remcos | fdd7a11713768ea1228de9054ac3d7ae9f85fac1d6f3461f8192daf8c385b6d1

General

Target

SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
Size

1.3MB
MD5

022d116c9e8cc50f7b3d837b69eef49a
SHA1

15acead8bc9052f5716454e21e99493123e1cd42
SHA256

fdd7a11713768ea1228de9054ac3d7ae9f85fac1d6f3461f8192daf8c385b6d1
SHA512

f3b174d2deea097ae25da281d79e3f46c65cf3f809a8b2a5dd7603b95191032ef0996230ccc8b68de56e2e2cbe229491e5dc4f8239fcf0c47b8dfb64cb6b47b2

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

vlc.exevlc.exe

pid process

2984 vlc.exe
3624 vlc.exe

pid	process
2984	vlc.exe
3624	vlc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vlc.exeSecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vlc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exevlc.exe

pid	process
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exevlc.exe

description	pid	process	target process
PID 4056 set thread context of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 2984 set thread context of 3624	2984	vlc.exe	vlc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

988 4056 WerFault.exe SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
2652 2984 WerFault.exe vlc.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3968 timeout.exe
1892 timeout.exe
3620 timeout.exe
3216 timeout.exe
4000 timeout.exe
2808 timeout.exe

pid	pid_target	process	target process
988	4056	WerFault.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
2652	2984	WerFault.exe	vlc.exe

pid	process
3968	timeout.exe
1892	timeout.exe
3620	timeout.exe
3216	timeout.exe
4000	timeout.exe
2808	timeout.exe

Modifies registry class 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exeWerFault.exevlc.exeWerFault.exe

pid	process
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

3624 vlc.exe

pid	process
3624	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exeWerFault.exevlc.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
Token: SeRestorePrivilege	988	WerFault.exe
Token: SeBackupPrivilege	988	WerFault.exe
Token: SeDebugPrivilege	988	WerFault.exe
Token: SeDebugPrivilege	2984	vlc.exe
Token: SeDebugPrivilege	2652	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

3624 vlc.exe

pid	process
3624	vlc.exe

Suspicious use of WriteProcessMemory 65 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.execmd.execmd.execmd.exeSecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exeWScript.execmd.exevlc.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4056 wrote to memory of 3964	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	cmd.exe
PID 4056 wrote to memory of 3964	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	cmd.exe
PID 4056 wrote to memory of 3964	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	cmd.exe
PID 3964 wrote to memory of 3968	3964	cmd.exe	timeout.exe
PID 3964 wrote to memory of 3968	3964	cmd.exe	timeout.exe
PID 3964 wrote to memory of 3968	3964	cmd.exe	timeout.exe
PID 4056 wrote to memory of 732	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	cmd.exe
PID 4056 wrote to memory of 732	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	cmd.exe
PID 4056 wrote to memory of 732	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	cmd.exe
PID 732 wrote to memory of 1892	732	cmd.exe	timeout.exe
PID 732 wrote to memory of 1892	732	cmd.exe	timeout.exe
PID 732 wrote to memory of 1892	732	cmd.exe	timeout.exe
PID 4056 wrote to memory of 1984	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	cmd.exe
PID 4056 wrote to memory of 1984	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	cmd.exe
PID 4056 wrote to memory of 1984	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	cmd.exe
PID 1984 wrote to memory of 3620	1984	cmd.exe	timeout.exe
PID 1984 wrote to memory of 3620	1984	cmd.exe	timeout.exe
PID 1984 wrote to memory of 3620	1984	cmd.exe	timeout.exe
PID 4056 wrote to memory of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 4056 wrote to memory of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 4056 wrote to memory of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 4056 wrote to memory of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 4056 wrote to memory of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 4056 wrote to memory of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 4056 wrote to memory of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 4056 wrote to memory of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 4056 wrote to memory of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 4056 wrote to memory of 1176	4056	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
PID 1176 wrote to memory of 652	1176	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	WScript.exe
PID 1176 wrote to memory of 652	1176	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	WScript.exe
PID 1176 wrote to memory of 652	1176	SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe	WScript.exe
PID 652 wrote to memory of 3376	652	WScript.exe	cmd.exe
PID 652 wrote to memory of 3376	652	WScript.exe	cmd.exe
PID 652 wrote to memory of 3376	652	WScript.exe	cmd.exe
PID 3376 wrote to memory of 2984	3376	cmd.exe	vlc.exe
PID 3376 wrote to memory of 2984	3376	cmd.exe	vlc.exe
PID 3376 wrote to memory of 2984	3376	cmd.exe	vlc.exe
PID 2984 wrote to memory of 2136	2984	vlc.exe	cmd.exe
PID 2984 wrote to memory of 2136	2984	vlc.exe	cmd.exe
PID 2984 wrote to memory of 2136	2984	vlc.exe	cmd.exe
PID 2136 wrote to memory of 3216	2136	cmd.exe	timeout.exe
PID 2136 wrote to memory of 3216	2136	cmd.exe	timeout.exe
PID 2136 wrote to memory of 3216	2136	cmd.exe	timeout.exe
PID 2984 wrote to memory of 3972	2984	vlc.exe	cmd.exe
PID 2984 wrote to memory of 3972	2984	vlc.exe	cmd.exe
PID 2984 wrote to memory of 3972	2984	vlc.exe	cmd.exe
PID 3972 wrote to memory of 4000	3972	cmd.exe	timeout.exe
PID 3972 wrote to memory of 4000	3972	cmd.exe	timeout.exe
PID 3972 wrote to memory of 4000	3972	cmd.exe	timeout.exe
PID 2984 wrote to memory of 2380	2984	vlc.exe	cmd.exe
PID 2984 wrote to memory of 2380	2984	vlc.exe	cmd.exe
PID 2984 wrote to memory of 2380	2984	vlc.exe	cmd.exe
PID 2380 wrote to memory of 2808	2380	cmd.exe	timeout.exe
PID 2380 wrote to memory of 2808	2380	cmd.exe	timeout.exe
PID 2380 wrote to memory of 2808	2380	cmd.exe	timeout.exe
PID 2984 wrote to memory of 3624	2984	vlc.exe	vlc.exe
PID 2984 wrote to memory of 3624	2984	vlc.exe	vlc.exe
PID 2984 wrote to memory of 3624	2984	vlc.exe	vlc.exe
PID 2984 wrote to memory of 3624	2984	vlc.exe	vlc.exe
PID 2984 wrote to memory of 3624	2984	vlc.exe	vlc.exe
PID 2984 wrote to memory of 3624	2984	vlc.exe	vlc.exe
PID 2984 wrote to memory of 3624	2984	vlc.exe	vlc.exe
PID 2984 wrote to memory of 3624	2984	vlc.exe	vlc.exe
PID 2984 wrote to memory of 3624	2984	vlc.exe	vlc.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3620

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.510.21742.1465.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\vlc.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Roaming\vlc.exe
C:\Users\Admin\AppData\Roaming\vlc.exe
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:3216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:4000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:2808

C:\Users\Admin\AppData\Roaming\vlc.exe
"C:\Users\Admin\AppData\Roaming\vlc.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1556
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1644
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
0fd303b21c1a43c6a9078e6f5280ca85

SHA1
0db8f1ae34f4e2e72184e337951fde826c0bd26f

SHA256
5d8c6cfdf8fc198c4fd279487e5c1620ece89e39781c6337f4cb5e111e606ddc

SHA512
be4cdd48940bead0274c7cf08abd9bc75b5db468159cbf883198712d0bb15ad81a069638c628eba62237cfa0a197f845c0d9e1f4727c9608a8d642f7aba38671

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe
MD5
022d116c9e8cc50f7b3d837b69eef49a

SHA1
15acead8bc9052f5716454e21e99493123e1cd42

SHA256
fdd7a11713768ea1228de9054ac3d7ae9f85fac1d6f3461f8192daf8c385b6d1

SHA512
f3b174d2deea097ae25da281d79e3f46c65cf3f809a8b2a5dd7603b95191032ef0996230ccc8b68de56e2e2cbe229491e5dc4f8239fcf0c47b8dfb64cb6b47b2

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe
MD5
022d116c9e8cc50f7b3d837b69eef49a

SHA1
15acead8bc9052f5716454e21e99493123e1cd42

SHA256
fdd7a11713768ea1228de9054ac3d7ae9f85fac1d6f3461f8192daf8c385b6d1

SHA512
f3b174d2deea097ae25da281d79e3f46c65cf3f809a8b2a5dd7603b95191032ef0996230ccc8b68de56e2e2cbe229491e5dc4f8239fcf0c47b8dfb64cb6b47b2

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe
MD5
022d116c9e8cc50f7b3d837b69eef49a

SHA1
15acead8bc9052f5716454e21e99493123e1cd42

SHA256
fdd7a11713768ea1228de9054ac3d7ae9f85fac1d6f3461f8192daf8c385b6d1

SHA512
f3b174d2deea097ae25da281d79e3f46c65cf3f809a8b2a5dd7603b95191032ef0996230ccc8b68de56e2e2cbe229491e5dc4f8239fcf0c47b8dfb64cb6b47b2

Download Submit
memory/652-19-0x0000000000000000-mapping.dmp

Download
memory/732-13-0x0000000000000000-mapping.dmp

Download
memory/988-20-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/1176-18-0x0000000000413FA4-mapping.dmp

Download
memory/1176-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1892-14-0x0000000000000000-mapping.dmp

Download
memory/1984-15-0x0000000000000000-mapping.dmp

Download
memory/2136-35-0x0000000000000000-mapping.dmp

Download
memory/2380-40-0x0000000000000000-mapping.dmp

Download
memory/2652-45-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/2808-41-0x0000000000000000-mapping.dmp

Download
memory/2984-37-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/2984-24-0x0000000000000000-mapping.dmp

Download
memory/2984-27-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/3216-36-0x0000000000000000-mapping.dmp

Download
memory/3376-23-0x0000000000000000-mapping.dmp

Download
memory/3620-16-0x0000000000000000-mapping.dmp

Download
memory/3624-48-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3624-43-0x0000000000413FA4-mapping.dmp

Download
memory/3964-10-0x0000000000000000-mapping.dmp

Download
memory/3968-12-0x0000000000000000-mapping.dmp

Download
memory/3972-38-0x0000000000000000-mapping.dmp

Download
memory/4000-39-0x0000000000000000-mapping.dmp

Download
memory/4056-2-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/4056-8-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4056-7-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/4056-6-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/4056-5-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/4056-9-0x0000000005150000-0x000000000517F000-memory.dmp

Filesize
188KB

Download
memory/4056-3-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4056-11-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads