remcos | 86b28c90ffb9ef1c63857df39f78dbcec1afc0e83cb972da80752f77c6d112f2

Analysis

max time kernel
575s
max time network
393s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.msg
Size

67KB
MD5

19d328f7406463ea2cf9b0e478bb6ce6
SHA1

f25caf90236a7e92a17d7fc571ed7f3beaa5d3b2
SHA256

86b28c90ffb9ef1c63857df39f78dbcec1afc0e83cb972da80752f77c6d112f2
SHA512

3996b1da007cb92b097dbd3efe627b472eb5a27e517898b9fe6293c13ad80fe5ffdda2fecb28d33fca9210ca21145dd3460d0e7b93fea02ae5728cf37fd61155
SSDEEP

768:0fjVlusyvaOtMv7lnxrf1tsKhsKgsHFEO44FmwsyUz3dFd8eD5+c1N48:Q/CtMzlxrf1tJIsD7sygtFfZ1

Score

10^/10

remcos 11 de julio 2023 rat

Malware Config

Extracted

Family

remcos

Botnet

11 DE JULIO 2023

anasalgadodu921.con-ip.com:5023

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZIW0AC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2604	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 60c7661914b4d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50CC9221-2007-11EE-9DA0-C28A970DB748} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1984	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: 33	2256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2256	AUDIODG.EXE
Token: 33	2256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2256	AUDIODG.EXE
Token: SeRestorePrivilege	3064	7zG.exe
Token: 35	3064	7zG.exe
Token: SeSecurityPrivilege	3064	7zG.exe
Token: SeSecurityPrivilege	3064	7zG.exe
Token: SeShutdownPrivilege	1984	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1984	OUTLOOK.EXE
2452	iexplore.exe
2452	iexplore.exe
3064	7zG.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
1984	OUTLOOK.EXE
2452	iexplore.exe
2452	iexplore.exe
748	IEXPLORE.EXE
748	IEXPLORE.EXE
1984	OUTLOOK.EXE
2004	AppLaunch.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2452	1984	OUTLOOK.EXE	28
PID 1984 wrote to memory of 2452	1984	OUTLOOK.EXE	28
PID 1984 wrote to memory of 2452	1984	OUTLOOK.EXE	28
PID 1984 wrote to memory of 2452	1984	OUTLOOK.EXE	28
PID 2452 wrote to memory of 748	2452	iexplore.exe	29
PID 2452 wrote to memory of 748	2452	iexplore.exe	29
PID 2452 wrote to memory of 748	2452	iexplore.exe	29
PID 2452 wrote to memory of 748	2452	iexplore.exe	29
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2004	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	39
PID 1712 wrote to memory of 2212	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	40
PID 1712 wrote to memory of 2212	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	40
PID 1712 wrote to memory of 2212	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	40
PID 1712 wrote to memory of 2212	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	40
PID 1712 wrote to memory of 2204	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	45
PID 1712 wrote to memory of 2204	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	45
PID 1712 wrote to memory of 2204	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	45
PID 1712 wrote to memory of 2204	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	45
PID 1712 wrote to memory of 2560	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	44
PID 1712 wrote to memory of 2560	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	44
PID 1712 wrote to memory of 2560	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	44
PID 1712 wrote to memory of 2560	1712	RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe	44
PID 2204 wrote to memory of 2604	2204	cmd.exe	46
PID 2204 wrote to memory of 2604	2204	cmd.exe	46
PID 2204 wrote to memory of 2604	2204	cmd.exe	46
PID 2204 wrote to memory of 2604	2204	cmd.exe	46
PID 2004 wrote to memory of 564	2004	AppLaunch.exe	48
PID 2004 wrote to memory of 564	2004	AppLaunch.exe	48
PID 2004 wrote to memory of 564	2004	AppLaunch.exe	48
PID 2004 wrote to memory of 564	2004	AppLaunch.exe	48
PID 2004 wrote to memory of 564	2004	AppLaunch.exe	48
PID 2004 wrote to memory of 564	2004	AppLaunch.exe	48
PID 2004 wrote to memory of 564	2004	AppLaunch.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/uc?export=download&id=1H-Cs5snDcx32-ujoLuP5HI0dbd6PaH9m
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:748

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1ac
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\" -spe -an -ai#7zMap19150:176:7zEvent6820
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3064

C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe
"C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hxqeqsryaioueucnpjbtuve.vbs"
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  PID:2560
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
228B

MD5
cb477e1b3c89a6d5fa88c7843f25be66

SHA1
ca67ad4abb4f203762491fbce9b4620e27e0e594

SHA256
f56cfd9e70aba3c16d32c6e10a7c611bc217ab90717a76940548a2da466ae758

SHA512
8d60346a7b76c2ce7b0fd0dae315170ae9359da6754a014913646eca68407af0e5378f908833b2c6a4bf8c8fc18252d63fbe78b5010223d6dd77474727dfe1ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
370B

MD5
cf349623b3c3306bece8ce4d6c78dabf

SHA1
fe6e55d27604979c3902c808e124cfc42d8db389

SHA256
b5f510049301d139f42fa742903437dc81da7091de473bfd8cd80312c1a7a1be

SHA512
b1870b0ae854b05152979dc5d976e11908a6080b05b08be254e63c8229e61724551c37da758a004f4ae51c3069552e4d291ae8f62bdc2b6a1693789849ed54f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ANFZKI5S\RADICADO%20No.%20881232-EF98-39823%20DEMANDA%20FISCAL%2011%20DE%20JULIO[1].tar

Filesize
2.3MB

MD5
fe8eadda681d4da4888c1260f6da3328

SHA1
1d5fb5be2f41a79cf7893f630af6656771436a95

SHA256
d741060b478b7c4f5f666a4214ff8965eaadf1cfd90204c97600f0ab89d1a73f

SHA512
52495ab7ab319c0b7f6a46075bed7ae001c51bdc9edf48333689456fe07a4bbce2411c332e27000f00e8daaba94da1f57400c36d1bc2aadcd8e328c0962a65ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxqeqsryaioueucnpjbtuve.vbs

Filesize
556B

MD5
4d05c07873cecf7ae04612a62a93080f

SHA1
7e1374ed8ed728b1e0c907562f582bdb785ce0b1

SHA256
daff22b3c493097cdcfbcc55e69d3ac6ffac9ca47020aa2f9db2af030da5d79f

SHA512
6673b7da262512213fe3aa360c7e4f9bb716ef750035f4572c92d71291e3fdf8159d9195bdf81daed46c77fec5755ca83f3c9c45f57ecfa3c4454b41d11083d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.tar.blgjlz5.partial

Filesize
2.3MB

MD5
fe8eadda681d4da4888c1260f6da3328

SHA1
1d5fb5be2f41a79cf7893f630af6656771436a95

SHA256
d741060b478b7c4f5f666a4214ff8965eaadf1cfd90204c97600f0ab89d1a73f

SHA512
52495ab7ab319c0b7f6a46075bed7ae001c51bdc9edf48333689456fe07a4bbce2411c332e27000f00e8daaba94da1f57400c36d1bc2aadcd8e328c0962a65ed

Download Submit
C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe

Filesize
1100.0MB

MD5
adbe75d102f186e833e729bf6b640f8e

SHA1
82225f667f0558098bcd000597272129a5b20583

SHA256
2c52bdc435237c439bece70b2101a395fe28b1ca7934a3a56b5a894b71146d18

SHA512
a5fb219b98d9c2fd0451d025640a059c96c7270c7fde7469da15f912581f3314645e4adbc52fd3ca2691c720d4c79adf467c98611a581f422c472565417ccbf4

Download Submit
C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.exe

Filesize
1100.0MB

MD5
adbe75d102f186e833e729bf6b640f8e

SHA1
82225f667f0558098bcd000597272129a5b20583

SHA256
2c52bdc435237c439bece70b2101a395fe28b1ca7934a3a56b5a894b71146d18

SHA512
a5fb219b98d9c2fd0451d025640a059c96c7270c7fde7469da15f912581f3314645e4adbc52fd3ca2691c720d4c79adf467c98611a581f422c472565417ccbf4

Download Submit
memory/1712-282-0x0000000001120000-0x0000000001DAA000-memory.dmp

Filesize
12.5MB

Download
memory/1712-283-0x0000000001020000-0x0000000001060000-memory.dmp

Filesize
256KB

Download
memory/1984-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1984-216-0x0000000009E10000-0x0000000009E11000-memory.dmp

Filesize
4KB

Download
memory/2004-300-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-310-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-288-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-289-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-290-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-292-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2004-293-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-291-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-295-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-298-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-297-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-286-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-301-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-302-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-303-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-304-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-305-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-287-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-311-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-312-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-285-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-319-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-324-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-325-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-326-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-328-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-329-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-330-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-332-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-333-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-334-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-336-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-338-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-341-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-344-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-284-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads