remcos | 9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f

General

Target

ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Size

782KB
MD5

ccb20ed4f2e000c0dfea6ffa34bda6b4
SHA1

80f1c218c9a4f006ac26d03d834eaa90ebcf4a5d
SHA256

9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f
SHA512

188481f6ae3b706d0c73bb137f9d86af7b2a43d43bc55280d06a5caaaa360f1dcbd240da8bcd18f9b2738a26910e2ff559db3fdfcaed13cca947200196bfc10e

Score

10^/10

remcos wechatx evasion persistence rat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

wechatx

C2

grace.adds-only.xyz:1619

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
wechatx.exe
copy_folder
wechat
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
wechatxl
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-79O72O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
wechat
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

wechatx.exewechatx.exe

pid process

3576 wechatx.exe
656 wechatx.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

pid	process
3576	wechatx.exe
656	wechatx.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wechatx.execcb20ed4f2e000c0dfea6ffa34bda6b4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wechatx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wechatx.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wechatx.execcb20ed4f2e000c0dfea6ffa34bda6b4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\	wechatx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\wechat = "\"C:\\Users\\Admin\\AppData\\Roaming\\wechat\\wechatx.exe\""	wechatx.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\wechat = "\"C:\\Users\\Admin\\AppData\\Roaming\\wechat\\wechatx.exe\""	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.exewechatx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wechatx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	wechatx.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.exewechatx.exe

description	pid	process	target process
PID 2580 set thread context of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 3576 set thread context of 656	3576	wechatx.exe	wechatx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3420 schtasks.exe
3776 schtasks.exe

pid	process
3420	schtasks.exe
3776	schtasks.exe

Modifies registry class 1 IoCs

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.exepowershell.exewechatx.exepowershell.exe

pid	process
2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
1444	powershell.exe
2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
1444	powershell.exe
1444	powershell.exe
3576	wechatx.exe
2156	powershell.exe
3576	wechatx.exe
2156	powershell.exe
2156	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.exepowershell.exewechatx.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	3576	wechatx.exe
Token: SeDebugPrivilege	2156	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wechatx.exe

pid process

656 wechatx.exe

pid	process
656	wechatx.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

ccb20ed4f2e000c0dfea6ffa34bda6b4.execcb20ed4f2e000c0dfea6ffa34bda6b4.exeWScript.execmd.exewechatx.exe

description	pid	process	target process
PID 2580 wrote to memory of 1444	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	powershell.exe
PID 2580 wrote to memory of 1444	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	powershell.exe
PID 2580 wrote to memory of 1444	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	powershell.exe
PID 2580 wrote to memory of 3420	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	schtasks.exe
PID 2580 wrote to memory of 3420	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	schtasks.exe
PID 2580 wrote to memory of 3420	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	schtasks.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2580 wrote to memory of 2212	2580	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
PID 2212 wrote to memory of 1980	2212	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	WScript.exe
PID 2212 wrote to memory of 1980	2212	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	WScript.exe
PID 2212 wrote to memory of 1980	2212	ccb20ed4f2e000c0dfea6ffa34bda6b4.exe	WScript.exe
PID 1980 wrote to memory of 3964	1980	WScript.exe	cmd.exe
PID 1980 wrote to memory of 3964	1980	WScript.exe	cmd.exe
PID 1980 wrote to memory of 3964	1980	WScript.exe	cmd.exe
PID 3964 wrote to memory of 3576	3964	cmd.exe	wechatx.exe
PID 3964 wrote to memory of 3576	3964	cmd.exe	wechatx.exe
PID 3964 wrote to memory of 3576	3964	cmd.exe	wechatx.exe
PID 3576 wrote to memory of 2156	3576	wechatx.exe	powershell.exe
PID 3576 wrote to memory of 2156	3576	wechatx.exe	powershell.exe
PID 3576 wrote to memory of 2156	3576	wechatx.exe	powershell.exe
PID 3576 wrote to memory of 3776	3576	wechatx.exe	schtasks.exe
PID 3576 wrote to memory of 3776	3576	wechatx.exe	schtasks.exe
PID 3576 wrote to memory of 3776	3576	wechatx.exe	schtasks.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe
PID 3576 wrote to memory of 656	3576	wechatx.exe	wechatx.exe

C:\Users\Admin\AppData\Local\Temp\ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
"C:\Users\Admin\AppData\Local\Temp\ccb20ed4f2e000c0dfea6ffa34bda6b4.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ccb20ed4f2e000c0dfea6ffa34bda6b4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nQrtksOG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E44.tmp"
2⤵
- Creates scheduled task(s)
PID:3420

C:\Users\Admin\AppData\Local\Temp\ccb20ed4f2e000c0dfea6ffa34bda6b4.exe
"C:\Users\Admin\AppData\Local\Temp\ccb20ed4f2e000c0dfea6ffa34bda6b4.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nQrtksOG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44D.tmp"
6⤵
- Creates scheduled task(s)
PID:3776

C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
"C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
08f3a79e0110c3b3727608898e36cef8

SHA1
c43a66b1e8a6c8ca56fdae650c62198e020ab7cf

SHA256
c12361f2900de2477044b110a90ea510bc8adee2222c680da7ba37bc882bd7ff

SHA512
96adfa8a646450ac06632de97b6fa87ee75c039e3f30d383aa45116265aed4afd387f51ce7724697c2c27f8c8be113ba56cc8eae93a85edb67338e305a549fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
ab86ba60a3af3f9b667a82309e8f60f3

SHA1
5c72c146abf9f24dbebeb28881e5e9b81479389a

SHA256
0419f5c951fc273722b580ffd350fce4d73d01eb42f2a5a80cf51c7f4b41b205

SHA512
1d78bfdb61d1de007578aa6c363da2dc90d11d7c7b98695f31cd985ef915729bf493bb418088fc36524a3bbdc2f897752debf10be900be913bdbfa153041d716

Download Submit
C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
MD5
ccb20ed4f2e000c0dfea6ffa34bda6b4

SHA1
80f1c218c9a4f006ac26d03d834eaa90ebcf4a5d

SHA256
9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f

SHA512
188481f6ae3b706d0c73bb137f9d86af7b2a43d43bc55280d06a5caaaa360f1dcbd240da8bcd18f9b2738a26910e2ff559db3fdfcaed13cca947200196bfc10e

Download Submit
C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
MD5
ccb20ed4f2e000c0dfea6ffa34bda6b4

SHA1
80f1c218c9a4f006ac26d03d834eaa90ebcf4a5d

SHA256
9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f

SHA512
188481f6ae3b706d0c73bb137f9d86af7b2a43d43bc55280d06a5caaaa360f1dcbd240da8bcd18f9b2738a26910e2ff559db3fdfcaed13cca947200196bfc10e

Download Submit
C:\Users\Admin\AppData\Roaming\wechat\wechatx.exe
MD5
ccb20ed4f2e000c0dfea6ffa34bda6b4

SHA1
80f1c218c9a4f006ac26d03d834eaa90ebcf4a5d

SHA256
9cf41a9b8963753aa8d20e7f1f3ecea05f5ff876b15487682663d115a676117f

SHA512
188481f6ae3b706d0c73bb137f9d86af7b2a43d43bc55280d06a5caaaa360f1dcbd240da8bcd18f9b2738a26910e2ff559db3fdfcaed13cca947200196bfc10e

Download Submit
memory/656-414-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/656-403-0x000000000042FC39-mapping.dmp

Download
memory/1444-142-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/1444-180-0x00000000043E3000-0x00000000043E4000-memory.dmp

Filesize
4KB

Download
memory/1444-127-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1444-126-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1444-128-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1444-129-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1444-130-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/1444-179-0x000000007F330000-0x000000007F331000-memory.dmp

Filesize
4KB

Download
memory/1444-132-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/1444-176-0x0000000009020000-0x0000000009021000-memory.dmp

Filesize
4KB

Download
memory/1444-175-0x0000000008E50000-0x0000000008E51000-memory.dmp

Filesize
4KB

Download
memory/1444-136-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/1444-137-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/1444-138-0x00000000043E2000-0x00000000043E3000-memory.dmp

Filesize
4KB

Download
memory/1444-170-0x0000000008AC0000-0x0000000008AC1000-memory.dmp

Filesize
4KB

Download
memory/1444-163-0x0000000008AE0000-0x0000000008B13000-memory.dmp

Filesize
204KB

Download
memory/1444-124-0x0000000000000000-mapping.dmp

Download
memory/1444-146-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1444-143-0x0000000007F70000-0x0000000007F71000-memory.dmp

Filesize
4KB

Download
memory/1444-144-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/1980-140-0x0000000000000000-mapping.dmp

Download
memory/2156-441-0x0000000007243000-0x0000000007244000-memory.dmp

Filesize
4KB

Download
memory/2156-413-0x0000000007242000-0x0000000007243000-memory.dmp

Filesize
4KB

Download
memory/2156-394-0x0000000000000000-mapping.dmp

Download
memory/2156-412-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/2156-439-0x000000007F070000-0x000000007F071000-memory.dmp

Filesize
4KB

Download
memory/2212-135-0x000000000042FC39-mapping.dmp

Download
memory/2212-139-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2212-133-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2580-122-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/2580-117-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2580-125-0x00000000097D0000-0x00000000097D1000-memory.dmp

Filesize
4KB

Download
memory/2580-123-0x0000000008BC0000-0x0000000008C54000-memory.dmp

Filesize
592KB

Download
memory/2580-121-0x0000000005ED0000-0x0000000005ED7000-memory.dmp

Filesize
28KB

Download
memory/2580-115-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2580-120-0x0000000005060000-0x00000000050F2000-memory.dmp

Filesize
584KB

Download
memory/2580-119-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2580-118-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3420-131-0x0000000000000000-mapping.dmp

Download
memory/3576-158-0x0000000004ED0000-0x00000000053CE000-memory.dmp

Filesize
5.0MB

Download
memory/3576-148-0x0000000000000000-mapping.dmp

Download
memory/3776-401-0x0000000000000000-mapping.dmp

Download
memory/3964-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads