remcos | 8f02ecb26530c0a13b7f00020ebca144fc271fe36a5caaba1f4b3270e8e0023c

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
Size

892KB
MD5

636a54861ddd167065f294cc76fca7ba
SHA1

7e3eba28bc4b89801c91de5450aa28da5c6ff941
SHA256

8f02ecb26530c0a13b7f00020ebca144fc271fe36a5caaba1f4b3270e8e0023c
SHA512

cde7be19fc7fa841d22521a6c5ad01129ff604b2f91c1c16e0da7d91434cd962af25a39c8ab43c14915536b47d652eb2e55cf0fab5178a9553ab0f8f74833fc4
SSDEEP

24576:GgkHhAVqHxUrlWy05hMud6hHERSIhO0RDP+dB8:I2V+Ur6MIMHERSIQ0RDr

Score

10^/10

remcos remotehost collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

paygateme.net:2286

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WTDTSU
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3776-91-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/3776-95-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4816-90-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4816-93-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4816-104-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4816-90-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3776-91-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4816-93-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3776-95-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2700-101-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2700-100-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2700-102-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4816-104-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exeSecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

description	pid	process	target process
PID 1864 set thread context of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 set thread context of 4816	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 set thread context of 3776	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 set thread context of 2700	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4628 schtasks.exe

pid	process
4628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exepowershell.exeSecuriteInfo.com.Win32.PWSX-gen.22684.1131.exeSecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

pid	process
1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
1464	powershell.exe
1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
1464	powershell.exe
4816	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
4816	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
2700	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
2700	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
4816	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
4816	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

pid	process
4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exepowershell.exeSecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

description	pid	process
Token: SeDebugPrivilege	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2700	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

pid process

4280 SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exeSecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tzRVJJzEigd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tzRVJJzEigd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp609E.tmp"
2⤵
- Creates scheduled task(s)
PID:4628

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe"
2⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe"
2⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe /stext "C:\Users\Admin\AppData\Local\Temp\yoklutla"
3⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe /stext "C:\Users\Admin\AppData\Local\Temp\yoklutla"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4816

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe /stext "C:\Users\Admin\AppData\Local\Temp\jipemmvcbuy"
3⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe /stext "C:\Users\Admin\AppData\Local\Temp\jipemmvcbuy"
3⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe /stext "C:\Users\Admin\AppData\Local\Temp\jipemmvcbuy"
3⤵
- Accesses Microsoft Outlook accounts
PID:3776

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe /stext "C:\Users\Admin\AppData\Local\Temp\lcuonegvpcquhs"
3⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe /stext "C:\Users\Admin\AppData\Local\Temp\lcuonegvpcquhs"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
cad6bb30381c4e9a2772262e57ddfeef

SHA1
0ad11145e3b57573a2bbec8c63f5b76bbffe672d

SHA256
adda3c1cc0337973f8629b1430f94ed607c9ba6e068a2f02fd43ee6f2b9580df

SHA512
b797593380f5293713036743748bfa5f789c023b2491c38c9746052710b075405407fd8d1390bd6d7b8f6d6768af1c7f26894b16241d684c7891f9d7df04adbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1efcl2pu.spe.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp609E.tmp
Filesize
1KB

MD5
0a7d22d24cbdb1c02ce6899158a2e759

SHA1
d39b82ac73db64e8eb6dce38e08533fe26349e1f

SHA256
a216c572e7e5ba9ff66eb4f441673ff81e940c15e9ab3f690f04f6d80c090379

SHA512
6dbfa21f1607996720fd71023be49e1c0b9422f2bc8c56a0e300df44e6c8f76963cc3fdd22e143c78c8b0da40a0d0c444bfa00e343e601bd060204cff87173f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoklutla
Filesize
4KB

MD5
1e851ac5c5f7c5086508dddc69063a46

SHA1
ec67b2be1b676dc07b54f92b64cabaa8b5c53656

SHA256
0672c1350202839c50058ce7097f6eac6d3788bac87b932f64a6c5f75674eb04

SHA512
e532fb9a86e913de9272d2314bbbf8688e60932e5cb67b8d780a5904545df5ee3a2669b1875c687fe2aa7281198e00b74f6de0d8e3fd9bfac10b0b28b18f5019

Download Submit
memory/1464-70-0x0000000007800000-0x0000000007814000-memory.dmp

Filesize
80KB

Download
memory/1464-50-0x0000000075350000-0x000000007539C000-memory.dmp

Filesize
304KB

Download
memory/1464-71-0x0000000007900000-0x000000000791A000-memory.dmp

Filesize
104KB

Download
memory/1464-69-0x00000000077F0000-0x00000000077FE000-memory.dmp

Filesize
56KB

Download
memory/1464-68-0x00000000077C0000-0x00000000077D1000-memory.dmp

Filesize
68KB

Download
memory/1464-67-0x0000000007840000-0x00000000078D6000-memory.dmp

Filesize
600KB

Download
memory/1464-14-0x0000000002990000-0x00000000029C6000-memory.dmp

Filesize
216KB

Download
memory/1464-15-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1464-72-0x00000000078E0000-0x00000000078E8000-memory.dmp

Filesize
32KB

Download
memory/1464-18-0x0000000005370000-0x0000000005998000-memory.dmp

Filesize
6.2MB

Download
memory/1464-40-0x0000000005DB0000-0x0000000006104000-memory.dmp

Filesize
3.3MB

Download
memory/1464-19-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/1464-23-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/1464-20-0x00000000052F0000-0x0000000005312000-memory.dmp

Filesize
136KB

Download
memory/1464-66-0x0000000007630000-0x000000000763A000-memory.dmp

Filesize
40KB

Download
memory/1464-24-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/1464-65-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/1464-64-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/1464-62-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/1464-63-0x0000000007490000-0x0000000007533000-memory.dmp

Filesize
652KB

Download
memory/1464-17-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/1464-61-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/1464-60-0x0000000007260000-0x000000000727E000-memory.dmp

Filesize
120KB

Download
memory/1464-48-0x000000007EFC0000-0x000000007EFD0000-memory.dmp

Filesize
64KB

Download
memory/1464-49-0x0000000006870000-0x00000000068A2000-memory.dmp

Filesize
200KB

Download
memory/1464-43-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/1464-77-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1464-45-0x0000000006340000-0x000000000638C000-memory.dmp

Filesize
304KB

Download
memory/1864-5-0x0000000004D80000-0x0000000004D8A000-memory.dmp

Filesize
40KB

Download
memory/1864-1-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1864-6-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1864-3-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/1864-8-0x00000000062A0000-0x0000000006360000-memory.dmp

Filesize
768KB

Download
memory/1864-7-0x0000000005180000-0x000000000518C000-memory.dmp

Filesize
48KB

Download
memory/1864-37-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1864-4-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1864-2-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/1864-9-0x0000000008BD0000-0x0000000008C6C000-memory.dmp

Filesize
624KB

Download
memory/1864-0-0x00000000002E0000-0x00000000003C6000-memory.dmp

Filesize
920KB

Download
memory/2700-100-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2700-92-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2700-102-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2700-101-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2700-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3776-95-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3776-84-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3776-91-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3776-88-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4280-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-143-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-106-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4280-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-127-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-110-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4280-109-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4280-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-111-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4280-113-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4280-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-126-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4816-90-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4816-93-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4816-87-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4816-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4816-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

description	pid	process	target process
PID 1864 wrote to memory of 1464	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	powershell.exe
PID 1864 wrote to memory of 1464	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	powershell.exe
PID 1864 wrote to memory of 1464	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	powershell.exe
PID 1864 wrote to memory of 4628	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	schtasks.exe
PID 1864 wrote to memory of 4628	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	schtasks.exe
PID 1864 wrote to memory of 4628	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	schtasks.exe
PID 1864 wrote to memory of 548	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 548	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 548	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4968	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4968	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4968	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 1864 wrote to memory of 4280	1864	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 3956	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 3956	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 3956	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 4816	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 4816	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 4816	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 4816	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 3892	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 3892	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 3892	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 2104	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 2104	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 2104	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 3776	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 3776	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 3776	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 3776	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 4296	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 4296	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 4296	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 2700	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 2700	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 2700	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe
PID 4280 wrote to memory of 2700	4280	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe	SecuriteInfo.com.Win32.PWSX-gen.22684.1131.exe