remcos | 9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f

General

Target

ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Size

782KB
MD5

ccb20ed4f2e000c0dfea6ffa34bda6b4
SHA1

80f1c218c9a4f006ac26d03d834eaa90ebcf4a5d
SHA256

9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f
SHA512

188481f6ae3b706d0c73bb137f9d86af7b2a43d43bc55280d06a5caaaa360f1dcbd240da8bcd18f9b2738a26910e2ff559db3fdfcaed13cca947200196bfc10e

Score

10^/10

remcos wechatx evasion persistence rat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

wechatx

C2

grace.adds-only.xyz:1619

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
wechatx.exe
copy_folder
wechat
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
wechatxl
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-79O72O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
wechat
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 3 IoCs

Processes:

wechatx.exewechatx.exewechatx.exe

pid process

1992 wechatx.exe
964 wechatx.exe
1336 wechatx.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

pid	process
1992	wechatx.exe
964	wechatx.exe
1336	wechatx.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.exewechatx.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wechatx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wechatx.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

652 cmd.exe

pid	process
652	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wechatx.execcb20ed4f2e000c0dfea6ffa34bda6b4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\wechat = "\"C:\\Users\\Admin\\AppData\\Roaming\\wechat\\wechatx.exe\""	wechatx.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\wechat = "\"C:\\Users\\Admin\\AppData\\Roaming\\wechat\\wechatx.exe\""	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\	wechatx.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wechatx.execcb20ed4f2e000c0dfea6ffa34bda6b4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wechatx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wechatx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.exewechatx.exe

description	pid	process	target process
PID 268 set thread context of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 1992 set thread context of 1336	1992	wechatx.exe	wechatx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

676 schtasks.exe
1028 schtasks.exe

pid	process
676	schtasks.exe
1028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.exepowershell.exewechatx.exepowershell.exe

pid	process
268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
908	powershell.exe
1992	wechatx.exe
1992	wechatx.exe
1992	wechatx.exe
1384	powershell.exe
1992	wechatx.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.exepowershell.exewechatx.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1992	wechatx.exe
Token: SeDebugPrivilege	1384	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wechatx.exe

pid process

1336 wechatx.exe

pid	process
1336	wechatx.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.execcb20ed4f2e000c0dfea6ffa34bda6b4.exeWScript.execmd.exewechatx.exe

description	pid	process	target process
PID 268 wrote to memory of 908	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	powershell.exe
PID 268 wrote to memory of 908	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	powershell.exe
PID 268 wrote to memory of 908	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	powershell.exe
PID 268 wrote to memory of 908	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	powershell.exe
PID 268 wrote to memory of 676	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	schtasks.exe
PID 268 wrote to memory of 676	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	schtasks.exe
PID 268 wrote to memory of 676	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	schtasks.exe
PID 268 wrote to memory of 676	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	schtasks.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 268 wrote to memory of 1476	268	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 1476 wrote to memory of 1760	1476	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	WScript.exe
PID 1476 wrote to memory of 1760	1476	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	WScript.exe
PID 1476 wrote to memory of 1760	1476	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	WScript.exe
PID 1476 wrote to memory of 1760	1476	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	WScript.exe
PID 1760 wrote to memory of 652	1760	WScript.exe	cmd.exe
PID 1760 wrote to memory of 652	1760	WScript.exe	cmd.exe
PID 1760 wrote to memory of 652	1760	WScript.exe	cmd.exe
PID 1760 wrote to memory of 652	1760	WScript.exe	cmd.exe
PID 652 wrote to memory of 1992	652	cmd.exe	wechatx.exe
PID 652 wrote to memory of 1992	652	cmd.exe	wechatx.exe
PID 652 wrote to memory of 1992	652	cmd.exe	wechatx.exe
PID 652 wrote to memory of 1992	652	cmd.exe	wechatx.exe
PID 1992 wrote to memory of 1384	1992	wechatx.exe	powershell.exe
PID 1992 wrote to memory of 1384	1992	wechatx.exe	powershell.exe
PID 1992 wrote to memory of 1384	1992	wechatx.exe	powershell.exe
PID 1992 wrote to memory of 1384	1992	wechatx.exe	powershell.exe
PID 1992 wrote to memory of 1028	1992	wechatx.exe	schtasks.exe
PID 1992 wrote to memory of 1028	1992	wechatx.exe	schtasks.exe
PID 1992 wrote to memory of 1028	1992	wechatx.exe	schtasks.exe
PID 1992 wrote to memory of 1028	1992	wechatx.exe	schtasks.exe
PID 1992 wrote to memory of 964	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 964	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 964	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 964	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe
PID 1992 wrote to memory of 1336	1992	wechatx.exe	wechatx.exe

C:\Users\Admin\AppData\Local\Temp\ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
"C:\Users\Admin\AppData\Local\Temp\ccb20ed4f2e000c0dfea6ffa34bda6b4.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ccb20ed4f2e000c0dfea6ffa34bda6b4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nQrtksOG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AF3.tmp"
2⤵
- Creates scheduled task(s)
PID:676

C:\Users\Admin\AppData\Local\Temp\ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
"C:\Users\Admin\AppData\Local\Temp\ccb20ed4f2e000c0dfea6ffa34bda6b4.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nQrtksOG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF622.tmp"
6⤵
- Creates scheduled task(s)
PID:1028

C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
"C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe"
6⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
"C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
ab86ba60a3af3f9b667a82309e8f60f3

SHA1
5c72c146abf9f24dbebeb28881e5e9b81479389a

SHA256
0419f5c951fc273722b580ffd350fce4d73d01eb42f2a5a80cf51c7f4b41b205

SHA512
1d78bfdb61d1de007578aa6c363da2dc90d11d7c7b98695f31cd985ef915729bf493bb418088fc36524a3bbdc2f897752debf10be900be913bdbfa153041d716

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
f889dc6dd8115ccfe1bef8c2d7da5fed

SHA1
74277d3a4c489b3f1168afacff900e740b9ac69a

SHA256
684a8a3f4a45064b2c530f3775e668d6d4071cc57bc64249f7ee2389346a14b5

SHA512
770024b6d6fcf3a0ee80b8ded62e5f2ee6420c4adc98029bf0bce1a591d21dc8ae73ca183b28b117e8951dad276bf2d152d2be1f4f9f7821e1e64a84fe699a3e

Download Submit
C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
MD5
ccb20ed4f2e000c0dfea6ffa34bda6b4

SHA1
80f1c218c9a4f006ac26d03d834eaa90ebcf4a5d

SHA256
9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f

SHA512
188481f6ae3b706d0c73bb137f9d86af7b2a43d43bc55280d06a5caaaa360f1dcbd240da8bcd18f9b2738a26910e2ff559db3fdfcaed13cca947200196bfc10e

Download Submit
C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
MD5
ccb20ed4f2e000c0dfea6ffa34bda6b4

SHA1
80f1c218c9a4f006ac26d03d834eaa90ebcf4a5d

SHA256
9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f

SHA512
188481f6ae3b706d0c73bb137f9d86af7b2a43d43bc55280d06a5caaaa360f1dcbd240da8bcd18f9b2738a26910e2ff559db3fdfcaed13cca947200196bfc10e

Download Submit
C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
MD5
ccb20ed4f2e000c0dfea6ffa34bda6b4

SHA1
80f1c218c9a4f006ac26d03d834eaa90ebcf4a5d

SHA256
9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f

SHA512
188481f6ae3b706d0c73bb137f9d86af7b2a43d43bc55280d06a5caaaa360f1dcbd240da8bcd18f9b2738a26910e2ff559db3fdfcaed13cca947200196bfc10e

Download Submit
C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
MD5
ccb20ed4f2e000c0dfea6ffa34bda6b4

SHA1
80f1c218c9a4f006ac26d03d834eaa90ebcf4a5d

SHA256
9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f

SHA512
188481f6ae3b706d0c73bb137f9d86af7b2a43d43bc55280d06a5caaaa360f1dcbd240da8bcd18f9b2738a26910e2ff559db3fdfcaed13cca947200196bfc10e

Download Submit
\Users\Admin\AppData\Roaming\wechat\wechatx.exe
MD5
ccb20ed4f2e000c0dfea6ffa34bda6b4

SHA1
80f1c218c9a4f006ac26d03d834eaa90ebcf4a5d

SHA256
9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f

SHA512
188481f6ae3b706d0c73bb137f9d86af7b2a43d43bc55280d06a5caaaa360f1dcbd240da8bcd18f9b2738a26910e2ff559db3fdfcaed13cca947200196bfc10e

Download Submit
memory/268-58-0x0000000005C90000-0x0000000005D24000-memory.dmp

Filesize
592KB

Download
memory/268-57-0x0000000000930000-0x0000000000937000-memory.dmp

Filesize
28KB

Download
memory/268-56-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/268-54-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/652-78-0x0000000000000000-mapping.dmp

Download
memory/676-61-0x0000000000000000-mapping.dmp

Download
memory/908-60-0x00000000768C1000-0x00000000768C3000-memory.dmp

Filesize
8KB

Download
memory/908-72-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/908-59-0x0000000000000000-mapping.dmp

Download
memory/1028-91-0x0000000000000000-mapping.dmp

Download
memory/1336-108-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1336-102-0x000000000042FC39-mapping.dmp

Download
memory/1384-106-0x0000000000491000-0x0000000000492000-memory.dmp

Filesize
4KB

Download
memory/1384-107-0x0000000000492000-0x0000000000494000-memory.dmp

Filesize
8KB

Download
memory/1384-88-0x0000000000000000-mapping.dmp

Download
memory/1384-105-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1476-64-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1476-77-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1476-68-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1476-70-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1476-71-0x000000000042FC39-mapping.dmp

Download
memory/1476-69-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1476-65-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1476-66-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1476-67-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1476-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1476-62-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1760-74-0x0000000000000000-mapping.dmp

Download
memory/1992-86-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1992-83-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1992-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads