remcos | 81a5a6119a2a82df63150320935426e78fae460ff61b0c38015d36fd6635f205

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
Size

865KB
MD5

45e4f0077714e12a942fbd50b92278ad
SHA1

c6c357965c1c76cb5eece9f8026bc311e6107346
SHA256

1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292
SHA512

204164864343b5320aba96bb1a3bbadc5d66541af40848d5ad77b3b080b5bffc49de37157f6d46fdbaa86978d64a824340587a1af71c84e1f269d6d006816a72
SSDEEP

24576:i4SZJVoqutiR5MZGKVhYGkLlw8DOHs8p:FtxZGK/YGk7asS

Score

10^/10

remcos remotehost collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

paygateme.net:2286

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WTDTSU
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2752-97-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2752-96-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2752-100-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3324-90-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3324-104-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3324-90-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2752-97-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2752-96-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2752-100-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2148-101-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2148-102-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3324-104-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

description	pid	process	target process
PID 3948 set thread context of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 set thread context of 3324	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 set thread context of 2752	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 set thread context of 2148	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4500 schtasks.exe

pid	process
4500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exepowershell.exe1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

pid	process
3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
3792	powershell.exe
3792	powershell.exe
3324	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
3324	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
2148	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
2148	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
3324	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
3324	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

pid	process
1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exepowershell.exe1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

description	pid	process
Token: SeDebugPrivilege	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	2148	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

pid process

1544 1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe

C:\Users\Admin\AppData\Local\Temp\1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
"C:\Users\Admin\AppData\Local\Temp\1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\styUezLtZTNtz.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\styUezLtZTNtz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF29.tmp"
2⤵
- Creates scheduled task(s)
PID:4500

C:\Users\Admin\AppData\Local\Temp\1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
"C:\Users\Admin\AppData\Local\Temp\1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
C:\Users\Admin\AppData\Local\Temp\1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe /stext "C:\Users\Admin\AppData\Local\Temp\tnvq"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3324

C:\Users\Admin\AppData\Local\Temp\1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
C:\Users\Admin\AppData\Local\Temp\1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe /stext "C:\Users\Admin\AppData\Local\Temp\vqbjvumc"
3⤵
- Accesses Microsoft Outlook accounts
PID:2752

C:\Users\Admin\AppData\Local\Temp\1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
C:\Users\Admin\AppData\Local\Temp\1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe /stext "C:\Users\Admin\AppData\Local\Temp\fkgbomxvubg"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
b62db5b8dea1cbc98f72eabbdd63b895

SHA1
6f808398a33bf47b51dc85f5b1e7bef76abf6819

SHA256
ffec78984309609605d060b2bcf70f589c086e99a5a79acda67d6cdbe6c8915c

SHA512
1673c11592f808c04d5f100450b499afef74d87ac85f2b85f0908eb5bdd3e463e1822e97526c89e3dd6b8fe3e46d39c0ecf32b098a84a12d2ae1cf7e908b0fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ysykdrc.hdg.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF29.tmp
Filesize
1KB

MD5
c16bfc3e33412c355d135888ec491003

SHA1
9023bccb1bd88a249666881c7ea95b597cc82bcd

SHA256
f61c52491c59ebdd824fa2c37daf608a34ba9051ae0f5983cd5e71b68cf603d3

SHA512
10c919fbf4260c8908b6ee2d0bfdeb9c2b139b66a3653830330b0f8a26d3c8d74c0dfa0d9b819174dbfc5f057b20c22cfe19c5e025ab3557a89b7f3f3a4bc3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnvq
Filesize
4KB

MD5
a27cc48ff664ae83bb51d1a8661252c8

SHA1
96022695f58e11aa3e6072fcc4ce3b531e8b7d17

SHA256
995240dba7a71256a54567cb8a6783facfec91053c4f2e448535936bbb21c3ca

SHA512
03736a43d31b41a40b2778429746e5b0a6868c0448f16c5743e3dab6c4500ab68a683973c2493ec1609923682bbc81dfe0e73a7a5ba7636dda2eb53b349f02e0

Download Submit
memory/1544-119-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1544-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-129-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-120-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-111-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1544-110-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1544-109-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1544-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-106-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1544-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-130-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-146-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2148-101-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2148-92-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2148-102-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2752-96-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2752-100-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2752-97-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2752-86-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2752-91-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3324-84-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3324-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3324-90-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3324-87-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3792-17-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/3792-63-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/3792-72-0x0000000007170000-0x000000000718A000-memory.dmp

Filesize
104KB

Download
memory/3792-73-0x0000000007150000-0x0000000007158000-memory.dmp

Filesize
32KB

Download
memory/3792-76-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3792-52-0x0000000071480000-0x00000000714CC000-memory.dmp

Filesize
304KB

Download
memory/3792-51-0x0000000006AC0000-0x0000000006AF2000-memory.dmp

Filesize
200KB

Download
memory/3792-50-0x000000007F1C0000-0x000000007F1D0000-memory.dmp

Filesize
64KB

Download
memory/3792-49-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download
memory/3792-48-0x0000000005B10000-0x0000000005B2E000-memory.dmp

Filesize
120KB

Download
memory/3792-70-0x0000000007060000-0x000000000706E000-memory.dmp

Filesize
56KB

Download
memory/3792-69-0x0000000007030000-0x0000000007041000-memory.dmp

Filesize
68KB

Download
memory/3792-68-0x00000000070B0000-0x0000000007146000-memory.dmp

Filesize
600KB

Download
memory/3792-67-0x0000000006EA0000-0x0000000006EAA000-memory.dmp

Filesize
40KB

Download
memory/3792-66-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/3792-65-0x0000000007470000-0x0000000007AEA000-memory.dmp

Filesize
6.5MB

Download
memory/3792-14-0x00000000021F0000-0x0000000002226000-memory.dmp

Filesize
216KB

Download
memory/3792-32-0x00000000055A0000-0x00000000058F4000-memory.dmp

Filesize
3.3MB

Download
memory/3792-59-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3792-71-0x0000000007070000-0x0000000007084000-memory.dmp

Filesize
80KB

Download
memory/3792-26-0x0000000004D80000-0x0000000004DE6000-memory.dmp

Filesize
408KB

Download
memory/3792-25-0x0000000004B60000-0x0000000004BC6000-memory.dmp

Filesize
408KB

Download
memory/3792-64-0x0000000006B00000-0x0000000006BA3000-memory.dmp

Filesize
652KB

Download
memory/3792-23-0x0000000004A40000-0x0000000004A62000-memory.dmp

Filesize
136KB

Download
memory/3792-19-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3792-18-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3792-20-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3948-7-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/3948-31-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3948-15-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3948-1-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3948-9-0x0000000006870000-0x0000000006930000-memory.dmp

Filesize
768KB

Download
memory/3948-8-0x0000000005740000-0x0000000005752000-memory.dmp

Filesize
72KB

Download
memory/3948-21-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/3948-6-0x0000000005590000-0x000000000562C000-memory.dmp

Filesize
624KB

Download
memory/3948-5-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/3948-4-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/3948-3-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/3948-2-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/3948-0-0x00000000007A0000-0x000000000087E000-memory.dmp

Filesize
888KB

Download

description	pid	process	target process
PID 3948 wrote to memory of 3792	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	powershell.exe
PID 3948 wrote to memory of 3792	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	powershell.exe
PID 3948 wrote to memory of 3792	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	powershell.exe
PID 3948 wrote to memory of 4500	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	schtasks.exe
PID 3948 wrote to memory of 4500	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	schtasks.exe
PID 3948 wrote to memory of 4500	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	schtasks.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 3948 wrote to memory of 1544	3948	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 3324	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 3324	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 3324	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 3324	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 2752	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 2752	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 2752	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 2752	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 2148	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 2148	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 2148	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe
PID 1544 wrote to memory of 2148	1544	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe	1c127eebd7d602e5dfd453c901c61d4f41304eaeee33d2aca87db7e08b0a6292.exe