rms | 5e549de7d674bf8a75e399633cfed6d97f87cda9d3821a8716f25ca3ffb50718

General

Target

3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
Size

5.0MB
MD5

3c50bceb888b29de23acb71e9554b815
SHA1

3cf639bdd4e10621ca5c38cae10364b4ce99ecf6
SHA256

5e549de7d674bf8a75e399633cfed6d97f87cda9d3821a8716f25ca3ffb50718
SHA512

a1977b3ce3cbe5b943001d7befc92dece3df8ecf992f3242584770654715c3a8e049fccc7ebe720574875c803a5d3a369a3ad89e7b7e5a8679a2226e6a40952a
SSDEEP

98304:kPcea/pk89+y68+LNxZgMd8ghalIQGx4XY6+j7xN4kxEN9Q9E7pKYFjAD9c:kPfaRB+y6hxcxGqoj7D4kt9E7ppU+

Score

10^/10

rms persistence rat trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe1svnhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1svnhost.exe, explorer.exe"	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1svnhost.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 8 IoCs

Processes:

1svnhost.exerfusclient.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exe

pid process

1696 1svnhost.exe
2800 rfusclient.exe
2580 rutserv.exe
2476 rutserv.exe
2484 rutserv.exe
2792 rutserv.exe
1800 rfusclient.exe
1172 rfusclient.exe

pid	process
1696	1svnhost.exe
2800	rfusclient.exe
2580	rutserv.exe
2476	rutserv.exe
2484	rutserv.exe
2792	rutserv.exe
1800	rfusclient.exe
1172	rfusclient.exe

Loads dropped DLL 5 IoCs

Processes:

3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe1svnhost.execmd.exe

pid	process
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1696	1svnhost.exe
2880	cmd.exe
1696	1svnhost.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\System64\rfusclient.exe	upx
\Windows\System64\rutserv.exe	upx
behavioral1/memory/2580-47-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2800-44-0x0000000000400000-0x00000000009B3000-memory.dmp	upx
behavioral1/memory/2580-49-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2476-51-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2476-52-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2484-54-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2484-61-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/1800-63-0x0000000000400000-0x00000000009B3000-memory.dmp	upx
behavioral1/memory/2792-67-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2792-74-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2792-76-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2792-80-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2792-86-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx

Drops file in Windows directory 15 IoCs

Processes:

3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe1svnhost.execmd.exe

description	ioc	process
File created	C:\Windows\System64\1svnhost.exe	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
File opened for modification	C:\Windows\System64\1svnhost.exe	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
File created	C:\Windows\Zont911\Regedit.reg	1svnhost.exe
File opened for modification	C:\Windows\System64\rfusclient.exe	1svnhost.exe
File created	C:\Windows\System64\vp8encoder.dll	1svnhost.exe
File created	C:\Windows\Zont911\hostor.zip	1svnhost.exe
File created	C:\Windows\System64\rutserv.exe	1svnhost.exe
File opened for modification	C:\Windows\System64\rutserv.exe	1svnhost.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1svnhost.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1svnhost.exe
File created	C:\Windows\System64\svnhost.exe	cmd.exe
File created	C:\Windows\System64\rfusclient.exe	1svnhost.exe
File opened for modification	C:\Windows\System64\svnhost.exe	cmd.exe
File created	C:\Windows\System64\vp8decoder.dll	1svnhost.exe
File created	C:\Windows\Zont911\Tupe.bat	1svnhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

2204 regedit.exe

pid	process
2204	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe

pid	process
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rutserv.exerutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	2580	rutserv.exe
Token: SeDebugPrivilege	2484	rutserv.exe
Token: SeTakeOwnershipPrivilege	2792	rutserv.exe
Token: SeTcbPrivilege	2792	rutserv.exe
Token: SeTcbPrivilege	2792	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exe

pid process

2580 rutserv.exe
2476 rutserv.exe
2484 rutserv.exe
2792 rutserv.exe

pid	process
2580	rutserv.exe
2476	rutserv.exe
2484	rutserv.exe
2792	rutserv.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe1svnhost.execmd.exerutserv.exe

description	pid	process	target process
PID 1684 wrote to memory of 1696	1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe	1svnhost.exe
PID 1684 wrote to memory of 1696	1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe	1svnhost.exe
PID 1684 wrote to memory of 1696	1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe	1svnhost.exe
PID 1684 wrote to memory of 1696	1684	3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe	1svnhost.exe
PID 1696 wrote to memory of 2204	1696	1svnhost.exe	regedit.exe
PID 1696 wrote to memory of 2204	1696	1svnhost.exe	regedit.exe
PID 1696 wrote to memory of 2204	1696	1svnhost.exe	regedit.exe
PID 1696 wrote to memory of 2204	1696	1svnhost.exe	regedit.exe
PID 1696 wrote to memory of 2880	1696	1svnhost.exe	cmd.exe
PID 1696 wrote to memory of 2880	1696	1svnhost.exe	cmd.exe
PID 1696 wrote to memory of 2880	1696	1svnhost.exe	cmd.exe
PID 1696 wrote to memory of 2880	1696	1svnhost.exe	cmd.exe
PID 2880 wrote to memory of 2600	2880	cmd.exe	chcp.com
PID 2880 wrote to memory of 2600	2880	cmd.exe	chcp.com
PID 2880 wrote to memory of 2600	2880	cmd.exe	chcp.com
PID 2880 wrote to memory of 2600	2880	cmd.exe	chcp.com
PID 2880 wrote to memory of 2580	2880	cmd.exe	rutserv.exe
PID 2880 wrote to memory of 2580	2880	cmd.exe	rutserv.exe
PID 2880 wrote to memory of 2580	2880	cmd.exe	rutserv.exe
PID 2880 wrote to memory of 2580	2880	cmd.exe	rutserv.exe
PID 1696 wrote to memory of 2800	1696	1svnhost.exe	rfusclient.exe
PID 1696 wrote to memory of 2800	1696	1svnhost.exe	rfusclient.exe
PID 1696 wrote to memory of 2800	1696	1svnhost.exe	rfusclient.exe
PID 1696 wrote to memory of 2800	1696	1svnhost.exe	rfusclient.exe
PID 2880 wrote to memory of 2476	2880	cmd.exe	rutserv.exe
PID 2880 wrote to memory of 2476	2880	cmd.exe	rutserv.exe
PID 2880 wrote to memory of 2476	2880	cmd.exe	rutserv.exe
PID 2880 wrote to memory of 2476	2880	cmd.exe	rutserv.exe
PID 2880 wrote to memory of 2484	2880	cmd.exe	rutserv.exe
PID 2880 wrote to memory of 2484	2880	cmd.exe	rutserv.exe
PID 2880 wrote to memory of 2484	2880	cmd.exe	rutserv.exe
PID 2880 wrote to memory of 2484	2880	cmd.exe	rutserv.exe
PID 2792 wrote to memory of 1800	2792	rutserv.exe	rfusclient.exe
PID 2792 wrote to memory of 1800	2792	rutserv.exe	rfusclient.exe
PID 2792 wrote to memory of 1800	2792	rutserv.exe	rfusclient.exe
PID 2792 wrote to memory of 1800	2792	rutserv.exe	rfusclient.exe
PID 2792 wrote to memory of 1172	2792	rutserv.exe	rfusclient.exe
PID 2792 wrote to memory of 1172	2792	rutserv.exe	rfusclient.exe
PID 2792 wrote to memory of 1172	2792	rutserv.exe	rfusclient.exe
PID 2792 wrote to memory of 1172	2792	rutserv.exe	rfusclient.exe

C:\Users\Admin\AppData\Local\Temp\3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c50bceb888b29de23acb71e9554b815_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\System64\1svnhost.exe
  "C:\Windows\System64\1svnhost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:2600
  - - C:\Windows\System64\rutserv.exe
      "C:\Windows\System64\rutserv.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2580
  - - C:\Windows\System64\rutserv.exe
      "C:\Windows\System64\rutserv.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2476
  - - C:\Windows\System64\rutserv.exe
      "C:\Windows\System64\rutserv.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2484
- - C:\Windows\System64\rfusclient.exe
    "C:\Windows\System64\rfusclient.exe"
    3⤵
    - Executes dropped EXE
    PID:2800

C:\Windows\System64\rutserv.exe
C:\Windows\System64\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System64\rfusclient.exe
  C:\Windows\System64\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System64\rfusclient.exe
  C:\Windows\System64\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\rfusclient.exe

Filesize
1.5MB

MD5
49de7b4f614b538be1d092fe32c6de6e

SHA1
f7dd55b5f5a91313fe232c1c2ca7ab229b4115e5

SHA256
ea38b489d3125e709cf6d022a77a7bbb09088c31616c23e05137231a3fddf679

SHA512
0129a9b92e9d53b7dc0665b4f50079bad35befa8a7e2179e37256060c44e5f1afb4f79a418ea10dc4b220c8a163d5993f298fa43467aaddb8bdaa8f4ddb1d833

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
9eebf9cac83b328bf19f9f43647681af

SHA1
64ead13700bc3b8fa907cd8f3647e1baf8f49bb0

SHA256
375f3d89a1f53d3e0b6d605d1b274f723ba46aedd4d8bc649775b0e7e28f9723

SHA512
960d7c3a3de5ed68e3f2af89624b9b9874666b2c1328b77616752cffc039da19f99349a7a67fd54b09680c4b3ae8697bb320fecc7b82b15727281a339515033f

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
278B

MD5
2aae081f3acb9615cd58a9a05a24bc3f

SHA1
82386fc85643d0aedfddb39a8f628ff1f51de8be

SHA256
4438fb1637120602efbe98aca834c02365b9132fe36ffd8c26d7f5c22d9ec1bd

SHA512
47a68649c4f01e9d084fa2838a7b79fd9719c4bf1dfa35d6efac92423c7423cd01fb9944610b88c73a82a2968aeb956e127308a4b5cc39fd9d8e1ede1bbff958

Download Submit
\Windows\System64\1svnhost.exe

Filesize
5.0MB

MD5
3c50bceb888b29de23acb71e9554b815

SHA1
3cf639bdd4e10621ca5c38cae10364b4ce99ecf6

SHA256
5e549de7d674bf8a75e399633cfed6d97f87cda9d3821a8716f25ca3ffb50718

SHA512
a1977b3ce3cbe5b943001d7befc92dece3df8ecf992f3242584770654715c3a8e049fccc7ebe720574875c803a5d3a369a3ad89e7b7e5a8679a2226e6a40952a

Download Submit
\Windows\System64\rutserv.exe

Filesize
1.8MB

MD5
17354995a6a1baad7e97936dcb29742d

SHA1
69926dfe0f80c4bc48cb566d1e28dbcce2afc797

SHA256
b12fcd0782eea0b0cd8d46ea49ad864aac835dd982161929a72ad34b05f52067

SHA512
854c92f1068212a6f92d0832aa71b1f0fa3c37895534b904b0225421c484ccb1fe90cff6c5e79f99bc1d43f6250eab9c4a5fe62f7dc8ef8853eabbcf15b7896d

Download Submit
memory/1684-10-0x0000000000400000-0x00000000008FC000-memory.dmp

Filesize
5.0MB

Download
memory/1684-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1696-64-0x0000000000400000-0x00000000008FC000-memory.dmp

Filesize
5.0MB

Download
memory/1696-81-0x0000000000400000-0x00000000008FC000-memory.dmp

Filesize
5.0MB

Download
memory/1696-66-0x0000000003EA0000-0x0000000004453000-memory.dmp

Filesize
5.7MB

Download
memory/1696-11-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1696-46-0x0000000003EA0000-0x0000000004453000-memory.dmp

Filesize
5.7MB

Download
memory/1696-65-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1800-63-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/1800-70-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/2476-51-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2476-52-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2484-54-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2484-61-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2580-47-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2580-49-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2792-67-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2792-74-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2792-76-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2792-80-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2792-86-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2800-44-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/2880-45-0x00000000022E0000-0x000000000299A000-memory.dmp

Filesize
6.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads