remcos | f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

General

Target

SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
Size

1.3MB
MD5

8a16967ee620b6d50578ec90143e9b88
SHA1

8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f
SHA256

f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765
SHA512

f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu:1996

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

win.exewin.exe

pid process

2012 win.exe
2508 win.exe

pid	process
2012	win.exe
2508	win.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exewin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	win.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	win.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exewin.exe

pid	process
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
2012	win.exe
2012	win.exe
2012	win.exe
2012	win.exe
2012	win.exe
2012	win.exe
2012	win.exe
2012	win.exe
2012	win.exe
2012	win.exe
2012	win.exe
2012	win.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exewin.exe

description	pid	process	target process
PID 508 set thread context of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 2012 set thread context of 2508	2012	win.exe	win.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

648 508 WerFault.exe SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
3452 2012 WerFault.exe win.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4012 timeout.exe
3808 timeout.exe
2896 timeout.exe
1232 timeout.exe
724 timeout.exe
2824 timeout.exe

pid	pid_target	process	target process
648	508	WerFault.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
3452	2012	WerFault.exe	win.exe

pid	process
4012	timeout.exe
3808	timeout.exe
2896	timeout.exe
1232	timeout.exe
724	timeout.exe
2824	timeout.exe

Modifies registry class 1 IoCs

Processes:

SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exeWerFault.exewin.exeWerFault.exe

pid	process
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe
2012	win.exe
2012	win.exe
2012	win.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe
3452	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

win.exe

pid process

2508 win.exe

pid	process
2508	win.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exeWerFault.exewin.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
Token: SeRestorePrivilege	648	WerFault.exe
Token: SeBackupPrivilege	648	WerFault.exe
Token: SeDebugPrivilege	648	WerFault.exe
Token: SeDebugPrivilege	2012	win.exe
Token: SeDebugPrivilege	3452	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

win.exe

pid process

2508 win.exe

pid	process
2508	win.exe

Suspicious use of WriteProcessMemory 71 IoCs

Processes:

SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.execmd.execmd.execmd.exeSecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exeWScript.execmd.exewin.execmd.execmd.execmd.exe

description	pid	process	target process
PID 508 wrote to memory of 3556	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	cmd.exe
PID 508 wrote to memory of 3556	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	cmd.exe
PID 508 wrote to memory of 3556	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	cmd.exe
PID 3556 wrote to memory of 2824	3556	cmd.exe	timeout.exe
PID 3556 wrote to memory of 2824	3556	cmd.exe	timeout.exe
PID 3556 wrote to memory of 2824	3556	cmd.exe	timeout.exe
PID 508 wrote to memory of 2608	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	cmd.exe
PID 508 wrote to memory of 2608	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	cmd.exe
PID 508 wrote to memory of 2608	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	cmd.exe
PID 2608 wrote to memory of 4012	2608	cmd.exe	timeout.exe
PID 2608 wrote to memory of 4012	2608	cmd.exe	timeout.exe
PID 2608 wrote to memory of 4012	2608	cmd.exe	timeout.exe
PID 508 wrote to memory of 1836	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	cmd.exe
PID 508 wrote to memory of 1836	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	cmd.exe
PID 508 wrote to memory of 1836	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	cmd.exe
PID 1836 wrote to memory of 3808	1836	cmd.exe	timeout.exe
PID 1836 wrote to memory of 3808	1836	cmd.exe	timeout.exe
PID 1836 wrote to memory of 3808	1836	cmd.exe	timeout.exe
PID 508 wrote to memory of 1172	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1172	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1172	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1312	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1312	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1312	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 508 wrote to memory of 1168	508	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
PID 1168 wrote to memory of 2336	1168	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	WScript.exe
PID 1168 wrote to memory of 2336	1168	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	WScript.exe
PID 1168 wrote to memory of 2336	1168	SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe	WScript.exe
PID 2336 wrote to memory of 3120	2336	WScript.exe	cmd.exe
PID 2336 wrote to memory of 3120	2336	WScript.exe	cmd.exe
PID 2336 wrote to memory of 3120	2336	WScript.exe	cmd.exe
PID 3120 wrote to memory of 2012	3120	cmd.exe	win.exe
PID 3120 wrote to memory of 2012	3120	cmd.exe	win.exe
PID 3120 wrote to memory of 2012	3120	cmd.exe	win.exe
PID 2012 wrote to memory of 60	2012	win.exe	cmd.exe
PID 2012 wrote to memory of 60	2012	win.exe	cmd.exe
PID 2012 wrote to memory of 60	2012	win.exe	cmd.exe
PID 60 wrote to memory of 2896	60	cmd.exe	timeout.exe
PID 60 wrote to memory of 2896	60	cmd.exe	timeout.exe
PID 60 wrote to memory of 2896	60	cmd.exe	timeout.exe
PID 2012 wrote to memory of 3904	2012	win.exe	cmd.exe
PID 2012 wrote to memory of 3904	2012	win.exe	cmd.exe
PID 2012 wrote to memory of 3904	2012	win.exe	cmd.exe
PID 3904 wrote to memory of 1232	3904	cmd.exe	timeout.exe
PID 3904 wrote to memory of 1232	3904	cmd.exe	timeout.exe
PID 3904 wrote to memory of 1232	3904	cmd.exe	timeout.exe
PID 2012 wrote to memory of 3772	2012	win.exe	cmd.exe
PID 2012 wrote to memory of 3772	2012	win.exe	cmd.exe
PID 2012 wrote to memory of 3772	2012	win.exe	cmd.exe
PID 3772 wrote to memory of 724	3772	cmd.exe	timeout.exe
PID 3772 wrote to memory of 724	3772	cmd.exe	timeout.exe
PID 3772 wrote to memory of 724	3772	cmd.exe	timeout.exe
PID 2012 wrote to memory of 2508	2012	win.exe	win.exe
PID 2012 wrote to memory of 2508	2012	win.exe	win.exe
PID 2012 wrote to memory of 2508	2012	win.exe	win.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3808

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe"
2⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe"
2⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Roaming\win.exe
C:\Users\Admin\AppData\Roaming\win.exe
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:2896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:724

C:\Users\Admin\AppData\Roaming\win.exe
"C:\Users\Admin\AppData\Roaming\win.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1552
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1528
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
4a74e626596d6e66b4bbc59ee6848f2d

SHA1
047849ac8735ecc0943428c7cd5e00b52eee06ed

SHA256
98bd6dc219a7a3e04d3d67bbec9f0b4d4640831a3a6be0a0078b050041088b0e

SHA512
1cd943482d0f1ce2ffaf6ee4a82895e4d57c52051bb14bbda0548cf072b4c5cbe719d2cdb549b5ae7c0241dd9c68dd9d1674acd26aed684b8145500079cc5403

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
8a16967ee620b6d50578ec90143e9b88

SHA1
8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

SHA256
f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

SHA512
f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
8a16967ee620b6d50578ec90143e9b88

SHA1
8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

SHA256
f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

SHA512
f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
8a16967ee620b6d50578ec90143e9b88

SHA1
8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

SHA256
f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

SHA512
f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

Download Submit
memory/60-36-0x0000000000000000-mapping.dmp

Download
memory/508-8-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/508-6-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/508-3-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/508-9-0x00000000053E0000-0x000000000540F000-memory.dmp

Filesize
188KB

Download
memory/508-7-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/508-5-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/508-2-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/648-21-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/724-41-0x0000000000000000-mapping.dmp

Download
memory/1168-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1168-17-0x0000000000413FA4-mapping.dmp

Download
memory/1168-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1232-39-0x0000000000000000-mapping.dmp

Download
memory/1836-14-0x0000000000000000-mapping.dmp

Download
memory/2012-28-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2012-25-0x0000000000000000-mapping.dmp

Download
memory/2336-19-0x0000000000000000-mapping.dmp

Download
memory/2508-43-0x0000000000413FA4-mapping.dmp

Download
memory/2508-45-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2608-12-0x0000000000000000-mapping.dmp

Download
memory/2824-11-0x0000000000000000-mapping.dmp

Download
memory/2896-37-0x0000000000000000-mapping.dmp

Download
memory/3120-24-0x0000000000000000-mapping.dmp

Download
memory/3452-46-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/3556-10-0x0000000000000000-mapping.dmp

Download
memory/3772-40-0x0000000000000000-mapping.dmp

Download
memory/3808-15-0x0000000000000000-mapping.dmp

Download
memory/3904-38-0x0000000000000000-mapping.dmp

Download
memory/4012-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads