remcos | 0836bb223ab5657775962a4913387399291103cab772ad0156834f669575e3d3

General

Target

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Size

524KB
MD5

4ef5d993dfcfced0e8ca4529613c2d7f
SHA1

c9ef68198440a7baed2ff287956a22a2a6da282c
SHA256

0836bb223ab5657775962a4913387399291103cab772ad0156834f669575e3d3
SHA512

ea1422319ae1753bba25d77908c86688ea1f31545d62c147b4937c5e14f3f5b971e0c0b84dd3a6e7b9ab11fff5a0ef5b11a7efe052e66845172f6ec7e0b8b7e8
SSDEEP

3072:sdopXoLkYk+XgOVzM0IsYnNh+MddCbBLNN4WJ9pUwVc6dIIWkJCTnW917h:QohYkPO6znBdC7N4OuXiWkwWB

Score

10^/10

remcos rem95 rat

Malware Config

Extracted

Family

remcos

Version

1.9.5 Pro

Botnet

REM95

C2

casillas.hicam.net:2404

casillasmx.chickenkiller.com:2404

casillas45.hopto.org:2404

casillas.libfoobar.so:2404

du4alr0ute.sendsmtp.com:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
REM95-DM1QMV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 2 IoCs

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

description	pid	process	target process
PID 2072 set thread context of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 set thread context of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe

Drops file in Windows directory 2 IoCs

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

regasm.exe

pid	process
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe
1424	regasm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exeregasm.exe

description pid process

Token: SeDebugPrivilege 2072 4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Token: SeDebugPrivilege 1424 regasm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

pid process

2920 4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Token: SeDebugPrivilege	1424	regasm.exe

pid	process
2920	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

description	pid	process	target process
PID 2072 wrote to memory of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 wrote to memory of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 wrote to memory of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 wrote to memory of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 wrote to memory of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 wrote to memory of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 wrote to memory of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 wrote to memory of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 wrote to memory of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 wrote to memory of 2920	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 2072 wrote to memory of 1424	2072	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe

C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe" C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe 2920 cd70ae03f3c24299abd87066babcaa52
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab2915.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2937.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
908B

MD5
3a46690923308c4d48784bccbf246c42

SHA1
872f2c1e7ddc0887b9864aa64596d258e37d2e9f

SHA256
0c05a1e24f275d6ef9bc1e5e0cb12cf16846ce5ca181590128071b47411c9f2d

SHA512
a7166da5af50898cf9b9dc8f80c290fb8d5a65b88bc2d1b9c3f0d7588de2d84b2cb2d74fa52d6a4fbdca543a7380581d90aabd7e136dd79c8096a62b4ab77ed8

Download Submit
memory/1424-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1424-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1424-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1424-78-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1424-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1424-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1424-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1424-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-0-0x0000000074781000-0x0000000074782000-memory.dmp

Filesize
4KB

Download
memory/2072-97-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-1-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-2-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-60-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-99-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads