remcos | e588a098e9ceb33f2616e11a3faf28162e5f4b7f3800b22ab3023bc376aeb18c

General

Target

PaymentTransferRequestForm.bat.exe
Size

1.2MB
MD5

fc5a80adf45d78ffa834283d0a78f9f6
SHA1

6865dec6f71546ea01420295b7175038c3a81ec4
SHA256

e588a098e9ceb33f2616e11a3faf28162e5f4b7f3800b22ab3023bc376aeb18c
SHA512

27636cd0d31e3b1ff384869f1f2be6c23d7f02ecd70027c5d689de0893835d070218596a941472481d637cc6253ed3f2405991a6af4772596cc88f909a7dd7cb
SSDEEP

24576:RYdgfvzAKzxWCC9vSA6GRdsttHVqowvVpBdlvlOUa:rzAcWFt96ydyQow5dldna

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.162.149.226:9285

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
AppUpdate
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VCJ8ZS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
AppUpdate
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2972 powershell.exe
2808 powershell.exe
1280 powershell.exe
2560 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

2940 remcos.exe
1800 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

536 cmd.exe

pid	process
2972	powershell.exe
2808	powershell.exe
1280	powershell.exe
2560	powershell.exe

pid	process
2940	remcos.exe
1800	remcos.exe

pid	process
536	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PaymentTransferRequestForm.bat.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	PaymentTransferRequestForm.bat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	PaymentTransferRequestForm.bat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PaymentTransferRequestForm.bat.exeremcos.exe

description	pid	process	target process
PID 2684 set thread context of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2940 set thread context of 1800	2940	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PaymentTransferRequestForm.bat.exeschtasks.exeWScript.execmd.exeremcos.exeschtasks.exeremcos.exepowershell.exepowershell.exePaymentTransferRequestForm.bat.exepowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PaymentTransferRequestForm.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PaymentTransferRequestForm.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2816 schtasks.exe
2480 schtasks.exe

pid	process
2816	schtasks.exe
2480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

PaymentTransferRequestForm.bat.exepowershell.exepowershell.exeremcos.exepowershell.exepowershell.exe

pid	process
2684	PaymentTransferRequestForm.bat.exe
2684	PaymentTransferRequestForm.bat.exe
2684	PaymentTransferRequestForm.bat.exe
2684	PaymentTransferRequestForm.bat.exe
2808	powershell.exe
2972	powershell.exe
2940	remcos.exe
2940	remcos.exe
2940	remcos.exe
1280	powershell.exe
2560	powershell.exe
2940	remcos.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

PaymentTransferRequestForm.bat.exepowershell.exepowershell.exeremcos.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2684	PaymentTransferRequestForm.bat.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2940	remcos.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

PaymentTransferRequestForm.bat.exePaymentTransferRequestForm.bat.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 2684 wrote to memory of 2972	2684	PaymentTransferRequestForm.bat.exe	powershell.exe
PID 2684 wrote to memory of 2972	2684	PaymentTransferRequestForm.bat.exe	powershell.exe
PID 2684 wrote to memory of 2972	2684	PaymentTransferRequestForm.bat.exe	powershell.exe
PID 2684 wrote to memory of 2972	2684	PaymentTransferRequestForm.bat.exe	powershell.exe
PID 2684 wrote to memory of 2808	2684	PaymentTransferRequestForm.bat.exe	powershell.exe
PID 2684 wrote to memory of 2808	2684	PaymentTransferRequestForm.bat.exe	powershell.exe
PID 2684 wrote to memory of 2808	2684	PaymentTransferRequestForm.bat.exe	powershell.exe
PID 2684 wrote to memory of 2808	2684	PaymentTransferRequestForm.bat.exe	powershell.exe
PID 2684 wrote to memory of 2816	2684	PaymentTransferRequestForm.bat.exe	schtasks.exe
PID 2684 wrote to memory of 2816	2684	PaymentTransferRequestForm.bat.exe	schtasks.exe
PID 2684 wrote to memory of 2816	2684	PaymentTransferRequestForm.bat.exe	schtasks.exe
PID 2684 wrote to memory of 2816	2684	PaymentTransferRequestForm.bat.exe	schtasks.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2684 wrote to memory of 2652	2684	PaymentTransferRequestForm.bat.exe	PaymentTransferRequestForm.bat.exe
PID 2652 wrote to memory of 1608	2652	PaymentTransferRequestForm.bat.exe	WScript.exe
PID 2652 wrote to memory of 1608	2652	PaymentTransferRequestForm.bat.exe	WScript.exe
PID 2652 wrote to memory of 1608	2652	PaymentTransferRequestForm.bat.exe	WScript.exe
PID 2652 wrote to memory of 1608	2652	PaymentTransferRequestForm.bat.exe	WScript.exe
PID 1608 wrote to memory of 536	1608	WScript.exe	cmd.exe
PID 1608 wrote to memory of 536	1608	WScript.exe	cmd.exe
PID 1608 wrote to memory of 536	1608	WScript.exe	cmd.exe
PID 1608 wrote to memory of 536	1608	WScript.exe	cmd.exe
PID 536 wrote to memory of 2940	536	cmd.exe	remcos.exe
PID 536 wrote to memory of 2940	536	cmd.exe	remcos.exe
PID 536 wrote to memory of 2940	536	cmd.exe	remcos.exe
PID 536 wrote to memory of 2940	536	cmd.exe	remcos.exe
PID 2940 wrote to memory of 1280	2940	remcos.exe	powershell.exe
PID 2940 wrote to memory of 1280	2940	remcos.exe	powershell.exe
PID 2940 wrote to memory of 1280	2940	remcos.exe	powershell.exe
PID 2940 wrote to memory of 1280	2940	remcos.exe	powershell.exe
PID 2940 wrote to memory of 2560	2940	remcos.exe	powershell.exe
PID 2940 wrote to memory of 2560	2940	remcos.exe	powershell.exe
PID 2940 wrote to memory of 2560	2940	remcos.exe	powershell.exe
PID 2940 wrote to memory of 2560	2940	remcos.exe	powershell.exe
PID 2940 wrote to memory of 2480	2940	remcos.exe	schtasks.exe
PID 2940 wrote to memory of 2480	2940	remcos.exe	schtasks.exe
PID 2940 wrote to memory of 2480	2940	remcos.exe	schtasks.exe
PID 2940 wrote to memory of 2480	2940	remcos.exe	schtasks.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe
PID 2940 wrote to memory of 1800	2940	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\PaymentTransferRequestForm.bat.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentTransferRequestForm.bat.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PaymentTransferRequestForm.bat.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iKgKaogJ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4D.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\PaymentTransferRequestForm.bat.exe
  "C:\Users\Admin\AppData\Local\Temp\PaymentTransferRequestForm.bat.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\ProgramData\AppUpdate\remcos.exe
        
        C:\ProgramData\AppUpdate\remcos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iKgKaogJ.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp72B0.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2480
      - C:\ProgramData\AppUpdate\remcos.exe
        
        "C:\ProgramData\AppUpdate\remcos.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AppUpdate\remcos.exe

Filesize
1.2MB

MD5
fc5a80adf45d78ffa834283d0a78f9f6

SHA1
6865dec6f71546ea01420295b7175038c3a81ec4

SHA256
e588a098e9ceb33f2616e11a3faf28162e5f4b7f3800b22ab3023bc376aeb18c

SHA512
27636cd0d31e3b1ff384869f1f2be6c23d7f02ecd70027c5d689de0893835d070218596a941472481d637cc6253ed3f2405991a6af4772596cc88f909a7dd7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
392B

MD5
046708368578d720d91fb9ceecec742e

SHA1
1dc732f67f48a1d5694f4cf14a8d279dbd1d6ee6

SHA256
04f4edc28e97a16f93cf7acac864aba17cc467282550ae61baac719262be6f5e

SHA512
9106f645ee74c9e061fcb396a00d706512d41054a356125f26a10d42390d8f0d3ea3dd785393bf5de358b62464ec3c0f7d2e27411e87bb408581f820c427e7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4D.tmp

Filesize
1KB

MD5
416453ad088ce861d0c1be11604eaffb

SHA1
15ab130f07135342295aed87b279a53b13690889

SHA256
10b560c9c272a31fa31b387bb88f7a0b1b656db3927d1730cde370c9893c6db6

SHA512
cf2f6f178b4c5fa3847ce42f0c020e5123749909302330244a60a85e6f51d4e0d7d445482a2bd332c06a6cd0b252722f0b0e93fe72f9b43f642b1e0e8d4af7aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7bcb78d120aaee4a449cc6e89d16ef39

SHA1
7ea1b88e24d7bd51ccab6c61bdedc6a25a46f95c

SHA256
a6b6cab038147b649ce56759a9e4adad4acd880f4b7ba391aacb6e384c537d15

SHA512
2cbb7df4e51f4c6ec5502941d526a7109044530f5e475dd76a22d551f3c12179a42a8f3b4605c41c831e8f97f540f410b2e65e43025890d60332c6668e2e5c9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c5c821782f44a495808f87387f9e56ae

SHA1
d10bb9d036134ff9f5ac104fe29d10827b4f6350

SHA256
78d57d9870c7b1c7ade3ef6e09b38896b84a7640c2ef4168102eef253fd34419

SHA512
60034ff6695e275eca95b57bc6a5a9bb142dbee7204a134a47484205ccfe6e1ba8f1de9f06af66bb01d554abdd632322a509ec3025fa67d852a71b2e2428d9a7

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1800-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1800-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2684-42-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2684-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2684-6-0x0000000004FD0000-0x0000000005090000-memory.dmp

Filesize
768KB

Download
memory/2684-5-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2684-4-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2684-3-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2684-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2684-1-0x0000000000CD0000-0x0000000000E02000-memory.dmp

Filesize
1.2MB

Download
memory/2940-48-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2940-47-0x0000000000980000-0x0000000000AB2000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads