remcos | 09c15114a15d5569cb510bbe093d1a9dc1fc7f6dc255aa6b0ef9077156c2f6ac

Analysis

max time kernel
155s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8560d2cdf6bd8ffb30fe031081360c1f.exe
Size

1024.0MB
MD5

a832f6cf4b13db85c4e3d4a5c563800d
SHA1

af788bb64b532ad62a64af98f6eeec316efcbd72
SHA256

52e9fae2db9e0b5af5c4e28c52508a482348c085fd83e3a2d549c5d676b24470
SHA512

7ee6c7c5529ee55f642c79d1ccd160e1d8183b13edf216a9693163f9acf84c6d355dcd028c41c1f022bc1799ba8852eff30f78e3ea68fa505b606e46c08c2547
SSDEEP

12288:75RVeIv1Jyhik2XF62YPtnsMg9t4q78cjNgT8Yz48h7UJ:9RVeIv1JygrV6XtsRVUS81UJ

Score

10^/10

remcos plata discovery rat

Malware Config

Extracted

Family

remcos

Botnet

PLATA

comercio43.con-ip.com:1835

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
data34
mouse_option
false
mutex
kiustong-7N6PEP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
1504	AppData.exe
2460	AppData.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1504 set thread context of 2508	1504	AppData.exe	111
PID 2460 set thread context of 3052	2460	AppData.exe	120

Program crash 1 IoCs

pid	pid_target	Process	procid_target
752	3604	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8560d2cdf6bd8ffb30fe031081360c1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3644	schtasks.exe
1684	schtasks.exe
3528	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2508	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 3604	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	90
PID 1100 wrote to memory of 4496	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	91
PID 1100 wrote to memory of 4496	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	91
PID 1100 wrote to memory of 4496	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	91
PID 1100 wrote to memory of 1732	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	94
PID 1100 wrote to memory of 1732	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	94
PID 1100 wrote to memory of 1732	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	94
PID 1732 wrote to memory of 3644	1732	cmd.exe	97
PID 1732 wrote to memory of 3644	1732	cmd.exe	97
PID 1732 wrote to memory of 3644	1732	cmd.exe	97
PID 1100 wrote to memory of 4396	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	98
PID 1100 wrote to memory of 4396	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	98
PID 1100 wrote to memory of 4396	1100	8560d2cdf6bd8ffb30fe031081360c1f.exe	98
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 2508	1504	AppData.exe	111
PID 1504 wrote to memory of 1384	1504	AppData.exe	112
PID 1504 wrote to memory of 1384	1504	AppData.exe	112
PID 1504 wrote to memory of 1384	1504	AppData.exe	112
PID 1504 wrote to memory of 3448	1504	AppData.exe	114
PID 1504 wrote to memory of 3448	1504	AppData.exe	114
PID 1504 wrote to memory of 3448	1504	AppData.exe	114
PID 3448 wrote to memory of 1684	3448	cmd.exe	116
PID 3448 wrote to memory of 1684	3448	cmd.exe	116
PID 3448 wrote to memory of 1684	3448	cmd.exe	116
PID 1504 wrote to memory of 2324	1504	AppData.exe	117
PID 1504 wrote to memory of 2324	1504	AppData.exe	117
PID 1504 wrote to memory of 2324	1504	AppData.exe	117
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3052	2460	AppData.exe	120
PID 2460 wrote to memory of 3152	2460	AppData.exe	121
PID 2460 wrote to memory of 3152	2460	AppData.exe	121
PID 2460 wrote to memory of 3152	2460	AppData.exe	121
PID 2460 wrote to memory of 1588	2460	AppData.exe	123

C:\Users\Admin\AppData\Local\Temp\8560d2cdf6bd8ffb30fe031081360c1f.exe
"C:\Users\Admin\AppData\Local\Temp\8560d2cdf6bd8ffb30fe031081360c1f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 648
    3⤵
    - Program crash
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4496
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\8560d2cdf6bd8ffb30fe031081360c1f.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3032 /prefetch:8
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3604 -ip 3604
1⤵
PID:3112

C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1384
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2324

C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3152
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\data34\registros.dat

Filesize
144B

MD5
de11d2b4594a0425bd2891e9a66463b4

SHA1
6441434b69ee3685399828f4ade1a01a9fe080e1

SHA256
832c67788d47ae644af5ad4f133f29cbeee147c1eec8507c3f44bd0bebe6826a

SHA512
f8c52515417f0a08b51da8c94b1efdd1ae13fc021a15ffe13a2e1b5ebcaa9a7d1ef464b94c152a85deb8fc7fa00e2396a1db7fd08ce2a19fd14e67cee4808aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppData.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
memory/1100-19-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1100-1-0x0000000000F20000-0x0000000001006000-memory.dmp

Filesize
920KB

Download
memory/1100-2-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1100-0-0x000000007533E000-0x000000007533F000-memory.dmp

Filesize
4KB

Download
memory/2508-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2508-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3604-9-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/3604-15-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/3604-4-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/3604-14-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads