remcos | 5f830899b3b1cb680b762b896862e87fb11e68526fda9568d1e135160014413c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixazed_20210808-071120.exe
Size

542KB
MD5

bdff95108f1380b097200f1a1063775c
SHA1

ae61a14382009adde7b63fc0d2cac23cba715dfe
SHA256

874e9527126f7470fb2482a75d1e8016f988c7ed7b417ae7e0a991e49bc094a5
SHA512

8592f307efeb628e81167f693dc85d8ed54531f9540dc6cab1d35b76546b763448cab7e38380e35c8365678f798ba1a296e72044374a82f40fe7b3157b4f02e2
SSDEEP

12288:3NfcfEpahAGNjIlJbkGaDmZ0uNEQxUbzkMbbzScgC:efSal+kG4w0uNEQxUbIp

Score

10^/10

remcos winslogon discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

winslogon

178.18.247.224:45265

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
winslogon.exe
copy_folder
sys
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
sys
keylog_path
%AppData%
mouse_option
false
mutex
winslogon-QT8NX3
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
systemp
screenshot_path
%AppData%
screenshot_time
1
startup_value
winslogon
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mixazed_20210808-071120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	mixazed_20210808-071120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winslogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	winslogon.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mixazed_20210808-071120.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
560	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	winslogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	mixazed_20210808-071120.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	winslogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	winslogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	mixazed_20210808-071120.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
4516	3464	WerFault.exe	84
1328	3464	WerFault.exe	84
5104	3464	WerFault.exe	84
3964	3464	WerFault.exe	84
4212	3464	WerFault.exe	84
1316	3464	WerFault.exe	84
4564	3464	WerFault.exe	84
828	3464	WerFault.exe	84
2240	2968	WerFault.exe	113
3772	2968	WerFault.exe	113
4936	2968	WerFault.exe	113
1648	2968	WerFault.exe	113
1500	2968	WerFault.exe	113
720	2968	WerFault.exe	113
3960	2968	WerFault.exe	113
1720	2968	WerFault.exe	113
2388	2968	WerFault.exe	113
4188	2968	WerFault.exe	113
3524	2968	WerFault.exe	113
2216	2968	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winslogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixazed_20210808-071120.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	mixazed_20210808-071120.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4396	reg.exe
4056	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2968	winslogon.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 4624	3464	mixazed_20210808-071120.exe	88
PID 3464 wrote to memory of 4624	3464	mixazed_20210808-071120.exe	88
PID 3464 wrote to memory of 4624	3464	mixazed_20210808-071120.exe	88
PID 4624 wrote to memory of 4396	4624	cmd.exe	90
PID 4624 wrote to memory of 4396	4624	cmd.exe	90
PID 4624 wrote to memory of 4396	4624	cmd.exe	90
PID 3464 wrote to memory of 560	3464	mixazed_20210808-071120.exe	106
PID 3464 wrote to memory of 560	3464	mixazed_20210808-071120.exe	106
PID 3464 wrote to memory of 560	3464	mixazed_20210808-071120.exe	106
PID 560 wrote to memory of 4480	560	WScript.exe	111
PID 560 wrote to memory of 4480	560	WScript.exe	111
PID 560 wrote to memory of 4480	560	WScript.exe	111
PID 4480 wrote to memory of 2968	4480	cmd.exe	113
PID 4480 wrote to memory of 2968	4480	cmd.exe	113
PID 4480 wrote to memory of 2968	4480	cmd.exe	113
PID 2968 wrote to memory of 800	2968	winslogon.exe	117
PID 2968 wrote to memory of 800	2968	winslogon.exe	117
PID 2968 wrote to memory of 800	2968	winslogon.exe	117
PID 800 wrote to memory of 4056	800	cmd.exe	120
PID 800 wrote to memory of 4056	800	cmd.exe	120
PID 800 wrote to memory of 4056	800	cmd.exe	120
PID 2968 wrote to memory of 2864	2968	winslogon.exe	130
PID 2968 wrote to memory of 2864	2968	winslogon.exe	130
PID 2968 wrote to memory of 2864	2968	winslogon.exe	130

C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-071120.exe
"C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-071120.exe"
1⤵
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 684
  2⤵
  - Program crash
  PID:4516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 956
  2⤵
  - Program crash
  PID:1328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1008
  2⤵
  - Program crash
  PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1140
  2⤵
  - Program crash
  PID:3964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 972
  2⤵
  - Program crash
  PID:4212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1128
  2⤵
  - Program crash
  PID:1316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1188
  2⤵
  - Program crash
  PID:4564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\sys\winslogon.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Users\Admin\AppData\Roaming\sys\winslogon.exe
      C:\Users\Admin\AppData\Roaming\sys\winslogon.exe
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:800
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 632
        5⤵
        Program crash
        
        PID:2240
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 632
        5⤵
        Program crash
        
        PID:3772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 692
        5⤵
        Program crash
        
        PID:4936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 772
        5⤵
        Program crash
        
        PID:1648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 772
        5⤵
        Program crash
        
        PID:1500
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        5⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 832
        5⤵
        Program crash
        
        PID:720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 896
        5⤵
        Program crash
        
        PID:3960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 940
        5⤵
        Program crash
        
        PID:1720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 956
        5⤵
        Program crash
        
        PID:2388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1012
        5⤵
        Program crash
        
        PID:4188
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 924
        5⤵
        Program crash
        
        PID:3524
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1088
        5⤵
        Program crash
        
        PID:2216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1224
  2⤵
  - Program crash
  PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3464 -ip 3464
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3464 -ip 3464
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3464 -ip 3464
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3464 -ip 3464
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3464 -ip 3464
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3464 -ip 3464
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3464 -ip 3464
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3464 -ip 3464
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2968 -ip 2968
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2968 -ip 2968
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2968 -ip 2968
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2968 -ip 2968
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2968 -ip 2968
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2968 -ip 2968
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2968 -ip 2968
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2968 -ip 2968
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2968 -ip 2968
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2968 -ip 2968
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2968 -ip 2968
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2968 -ip 2968
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
576B

MD5
7c01e4ef9d70bfb4dd8940a38601a1aa

SHA1
f6464b830b2720844a8867d31a0cef1913334d4e

SHA256
950afb6215d6e9192f80a349f0acf3caf9b4787cb07cc96f1c47808e67e26c3a

SHA512
9614e9112453f511766b369d33a34e3af48060c2e203a35720dadd2856c323ef1debbb3978f21e9d4aac542b7fc1c0f1156d6e5125142d316a78dbd248480e9c

Download Submit
C:\Users\Admin\AppData\Roaming\sys\winslogon.exe

Filesize
542KB

MD5
bdff95108f1380b097200f1a1063775c

SHA1
ae61a14382009adde7b63fc0d2cac23cba715dfe

SHA256
874e9527126f7470fb2482a75d1e8016f988c7ed7b417ae7e0a991e49bc094a5

SHA512
8592f307efeb628e81167f693dc85d8ed54531f9540dc6cab1d35b76546b763448cab7e38380e35c8365678f798ba1a296e72044374a82f40fe7b3157b4f02e2

Download Submit
C:\Users\Admin\AppData\Roaming\systemp\time_20241110_214016.png

Filesize
431KB

MD5
fc7aeb74857b2a596967ffbde1a7a626

SHA1
88ca3b51f1f2824364f2273f90186c0407583562

SHA256
daf6badcde4c2abcebffb41e87e43fbecb5f95fda67c74a53421074b8011a4e1

SHA512
5d3b1a4d2049d638e801ed66253b876a8c6fe4f88dc2ff190f10ba9ec765737fd13530b7d040bc354ef72be968b62b558ede4e2f4706a1dcab65e778ae569250

Download Submit
memory/2968-33-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-26-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-43-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-42-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-37-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-22-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-23-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-24-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-25-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-36-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-27-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-32-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-35-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2968-34-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/3464-1-0x0000000003620000-0x0000000003720000-memory.dmp

Filesize
1024KB

Download
memory/3464-11-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3464-3-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3464-2-0x0000000003530000-0x00000000035A3000-memory.dmp

Filesize
460KB

Download
memory/3464-9-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/3464-10-0x0000000003530000-0x00000000035A3000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads