remcos | 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56

General

Target

0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
Size

1.0MB
MD5

0be2f1c22f5916d0cdb44ebccc39e18c
SHA1

731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec
SHA256

0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56
SHA512

2e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5
SSDEEP

12288:EOvtwqTEXNkYIYt8+jmfimuZNXO9YM4Dg9Ni8zr0HCUGFiFRSFGM8Ji9up4XyopP:XwqQKYIYW6+18tOqMQcNKF3H2eqiGs

Score

10^/10

remcos eric-host collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Eric-Host

C2

craigjonson91211.freedynamicdns.net:2011

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
wee.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-3CS7D1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
qos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2868-164-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/4804-165-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/4804-167-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2868-164-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/4804-165-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/4804-167-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

wee.exewee.exewee.exewee.exewee.exe

pid process

804 wee.exe
1124 wee.exe
4804 wee.exe
2868 wee.exe
4584 wee.exe

pid	process
804	wee.exe
1124	wee.exe
4804	wee.exe
2868	wee.exe
4584	wee.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

wee.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wee.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exewee.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	wee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	wee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	wee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	wee.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exewee.exewee.exe

description	pid	process	target process
PID 4832 set thread context of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 804 set thread context of 1124	804	wee.exe	wee.exe
PID 1124 set thread context of 4804	1124	wee.exe	wee.exe
PID 1124 set thread context of 2868	1124	wee.exe	wee.exe
PID 1124 set thread context of 4584	1124	wee.exe	wee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3384 4584 WerFault.exe wee.exe

pid	pid_target	process	target process
3384	4584	WerFault.exe	wee.exe

Modifies registry class 1 IoCs

Processes:

0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wee.exe

pid process

4804 wee.exe
4804 wee.exe
4804 wee.exe
4804 wee.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

wee.exe

pid process

1124 wee.exe
1124 wee.exe
1124 wee.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wee.exe

pid process

1124 wee.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

wee.exe

pid process

4584 wee.exe

pid	process
4804	wee.exe
4804	wee.exe
4804	wee.exe
4804	wee.exe

pid	process
1124	wee.exe
1124	wee.exe
1124	wee.exe

pid	process
1124	wee.exe

pid	process
4584	wee.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exeWScript.execmd.exewee.exewee.exe

description	pid	process	target process
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 4832 wrote to memory of 3380	4832	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
PID 3380 wrote to memory of 4740	3380	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	WScript.exe
PID 3380 wrote to memory of 4740	3380	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	WScript.exe
PID 3380 wrote to memory of 4740	3380	0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe	WScript.exe
PID 4740 wrote to memory of 3712	4740	WScript.exe	cmd.exe
PID 4740 wrote to memory of 3712	4740	WScript.exe	cmd.exe
PID 4740 wrote to memory of 3712	4740	WScript.exe	cmd.exe
PID 3712 wrote to memory of 804	3712	cmd.exe	wee.exe
PID 3712 wrote to memory of 804	3712	cmd.exe	wee.exe
PID 3712 wrote to memory of 804	3712	cmd.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 804 wrote to memory of 1124	804	wee.exe	wee.exe
PID 1124 wrote to memory of 4804	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 4804	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 4804	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 4804	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 2868	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 2868	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 2868	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 2868	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 4584	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 4584	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 4584	1124	wee.exe	wee.exe
PID 1124 wrote to memory of 4584	1124	wee.exe	wee.exe

C:\Users\Admin\AppData\Local\Temp\0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
"C:\Users\Admin\AppData\Local\Temp\0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
"C:\Users\Admin\AppData\Local\Temp\0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ytgytb.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\wee.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Roaming\wee.exe
C:\Users\Admin\AppData\Roaming\wee.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Roaming\wee.exe
"C:\Users\Admin\AppData\Roaming\wee.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Roaming\wee.exe
C:\Users\Admin\AppData\Roaming\wee.exe /stext "C:\Users\Admin\AppData\Local\Temp\rbgwe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4804

C:\Users\Admin\AppData\Roaming\wee.exe
C:\Users\Admin\AppData\Roaming\wee.exe /stext "C:\Users\Admin\AppData\Local\Temp\beuofqwxj"
7⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:2868

C:\Users\Admin\AppData\Roaming\wee.exe
C:\Users\Admin\AppData\Roaming\wee.exe /stext "C:\Users\Admin\AppData\Local\Temp\myzhgihrxvki"
7⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 12
8⤵
- Program crash
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4584 -ip 4584
1⤵
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rbgwe
Filesize
4KB

MD5
952a930b9fe70f809a67cb4e765c9448

SHA1
7e6c235246cc1be14d8a01ee7688a2a2471d44c9

SHA256
bd8156713974af3003c418302d3647fa84f62836fe83613c05e8bc40cb06a867

SHA512
10d12f2412fd2cb9ecf47cccd0261b17d9a3323957602c06795c4b2244306837d0a979ec6e552dc023ee81719ebcb9455bdb6f9d44f07788664994d1498452fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytgytb.vbs
Filesize
398B

MD5
f1536fc12b615b3b046757ce09cc2b41

SHA1
c67cacdb7dd2a1aa58ec9d2f554a831935fea0a2

SHA256
c03a7b60b1a4a6d06dbe6d1fc3444f68a64e1b9e48e1967b60003b0b02c78502

SHA512
39d0bfce41381099628b3d7f184c0aa49a98a9eef90da3b4be953530f3115bb4b72f871c6cf5026cce8d760b088865b63bbab3d8911d3e4513855712a3062207

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.0MB

MD5
0be2f1c22f5916d0cdb44ebccc39e18c

SHA1
731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec

SHA256
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56

SHA512
2e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.0MB

MD5
0be2f1c22f5916d0cdb44ebccc39e18c

SHA1
731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec

SHA256
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56

SHA512
2e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.0MB

MD5
0be2f1c22f5916d0cdb44ebccc39e18c

SHA1
731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec

SHA256
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56

SHA512
2e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.0MB

MD5
0be2f1c22f5916d0cdb44ebccc39e18c

SHA1
731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec

SHA256
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56

SHA512
2e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.0MB

MD5
0be2f1c22f5916d0cdb44ebccc39e18c

SHA1
731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec

SHA256
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56

SHA512
2e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.0MB

MD5
0be2f1c22f5916d0cdb44ebccc39e18c

SHA1
731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec

SHA256
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56

SHA512
2e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5

Download Submit
memory/804-149-0x0000000000000000-mapping.dmp

Download
memory/1124-156-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1124-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1124-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1124-152-0x0000000000000000-mapping.dmp

Download
memory/1124-168-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2868-160-0x0000000000000000-mapping.dmp

Download
memory/2868-164-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3380-146-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3380-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3380-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3380-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3380-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3380-140-0x0000000000000000-mapping.dmp

Download
memory/3712-148-0x0000000000000000-mapping.dmp

Download
memory/4584-162-0x0000000000000000-mapping.dmp

Download
memory/4740-145-0x0000000000000000-mapping.dmp

Download
memory/4804-158-0x0000000000000000-mapping.dmp

Download
memory/4804-165-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4804-167-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4832-139-0x0000000009450000-0x00000000094EC000-memory.dmp

Filesize
624KB

Download
memory/4832-138-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/4832-135-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/4832-137-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/4832-136-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads