remcos | 57f458ba299ffb24f922e3ad863f510ccdc1fd0fee44c3ab8b134186d9ddfc01

Analysis

max time kernel
153s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe
Size

1023.0MB
MD5

91e9ce49b650ce147c174a6e17001c70
SHA1

bc427a785e32378edffcd314179fc08510d8237a
SHA256

4704066f7fdf1f819c4d8a25a07dbf021a5a3e47949edfdacc10fa6d98f23225
SHA512

cfdd721244deba2c449a2af27072e43dd8475c61b1ce2fad02abb83e86c7d9c8a5d1678f2f2ece01a8f7d3d4a84b50e9a89c69417b925f7f4af9d998f7c9e178
SSDEEP

12288:75RVeIv1Jyhik2XF62YPtnsMg9t4q78cjNgT8Yz48h7UJ:9RVeIv1JygrV6XtsRVUS81UJ

Score

10^/10

remcos plata discovery rat

Malware Config

Extracted

Family

remcos

Botnet

PLATA

comercio43.con-ip.com:1835

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
data34
mouse_option
false
mutex
kiustong-7N6PEP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
3492	AppData.exe
800	AppData.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 3492 set thread context of 4580	3492	AppData.exe	98
PID 800 set thread context of 2032	800	AppData.exe	107

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4264	2032	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2184	schtasks.exe
3352	schtasks.exe
2588	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3316	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3316	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 3316	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	84
PID 1132 wrote to memory of 2756	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	85
PID 1132 wrote to memory of 2756	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	85
PID 1132 wrote to memory of 2756	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	85
PID 1132 wrote to memory of 212	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	87
PID 1132 wrote to memory of 212	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	87
PID 1132 wrote to memory of 212	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	87
PID 212 wrote to memory of 2184	212	cmd.exe	89
PID 212 wrote to memory of 2184	212	cmd.exe	89
PID 212 wrote to memory of 2184	212	cmd.exe	89
PID 1132 wrote to memory of 4636	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	90
PID 1132 wrote to memory of 4636	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	90
PID 1132 wrote to memory of 4636	1132	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	90
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4580	3492	AppData.exe	98
PID 3492 wrote to memory of 4484	3492	AppData.exe	99
PID 3492 wrote to memory of 4484	3492	AppData.exe	99
PID 3492 wrote to memory of 4484	3492	AppData.exe	99
PID 3492 wrote to memory of 5036	3492	AppData.exe	101
PID 3492 wrote to memory of 5036	3492	AppData.exe	101
PID 3492 wrote to memory of 5036	3492	AppData.exe	101
PID 5036 wrote to memory of 3352	5036	cmd.exe	103
PID 5036 wrote to memory of 3352	5036	cmd.exe	103
PID 5036 wrote to memory of 3352	5036	cmd.exe	103
PID 3492 wrote to memory of 208	3492	AppData.exe	104
PID 3492 wrote to memory of 208	3492	AppData.exe	104
PID 3492 wrote to memory of 208	3492	AppData.exe	104
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 2032	800	AppData.exe	107
PID 800 wrote to memory of 404	800	AppData.exe	108
PID 800 wrote to memory of 404	800	AppData.exe	108
PID 800 wrote to memory of 404	800	AppData.exe	108
PID 800 wrote to memory of 2496	800	AppData.exe	111

C:\Users\Admin\AppData\Local\Temp\ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3316
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4636

C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4580
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:208

C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 648
    3⤵
    - Program crash
    PID:4264
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:404
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2032 -ip 2032
1⤵
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\data34\registros.dat

Filesize
144B

MD5
13b738c423c24b9e4505aeb88bfa775d

SHA1
0818d78486e753fcdf99611697749e22d0e59bc4

SHA256
03307a5dee8f824576d44cd51e312d049f368bf33b30275e3e1ecf799fdc4521

SHA512
c9a1f68fce0ecb07d66f44d89bcf9469afd2925ebca878d6b45357a67c34a2bb9139a1a91094f3252f948d74b0c9e08d795918a4680a09d77f1818c7de346ea5

Download Submit
C:\ProgramData\data34\registros.dat

Filesize
230B

MD5
46416d2b17332c6c16dc8d32a69535fa

SHA1
acce15268089823fc1e9b4dff5eb6313d6d88b6a

SHA256
47668c67b070ab0c16c174c75c12fcbe70376837d4e1207e1604b5c0acb25ef1

SHA512
a688dc61b74eb39d72eafa7d83442332557d4a00139d08dc6d5ce60c16bf893cd2b48c316a5f44a6bd37530449641c701860eb650894430cef63270dc403314e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppData.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
memory/1132-1-0x00000000008F0000-0x00000000009D6000-memory.dmp

Filesize
920KB

Download
memory/1132-2-0x00007FF962B70000-0x00007FF962D65000-memory.dmp

Filesize
2.0MB

Download
memory/1132-0-0x00007FF962B70000-0x00007FF962D65000-memory.dmp

Filesize
2.0MB

Download
memory/2032-70-0x0000000000370000-0x00000000003F2000-memory.dmp

Filesize
520KB

Download
memory/2032-69-0x0000000000370000-0x00000000003F2000-memory.dmp

Filesize
520KB

Download
memory/2032-64-0x0000000000370000-0x00000000003F2000-memory.dmp

Filesize
520KB

Download
memory/3316-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-3-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4580-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4580-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads