remcos | e588a098e9ceb33f2616e11a3faf28162e5f4b7f3800b22ab3023bc376aeb18c

General

Target

Payment Transfer Request Form.bat.exe
Size

1.2MB
MD5

fc5a80adf45d78ffa834283d0a78f9f6
SHA1

6865dec6f71546ea01420295b7175038c3a81ec4
SHA256

e588a098e9ceb33f2616e11a3faf28162e5f4b7f3800b22ab3023bc376aeb18c
SHA512

27636cd0d31e3b1ff384869f1f2be6c23d7f02ecd70027c5d689de0893835d070218596a941472481d637cc6253ed3f2405991a6af4772596cc88f909a7dd7cb
SSDEEP

24576:RYdgfvzAKzxWCC9vSA6GRdsttHVqowvVpBdlvlOUa:rzAcWFt96ydyQow5dldna

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.162.149.226:9285

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
AppUpdate
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VCJ8ZS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
AppUpdate
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2608 powershell.exe
2740 powershell.exe
2552 powershell.exe
2132 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

328 remcos.exe
2448 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2824 cmd.exe

pid	process
2608	powershell.exe
2740	powershell.exe
2552	powershell.exe
2132	powershell.exe

pid	process
328	remcos.exe
2448	remcos.exe

pid	process
2824	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Payment Transfer Request Form.bat.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	Payment Transfer Request Form.bat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	Payment Transfer Request Form.bat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Payment Transfer Request Form.bat.exeremcos.exe

description	pid	process	target process
PID 2676 set thread context of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 328 set thread context of 2448	328	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exeschtasks.exePayment Transfer Request Form.bat.execmd.exeremcos.exepowershell.exepowershell.exeremcos.exePayment Transfer Request Form.bat.exeWScript.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Transfer Request Form.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Transfer Request Form.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2580 schtasks.exe
2136 schtasks.exe

pid	process
2580	schtasks.exe
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Payment Transfer Request Form.bat.exepowershell.exepowershell.exeremcos.exepowershell.exepowershell.exe

pid	process
2676	Payment Transfer Request Form.bat.exe
2676	Payment Transfer Request Form.bat.exe
2676	Payment Transfer Request Form.bat.exe
2676	Payment Transfer Request Form.bat.exe
2740	powershell.exe
2608	powershell.exe
328	remcos.exe
328	remcos.exe
328	remcos.exe
2132	powershell.exe
2552	powershell.exe
328	remcos.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Payment Transfer Request Form.bat.exepowershell.exepowershell.exeremcos.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2676	Payment Transfer Request Form.bat.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	328	remcos.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

Payment Transfer Request Form.bat.exePayment Transfer Request Form.bat.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 2676 wrote to memory of 2608	2676	Payment Transfer Request Form.bat.exe	powershell.exe
PID 2676 wrote to memory of 2608	2676	Payment Transfer Request Form.bat.exe	powershell.exe
PID 2676 wrote to memory of 2608	2676	Payment Transfer Request Form.bat.exe	powershell.exe
PID 2676 wrote to memory of 2608	2676	Payment Transfer Request Form.bat.exe	powershell.exe
PID 2676 wrote to memory of 2740	2676	Payment Transfer Request Form.bat.exe	powershell.exe
PID 2676 wrote to memory of 2740	2676	Payment Transfer Request Form.bat.exe	powershell.exe
PID 2676 wrote to memory of 2740	2676	Payment Transfer Request Form.bat.exe	powershell.exe
PID 2676 wrote to memory of 2740	2676	Payment Transfer Request Form.bat.exe	powershell.exe
PID 2676 wrote to memory of 2580	2676	Payment Transfer Request Form.bat.exe	schtasks.exe
PID 2676 wrote to memory of 2580	2676	Payment Transfer Request Form.bat.exe	schtasks.exe
PID 2676 wrote to memory of 2580	2676	Payment Transfer Request Form.bat.exe	schtasks.exe
PID 2676 wrote to memory of 2580	2676	Payment Transfer Request Form.bat.exe	schtasks.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2676 wrote to memory of 2912	2676	Payment Transfer Request Form.bat.exe	Payment Transfer Request Form.bat.exe
PID 2912 wrote to memory of 2996	2912	Payment Transfer Request Form.bat.exe	WScript.exe
PID 2912 wrote to memory of 2996	2912	Payment Transfer Request Form.bat.exe	WScript.exe
PID 2912 wrote to memory of 2996	2912	Payment Transfer Request Form.bat.exe	WScript.exe
PID 2912 wrote to memory of 2996	2912	Payment Transfer Request Form.bat.exe	WScript.exe
PID 2996 wrote to memory of 2824	2996	WScript.exe	cmd.exe
PID 2996 wrote to memory of 2824	2996	WScript.exe	cmd.exe
PID 2996 wrote to memory of 2824	2996	WScript.exe	cmd.exe
PID 2996 wrote to memory of 2824	2996	WScript.exe	cmd.exe
PID 2824 wrote to memory of 328	2824	cmd.exe	remcos.exe
PID 2824 wrote to memory of 328	2824	cmd.exe	remcos.exe
PID 2824 wrote to memory of 328	2824	cmd.exe	remcos.exe
PID 2824 wrote to memory of 328	2824	cmd.exe	remcos.exe
PID 328 wrote to memory of 2132	328	remcos.exe	powershell.exe
PID 328 wrote to memory of 2132	328	remcos.exe	powershell.exe
PID 328 wrote to memory of 2132	328	remcos.exe	powershell.exe
PID 328 wrote to memory of 2132	328	remcos.exe	powershell.exe
PID 328 wrote to memory of 2552	328	remcos.exe	powershell.exe
PID 328 wrote to memory of 2552	328	remcos.exe	powershell.exe
PID 328 wrote to memory of 2552	328	remcos.exe	powershell.exe
PID 328 wrote to memory of 2552	328	remcos.exe	powershell.exe
PID 328 wrote to memory of 2136	328	remcos.exe	schtasks.exe
PID 328 wrote to memory of 2136	328	remcos.exe	schtasks.exe
PID 328 wrote to memory of 2136	328	remcos.exe	schtasks.exe
PID 328 wrote to memory of 2136	328	remcos.exe	schtasks.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe
PID 328 wrote to memory of 2448	328	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\Payment Transfer Request Form.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Transfer Request Form.bat.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Transfer Request Form.bat.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iKgKaogJ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AE5.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\Payment Transfer Request Form.bat.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Transfer Request Form.bat.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\ProgramData\AppUpdate\remcos.exe
        
        C:\ProgramData\AppUpdate\remcos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:328
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iKgKaogJ.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6C1.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2136
      - C:\ProgramData\AppUpdate\remcos.exe
        
        "C:\ProgramData\AppUpdate\remcos.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AppUpdate\remcos.exe

Filesize
1.2MB

MD5
fc5a80adf45d78ffa834283d0a78f9f6

SHA1
6865dec6f71546ea01420295b7175038c3a81ec4

SHA256
e588a098e9ceb33f2616e11a3faf28162e5f4b7f3800b22ab3023bc376aeb18c

SHA512
27636cd0d31e3b1ff384869f1f2be6c23d7f02ecd70027c5d689de0893835d070218596a941472481d637cc6253ed3f2405991a6af4772596cc88f909a7dd7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
392B

MD5
046708368578d720d91fb9ceecec742e

SHA1
1dc732f67f48a1d5694f4cf14a8d279dbd1d6ee6

SHA256
04f4edc28e97a16f93cf7acac864aba17cc467282550ae61baac719262be6f5e

SHA512
9106f645ee74c9e061fcb396a00d706512d41054a356125f26a10d42390d8f0d3ea3dd785393bf5de358b62464ec3c0f7d2e27411e87bb408581f820c427e7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4AE5.tmp

Filesize
1KB

MD5
9266495575bbdfdee2cbae074fdcb810

SHA1
799a493dc7164c9aaaca0a59cfe4d7d81e76e843

SHA256
aece6d8cc315c0fe19abff064c50e8b1df67fbf01c080997019a841f214bc5ed

SHA512
8e918713a765c73ca05dea8c66277f8a0352c168f97f1cc94b7cd1d3ac6a6668ca99dba2906de3a5f80acad2809e8d7ad11d69daa7fdc0ffe5561fa4fd6c83de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b90de0c65e78841070d5762a368da5b5

SHA1
d181c83b3e2dd906d7849a9363e40a52e5cb6493

SHA256
9e9c036894ed966983b49721d4087e7aedf8101e8f657105512b0475732f1e88

SHA512
46fd3ebcb093bf63fa0a7c48b4b6aa3656f5e934e657d438b49b2de7b6b5150fb90c7efe90ef622e39344f40f9c85126647103af74bd0998f29ef52a35abd2ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1e7e983aa0fa2158edfd9376cd55d70f

SHA1
5cf9f54bcbeac571f8b5daacf7a5b2210785d441

SHA256
1e3d8557680fa9c8d6af0ecc19e3cb4aead3968810ee6ebf331eb65ac1d6a43b

SHA512
541a06101c37765a67b892e0d7f9de384611258ec18ae167eb6bba7ee9ecc9672ad0ecb0eacb4eecb9a817c3130796f999d0f3d4fa195d7d06b943c39975e1d1

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/328-46-0x0000000000950000-0x0000000000A82000-memory.dmp

Filesize
1.2MB

Download
memory/2448-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-5-0x0000000005570000-0x0000000005630000-memory.dmp

Filesize
768KB

Download
memory/2676-4-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-3-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2676-2-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-1-0x0000000001080000-0x00000000011B2000-memory.dmp

Filesize
1.2MB

Download
memory/2676-41-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-0-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

Filesize
4KB

Download
memory/2912-35-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2912-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2912-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2912-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2912-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2912-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2912-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2912-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2912-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2912-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads