remcos | 95ede7a41b3ab0fb0b9d71d30eb506ae0c37354fd48772b0bcdc59ff7deea692

General

Target

60793dd7cdaf080ab5ba21a3c1294e32.exe
Size

1024.0MB
MD5

932f4060cc31b4dbaffa1bb6d3991c20
SHA1

989f4fb91c3a30a0789c0d61c1b8c5dad659747e
SHA256

a40084ddc1d6655c2f78365a9ef6a9b81997cfa98a6f81c8d7dfe9619ef6b853
SHA512

7bb952847d5bacff9275415ba02a6fbeb180d16b2ef23591a60f9fe302f51301d7c967af5eaa5dc9135ceb108cdf25afdf745a3875b5b0655924452d1f753ba5
SSDEEP

6144:AxjCbYJafbpsBSM/HVFku/7AGLr5lw2H3SgoXraFjvVpQ+QW8uR3OoJWwvTTZlIY:+PozpsBzkuHPgDsvELuv7ZlIgCjIDF

Score

10^/10

remcos billete rat

Malware Config

Extracted

Family

remcos

Botnet

BILLETE

C2

cactus.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9927QM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60793dd7cdaf080ab5ba21a3c1294e32.exeAppData.exeAppData.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	60793dd7cdaf080ab5ba21a3c1294e32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	AppData.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	AppData.exe

Executes dropped EXE 2 IoCs

Processes:

AppData.exeAppData.exe

pid process

1728 AppData.exe
3212 AppData.exe

pid	process
1728	AppData.exe
3212	AppData.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

60793dd7cdaf080ab5ba21a3c1294e32.exeAppData.exeAppData.exe

description	pid	process	target process
PID 2884 set thread context of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 1728 set thread context of 1780	1728	AppData.exe	csc.exe
PID 3212 set thread context of 2252	3212	AppData.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1064 1912 WerFault.exe csc.exe
3832 1780 WerFault.exe csc.exe
1908 2252 WerFault.exe csc.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4460 schtasks.exe
2324 schtasks.exe
4372 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

452 powershell.exe
452 powershell.exe
1244 powershell.exe
1244 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 452 powershell.exe
Token: SeDebugPrivilege 1244 powershell.exe

pid	pid_target	process	target process
1064	1912	WerFault.exe	csc.exe
3832	1780	WerFault.exe	csc.exe
1908	2252	WerFault.exe	csc.exe

pid	process
4460	schtasks.exe
2324	schtasks.exe
4372	schtasks.exe

pid	process
452	powershell.exe
452	powershell.exe
1244	powershell.exe
1244	powershell.exe

description	pid	process
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

60793dd7cdaf080ab5ba21a3c1294e32.execmd.exeAppData.execmd.exeAppData.execmd.exe

description	pid	process	target process
PID 2884 wrote to memory of 1152	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	cmd.exe
PID 2884 wrote to memory of 1152	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	cmd.exe
PID 2884 wrote to memory of 1152	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	cmd.exe
PID 2884 wrote to memory of 4568	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	cmd.exe
PID 2884 wrote to memory of 4568	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	cmd.exe
PID 2884 wrote to memory of 4568	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	cmd.exe
PID 1152 wrote to memory of 4460	1152	cmd.exe	schtasks.exe
PID 1152 wrote to memory of 4460	1152	cmd.exe	schtasks.exe
PID 1152 wrote to memory of 4460	1152	cmd.exe	schtasks.exe
PID 2884 wrote to memory of 452	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	powershell.exe
PID 2884 wrote to memory of 452	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	powershell.exe
PID 2884 wrote to memory of 452	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	powershell.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 2884 wrote to memory of 1912	2884	60793dd7cdaf080ab5ba21a3c1294e32.exe	csc.exe
PID 1728 wrote to memory of 2056	1728	AppData.exe	cmd.exe
PID 1728 wrote to memory of 2056	1728	AppData.exe	cmd.exe
PID 1728 wrote to memory of 2056	1728	AppData.exe	cmd.exe
PID 1728 wrote to memory of 4656	1728	AppData.exe	cmd.exe
PID 1728 wrote to memory of 4656	1728	AppData.exe	cmd.exe
PID 1728 wrote to memory of 4656	1728	AppData.exe	cmd.exe
PID 2056 wrote to memory of 2324	2056	cmd.exe	schtasks.exe
PID 2056 wrote to memory of 2324	2056	cmd.exe	schtasks.exe
PID 2056 wrote to memory of 2324	2056	cmd.exe	schtasks.exe
PID 1728 wrote to memory of 1244	1728	AppData.exe	powershell.exe
PID 1728 wrote to memory of 1244	1728	AppData.exe	powershell.exe
PID 1728 wrote to memory of 1244	1728	AppData.exe	powershell.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 1728 wrote to memory of 1780	1728	AppData.exe	csc.exe
PID 3212 wrote to memory of 3512	3212	AppData.exe	cmd.exe
PID 3212 wrote to memory of 3512	3212	AppData.exe	cmd.exe
PID 3212 wrote to memory of 3512	3212	AppData.exe	cmd.exe
PID 3212 wrote to memory of 2736	3212	AppData.exe	cmd.exe
PID 3212 wrote to memory of 2736	3212	AppData.exe	cmd.exe
PID 3212 wrote to memory of 2736	3212	AppData.exe	cmd.exe
PID 3512 wrote to memory of 4372	3512	cmd.exe	schtasks.exe
PID 3512 wrote to memory of 4372	3512	cmd.exe	schtasks.exe
PID 3512 wrote to memory of 4372	3512	cmd.exe	schtasks.exe
PID 3212 wrote to memory of 368	3212	AppData.exe	powershell.exe
PID 3212 wrote to memory of 368	3212	AppData.exe	powershell.exe
PID 3212 wrote to memory of 368	3212	AppData.exe	powershell.exe
PID 3212 wrote to memory of 2252	3212	AppData.exe	csc.exe
PID 3212 wrote to memory of 2252	3212	AppData.exe	csc.exe
PID 3212 wrote to memory of 2252	3212	AppData.exe	csc.exe
PID 3212 wrote to memory of 2252	3212	AppData.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\60793dd7cdaf080ab5ba21a3c1294e32.exe
"C:\Users\Admin\AppData\Local\Temp\60793dd7cdaf080ab5ba21a3c1294e32.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4460

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\60793dd7cdaf080ab5ba21a3c1294e32.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
2⤵
PID:4568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\60793dd7cdaf080ab5ba21a3c1294e32.exe'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 512
3⤵
- Program crash
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1912 -ip 1912
1⤵
PID:5028

C:\Users\Admin\AppData\Roaming\AppData.exe
C:\Users\Admin\AppData\Roaming\AppData.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
2⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 520
3⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1780 -ip 1780
1⤵
PID:540

C:\Users\Admin\AppData\Roaming\AppData.exe
C:\Users\Admin\AppData\Roaming\AppData.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4372

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
2⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 512
3⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
2⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2252 -ip 2252
1⤵
PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppData.exe.log
Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
3432925f79b885c6e3a32e3e68abd969

SHA1
ebf1856c4eab4ecdced80b0cabded846e72b444d

SHA256
8518db6d8e079badf4762c75cd411771509e790d73487a527d6b54a01a1817b7

SHA512
9d28ca41f46b055064db99f9973d06804688c5dbef0b7eb962da917302e30a21138faa11f46e65b1535aa732c573ae9c6dec19e8db612da8ea304f0f69da053e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
8b66728258db2c81b1f95972a4d0eba2

SHA1
80ac2f8cc8f8102a9404f1c4e374b67cbc8ef7a4

SHA256
f95b1c06b9372531dcdc5468752fef9478c18b3e1eef4ab284ff876ac6ae4e59

SHA512
890a68e23d194566b175a570e73d9d4b4c03b2ce336472b31152c6f764e4ffe8cd807cccd3ca02e11e85bd1e68bfef8c4eaabb2aede365e15ee52a2bd0467538

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1addmgd.xfb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe
Filesize
441.9MB

MD5
069b64df8e782c7b55ab3e93f40cff48

SHA1
c267dbb770ffdb9fe26d3a6cb6965d11bb2a8bf4

SHA256
e392c41e4a77903b24603cb5319518ed278bf56b9fc8728089d12b054f815b39

SHA512
55f358ec843745f8936701ad16d64f89997d394ae80310ea90c40ba863872a165f51ec0e27b868e7fb880360d2960f7ecabed04c9bf0ce37f79f63111d4c077e

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe
Filesize
445.1MB

MD5
c5f8d10a757fa8e0e1250b47c58ed577

SHA1
23a20846853c9d9f54abd9facdcef142fc8b123e

SHA256
ec2786e3a5e2348a09355c00dcaa9195910bf7a73f667d4878a1edcfb5c49e9d

SHA512
f85c7e906fddb9dadf6865c576194abe7eea82c8256cfc217e2cb0b38b856bd5e30389185a5d0dd3273b6525b543bf48024c545f639aa93a9e109cca69761920

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe
Filesize
113.8MB

MD5
d0ffa719816cc30d7efac35c503e24a3

SHA1
6b4d6e9a805e69d82b4897e7774289f4ab61f629

SHA256
e76251627043bc7815672d2a6a2c81d65273e492f6df2ef85d55c348b066f84c

SHA512
b506f2be76e87c0a23765488d4cf02a5a8cb63bd15b9794f2d8325ed2ce9fd8fda84ad748ad8c8fa9854f6df3a6a27971d13cef5ae007e64bac04deadfd00169

Download Submit
memory/368-258-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/368-257-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/368-259-0x0000000072F20000-0x0000000072F6C000-memory.dmp

Filesize
304KB

Download
memory/368-269-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/368-270-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/452-186-0x0000000007710000-0x000000000771E000-memory.dmp

Filesize
56KB

Download
memory/452-184-0x0000000007550000-0x000000000755A000-memory.dmp

Filesize
40KB

Download
memory/452-168-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/452-169-0x0000000006770000-0x00000000067A2000-memory.dmp

Filesize
200KB

Download
memory/452-170-0x000000006FB80000-0x000000006FBCC000-memory.dmp

Filesize
304KB

Download
memory/452-180-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/452-181-0x0000000007B90000-0x000000000820A000-memory.dmp

Filesize
6.5MB

Download
memory/452-182-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/452-183-0x000000007EF80000-0x000000007EF90000-memory.dmp

Filesize
64KB

Download
memory/452-167-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/452-185-0x0000000007740000-0x00000000077D6000-memory.dmp

Filesize
600KB

Download
memory/452-137-0x0000000004BF0000-0x0000000004C26000-memory.dmp

Filesize
216KB

Download
memory/452-187-0x0000000007810000-0x000000000782A000-memory.dmp

Filesize
104KB

Download
memory/452-188-0x0000000007800000-0x0000000007808000-memory.dmp

Filesize
32KB

Download
memory/452-138-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/452-157-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/452-139-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/452-140-0x0000000005360000-0x0000000005988000-memory.dmp

Filesize
6.2MB

Download
memory/452-144-0x0000000005110000-0x0000000005132000-memory.dmp

Filesize
136KB

Download
memory/452-155-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/1244-231-0x000000007F950000-0x000000007F960000-memory.dmp

Filesize
64KB

Download
memory/1244-209-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1244-210-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1244-220-0x0000000074F00000-0x0000000074F4C000-memory.dmp

Filesize
304KB

Download
memory/1244-230-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1780-200-0x0000000000610000-0x0000000000690000-memory.dmp

Filesize
512KB

Download
memory/1780-206-0x0000000000610000-0x0000000000690000-memory.dmp

Filesize
512KB

Download
memory/1912-142-0x0000000000600000-0x0000000000680000-memory.dmp

Filesize
512KB

Download
memory/1912-150-0x0000000000600000-0x0000000000680000-memory.dmp

Filesize
512KB

Download
memory/1912-156-0x0000000000600000-0x0000000000680000-memory.dmp

Filesize
512KB

Download
memory/2252-246-0x0000000000610000-0x0000000000690000-memory.dmp

Filesize
512KB

Download
memory/2884-146-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/2884-191-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/2884-133-0x0000000000990000-0x0000000000AC2000-memory.dmp

Filesize
1.2MB

Download
memory/2884-134-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads