Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13/02/2024, 02:22
Static task
static1
Behavioral task
behavioral1
Sample
3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
Resource
win7-20231215-en
General
-
Target
3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
-
Size
1.0MB
-
MD5
e5d2981fd9c531b3cfb780cf781bac91
-
SHA1
aaf7084c369138eb5588051eda8aec9aa3c4ac26
-
SHA256
3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b
-
SHA512
ec10e5de423564c17caac9e3c8a4ab2d1ed51882c9cfe145374d69e9f18382d7bd23d370f0389fb56c3b77073da11351978e803dc53c7135e618bbf0507be539
-
SSDEEP
24576:Aazz87bccsW43UyDBU7RCFYK9i3iOpOnC+yqiQDi/DtS:AOz8732BdUCYK9i3X6CPqinDo
Malware Config
Extracted
remcos
P2-bin
84.38.132.126:61445
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-ANE1CN
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 26 IoCs
resource yara_rule behavioral2/memory/3772-27-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-28-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-35-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-44-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-54-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-38-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-55-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-56-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-57-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-58-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-59-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-61-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-62-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-60-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-68-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-74-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-82-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-98-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-138-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-140-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-147-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-153-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-161-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-162-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-169-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/3772-170-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Detects executables built or packed with MPress PE compressor 18 IoCs
resource yara_rule behavioral2/memory/2552-65-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3572-67-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2552-69-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2660-71-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3572-78-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2660-77-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2552-76-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3572-80-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2660-83-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3572-84-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2660-79-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3572-72-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2552-89-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3772-94-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3772-96-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3772-91-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3772-99-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2660-149-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs
resource yara_rule behavioral2/memory/3572-78-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral2/memory/3572-80-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral2/memory/3572-84-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs
resource yara_rule behavioral2/memory/3572-78-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral2/memory/3572-80-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral2/memory/3572-84-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/3572-78-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView behavioral2/memory/3572-80-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView behavioral2/memory/3572-84-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/2552-76-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/2552-89-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 8 IoCs
resource yara_rule behavioral2/memory/3572-78-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral2/memory/2552-76-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/3572-80-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral2/memory/2660-83-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/3572-84-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral2/memory/2660-79-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/2552-89-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/2660-149-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 116 set thread context of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 3772 set thread context of 2552 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 99 PID 3772 set thread context of 3572 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 100 PID 3772 set thread context of 2660 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 101 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1156 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 4652 powershell.exe 996 powershell.exe 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 4652 powershell.exe 996 powershell.exe 2552 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2552 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2660 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2660 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2552 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2552 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe Token: SeDebugPrivilege 4652 powershell.exe Token: SeDebugPrivilege 996 powershell.exe Token: SeDebugPrivilege 2660 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 116 wrote to memory of 4652 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 91 PID 116 wrote to memory of 4652 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 91 PID 116 wrote to memory of 4652 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 91 PID 116 wrote to memory of 996 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 93 PID 116 wrote to memory of 996 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 93 PID 116 wrote to memory of 996 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 93 PID 116 wrote to memory of 1156 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 95 PID 116 wrote to memory of 1156 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 95 PID 116 wrote to memory of 1156 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 95 PID 116 wrote to memory of 4976 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 97 PID 116 wrote to memory of 4976 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 97 PID 116 wrote to memory of 4976 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 97 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 116 wrote to memory of 3772 116 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 98 PID 3772 wrote to memory of 2552 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 99 PID 3772 wrote to memory of 2552 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 99 PID 3772 wrote to memory of 2552 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 99 PID 3772 wrote to memory of 2552 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 99 PID 3772 wrote to memory of 3572 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 100 PID 3772 wrote to memory of 3572 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 100 PID 3772 wrote to memory of 3572 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 100 PID 3772 wrote to memory of 3572 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 100 PID 3772 wrote to memory of 2660 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 101 PID 3772 wrote to memory of 2660 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 101 PID 3772 wrote to memory of 2660 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 101 PID 3772 wrote to memory of 2660 3772 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp76B2.tmp"2⤵
- Creates scheduled task(s)
PID:1156
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"2⤵PID:4976
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\joqibzhdro"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\tjvabrrxfwsor"3⤵
- Accesses Microsoft Outlook accounts
PID:3572
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\wlblukcytekstzclj"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5f7317fdc71d30fe75bfc822d892d817c
SHA144356ef7ce7d4eceacc50527b7e2b3b71d8a2a6f
SHA256ec622888b888eaf65051631e7e83a27b3910ea923ce9a50337d9ce4392ec1ed5
SHA5127802521aee26138519a813e7053e5025db85f04b2e282498095e636f10211da7c8bfecada404b7714683ba7653e645f98201a751b88f3256984f5c1b1da4e58e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5320830fb2990210b35d02eb559f1b3f2
SHA1fba985836640a92e69c58c643929b75f7635ee33
SHA256155c37d976ae56d6d9d7bed09e2802dade565be58b8af769b1e815ceb044c318
SHA5126e0536d68bc7f2c053a02879aaabeabb390913028f5986be4d2c3eee67db27f1c9bf1675e33ef28bad5afb7c542070cdae31b31a1493328dc6e36c23a78a9073
-
Filesize
1KB
MD50d68ba61317bd7e6027c177af31ad262
SHA1c227d201e0703b292eb244d576395112933e0cd6
SHA25642b8166e931ed6fa5af31bf3a1cee048f3ddf8b89b44f657bb0da831fd9df3d1
SHA512efb288a47a76f84425e748f5b4f32a1cb9e1cb64227fe9144a38ea63dba09e9e357b4a169c497aaa5e7655eecd5416dde451500b6ddb2529eb490f153c65ae9c