remcos | f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b

General

Target

f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
Size

908KB
MD5

0a91b0a960e1cb925434f0ded97e30b7
SHA1

ea0ed432c0cdb5f86cde1b17850a77b68ad71af4
SHA256

f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b
SHA512

37d4fbd29f3a5b274545f4864f9005b814410e35abc94c106e433ecd5c403a230eb2ca38d1d20aaa1f29ad0fbef5997c0c0cae37c2237b165e2eb5778dd2f7e4
SSDEEP

24576:Mo7x/alQteiW/C+sHTTPrCehcxQv4Zj6CSy:Mc/zhWK+vC4ZIy

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

206.189.218.238:4782

206.189.218.238:2286

206.189.218.238:3363

206.189.218.238:3386

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NJK093
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2168 powershell.exe
2172 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

2840 remcos.exe
1528 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe

pid process

2904 f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe

pid	process
2168	powershell.exe
2172	powershell.exe

pid	process
2840	remcos.exe
1528	remcos.exe

pid	process
2904	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

remcos.exef57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exeremcos.exe

description	pid	process	target process
PID 2272 set thread context of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2840 set thread context of 1528	2840	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

remcos.exeschtasks.exepowershell.exeremcos.exef57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exepowershell.exeschtasks.exef57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2772 schtasks.exe
2244 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2168 powershell.exe
2172 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2168 powershell.exe
Token: SeDebugPrivilege 2172 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1528 remcos.exe

pid	process
2772	schtasks.exe
2244	schtasks.exe

pid	process
2168	powershell.exe
2172	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe

pid	process
1528	remcos.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exef57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exeremcos.exe

description	pid	process	target process
PID 2272 wrote to memory of 2168	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	powershell.exe
PID 2272 wrote to memory of 2168	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	powershell.exe
PID 2272 wrote to memory of 2168	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	powershell.exe
PID 2272 wrote to memory of 2168	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	powershell.exe
PID 2272 wrote to memory of 2772	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	schtasks.exe
PID 2272 wrote to memory of 2772	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	schtasks.exe
PID 2272 wrote to memory of 2772	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	schtasks.exe
PID 2272 wrote to memory of 2772	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	schtasks.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2272 wrote to memory of 2904	2272	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
PID 2904 wrote to memory of 2840	2904	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	remcos.exe
PID 2904 wrote to memory of 2840	2904	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	remcos.exe
PID 2904 wrote to memory of 2840	2904	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	remcos.exe
PID 2904 wrote to memory of 2840	2904	f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe	remcos.exe
PID 2840 wrote to memory of 2172	2840	remcos.exe	powershell.exe
PID 2840 wrote to memory of 2172	2840	remcos.exe	powershell.exe
PID 2840 wrote to memory of 2172	2840	remcos.exe	powershell.exe
PID 2840 wrote to memory of 2172	2840	remcos.exe	powershell.exe
PID 2840 wrote to memory of 2244	2840	remcos.exe	schtasks.exe
PID 2840 wrote to memory of 2244	2840	remcos.exe	schtasks.exe
PID 2840 wrote to memory of 2244	2840	remcos.exe	schtasks.exe
PID 2840 wrote to memory of 2244	2840	remcos.exe	schtasks.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe
PID 2840 wrote to memory of 1528	2840	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
"C:\Users\Admin\AppData\Local\Temp\f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wGvcmEX.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wGvcmEX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA110.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe
  "C:\Users\Admin\AppData\Local\Temp\f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wGvcmEX.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2172
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wGvcmEX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp28A6.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2244
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
144B

MD5
478c984ea2b8b19f63b9f3186a2a71bc

SHA1
995671e5a1c8740697a6726c329dff9538296de1

SHA256
0f2cf33bff64870f11af716992209e74459bb58624564e9727ae35df3c76b6b3

SHA512
1d3b420f63761984d39fdad382aaaac18ac14eb213fd5fc6065819549bd592aa23cfd8b0aaf11e485138be5a62079a350658b85ae4de65ad3efaca7183df2766

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
908KB

MD5
0a91b0a960e1cb925434f0ded97e30b7

SHA1
ea0ed432c0cdb5f86cde1b17850a77b68ad71af4

SHA256
f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b

SHA512
37d4fbd29f3a5b274545f4864f9005b814410e35abc94c106e433ecd5c403a230eb2ca38d1d20aaa1f29ad0fbef5997c0c0cae37c2237b165e2eb5778dd2f7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA110.tmp

Filesize
1KB

MD5
525024d19d4abe6ff9902ec77d1de173

SHA1
83e9a73c10faa2cc901030eea3524e6758d151ff

SHA256
612a65da10a0960e39150e8889e4932d99dedfd6f6a53806ed61bfb7e5973d05

SHA512
e56014e316c49a20ab9257b294752cdc8a11eba897567c845551ea7474873116de8be207faed84a2556e5ce8ac360e939bb70aa6c6ab776fa9380b5f9ff20725

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X1ZK9NFAQNKOFLTVQODL.temp

Filesize
7KB

MD5
5ca32abc2d988961962b0b7ac832101a

SHA1
4bdaf4a70b4a336d425f453cf4572ea97af749d5

SHA256
ba27c39b42e56ff5ff3b4637ac57f06b2ede61f4e020e7cdb94e26a05ed3e34a

SHA512
0d565e1c1a1eec875d22a5fd33f1a5731eb018672f13fbb7faad18abe4bb4b86d7ff5b8b5af277b8b06fa8d5a125f2cbaa755b166b743ad289235728c40e54ee

Download Submit
memory/1528-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1528-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-5-0x0000000004D90000-0x0000000004E54000-memory.dmp

Filesize
784KB

Download
memory/2272-31-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2272-2-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2272-1-0x0000000000CD0000-0x0000000000DBA000-memory.dmp

Filesize
936KB

Download
memory/2272-4-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2272-3-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2272-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/2840-38-0x00000000010B0000-0x000000000119A000-memory.dmp

Filesize
936KB

Download
memory/2840-41-0x0000000005BD0000-0x0000000005C94000-memory.dmp

Filesize
784KB

Download
memory/2904-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads