remcos | 0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

General

Target

SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
Size

1.3MB
MD5

33c35598a22a81d9d62986a910bc4d46
SHA1

9177c4636517c04dad78521286ffe8928b3c8672
SHA256

0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38
SHA512

4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

Score

10^/10

remcos persistence ransomware rat

Malware Config

Extracted

Family

remcos

C2

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

vlc.exevlc.exe

pid process

1856 vlc.exe
1220 vlc.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1068 cmd.exe
1068 cmd.exe

pid	process
1856	vlc.exe
1220	vlc.exe

pid	process
1068	cmd.exe
1068	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exevlc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vlc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	vlc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exevlc.exe

pid	process
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exevlc.exe

description	pid	process	target process
PID 1968 set thread context of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1856 set thread context of 1220	1856	vlc.exe	vlc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

992 1968 WerFault.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

576 timeout.exe
1656 timeout.exe
1100 timeout.exe
576 timeout.exe
1596 timeout.exe
1172 timeout.exe

pid	pid_target	process	target process
992	1968	WerFault.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe

pid	process
576	timeout.exe
1656	timeout.exe
1100	timeout.exe
576	timeout.exe
1596	timeout.exe
1172	timeout.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exeWerFault.exevlc.exe

pid	process
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exeWerFault.exevlc.exe

description	pid	process
Token: SeDebugPrivilege	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
Token: SeDebugPrivilege	992	WerFault.exe
Token: SeDebugPrivilege	1856	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1220 vlc.exe

pid	process
1220	vlc.exe

Suspicious use of WriteProcessMemory 86 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.execmd.execmd.execmd.exeSecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exeWScript.execmd.exevlc.execmd.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 1700	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 1968 wrote to memory of 1700	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 1968 wrote to memory of 1700	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 1968 wrote to memory of 1700	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 1700 wrote to memory of 1656	1700	cmd.exe	timeout.exe
PID 1700 wrote to memory of 1656	1700	cmd.exe	timeout.exe
PID 1700 wrote to memory of 1656	1700	cmd.exe	timeout.exe
PID 1700 wrote to memory of 1656	1700	cmd.exe	timeout.exe
PID 1968 wrote to memory of 792	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 1968 wrote to memory of 792	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 1968 wrote to memory of 792	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 1968 wrote to memory of 792	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 792 wrote to memory of 1100	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 1100	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 1100	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 1100	792	cmd.exe	timeout.exe
PID 1968 wrote to memory of 268	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 1968 wrote to memory of 268	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 1968 wrote to memory of 268	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 1968 wrote to memory of 268	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	cmd.exe
PID 268 wrote to memory of 576	268	cmd.exe	timeout.exe
PID 268 wrote to memory of 576	268	cmd.exe	timeout.exe
PID 268 wrote to memory of 576	268	cmd.exe	timeout.exe
PID 268 wrote to memory of 576	268	cmd.exe	timeout.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 584	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
PID 1968 wrote to memory of 992	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	WerFault.exe
PID 1968 wrote to memory of 992	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	WerFault.exe
PID 1968 wrote to memory of 992	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	WerFault.exe
PID 1968 wrote to memory of 992	1968	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	WerFault.exe
PID 584 wrote to memory of 1132	584	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	WScript.exe
PID 584 wrote to memory of 1132	584	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	WScript.exe
PID 584 wrote to memory of 1132	584	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	WScript.exe
PID 584 wrote to memory of 1132	584	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe	WScript.exe
PID 1132 wrote to memory of 1068	1132	WScript.exe	cmd.exe
PID 1132 wrote to memory of 1068	1132	WScript.exe	cmd.exe
PID 1132 wrote to memory of 1068	1132	WScript.exe	cmd.exe
PID 1132 wrote to memory of 1068	1132	WScript.exe	cmd.exe
PID 1068 wrote to memory of 1856	1068	cmd.exe	vlc.exe
PID 1068 wrote to memory of 1856	1068	cmd.exe	vlc.exe
PID 1068 wrote to memory of 1856	1068	cmd.exe	vlc.exe
PID 1068 wrote to memory of 1856	1068	cmd.exe	vlc.exe
PID 1856 wrote to memory of 1120	1856	vlc.exe	cmd.exe
PID 1856 wrote to memory of 1120	1856	vlc.exe	cmd.exe
PID 1856 wrote to memory of 1120	1856	vlc.exe	cmd.exe
PID 1856 wrote to memory of 1120	1856	vlc.exe	cmd.exe
PID 1120 wrote to memory of 1596	1120	cmd.exe	timeout.exe
PID 1120 wrote to memory of 1596	1120	cmd.exe	timeout.exe
PID 1120 wrote to memory of 1596	1120	cmd.exe	timeout.exe
PID 1120 wrote to memory of 1596	1120	cmd.exe	timeout.exe
PID 1856 wrote to memory of 1696	1856	vlc.exe	cmd.exe
PID 1856 wrote to memory of 1696	1856	vlc.exe	cmd.exe
PID 1856 wrote to memory of 1696	1856	vlc.exe	cmd.exe
PID 1856 wrote to memory of 1696	1856	vlc.exe	cmd.exe
PID 1696 wrote to memory of 1172	1696	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:576

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\vlc.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Roaming\vlc.exe
C:\Users\Admin\AppData\Roaming\vlc.exe
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
PID:532

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:576

C:\Users\Admin\AppData\Roaming\vlc.exe
"C:\Users\Admin\AppData\Roaming\vlc.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 936
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
0fd303b21c1a43c6a9078e6f5280ca85

SHA1
0db8f1ae34f4e2e72184e337951fde826c0bd26f

SHA256
5d8c6cfdf8fc198c4fd279487e5c1620ece89e39781c6337f4cb5e111e606ddc

SHA512
be4cdd48940bead0274c7cf08abd9bc75b5db468159cbf883198712d0bb15ad81a069638c628eba62237cfa0a197f845c0d9e1f4727c9608a8d642f7aba38671

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe
MD5
33c35598a22a81d9d62986a910bc4d46

SHA1
9177c4636517c04dad78521286ffe8928b3c8672

SHA256
0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

SHA512
4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe
MD5
33c35598a22a81d9d62986a910bc4d46

SHA1
9177c4636517c04dad78521286ffe8928b3c8672

SHA256
0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

SHA512
4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe
MD5
33c35598a22a81d9d62986a910bc4d46

SHA1
9177c4636517c04dad78521286ffe8928b3c8672

SHA256
0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

SHA512
4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe
MD5
33c35598a22a81d9d62986a910bc4d46

SHA1
9177c4636517c04dad78521286ffe8928b3c8672

SHA256
0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

SHA512
4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe
MD5
33c35598a22a81d9d62986a910bc4d46

SHA1
9177c4636517c04dad78521286ffe8928b3c8672

SHA256
0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

SHA512
4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

Download Submit
memory/268-11-0x0000000000000000-mapping.dmp

Download
memory/532-39-0x0000000000000000-mapping.dmp

Download
memory/576-12-0x0000000000000000-mapping.dmp

Download
memory/576-40-0x0000000000000000-mapping.dmp

Download
memory/584-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/584-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/584-14-0x0000000000413FA4-mapping.dmp

Download
memory/584-15-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/792-9-0x0000000000000000-mapping.dmp

Download
memory/992-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/992-18-0x0000000002250000-0x0000000002261000-memory.dmp

Filesize
68KB

Download
memory/992-16-0x0000000000000000-mapping.dmp

Download
memory/1068-23-0x0000000000000000-mapping.dmp

Download
memory/1100-10-0x0000000000000000-mapping.dmp

Download
memory/1120-34-0x0000000000000000-mapping.dmp

Download
memory/1132-24-0x00000000028F0000-0x00000000028F4000-memory.dmp

Filesize
16KB

Download
memory/1132-17-0x0000000000000000-mapping.dmp

Download
memory/1172-38-0x0000000000000000-mapping.dmp

Download
memory/1220-45-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1220-42-0x0000000000413FA4-mapping.dmp

Download
memory/1596-35-0x0000000000000000-mapping.dmp

Download
memory/1656-8-0x0000000000000000-mapping.dmp

Download
memory/1696-37-0x0000000000000000-mapping.dmp

Download
memory/1700-7-0x0000000000000000-mapping.dmp

Download
memory/1856-31-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1856-36-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1856-30-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/1856-28-0x0000000000000000-mapping.dmp

Download
memory/1968-6-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1968-5-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/1968-3-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1968-2-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads