75ff6ae1bf4f261c066c2e7741e9ecab6bac915f5bd1668ab2dfd9468737cdaa24ee4c64fd25f28648b3

Download Submit
C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
Filesize
734KB

MD5
9963a82f9d9f9a95de0ed2976f93318e

SHA1
5e40457e41dfc0aaa2bdf725f4f87b0d82ae6f94

SHA256
b938ff358f891462489b2dc54b8d4cb2486eeebae2fa2dcd5a2e5c0de679b426

SHA512
ad175d8825f2086e8e350e1b49f8acb2ca00e483798a75ff6ae1bf4f261c066c2e7741e9ecab6bac915f5bd1668ab2dfd9468737cdaa24ee4c64fd25f28648b3

Download Submit
C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
Filesize
734KB

MD5
9963a82f9d9f9a95de0ed2976f93318e

SHA1
5e40457e41dfc0aaa2bdf725f4f87b0d82ae6f94

SHA256
b938ff358f891462489b2dc54b8d4cb2486eeebae2fa2dcd5a2e5c0de679b426

SHA512
ad175d8825f2086e8e350e1b49f8acb2ca00e483798a75ff6ae1bf4f261c066c2e7741e9ecab6bac915f5bd1668ab2dfd9468737cdaa24ee4c64fd25f28648b3

Download Submit
\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
Filesize
734KB

MD5
9963a82f9d9f9a95de0ed2976f93318e

SHA1
5e40457e41dfc0aaa2bdf725f4f87b0d82ae6f94

SHA256
b938ff358f891462489b2dc54b8d4cb2486eeebae2fa2dcd5a2e5c0de679b426

SHA512
ad175d8825f2086e8e350e1b49f8acb2ca00e483798a75ff6ae1bf4f261c066c2e7741e9ecab6bac915f5bd1668ab2dfd9468737cdaa24ee4c64fd25f28648b3

Download Submit
memory/268-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/268-80-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-101-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-106-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-112-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-111-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-107-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/432-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-98-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/432-99-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1684-54-0x00000000012B0000-0x000000000136C000-memory.dmp

Filesize
752KB

Download
memory/1684-55-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/1684-56-0x00000000011D0000-0x0000000001210000-memory.dmp

Filesize
256KB

Download
memory/1684-60-0x0000000000730000-0x0000000000750000-memory.dmp

Filesize
128KB

Download
memory/1684-57-0x00000000011D0000-0x0000000001210000-memory.dmp

Filesize
256KB

Download
memory/1684-58-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/1684-59-0x0000000005560000-0x00000000055F6000-memory.dmp

Filesize
600KB

Download
memory/1736-87-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/1736-86-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/1736-85-0x0000000000C70000-0x0000000000D2C000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads