remcos | dfc8e10de69f490f19664c753862ed95466195dfc45dae4f8b43a11565b2cc8e

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document SWIFT Payment Copy Ref#8374837293.exe
Size

1.3MB
MD5

e3504f07ea46e8c5ce1321b44e752556
SHA1

e5c612e6de7696296a13a5c59ee1712084559919
SHA256

dfc8e10de69f490f19664c753862ed95466195dfc45dae4f8b43a11565b2cc8e
SHA512

5aeb6baa9d02cdcfed6a02301bce02460b4b68c06ef3e9038bb4b1ba01ce3ad4884a5271653352527c625801519cfcfffdd9c1d03e005dbe3c21d3b460c4db5d
SSDEEP

24576:qAHnh+eWsN3skA4RV1Hom2KXMmHaYMCcRJjERtK/cfrWIlcf6NyEi5:9h+ZkldoPK8YaYrc/jYK/cf6YcCM

Score

10^/10

remcos dorobumajor discovery evasion rat trojan

Malware Config

Extracted

Family

remcos

Botnet

dorobumajor

84.38.132.40:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
testhostex.exe
copy_folder
dorbion
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WBALP5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 1028	2972	Document SWIFT Payment Copy Ref#8374837293.exe	30
PID 1028 set thread context of 2248	1028	svchost.exe	33
PID 1028 set thread context of 2984	1028	svchost.exe	35
PID 1028 set thread context of 2176	1028	svchost.exe	36
PID 1028 set thread context of 2788	1028	svchost.exe	37
PID 1028 set thread context of 2748	1028	svchost.exe	38
PID 1028 set thread context of 2608	1028	svchost.exe	39
PID 1028 set thread context of 2676	1028	svchost.exe	40
PID 1028 set thread context of 1844	1028	svchost.exe	42
PID 1028 set thread context of 2148	1028	svchost.exe	43
PID 1028 set thread context of 2008	1028	svchost.exe	44
PID 1028 set thread context of 1048	1028	svchost.exe	45
PID 1028 set thread context of 1036	1028	svchost.exe	46
PID 1028 set thread context of 1260	1028	svchost.exe	47
PID 1028 set thread context of 1280	1028	svchost.exe	48
PID 1028 set thread context of 1988	1028	svchost.exe	49
PID 1028 set thread context of 2024	1028	svchost.exe	50
PID 1028 set thread context of 2856	1028	svchost.exe	51
PID 1028 set thread context of 2420	1028	svchost.exe	52
PID 1028 set thread context of 1228	1028	svchost.exe	53
PID 1028 set thread context of 1176	1028	svchost.exe	54
PID 1028 set thread context of 2428	1028	svchost.exe	55
PID 1028 set thread context of 2960	1028	svchost.exe	56
PID 1028 set thread context of 592	1028	svchost.exe	57
PID 1028 set thread context of 3000	1028	svchost.exe	58
PID 1028 set thread context of 264	1028	svchost.exe	59
PID 1028 set thread context of 2996	1028	svchost.exe	60
PID 1028 set thread context of 1240	1028	svchost.exe	61
PID 1028 set thread context of 440	1028	svchost.exe	62
PID 1028 set thread context of 2120	1028	svchost.exe	63
PID 1028 set thread context of 1932	1028	svchost.exe	64
PID 1028 set thread context of 268	1028	svchost.exe	65
PID 1028 set thread context of 2124	1028	svchost.exe	66
PID 1028 set thread context of 1924	1028	svchost.exe	67
PID 1028 set thread context of 1292	1028	svchost.exe	68
PID 1028 set thread context of 2560	1028	svchost.exe	69
PID 1028 set thread context of 920	1028	svchost.exe	70
PID 1028 set thread context of 1712	1028	svchost.exe	71
PID 1028 set thread context of 2444	1028	svchost.exe	72
PID 1028 set thread context of 2988	1028	svchost.exe	73
PID 1028 set thread context of 2440	1028	svchost.exe	74
PID 1028 set thread context of 3032	1028	svchost.exe	75
PID 1028 set thread context of 2020	1028	svchost.exe	76
PID 1028 set thread context of 112	1028	svchost.exe	77
PID 1028 set thread context of 2360	1028	svchost.exe	78
PID 1028 set thread context of 2532	1028	svchost.exe	79
PID 1028 set thread context of 2400	1028	svchost.exe	80
PID 1028 set thread context of 2296	1028	svchost.exe	81
PID 1028 set thread context of 2760	1028	svchost.exe	82
PID 1028 set thread context of 2992	1028	svchost.exe	83
PID 1028 set thread context of 2980	1028	svchost.exe	84
PID 1028 set thread context of 2112	1028	svchost.exe	85
PID 1028 set thread context of 2652	1028	svchost.exe	86
PID 1028 set thread context of 2724	1028	svchost.exe	87
PID 1028 set thread context of 2616	1028	svchost.exe	88
PID 1028 set thread context of 3052	1028	svchost.exe	89
PID 1028 set thread context of 1248	1028	svchost.exe	90
PID 1028 set thread context of 1572	1028	svchost.exe	91
PID 1028 set thread context of 2860	1028	svchost.exe	92
PID 1028 set thread context of 1992	1028	svchost.exe	93
PID 1028 set thread context of 1704	1028	svchost.exe	94
PID 1028 set thread context of 1892	1028	svchost.exe	95
PID 1028 set thread context of 1008	1028	svchost.exe	96
PID 1028 set thread context of 1948	1028	svchost.exe	97

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Document SWIFT Payment Copy Ref#8374837293.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2916	reg.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2972	Document SWIFT Payment Copy Ref#8374837293.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2972	Document SWIFT Payment Copy Ref#8374837293.exe
2972	Document SWIFT Payment Copy Ref#8374837293.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2972	Document SWIFT Payment Copy Ref#8374837293.exe
2972	Document SWIFT Payment Copy Ref#8374837293.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1028	2972	Document SWIFT Payment Copy Ref#8374837293.exe	30
PID 2972 wrote to memory of 1028	2972	Document SWIFT Payment Copy Ref#8374837293.exe	30
PID 2972 wrote to memory of 1028	2972	Document SWIFT Payment Copy Ref#8374837293.exe	30
PID 2972 wrote to memory of 1028	2972	Document SWIFT Payment Copy Ref#8374837293.exe	30
PID 2972 wrote to memory of 1028	2972	Document SWIFT Payment Copy Ref#8374837293.exe	30
PID 1028 wrote to memory of 2104	1028	svchost.exe	31
PID 1028 wrote to memory of 2104	1028	svchost.exe	31
PID 1028 wrote to memory of 2104	1028	svchost.exe	31
PID 1028 wrote to memory of 2104	1028	svchost.exe	31
PID 1028 wrote to memory of 2248	1028	svchost.exe	33
PID 1028 wrote to memory of 2248	1028	svchost.exe	33
PID 1028 wrote to memory of 2248	1028	svchost.exe	33
PID 1028 wrote to memory of 2248	1028	svchost.exe	33
PID 1028 wrote to memory of 2248	1028	svchost.exe	33
PID 2104 wrote to memory of 2916	2104	cmd.exe	34
PID 2104 wrote to memory of 2916	2104	cmd.exe	34
PID 2104 wrote to memory of 2916	2104	cmd.exe	34
PID 2104 wrote to memory of 2916	2104	cmd.exe	34
PID 1028 wrote to memory of 2984	1028	svchost.exe	35
PID 1028 wrote to memory of 2984	1028	svchost.exe	35
PID 1028 wrote to memory of 2984	1028	svchost.exe	35
PID 1028 wrote to memory of 2984	1028	svchost.exe	35
PID 1028 wrote to memory of 2984	1028	svchost.exe	35
PID 1028 wrote to memory of 2176	1028	svchost.exe	36
PID 1028 wrote to memory of 2176	1028	svchost.exe	36
PID 1028 wrote to memory of 2176	1028	svchost.exe	36
PID 1028 wrote to memory of 2176	1028	svchost.exe	36
PID 1028 wrote to memory of 2176	1028	svchost.exe	36
PID 1028 wrote to memory of 2788	1028	svchost.exe	37
PID 1028 wrote to memory of 2788	1028	svchost.exe	37
PID 1028 wrote to memory of 2788	1028	svchost.exe	37
PID 1028 wrote to memory of 2788	1028	svchost.exe	37
PID 1028 wrote to memory of 2788	1028	svchost.exe	37
PID 1028 wrote to memory of 2748	1028	svchost.exe	38
PID 1028 wrote to memory of 2748	1028	svchost.exe	38
PID 1028 wrote to memory of 2748	1028	svchost.exe	38
PID 1028 wrote to memory of 2748	1028	svchost.exe	38
PID 1028 wrote to memory of 2748	1028	svchost.exe	38
PID 1028 wrote to memory of 2608	1028	svchost.exe	39
PID 1028 wrote to memory of 2608	1028	svchost.exe	39
PID 1028 wrote to memory of 2608	1028	svchost.exe	39
PID 1028 wrote to memory of 2608	1028	svchost.exe	39
PID 1028 wrote to memory of 2608	1028	svchost.exe	39
PID 1028 wrote to memory of 2676	1028	svchost.exe	40
PID 1028 wrote to memory of 2676	1028	svchost.exe	40
PID 1028 wrote to memory of 2676	1028	svchost.exe	40
PID 1028 wrote to memory of 2676	1028	svchost.exe	40
PID 1028 wrote to memory of 2676	1028	svchost.exe	40
PID 1028 wrote to memory of 1844	1028	svchost.exe	42
PID 1028 wrote to memory of 1844	1028	svchost.exe	42
PID 1028 wrote to memory of 1844	1028	svchost.exe	42
PID 1028 wrote to memory of 1844	1028	svchost.exe	42
PID 1028 wrote to memory of 1844	1028	svchost.exe	42
PID 1028 wrote to memory of 2148	1028	svchost.exe	43
PID 1028 wrote to memory of 2148	1028	svchost.exe	43
PID 1028 wrote to memory of 2148	1028	svchost.exe	43
PID 1028 wrote to memory of 2148	1028	svchost.exe	43
PID 1028 wrote to memory of 2148	1028	svchost.exe	43
PID 1028 wrote to memory of 2008	1028	svchost.exe	44
PID 1028 wrote to memory of 2008	1028	svchost.exe	44
PID 1028 wrote to memory of 2008	1028	svchost.exe	44
PID 1028 wrote to memory of 2008	1028	svchost.exe	44
PID 1028 wrote to memory of 2008	1028	svchost.exe	44
PID 1028 wrote to memory of 1048	1028	svchost.exe	45

C:\Users\Admin\AppData\Local\Temp\Document SWIFT Payment Copy Ref#8374837293.exe
"C:\Users\Admin\AppData\Local\Temp\Document SWIFT Payment Copy Ref#8374837293.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Document SWIFT Payment Copy Ref#8374837293.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2916
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:592
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:264
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:440
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:268
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:112
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:636
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:760
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1028-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1028-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1028-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1028-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1028-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1028-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1028-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2176-36-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/2248-24-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/2248-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2248-21-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/2248-23-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/2748-48-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/2788-42-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/2972-10-0x0000000000350000-0x0000000000354000-memory.dmp

Filesize
16KB

Download
memory/2984-29-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/2984-30-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/2984-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2984-27-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads