Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-10-2024 20:29
General
-
Target
3a8b254e5d72bd8465898f3f7d3af731c103ad07b064a78f80b6f042213c66bd.exe
-
Size
559KB
-
MD5
1b2cbeac6edcd04ca160e8f73275d58e
-
SHA1
4eb5c4db67655932f0d904dc037b44b0d486158c
-
SHA256
3a8b254e5d72bd8465898f3f7d3af731c103ad07b064a78f80b6f042213c66bd
-
SHA512
6dba4d2c3781b16faecbeadcce20b3fd6245d89a3fd587521e71d228698a098622d7f9cbff1298aa20fb3a4007d8d61d8bb49e8990441add56782ccb35718fc6
-
SSDEEP
12288:oXXR47mwO8E0dAjNWiyfp0/mms22qBTO7hIB+J2W+ei:KXR47NTEWANRZsHgC7Y+AWm
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
RemoteHost
C2
kezdns.pro:2404
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-INFRLN
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Loads dropped DLL 64 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a8b254e5d72bd8465898f3f7d3af731c103ad07b064a78f80b6f042213c66bd.exe"C:\Users\Admin\AppData\Local\Temp\3a8b254e5d72bd8465898f3f7d3af731c103ad07b064a78f80b6f042213c66bd.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "250^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "244^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "227^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "255^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "244^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "253^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "130^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "131^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "139^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "139^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "242^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "212^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "208^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "197^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "212^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "247^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "221^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "212^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "240^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "153^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "220^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "133^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "201^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "137^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "193^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "133^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "201^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "137^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "152^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "159^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "132^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "141^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "250^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "244^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "227^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "255^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "244^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "253^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "130^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "131^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "139^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "139^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "231^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "197^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "196^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "208^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "221^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "240^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "221^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "221^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "222^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "210^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "153^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "133^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "130^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "134^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "133^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "131^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "134^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "131^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "201^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "130^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "201^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "133^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "152^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "193^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "159^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "128^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "141^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "250^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "244^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "227^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "255^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "244^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "253^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "130^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "131^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "139^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "139^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "226^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "212^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "197^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "247^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "221^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "212^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "225^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "222^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "223^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "197^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "212^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "153^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "132^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "135^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "134^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "134^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "152^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "159^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "130^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "141^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "250^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "244^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "227^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "255^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "244^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "253^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "130^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "131^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "139^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "139^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "227^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "212^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "208^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "213^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "247^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "221^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "212^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "153^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "132^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "128^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "133^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "130^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "134^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "133^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "131^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "134^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "131^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "155^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "152^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "159^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "130^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "141^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "196^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "194^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "212^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "130^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "131^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "139^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "139^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "242^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "208^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "221^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "221^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "230^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "223^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "213^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "222^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "198^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "225^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "222^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "210^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "240^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "153^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "195^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "128^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "157^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "216^177"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "145^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "129^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "152^177"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c set /a "141^177"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3a8b254e5d72bd8465898f3f7d3af731c103ad07b064a78f80b6f042213c66bd.exe"C:\Users\Admin\AppData\Local\Temp\3a8b254e5d72bd8465898f3f7d3af731c103ad07b064a78f80b6f042213c66bd.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
6KB
MD56c881f00ba860b17821d8813aa34dbc6
SHA10e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13
SHA256bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87
SHA512c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6
-
Filesize
4KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB