remcos | bc08562e6e3a026e383c9c11a2b2f04cc5d7e60630efb0a93c01f09ea254392d

General

Target

CamScanner-594026496-pdf.exe
Size

300.0MB
MD5

f42ad96a95669ad8c5b90e40eb210be5
SHA1

d370218dcf08cc47c6cecec61aa41f65e098bacd
SHA256

bc08562e6e3a026e383c9c11a2b2f04cc5d7e60630efb0a93c01f09ea254392d
SHA512

6ad7973fe43508de7dbf25f8a7c0b15ad2c497963d9047e12104393d45de327e68b6b0caabd011d0fd4a296663ecaeaa23ca1299c3a9a463061300dcf6267ac5
SSDEEP

12288:ywnu/K2uzLZnO0Ex19/7D4FBq/gJSdyAzc02egHZESOmoMNVRb:Lv2sFs3D4FBG8zpoYR

Score

10^/10

remcos navidad rat

Malware Config

Extracted

Family

remcos

Botnet

NAVIDAD

C2

hotsdefender.webredirect.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Key
keylog_path
%AppData%
mouse_option
false
mutex
DicRtgBn6Uy7K8ollH5RfBnFadTyGn9Mj6T5RbNoskj-PRYOGS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 5 IoCs

Processes:

trxs.exetrxs.exetrxs.exetrxs.exetrxs.exe

pid process

2796 trxs.exe
4852 trxs.exe
4504 trxs.exe
4772 trxs.exe
1060 trxs.exe

pid	process
2796	trxs.exe
4852	trxs.exe
4504	trxs.exe
4772	trxs.exe
1060	trxs.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

CamScanner-594026496-pdf.exetrxs.exetrxs.exetrxs.exetrxs.exetrxs.exe

description	pid	process	target process
PID 5012 set thread context of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 2796 set thread context of 4456	2796	trxs.exe	csc.exe
PID 4852 set thread context of 2628	4852	trxs.exe	csc.exe
PID 4504 set thread context of 3760	4504	trxs.exe	csc.exe
PID 4772 set thread context of 3552	4772	trxs.exe	csc.exe
PID 1060 set thread context of 4516	1060	trxs.exe	csc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3128 1004 WerFault.exe csc.exe
1996 3760 WerFault.exe csc.exe
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4140 schtasks.exe
2392 schtasks.exe
476 schtasks.exe
1748 schtasks.exe
3268 schtasks.exe
4928 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csc.exe

pid process

4456 csc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 996 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 996 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csc.exe

pid process

4456 csc.exe

pid	pid_target	process	target process
3128	1004	WerFault.exe	csc.exe
1996	3760	WerFault.exe	csc.exe

pid	process
4140	schtasks.exe
2392	schtasks.exe
476	schtasks.exe
1748	schtasks.exe
3268	schtasks.exe
4928	schtasks.exe

pid	process
4456	csc.exe

description	pid	process
Token: 33	996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	996	AUDIODG.EXE

pid	process
4456	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CamScanner-594026496-pdf.execmd.exetrxs.execmd.exetrxs.exe

description	pid	process	target process
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 1004	5012	CamScanner-594026496-pdf.exe	csc.exe
PID 5012 wrote to memory of 4688	5012	CamScanner-594026496-pdf.exe	cmd.exe
PID 5012 wrote to memory of 4688	5012	CamScanner-594026496-pdf.exe	cmd.exe
PID 5012 wrote to memory of 4688	5012	CamScanner-594026496-pdf.exe	cmd.exe
PID 5012 wrote to memory of 3360	5012	CamScanner-594026496-pdf.exe	cmd.exe
PID 5012 wrote to memory of 3360	5012	CamScanner-594026496-pdf.exe	cmd.exe
PID 5012 wrote to memory of 3360	5012	CamScanner-594026496-pdf.exe	cmd.exe
PID 5012 wrote to memory of 4324	5012	CamScanner-594026496-pdf.exe	cmd.exe
PID 5012 wrote to memory of 4324	5012	CamScanner-594026496-pdf.exe	cmd.exe
PID 5012 wrote to memory of 4324	5012	CamScanner-594026496-pdf.exe	cmd.exe
PID 3360 wrote to memory of 4140	3360	cmd.exe	schtasks.exe
PID 3360 wrote to memory of 4140	3360	cmd.exe	schtasks.exe
PID 3360 wrote to memory of 4140	3360	cmd.exe	schtasks.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 4456	2796	trxs.exe	csc.exe
PID 2796 wrote to memory of 1420	2796	trxs.exe	cmd.exe
PID 2796 wrote to memory of 1420	2796	trxs.exe	cmd.exe
PID 2796 wrote to memory of 1420	2796	trxs.exe	cmd.exe
PID 2796 wrote to memory of 404	2796	trxs.exe	cmd.exe
PID 2796 wrote to memory of 404	2796	trxs.exe	cmd.exe
PID 2796 wrote to memory of 404	2796	trxs.exe	cmd.exe
PID 2796 wrote to memory of 4112	2796	trxs.exe	cmd.exe
PID 2796 wrote to memory of 4112	2796	trxs.exe	cmd.exe
PID 2796 wrote to memory of 4112	2796	trxs.exe	cmd.exe
PID 404 wrote to memory of 2392	404	cmd.exe	schtasks.exe
PID 404 wrote to memory of 2392	404	cmd.exe	schtasks.exe
PID 404 wrote to memory of 2392	404	cmd.exe	schtasks.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 2628	4852	trxs.exe	csc.exe
PID 4852 wrote to memory of 4408	4852	trxs.exe	cmd.exe
PID 4852 wrote to memory of 4408	4852	trxs.exe	cmd.exe
PID 4852 wrote to memory of 4408	4852	trxs.exe	cmd.exe
PID 4852 wrote to memory of 4424	4852	trxs.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\CamScanner-594026496-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\CamScanner-594026496-pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 508
3⤵
- Program crash
PID:3128

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
2⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4140

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\CamScanner-594026496-pdf.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
2⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1004 -ip 1004
1⤵
PID:2292

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
2⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
2⤵
PID:4112

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
2⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
2⤵
PID:4424

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:476

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
2⤵
PID:3688

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 500
3⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
2⤵
PID:2648

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
2⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
2⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3760 -ip 3760
1⤵
PID:5016

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558 0x554
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
2⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
2⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
2⤵
PID:4808

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3268

C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe" "C:\Users\Admin\AppData\Roaming\trxs\trxs.exe"
2⤵
PID:440

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
2⤵
PID:4812

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\trxs\trxs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4928

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\trxs"
2⤵
PID:2768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\trxs.exe.log
Filesize
517B

MD5
3334ecde6536c93e216decce323cbe3e

SHA1
277f9a4e3a14c5dbe6b92fabac8b2050cab3629b

SHA256
494fcff7f11e2d7ea9abfbf91d6dea2595388ab4c45269e5fd74c82796d0a76a

SHA512
2830773d60aa9fe73c7e0a28502e198d931422b4a1df9a0b844d3952bb0aed7aa2b5da39e1adf145c9e6c2f75a33560da23c9b2b774fb38718bde066eafcad9d

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
300.0MB

MD5
f42ad96a95669ad8c5b90e40eb210be5

SHA1
d370218dcf08cc47c6cecec61aa41f65e098bacd

SHA256
bc08562e6e3a026e383c9c11a2b2f04cc5d7e60630efb0a93c01f09ea254392d

SHA512
6ad7973fe43508de7dbf25f8a7c0b15ad2c497963d9047e12104393d45de327e68b6b0caabd011d0fd4a296663ecaeaa23ca1299c3a9a463061300dcf6267ac5

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
300.0MB

MD5
f42ad96a95669ad8c5b90e40eb210be5

SHA1
d370218dcf08cc47c6cecec61aa41f65e098bacd

SHA256
bc08562e6e3a026e383c9c11a2b2f04cc5d7e60630efb0a93c01f09ea254392d

SHA512
6ad7973fe43508de7dbf25f8a7c0b15ad2c497963d9047e12104393d45de327e68b6b0caabd011d0fd4a296663ecaeaa23ca1299c3a9a463061300dcf6267ac5

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
262.2MB

MD5
2ee6738105a6b602d5d859c98e6af810

SHA1
06f78db0b7211a15d75aa78fe092c4ddc1cb8d71

SHA256
388bffda7a279d9f24e901aa1d0fa10b11d13ba5686fa4e4c028a6a6d1942494

SHA512
2cc091832bad1b309c98aa797db9bb78532edc166ae3c30bcf3e1d507a9a616c8c11c0572b074d28b2b8c2bae8d6601cc6d869be758bbe8fd7eca4061aae8edf

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
155.5MB

MD5
9008a8c51b26af658aff2cd12eca2b89

SHA1
9ab81f7c5a3e53692bb7563c5c68d9ba170a3443

SHA256
eb1ab8208bc2bfdf238e47c1ffd908bb2c0cb545f69111ebddb74cd2be14f3c8

SHA512
8d38db88dc50ef0841d3083b2d82d4a6512c5b702cdfa309244b7c372584085c5210775fe8b7f35d7b508186899d918beb1525bde1647faeb46ce324e724fb8d

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
110.2MB

MD5
d6e87ab4d48c0e060e0ce8b450e258ec

SHA1
b4407e999d0ec2cc48307417af02d7f9b7c3141d

SHA256
2944690c070c30108b9f4be8b03d29c61b1f642a236412ee89350c550a3f2d90

SHA512
5061c77026c413c58ac4b27e734a76756f77fc4b8d600d8a1835d6484c735dfa0e748d65d46411c698c7c73e0b12d6d6dfcdc9b3ebb02f97cd313c6cd13523ab

Download Submit
C:\Users\Admin\AppData\Roaming\trxs\trxs.exe
Filesize
15.5MB

MD5
7279582ee2b9b1d98e60ebac29328953

SHA1
6389e8b9c9a5b9f799169ec7cb920baf136ea262

SHA256
27780611536ab96e5bcf12b53cad687aa2f5dabeb7802d9bf34884b0b8b141d6

SHA512
a6213dc8093a558742436fbdcfc5bb3fd8cdfcc275f6f351a7a431d21b832940c10c0f402ed76891315f1d7ed67d7450f970273e374e6763a6d1bbb190a1ab77

Download Submit
memory/404-158-0x0000000000000000-mapping.dmp

Download
memory/440-210-0x0000000000000000-mapping.dmp

Download
memory/476-173-0x0000000000000000-mapping.dmp

Download
memory/1004-149-0x0000000000680000-0x00000000006FF000-memory.dmp

Filesize
508KB

Download
memory/1004-141-0x0000000000680000-0x00000000006FF000-memory.dmp

Filesize
508KB

Download
memory/1004-134-0x0000000000000000-mapping.dmp

Download
memory/1004-136-0x0000000000680000-0x00000000006FF000-memory.dmp

Filesize
508KB

Download
memory/1420-156-0x0000000000000000-mapping.dmp

Download
memory/1748-191-0x0000000000000000-mapping.dmp

Download
memory/1764-190-0x0000000000000000-mapping.dmp

Download
memory/2392-160-0x0000000000000000-mapping.dmp

Download
memory/2628-168-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2628-167-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2628-169-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2628-165-0x0000000000000000-mapping.dmp

Download
memory/2648-189-0x0000000000000000-mapping.dmp

Download
memory/2768-206-0x0000000000000000-mapping.dmp

Download
memory/2972-187-0x0000000000000000-mapping.dmp

Download
memory/3268-201-0x0000000000000000-mapping.dmp

Download
memory/3360-145-0x0000000000000000-mapping.dmp

Download
memory/3552-197-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3552-195-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3552-193-0x0000000000000000-mapping.dmp

Download
memory/3552-199-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-172-0x0000000000000000-mapping.dmp

Download
memory/3760-188-0x0000000000600000-0x000000000067F000-memory.dmp

Filesize
508KB

Download
memory/3760-182-0x0000000000600000-0x000000000067F000-memory.dmp

Filesize
508KB

Download
memory/3760-175-0x0000000000000000-mapping.dmp

Download
memory/4112-159-0x0000000000000000-mapping.dmp

Download
memory/4140-150-0x0000000000000000-mapping.dmp

Download
memory/4324-147-0x0000000000000000-mapping.dmp

Download
memory/4408-170-0x0000000000000000-mapping.dmp

Download
memory/4424-171-0x0000000000000000-mapping.dmp

Download
memory/4456-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4456-162-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4456-161-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4456-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4456-153-0x0000000000000000-mapping.dmp

Download
memory/4516-203-0x0000000000000000-mapping.dmp

Download
memory/4516-209-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4516-207-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4516-205-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-200-0x0000000000000000-mapping.dmp

Download
memory/4688-142-0x0000000000000000-mapping.dmp

Download
memory/4808-196-0x0000000000000000-mapping.dmp

Download
memory/4812-208-0x0000000000000000-mapping.dmp

Download
memory/4928-211-0x0000000000000000-mapping.dmp

Download
memory/5012-132-0x0000000000A50000-0x0000000000AFE000-memory.dmp

Filesize
696KB

Download
memory/5012-133-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/5020-198-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads