remcos | 0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148

General

Target

4d83e58ab22eda61302b755a827ffa57.exe
Size

1.2MB
MD5

4d83e58ab22eda61302b755a827ffa57
SHA1

e1bfd5c9493aac048af6a03d2003abdfbf64d31c
SHA256

0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148
SHA512

bdb653eab74b49f31c4e9519c0812fb60d6cbd78e982deda74a2a5254140cb7e439bc944faef0daae8917df4918def18ceb02683741f742b39653022ebd99d3a
SSDEEP

24576:QwqpTiwAAgEEY4+FsS9ous35qIw9L7Zl1V3fWGKso5KF9Qgs:ATQp+GZJ/w9Ln1VnzuU9Qgs

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.139.105.174:3111

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XI5CH7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1552 remcos.exe
584 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2032 cmd.exe

pid	process
1552	remcos.exe
584	remcos.exe

pid	process
2032	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exe4d83e58ab22eda61302b755a827ffa57.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	4d83e58ab22eda61302b755a827ffa57.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	4d83e58ab22eda61302b755a827ffa57.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	4d83e58ab22eda61302b755a827ffa57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	4d83e58ab22eda61302b755a827ffa57.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

4d83e58ab22eda61302b755a827ffa57.exeremcos.exeremcos.exe

description	pid	process	target process
PID 1392 set thread context of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1552 set thread context of 584	1552	remcos.exe	remcos.exe
PID 584 set thread context of 1972	584	remcos.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FE37B91-71DE-11ED-99B1-EA25B6F29539} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

remcos.exe

pid process

584 remcos.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

880 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

880 iexplore.exe
880 iexplore.exe
1000 IEXPLORE.EXE
1000 IEXPLORE.EXE
1000 IEXPLORE.EXE
1000 IEXPLORE.EXE

pid	process
584	remcos.exe

pid	process
880	iexplore.exe

pid	process
880	iexplore.exe
880	iexplore.exe
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

4d83e58ab22eda61302b755a827ffa57.exe4d83e58ab22eda61302b755a827ffa57.exeWScript.execmd.exeremcos.exeremcos.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 1392 wrote to memory of 2044	1392	4d83e58ab22eda61302b755a827ffa57.exe	4d83e58ab22eda61302b755a827ffa57.exe
PID 2044 wrote to memory of 1932	2044	4d83e58ab22eda61302b755a827ffa57.exe	WScript.exe
PID 2044 wrote to memory of 1932	2044	4d83e58ab22eda61302b755a827ffa57.exe	WScript.exe
PID 2044 wrote to memory of 1932	2044	4d83e58ab22eda61302b755a827ffa57.exe	WScript.exe
PID 2044 wrote to memory of 1932	2044	4d83e58ab22eda61302b755a827ffa57.exe	WScript.exe
PID 1932 wrote to memory of 2032	1932	WScript.exe	cmd.exe
PID 1932 wrote to memory of 2032	1932	WScript.exe	cmd.exe
PID 1932 wrote to memory of 2032	1932	WScript.exe	cmd.exe
PID 1932 wrote to memory of 2032	1932	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1552	2032	cmd.exe	remcos.exe
PID 2032 wrote to memory of 1552	2032	cmd.exe	remcos.exe
PID 2032 wrote to memory of 1552	2032	cmd.exe	remcos.exe
PID 2032 wrote to memory of 1552	2032	cmd.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 1552 wrote to memory of 584	1552	remcos.exe	remcos.exe
PID 584 wrote to memory of 1972	584	remcos.exe	iexplore.exe
PID 584 wrote to memory of 1972	584	remcos.exe	iexplore.exe
PID 584 wrote to memory of 1972	584	remcos.exe	iexplore.exe
PID 584 wrote to memory of 1972	584	remcos.exe	iexplore.exe
PID 584 wrote to memory of 1972	584	remcos.exe	iexplore.exe
PID 1972 wrote to memory of 880	1972	iexplore.exe	iexplore.exe
PID 1972 wrote to memory of 880	1972	iexplore.exe	iexplore.exe
PID 1972 wrote to memory of 880	1972	iexplore.exe	iexplore.exe
PID 1972 wrote to memory of 880	1972	iexplore.exe	iexplore.exe
PID 880 wrote to memory of 1000	880	iexplore.exe	IEXPLORE.EXE
PID 880 wrote to memory of 1000	880	iexplore.exe	IEXPLORE.EXE
PID 880 wrote to memory of 1000	880	iexplore.exe	IEXPLORE.EXE
PID 880 wrote to memory of 1000	880	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\4d83e58ab22eda61302b755a827ffa57.exe
"C:\Users\Admin\AppData\Local\Temp\4d83e58ab22eda61302b755a827ffa57.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\4d83e58ab22eda61302b755a827ffa57.exe
"C:\Users\Admin\AppData\Local\Temp\4d83e58ab22eda61302b755a827ffa57.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fybsyvmovphykzlbtxirzbeeuylar.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1552

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:584

\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
8⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:880 CREDAT:275457 /prefetch:2
9⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe
Filesize
1.2MB

MD5
4d83e58ab22eda61302b755a827ffa57

SHA1
e1bfd5c9493aac048af6a03d2003abdfbf64d31c

SHA256
0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148

SHA512
bdb653eab74b49f31c4e9519c0812fb60d6cbd78e982deda74a2a5254140cb7e439bc944faef0daae8917df4918def18ceb02683741f742b39653022ebd99d3a

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
1.2MB

MD5
4d83e58ab22eda61302b755a827ffa57

SHA1
e1bfd5c9493aac048af6a03d2003abdfbf64d31c

SHA256
0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148

SHA512
bdb653eab74b49f31c4e9519c0812fb60d6cbd78e982deda74a2a5254140cb7e439bc944faef0daae8917df4918def18ceb02683741f742b39653022ebd99d3a

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
1.2MB

MD5
4d83e58ab22eda61302b755a827ffa57

SHA1
e1bfd5c9493aac048af6a03d2003abdfbf64d31c

SHA256
0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148

SHA512
bdb653eab74b49f31c4e9519c0812fb60d6cbd78e982deda74a2a5254140cb7e439bc944faef0daae8917df4918def18ceb02683741f742b39653022ebd99d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fybsyvmovphykzlbtxirzbeeuylar.vbs
Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
\ProgramData\Remcos\remcos.exe
Filesize
1.2MB

MD5
4d83e58ab22eda61302b755a827ffa57

SHA1
e1bfd5c9493aac048af6a03d2003abdfbf64d31c

SHA256
0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148

SHA512
bdb653eab74b49f31c4e9519c0812fb60d6cbd78e982deda74a2a5254140cb7e439bc944faef0daae8917df4918def18ceb02683741f742b39653022ebd99d3a

Download Submit
memory/584-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/584-110-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/584-103-0x000000000043292E-mapping.dmp

Download
memory/584-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1392-59-0x0000000007F20000-0x0000000007FBE000-memory.dmp

Filesize
632KB

Download
memory/1392-54-0x0000000000260000-0x0000000000396000-memory.dmp

Filesize
1.2MB

Download
memory/1392-58-0x0000000005F60000-0x0000000006032000-memory.dmp

Filesize
840KB

Download
memory/1392-57-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/1392-56-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/1392-55-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1552-89-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download
memory/1552-87-0x0000000001350000-0x0000000001486000-memory.dmp

Filesize
1.2MB

Download
memory/1552-85-0x0000000000000000-mapping.dmp

Download
memory/1932-78-0x0000000000000000-mapping.dmp

Download
memory/1972-109-0x00000000003E1ADE-mapping.dmp

Download
memory/2032-82-0x0000000000000000-mapping.dmp

Download
memory/2044-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-73-0x000000000043292E-mapping.dmp

Download
memory/2044-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads