remcos | 3c74031a1ddcfbff9691d2992ecd540eb82c4b781bda9ffc5125d40ec712589d

Analysis

max time kernel
1048s
max time network
1034s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jhl_service.exe
Size

3.5MB
MD5

2e5655f2cfebe6357e6388e678f3c073
SHA1

f1d6b68d73a8da906368837c1cde74a26a900858
SHA256

3c74031a1ddcfbff9691d2992ecd540eb82c4b781bda9ffc5125d40ec712589d
SHA512

13477f0bc9a73809e7b069dc441c7fb0023178811f4fe3f39ccbc4b4c412516b612439d8025b0c79c33201c791b343cdcf7dec4a3fe7eabcd3e28b1cf520747f
SSDEEP

98304:cUROmKjJqajychmAfNKcA+hv5r61JD4XEdGic/7FW:TsqzcEAfhrr0D4UdGb/hW

Score

10^/10

remcos remotehost discovery evasion persistence rat themida trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.3.101.172:9674

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Log
keylog_path
%Temp%
mouse_option
false
mutex
Rmc-54ZTI0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	jhl_service.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jhl_service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	jhl_service.exe

Loads dropped DLL 1 IoCs

pid	Process
2796	jhl_service.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2796-44-0x00000000000E0000-0x0000000000A42000-memory.dmp	themida
behavioral1/memory/2796-43-0x00000000000E0000-0x0000000000A42000-memory.dmp	themida
behavioral1/memory/2796-67-0x0000000007E80000-0x00000000087E2000-memory.dmp	themida
behavioral1/memory/2796-85-0x0000000007E80000-0x00000000087E2000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhl_service.exe"	jhl_service.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhl_service.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2796	jhl_service.exe

Suspicious use of SetThreadContext 30 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 2168	2796	jhl_service.exe	32
PID 2796 set thread context of 2872	2796	jhl_service.exe	33
PID 2796 set thread context of 2428	2796	jhl_service.exe	34
PID 2796 set thread context of 2300	2796	jhl_service.exe	35
PID 2796 set thread context of 1932	2796	jhl_service.exe	36
PID 2796 set thread context of 2328	2796	jhl_service.exe	37
PID 2796 set thread context of 1412	2796	jhl_service.exe	38
PID 2796 set thread context of 2668	2796	jhl_service.exe	39
PID 2796 set thread context of 3020	2796	jhl_service.exe	40
PID 2796 set thread context of 2756	2796	jhl_service.exe	41
PID 2796 set thread context of 1624	2796	jhl_service.exe	42
PID 2796 set thread context of 1912	2796	jhl_service.exe	43
PID 2796 set thread context of 780	2796	jhl_service.exe	44
PID 2796 set thread context of 1552	2796	jhl_service.exe	45
PID 2796 set thread context of 2276	2796	jhl_service.exe	46
PID 2796 set thread context of 2420	2796	jhl_service.exe	47
PID 2796 set thread context of 2952	2796	jhl_service.exe	48
PID 2796 set thread context of 2432	2796	jhl_service.exe	49
PID 2796 set thread context of 2324	2796	jhl_service.exe	50
PID 2796 set thread context of 2292	2796	jhl_service.exe	51
PID 2796 set thread context of 1556	2796	jhl_service.exe	52
PID 2796 set thread context of 2008	2796	jhl_service.exe	53
PID 2796 set thread context of 1480	2796	jhl_service.exe	54
PID 2796 set thread context of 1648	2796	jhl_service.exe	55
PID 2796 set thread context of 444	2796	jhl_service.exe	56
PID 2796 set thread context of 1604	2796	jhl_service.exe	57
PID 2796 set thread context of 1892	2796	jhl_service.exe	58
PID 2796 set thread context of 1540	2796	jhl_service.exe	59
PID 2796 set thread context of 952	2796	jhl_service.exe	60
PID 2796 set thread context of 2632	2796	jhl_service.exe	61

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhl_service.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	jhl_service.exe

Suspicious behavior: MapViewOfSection 30 IoCs

pid	Process
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe
2796	jhl_service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2796	jhl_service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2168	2796	jhl_service.exe	32
PID 2796 wrote to memory of 2168	2796	jhl_service.exe	32
PID 2796 wrote to memory of 2168	2796	jhl_service.exe	32
PID 2796 wrote to memory of 2168	2796	jhl_service.exe	32
PID 2796 wrote to memory of 2168	2796	jhl_service.exe	32
PID 2796 wrote to memory of 2872	2796	jhl_service.exe	33
PID 2796 wrote to memory of 2872	2796	jhl_service.exe	33
PID 2796 wrote to memory of 2872	2796	jhl_service.exe	33
PID 2796 wrote to memory of 2872	2796	jhl_service.exe	33
PID 2796 wrote to memory of 2872	2796	jhl_service.exe	33
PID 2796 wrote to memory of 2428	2796	jhl_service.exe	34
PID 2796 wrote to memory of 2428	2796	jhl_service.exe	34
PID 2796 wrote to memory of 2428	2796	jhl_service.exe	34
PID 2796 wrote to memory of 2428	2796	jhl_service.exe	34
PID 2796 wrote to memory of 2428	2796	jhl_service.exe	34
PID 2796 wrote to memory of 2300	2796	jhl_service.exe	35
PID 2796 wrote to memory of 2300	2796	jhl_service.exe	35
PID 2796 wrote to memory of 2300	2796	jhl_service.exe	35
PID 2796 wrote to memory of 2300	2796	jhl_service.exe	35
PID 2796 wrote to memory of 2300	2796	jhl_service.exe	35
PID 2796 wrote to memory of 1932	2796	jhl_service.exe	36
PID 2796 wrote to memory of 1932	2796	jhl_service.exe	36
PID 2796 wrote to memory of 1932	2796	jhl_service.exe	36
PID 2796 wrote to memory of 1932	2796	jhl_service.exe	36
PID 2796 wrote to memory of 1932	2796	jhl_service.exe	36
PID 2796 wrote to memory of 2328	2796	jhl_service.exe	37
PID 2796 wrote to memory of 2328	2796	jhl_service.exe	37
PID 2796 wrote to memory of 2328	2796	jhl_service.exe	37
PID 2796 wrote to memory of 2328	2796	jhl_service.exe	37
PID 2796 wrote to memory of 2328	2796	jhl_service.exe	37
PID 2796 wrote to memory of 1412	2796	jhl_service.exe	38
PID 2796 wrote to memory of 1412	2796	jhl_service.exe	38
PID 2796 wrote to memory of 1412	2796	jhl_service.exe	38
PID 2796 wrote to memory of 1412	2796	jhl_service.exe	38
PID 2796 wrote to memory of 1412	2796	jhl_service.exe	38
PID 2796 wrote to memory of 2668	2796	jhl_service.exe	39
PID 2796 wrote to memory of 2668	2796	jhl_service.exe	39
PID 2796 wrote to memory of 2668	2796	jhl_service.exe	39
PID 2796 wrote to memory of 2668	2796	jhl_service.exe	39
PID 2796 wrote to memory of 2668	2796	jhl_service.exe	39
PID 2796 wrote to memory of 3020	2796	jhl_service.exe	40
PID 2796 wrote to memory of 3020	2796	jhl_service.exe	40
PID 2796 wrote to memory of 3020	2796	jhl_service.exe	40
PID 2796 wrote to memory of 3020	2796	jhl_service.exe	40
PID 2796 wrote to memory of 3020	2796	jhl_service.exe	40
PID 2796 wrote to memory of 2756	2796	jhl_service.exe	41
PID 2796 wrote to memory of 2756	2796	jhl_service.exe	41
PID 2796 wrote to memory of 2756	2796	jhl_service.exe	41
PID 2796 wrote to memory of 2756	2796	jhl_service.exe	41
PID 2796 wrote to memory of 2756	2796	jhl_service.exe	41
PID 2796 wrote to memory of 1624	2796	jhl_service.exe	42
PID 2796 wrote to memory of 1624	2796	jhl_service.exe	42
PID 2796 wrote to memory of 1624	2796	jhl_service.exe	42
PID 2796 wrote to memory of 1624	2796	jhl_service.exe	42
PID 2796 wrote to memory of 1624	2796	jhl_service.exe	42
PID 2796 wrote to memory of 1912	2796	jhl_service.exe	43
PID 2796 wrote to memory of 1912	2796	jhl_service.exe	43
PID 2796 wrote to memory of 1912	2796	jhl_service.exe	43
PID 2796 wrote to memory of 1912	2796	jhl_service.exe	43
PID 2796 wrote to memory of 1912	2796	jhl_service.exe	43
PID 2796 wrote to memory of 780	2796	jhl_service.exe	44
PID 2796 wrote to memory of 780	2796	jhl_service.exe	44
PID 2796 wrote to memory of 780	2796	jhl_service.exe	44
PID 2796 wrote to memory of 780	2796	jhl_service.exe	44

C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
"C:\Users\Admin\AppData\Local\Temp\jhl_service.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\awirqordrk"
  2⤵
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\cqobrgjxfsoed"
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\nstuszuytagjgreoa"
  2⤵
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\scuepyrec"
  2⤵
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\uwzpqicfqmvu"
  2⤵
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\fynhqbnzevnzpsp"
  2⤵
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\zfbz"
  2⤵
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\jhgroas"
  2⤵
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\mbtkoscfch"
  2⤵
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\gqhblrxrpefdzhbhgmkcoizzlumuqf"
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\rtumlkhtdmxibvxlxxwvzntqubvdrqnfa"
  2⤵
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\bnaem"
  2⤵
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\vcowibeyfrugycpdimxqsbsho"
  2⤵
  PID:780
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\gwbojtpztzmtaidhrwkjdomqozbz"
  2⤵
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\iyghkmitpheykwzlihelgshgxgsifdgg"
  2⤵
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\nhhjhdfgqlawzdsvtexfggf"
  2⤵
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\ybnbivqaeusjjkozcpszrlagrey"
  2⤵
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\aesujoabscknlqcltaeauyuxatimtp"
  2⤵
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\utomfuvngyohxrhrme"
  2⤵
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\fntegnggcggmifvvepfvvm"
  2⤵
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\phzpgxqiqoyyklrznzsoyrnxu"
  2⤵
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\kwugdeltdldswm"
  2⤵
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\myazdwvnrtvxgskjx"
  2⤵
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\wsnrepgpfbnbjggnphnc"
  2⤵
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\rhbjbosat"
  2⤵
  PID:444
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\bcgbbgdupgja"
  2⤵
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\eeumczovcobnhum"
  2⤵
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\jnvwzqt"
  2⤵
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\thaoaiecsb"
  2⤵
  PID:952
- C:\Users\Admin\AppData\Local\Temp\jhl_service.exe
  C:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\vjfzbbowgjicqv"
  2⤵
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Log\logs.dat

Filesize
230B

MD5
817ad332ae9bf624907988bceb5714cb

SHA1
172ccd6f67e49f809d021923bc323d75ad5d0f8e

SHA256
2f60f6b98bbbd5f80f61b170d6236fc5fd3becb69e3a2402cd9533030f06ee97

SHA512
d1a8e57720684a10dbe7bdefe1cab939edb529ae52575b249069e83ed6d31a0900dce66831ed6441ebc0d096521642695f87ae6f3202394abebd3d849aeb6d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log\logs.dat

Filesize
144B

MD5
907e962b1333c14ca86c60f9c4127c5e

SHA1
5916a7ce491d32718c80b78f52ed9add0763fc6e

SHA256
6bd0009e2a96d0aadcebabef56f60056a245cd8344d3ffdaabb3c8f3cd6f102c

SHA512
ebaa4a57fbadb34a92c9e319c011c16d43c2bfd646ebbdf39832ad2283dcc66689dc126a40ba87f22b88b8b14b92a950dfeacfc3ee25ded74123d791028f0e77

Download Submit
\Users\Admin\AppData\Local\Temp\57613b55.dll

Filesize
8KB

MD5
e1db733e43aa8d065fb7e8669db76524

SHA1
3f9c62ee28959959271632fdc7f5387d539a1d23

SHA256
9e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d

SHA512
3f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3

Download Submit
memory/2168-58-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2168-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2300-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-41-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-44-0x00000000000E0000-0x0000000000A42000-memory.dmp

Filesize
9.4MB

Download
memory/2796-22-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-21-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-20-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-19-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-18-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-15-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-14-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-13-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-12-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-11-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-10-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-9-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-8-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-7-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-6-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-4-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-3-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-37-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-42-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-0-0x00000000000E0000-0x0000000000A42000-memory.dmp

Filesize
9.4MB

Download
memory/2796-38-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-36-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-25-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-23-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-43-0x00000000000E0000-0x0000000000A42000-memory.dmp

Filesize
9.4MB

Download
memory/2796-46-0x0000000076301000-0x0000000076302000-memory.dmp

Filesize
4KB

Download
memory/2796-45-0x00000000000E0000-0x0000000000A42000-memory.dmp

Filesize
9.4MB

Download
memory/2796-48-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-47-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-50-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-49-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-52-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-56-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-57-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-24-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-16-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-1-0x0000000076301000-0x0000000076302000-memory.dmp

Filesize
4KB

Download
memory/2796-17-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-67-0x0000000007E80000-0x00000000087E2000-memory.dmp

Filesize
9.4MB

Download
memory/2796-5-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-75-0x0000000007E80000-0x00000000087E2000-memory.dmp

Filesize
9.4MB

Download
memory/2796-76-0x0000000007E80000-0x00000000087E2000-memory.dmp

Filesize
9.4MB

Download
memory/2796-85-0x0000000007E80000-0x00000000087E2000-memory.dmp

Filesize
9.4MB

Download
memory/2796-86-0x0000000007E80000-0x00000000087E2000-memory.dmp

Filesize
9.4MB

Download
memory/2796-2-0x00000000762F0000-0x0000000076400000-memory.dmp

Filesize
1.1MB

Download
memory/2796-112-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2796-113-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2872-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads