remcos | bc08562e6e3a026e383c9c11a2b2f04cc5d7e60630efb0a93c01f09ea254392d

General

Target

CamScanner-594026496-pdf.exe
Size

300.0MB
MD5

f42ad96a95669ad8c5b90e40eb210be5
SHA1

d370218dcf08cc47c6cecec61aa41f65e098bacd
SHA256

bc08562e6e3a026e383c9c11a2b2f04cc5d7e60630efb0a93c01f09ea254392d
SHA512

6ad7973fe43508de7dbf25f8a7c0b15ad2c497963d9047e12104393d45de327e68b6b0caabd011d0fd4a296663ecaeaa23ca1299c3a9a463061300dcf6267ac5
SSDEEP

12288:ywnu/K2uzLZnO0Ex19/7D4FBq/gJSdyAzc02egHZESOmoMNVRb:Lv2sFs3D4FBG8zpoYR

Score

10^/10

remcos navidad rat

Malware Config

Extracted

Family

remcos

Botnet

NAVIDAD

C2

hotsdefender.webredirect.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Key
keylog_path
%AppData%
mouse_option
false
mutex
DicRtgBn6Uy7K8ollH5RfBnFadTyGn9Mj6T5RbNoskj-PRYOGS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 5 IoCs

Processes:

trxs.exetrxs.exetrxs.exetrxs.exetrxs.exe

pid process

1660 trxs.exe
1632 trxs.exe
1596 trxs.exe
632 trxs.exe
1320 trxs.exe

pid	process
1660	trxs.exe
1632	trxs.exe
1596	trxs.exe
632	trxs.exe
1320	trxs.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

CamScanner-594026496-pdf.exetrxs.exetrxs.exetrxs.exetrxs.exetrxs.exe

description	pid	process	target process
PID 2044 set thread context of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 1660 set thread context of 1844	1660	trxs.exe	csc.exe
PID 1632 set thread context of 1216	1632	trxs.exe	csc.exe
PID 1596 set thread context of 892	1596	trxs.exe	csc.exe
PID 632 set thread context of 1936	632	trxs.exe	csc.exe
PID 1320 set thread context of 960	1320	trxs.exe	csc.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

432 schtasks.exe
1532 schtasks.exe
684 schtasks.exe
360 schtasks.exe
324 schtasks.exe
1732 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csc.exe

pid process

1464 csc.exe

pid	process
432	schtasks.exe
1532	schtasks.exe
684	schtasks.exe
360	schtasks.exe
324	schtasks.exe
1732	schtasks.exe

pid	process
1464	csc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2016	AUDIODG.EXE
Token: 33	2016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2016	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csc.exe

pid process

1464 csc.exe

pid	process
1464	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CamScanner-594026496-pdf.execmd.exetaskeng.exetrxs.execmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 1464	2044	CamScanner-594026496-pdf.exe	csc.exe
PID 2044 wrote to memory of 568	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 568	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 568	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 568	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 540	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 540	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 540	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 540	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 1680	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 1680	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 1680	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 2044 wrote to memory of 1680	2044	CamScanner-594026496-pdf.exe	cmd.exe
PID 540 wrote to memory of 1532	540	cmd.exe	schtasks.exe
PID 540 wrote to memory of 1532	540	cmd.exe	schtasks.exe
PID 540 wrote to memory of 1532	540	cmd.exe	schtasks.exe
PID 540 wrote to memory of 1532	540	cmd.exe	schtasks.exe
PID 1212 wrote to memory of 1660	1212	taskeng.exe	trxs.exe
PID 1212 wrote to memory of 1660	1212	taskeng.exe	trxs.exe
PID 1212 wrote to memory of 1660	1212	taskeng.exe	trxs.exe
PID 1212 wrote to memory of 1660	1212	taskeng.exe	trxs.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1844	1660	trxs.exe	csc.exe
PID 1660 wrote to memory of 1988	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1988	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1988	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1988	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1592	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1592	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1592	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1592	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1496	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1496	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1496	1660	trxs.exe	cmd.exe
PID 1660 wrote to memory of 1496	1660	trxs.exe	cmd.exe
PID 1592 wrote to memory of 684	1592	cmd.exe	schtasks.exe
PID 1592 wrote to memory of 684	1592	cmd.exe	schtasks.exe
PID 1592 wrote to memory of 684	1592	cmd.exe	schtasks.exe
PID 1592 wrote to memory of 684	1592	cmd.exe	schtasks.exe
PID 1212 wrote to memory of 1632	1212	taskeng.exe	trxs.exe
PID 1212 wrote to memory of 1632	1212	taskeng.exe	trxs.exe

C:\Users\Admin\AppData\Local\Temp\CamScanner-594026496-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\CamScanner-594026496-pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
2⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\CamScanner-594026496-pdf.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
2⤵
PID:1680

C:\Windows\system32\taskeng.exe
taskeng.exe {BA7318FD-FBCB-4B5B-923F-278081D7027C} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
4⤵
- Creates scheduled task(s)
PID:684

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
3⤵
PID:1496

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
PID:1732

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
4⤵
- Creates scheduled task(s)
PID:360

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
3⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
3⤵
PID:1600

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
3⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
PID:756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
4⤵
- Creates scheduled task(s)
PID:324

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
3⤵
PID:1344

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
PID:984

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
3⤵
PID:1968

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
3⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
PID:1964

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
4⤵
- Creates scheduled task(s)
PID:432

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
3⤵
PID:560

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
300.0MB

MD5
f42ad96a95669ad8c5b90e40eb210be5

SHA1
d370218dcf08cc47c6cecec61aa41f65e098bacd

SHA256
bc08562e6e3a026e383c9c11a2b2f04cc5d7e60630efb0a93c01f09ea254392d

SHA512
6ad7973fe43508de7dbf25f8a7c0b15ad2c497963d9047e12104393d45de327e68b6b0caabd011d0fd4a296663ecaeaa23ca1299c3a9a463061300dcf6267ac5

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
267.9MB

MD5
003313bbebf80636c40434e1d862371c

SHA1
626ea4e8373487babbf911a8400c1485be64fbf7

SHA256
b9f054e6773bc925bc726d69f4fb8576787ece44147b0582f82375a40386e8a3

SHA512
b588816ae34bb1e20c4f62a05d11009966e9bcca3ed419049d9d8f18c53ed7ee401834008757b8e1c502e444be95ffae88d54bc67510f9392101b9b6afbd667e

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
218.8MB

MD5
d8e7efc2aee0b5609ba8fa0972cdfb10

SHA1
1aa99c6054dc30b5a4b706b3ab37a5cd0df3a4b0

SHA256
17e326f6d1a7cb90f3001c501b4f15c8b33db87adbe34f2aaee0ca0b7e228fa4

SHA512
ff7d343ffbbf22e24eba67c054527b7302a11c8c3fd3b18383ab29ce4244e3bc0eb0c5a34914c3d0abdf61c75175f99f49395028bdf4659683b7e788f4d80d15

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
127.6MB

MD5
531866024b25dacc444dcd518e284d6e

SHA1
f507972966fde4f75006d685963c79def59a969c

SHA256
4dad8439ef95546de5494eb237b909d76fba04b8a909f5613f7d120d73e7dd0a

SHA512
60c05aa26e97204edd59352b2b816458c7d339163be961f0df501c912cee0288feaf41c26f7f273de5ad837ea91ba1bb5243cd93bc819fa179aa1dd183a34fdf

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
300.0MB

MD5
f42ad96a95669ad8c5b90e40eb210be5

SHA1
d370218dcf08cc47c6cecec61aa41f65e098bacd

SHA256
bc08562e6e3a026e383c9c11a2b2f04cc5d7e60630efb0a93c01f09ea254392d

SHA512
6ad7973fe43508de7dbf25f8a7c0b15ad2c497963d9047e12104393d45de327e68b6b0caabd011d0fd4a296663ecaeaa23ca1299c3a9a463061300dcf6267ac5

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
300.0MB

MD5
f42ad96a95669ad8c5b90e40eb210be5

SHA1
d370218dcf08cc47c6cecec61aa41f65e098bacd

SHA256
bc08562e6e3a026e383c9c11a2b2f04cc5d7e60630efb0a93c01f09ea254392d

SHA512
6ad7973fe43508de7dbf25f8a7c0b15ad2c497963d9047e12104393d45de327e68b6b0caabd011d0fd4a296663ecaeaa23ca1299c3a9a463061300dcf6267ac5

Download Submit
memory/324-189-0x0000000000000000-mapping.dmp

Download
memory/360-154-0x0000000000000000-mapping.dmp

Download
memory/432-248-0x0000000000000000-mapping.dmp

Download
memory/540-83-0x0000000000000000-mapping.dmp

Download
memory/560-247-0x0000000000000000-mapping.dmp

Download
memory/568-82-0x0000000000000000-mapping.dmp

Download
memory/632-190-0x0000000000000000-mapping.dmp

Download
memory/684-120-0x0000000000000000-mapping.dmp

Download
memory/756-185-0x0000000000000000-mapping.dmp

Download
memory/892-173-0x000000000043292E-mapping.dmp

Download
memory/960-240-0x000000000043292E-mapping.dmp

Download
memory/960-245-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/984-220-0x0000000000000000-mapping.dmp

Download
memory/992-181-0x0000000000000000-mapping.dmp

Download
memory/1216-139-0x000000000043292E-mapping.dmp

Download
memory/1320-223-0x0000000000000000-mapping.dmp

Download
memory/1320-225-0x0000000001130000-0x00000000011DE000-memory.dmp

Filesize
696KB

Download
memory/1344-188-0x0000000000000000-mapping.dmp

Download
memory/1464-57-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1464-64-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1464-81-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1464-66-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1464-70-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1464-61-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1464-69-0x000000000043292E-mapping.dmp

Download
memory/1464-63-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1464-56-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1464-59-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1464-75-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1464-62-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1496-119-0x0000000000000000-mapping.dmp

Download
memory/1532-85-0x0000000000000000-mapping.dmp

Download
memory/1592-118-0x0000000000000000-mapping.dmp

Download
memory/1596-158-0x0000000000FA0000-0x000000000104E000-memory.dmp

Filesize
696KB

Download
memory/1596-156-0x0000000000000000-mapping.dmp

Download
memory/1600-155-0x0000000000000000-mapping.dmp

Download
memory/1632-124-0x0000000000FA0000-0x000000000104E000-memory.dmp

Filesize
696KB

Download
memory/1632-122-0x0000000000000000-mapping.dmp

Download
memory/1660-89-0x0000000000220000-0x00000000002CE000-memory.dmp

Filesize
696KB

Download
memory/1660-87-0x0000000000000000-mapping.dmp

Download
memory/1680-84-0x0000000000000000-mapping.dmp

Download
memory/1684-121-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1732-221-0x0000000000000000-mapping.dmp

Download
memory/1732-153-0x0000000000000000-mapping.dmp

Download
memory/1844-117-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1844-111-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1844-104-0x000000000043292E-mapping.dmp

Download
memory/1932-141-0x0000000000000000-mapping.dmp

Download
memory/1936-206-0x000000000043292E-mapping.dmp

Download
memory/1964-246-0x0000000000000000-mapping.dmp

Download
memory/1968-222-0x0000000000000000-mapping.dmp

Download
memory/1984-243-0x0000000000000000-mapping.dmp

Download
memory/1988-208-0x0000000000000000-mapping.dmp

Download
memory/1988-110-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000000B90000-0x0000000000C3E000-memory.dmp

Filesize
696KB

Download
memory/2044-55-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads