remcos | 04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Size

988KB
MD5

b2618fbb2e344dbdc7d4b33947d71531
SHA1

a56c4724edef9a8fef490520ecaeb30c8356e314
SHA256

04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452
SHA512

1ca8727770d6458785c1206e81fa6f69675afb521944a9206197bcc9737a81afea2a462bf93bbfbe836b841038e01c354fd9d2abdd902f13187a970a4ede6b57
SSDEEP

24576:X2leFeHHdWGhuvZJY9JuynjHOMt33ylD9ESMAwL1zGUxj:GsFsHthuvZJunjHOY32nMAwxL

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.3.64.152:2559

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZFXG9Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2580	powershell.exe
2592	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2096 set thread context of 2884	2096	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e9b7a62e47db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D0A6ED21-B321-11EF-A5D8-F2DF7204BD4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007be11abeb9293c41992044a9a83b9c28000000000200000000001066000000010000200000007d73f487f540970ae08fc6dc3637e60decc11562423987eb7bf96cecae3edc58000000000e800000000200002000000086efcfabc9376dc113317f5b524d8da5239b257389da515231584566b3933b0720000000aaf6f913b814b912e3e8635acba5ad760675541847a83aa11c7388745aff23b840000000cf0b9a454ac4c9dc5dff0d59b77bffb07cdcb000c492b865ef784bd5a09bb580b7fb48750f40b0eb773f74b632d85ec25a2dd205320b811d2f5e131e3224a2b0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439576197"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007be11abeb9293c41992044a9a83b9c2800000000020000000000106600000001000020000000c1291b1997cb4f61a795f41cd58f7e283ffbb1942ea4120fce0d634f5d4f6133000000000e8000000002000020000000b01bc85a5b78de0c98e1d753fa3ffc0fa5477af7b7063904d3b9021a2c4482e390000000961afb3a9191559e72e4bb97307059c848a149bc1ec10d28f39eab3648cd5b81feb36a1ef57a527a4c401f10c97226448e5494753003b46694c492e855cf18f9369bb3c58aeefa62635b8e6287c246f07e57bbdda9ef64854a1d30b1b3db5de4d0b806f9a5f306fe1124f051a197392aced493c3b1ff6232a3fa0f988ed5b97a7073d09e8e934104ac29c81f4093a9b140000000ebfec4a6dd2404f5c6c112422039194d3c6f61086de1bbe0f429e2551f3a0922197b7308f76129d2caaae1b34e7275f6580fb342d8edf7d60f4d4f670e4c06bf	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2096	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2580	powershell.exe
2592	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2096	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1880	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1880	iexplore.exe
1880	iexplore.exe
956	IEXPLORE.EXE
956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2580	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	29
PID 2984 wrote to memory of 2580	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	29
PID 2984 wrote to memory of 2580	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	29
PID 2984 wrote to memory of 2580	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	29
PID 2984 wrote to memory of 2592	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 2984 wrote to memory of 2592	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 2984 wrote to memory of 2592	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 2984 wrote to memory of 2592	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 2984 wrote to memory of 2556	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	32
PID 2984 wrote to memory of 2556	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	32
PID 2984 wrote to memory of 2556	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	32
PID 2984 wrote to memory of 2556	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	32
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2984 wrote to memory of 2096	2984	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	35
PID 2096 wrote to memory of 2884	2096	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	36
PID 2096 wrote to memory of 2884	2096	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	36
PID 2096 wrote to memory of 2884	2096	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	36
PID 2096 wrote to memory of 2884	2096	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	36
PID 2096 wrote to memory of 2884	2096	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	36
PID 2884 wrote to memory of 1880	2884	iexplore.exe	37
PID 2884 wrote to memory of 1880	2884	iexplore.exe	37
PID 2884 wrote to memory of 1880	2884	iexplore.exe	37
PID 2884 wrote to memory of 1880	2884	iexplore.exe	37
PID 1880 wrote to memory of 956	1880	iexplore.exe	38
PID 1880 wrote to memory of 956	1880	iexplore.exe	38
PID 1880 wrote to memory of 956	1880	iexplore.exe	38
PID 1880 wrote to memory of 956	1880	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
"C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DGlxtFUfY.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8018.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
  "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2096
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
13f9600427cb325762a951e224b7cc82

SHA1
6d69c795b1af118c70bcbb51e416a63b3ba5959f

SHA256
c9a5778adae122f9520760a727f7c849f92d3b42336b24a540232f277d8c537f

SHA512
4aa0dab76c873de993badd86696f6452666ee0151c6d5c3d2ab342a6010926f45e969a3cc85139f8fe6b5df15cbe495dc9b4d8981c01a4a06cdb9f5ee021a24b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d50d809c5f70a953ecd68f3a788cfeed

SHA1
ad473537d539ad299d717e95ab9535a4aadf806a

SHA256
ecef42f89e7af3ea1008c370a1ad8c92711bf3d38bffd121288e64db369efa8f

SHA512
68f033b7cf06660c76cb8ea04d88b3d01474e6b7a13edb2ee486a74d272cf21692729a0d451b8aacd4dc13cebe6705404c0ad17c07f10a471cfaaf53f2fc9515

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8898c462139508e3c0bbf6ab91862ea6

SHA1
f4bdb6379a31fb6022903222fc72d92ea9513fb6

SHA256
c2015198e4ed276440422d7fef0acf5f94da459043b566e286309f80d95e09a8

SHA512
ea5281a4ec788fa58672d4d08be77e0e44b01db1d7ef67cd243a16c15c70dd1eddb4bab464022970e03763df459552c19b6c605b86d4b5ff274236648cea0314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e697e35b62cefa73c98fe3964e1f46b

SHA1
70c077e0ea8738a6ebca536a5eee4a59a2f0e5ea

SHA256
c1269e5112ee717e092fe8d577ad95e112eca747d6a1f9824ff2977458a12ec0

SHA512
41b9795d5e90cb1c177738f596b0013c1eda1e48f2a558c8998eb81544efd6533e41a006b40fbf56b562ef53a0fe39b50972551b569ea91fdcca0ee1a84cd8ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f12f1b6e24f4109c3dfed899dd81b631

SHA1
a5007fea27e66fac2f2e9f570018a0e14d2956c6

SHA256
cd4380002a3ee8682173050cf06b37456b5b1ccb8b0f86f70534dd7717028aa8

SHA512
73fae54f46a5f73e6a4d9c0b06db82296e969f9ac9a53bc37d54f92231021088ab65ff78f9ff2ab92ef9a0c145e1b73fb0bad0e3613a12d0229c4af4066052ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dcb65403fc682e22c629c2c3df8b6ab

SHA1
17aa043038bf5cbfd6ddf013ac2012d5a3b9b9b0

SHA256
2fb8d067ea27b5166a56b37b6ca67db9eaf56acee10bd8f7cad94599b392198f

SHA512
66e0650722cf4ab0fff0c1934e7f05ee509bc2ca00ea03121eedebddda7fee9d7895465cddc227f94edcbb4d972aacfefeee8720e893feb4ccb349936c02dc92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5341912f5b40a4c7bce6cf4ae0affd5e

SHA1
7b5dcf5387c0730bbaea6969dc8392d5d478158f

SHA256
884f4d72d01efa731f4b531e55e49eece2556219221c794cbaff03db43c64fb2

SHA512
d3b167abb1c153ab5e7979053860cea107304f1e9d436574957aef03ad73442580a225b982a344b0afa8d8412eab1986d25f801bfebea3cc07a51b1793d27501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7441fe3a393bfcaba4d768cc6d92f998

SHA1
de112825194df5473a2628631f9ba75068a39e17

SHA256
b81f7e8b7a476b5e005d4e6173a54d33eeb3b6f602dccedb11d21bc835e19012

SHA512
c6e73efdd2d9759786afa123addb2a137203dbc5036c60c67f007e747b7f2268bb79ff1b22793b78c5b5b2849f5755b2a22f247f941ca7011d23e00a718262d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1609f2499e99658016d4ac4577435d5a

SHA1
fdc22018e88e2b058d3b8341a93024b319759fa8

SHA256
04a33829221d9a38f9898f53b93534ab5acff1a30910723b25aecd8da3604565

SHA512
b2523deeb2694f5474f3e2991232cb6cc673029d14f21647b31b6759177975a53d3fbae6a231dc28e1ca37dad8e53637dec630a13829986f09329ef0d0d08bbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e184cda406bafe005ff3f76f22294f97

SHA1
6383b48b2d116adfd26738b96d8d0e6b67770e3f

SHA256
e1ba51dfa05fd5c540bdbf24289914a7c4b77068951b03680daeb11d78d7c2d2

SHA512
6ebcabaa5b0ea8611000f193f3642d7dcd5291d075fd1b17154c32bad2c045d3ce7dc8ffe9e7285eed478ab62d3bc115c0e95bdd88a15fc4c2828a7244bc1e7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57d98b0864f208b0c6abd048a3e2e87d

SHA1
bfb355f077f477d80f973053a18ae148340a5cf8

SHA256
5df01ea44cafef9973e86702242f6fa272e6dfe94afb2d664f1c547b959ae3a9

SHA512
b1d05749f8ffa6510d6557a4ce0e0fa5cbeadfaf11bdefcbed3490ea4c74062cf4c5df87a812d55e6b5eb3ba6570bd33545decfba0309a2d2276f4c9b33dc382

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05ef678f05a0f852d5ef13b37fe5edaf

SHA1
2f0b6b31bf3e17e4d383241e88a83f5c1042a6cb

SHA256
20714551bbec71249e5c24f493071eda305d6a09473ee2a511783274bbe40387

SHA512
203b5b02248f6a3b98766de5d416a0913eba4aad2c07e20945387b52ebf2ccef38ec12095dc96f077453522976b04a1e4607cdf671e24149087703a0179c77dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cf10df3d5fced36610d3b19f8d289b3

SHA1
72a9a4f56245d616709bfc201fcd2db1e18ed911

SHA256
e771c407ac1869aeb5665d16ae6c0271fefa03259e397136a54f421752b4a656

SHA512
2ecfa28dea6434504fadc535352d3de95113c51de47bbfa70f7e44bdc402c0e5bb3bba1c347547c81bcb40665f0e7ed8af223968da097a63d701e18f471bc23e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33c1f9af6b5ca70ec7cfc534aa286082

SHA1
5e33f7abb03fcaee7d1c064f938b1b35b12b8c9d

SHA256
37ece09fd585f025dc44f9777cb2ba80e9a9db8fde33b34fbd3ee7a6d4b7eb97

SHA512
697400f9d485db07a77ef13a5edfa30fa2e714b923ebc17b280433905c8d2dabe5803c69571e58f4623b7df2434ac27bdbf87858539808ba3f04cc33c38cc539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa6c8a12d1e7b424ee2ea50ce7fb5da5

SHA1
9537b9a39966e073f63868110363ade47af6b0c4

SHA256
89f040c49e50dccae81c1cbc792abadbba2edecd29f7e21138a8b4354d5cfe4c

SHA512
55287313bdda2c8eb1d7583987b8a43f45b89ac23abdfacd90a00f6e3fe7805f65982041443fe54f9f901a471f0b964137b3536ec31506f40d6ae3d249fbea9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e77dfa36df90297da960e71b7954550

SHA1
9962fbac4f9d674d5ce4370464990f337a8d08a2

SHA256
59817ff44a5fcea737b4444f3b30f09520fe16c1c5257b65ca4612451bae8cd1

SHA512
f2c449539983a1ca9658bff6c07db9c284097bb109b63cef71cd11c9cb4ee94ed7ae4fa5844b724e00fd130d8b713a8dc8e83ef8fdd4b054294ae9264e7c90b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8359804af214f428567d69c4440af213

SHA1
057e13cc1e47b499f43f537febca508bcb93a514

SHA256
f6256cbbf668f9e3b2bd16e9b895082d6968ed5bf7da9d4fe39378971dca610d

SHA512
b468a5530208d47b3fb026e5f519ccf98d8504998903c2b1b49a39c86c99192acc85df696a5b5cb1a965795c9f25526b3615df2d68989c7e2e4cc0b5a275b47d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98a1727ba9bb546de9457da0b36598e0

SHA1
41a962e13bac708fa281488e475d8159c1b67573

SHA256
0d768951e1eb55a2d578ff5e1d1b1df15cb5f9a5ea97f5c79122d8b14e21aca8

SHA512
5bd1e1118d4d37f117ca50841da6e646e38457a56b91ca22024fd43576b810bbe572e95f9e414ba288ce32b43617f76490da0356b02959f8489fc6adba70a96e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0b94eddf6e1998c8bf836804b09de6d

SHA1
84f2969cccc2913722c0d96836fb7af31421d60a

SHA256
b6263937091047eff40eea65e745f4822130770827c6b53d861d73b6871ad0ad

SHA512
b27918c8ac7c9e9e9a3d3108282f29c8935eaa775a7265225581c1644924da798c481d25f6713e193e74e495e9f810cfd8353104780bf3b2c00ef8db67892999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13a51c1bcfc08a8ccc0dd68fa819438a

SHA1
d6d567760fb1d73ba90d2f6b1d5b23d662dde6bb

SHA256
190ae24e067f90e3782539d3bdec5c3ddd867eda59828c82a5ee46ab5b231a86

SHA512
571efe6eb7a9e0603145a1f30d39f5365dfe10f5e134f17444057f5cf32fb500516ec0542ced2da2bca0cba32af810e47d76db6eaaf88111a063252c936866ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7c459525512ac4f873880c85c39867e

SHA1
017f7bffc67fcad8ed8a7a0aac3a5b0b7e85edf4

SHA256
2f550d38cb32913e9f4fa3075f9cf484e3c28895774c6f828213764a96ac4aa6

SHA512
71a7e227c54466268fd13410945c66a42673fb67ef00813e2d15dfe720f9e3a043434c2f9de1b1da7223177ad3cebaba980f991726bde55f7ae9c8d85269dbcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f710b963a848bdf6b907b91b64a32a2

SHA1
93ecb823657d3a48108f30d501f9e58b36f638b1

SHA256
26106561823e99645dd18d8954f6ac28e93ed89a538b44ce533ea6903ef44c1e

SHA512
eb49b3ea3a08c0385ee67b317590e246f21a7b5c165f08ab187b5fe617c236b653524e66260f8f61918feab6a283d467872813e13cffc2b59b83a01719a6e0ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6af9c32c81864cf7f0af37b06164f96

SHA1
8a07f9f9540c4cf79f5eb9d75473f6e5d16cacf9

SHA256
59794b445d552267e8f587b931904d5f7d5e55ac1bb6294a0741695248f7f137

SHA512
d09a6d986b8e691083fdc4f3e2cd081be1c20101a16d0223e7dbb031e9b1360f6e563ddc70941ae90b07b31063eedbc76b8de7b79f702f0c4e2fec334a7916f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53c7201df41b41d6f8022d77284d39f7

SHA1
6cc18adbdb57df90660c71285ab066b404f693c8

SHA256
9056f2997f1ca580eaf20121d819486d03a3b40b65acd5578beb1b68bb7f27da

SHA512
878216a4f4ab023f1959ffdf7ef80775827c4c5332d966c29a3805c74e756402cd35560d433ac063de5be7fddf7369c2779acadf88f03bd53e32b5f512f6e92b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c50a5b8389d1024b0760d96711f42ef2

SHA1
7ae74a2425c0ca6885628bbe1363ffdc189017b8

SHA256
cf0b5195f8e4da97102b6f31eb3c941fdd927f8c84eaee569be3c845765ba2eb

SHA512
f13991d3e7c822b352e5597cb31e97f221826d7b67692e601e553472392e4fe2d34eae37a945e0df776ee79f6177df1563c03e1e09a98e3248b9c605e78388b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6fe3178a44e3b80999b7fd0ba5e643f

SHA1
2c950331313e4f2619560db16a90b2d6d71e5701

SHA256
7299fc9597caa2e05291ef3af6b51cf082d9c224c30b7edc1f182042b7245552

SHA512
ef1f026e8a21b4bb2e357debb74a686e33104aaa7945e4bb43da83528756c289a5410331a10d7f48cede82d2a97dec263f78a9b290ce69c974251ca7e56369d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab99D0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9A51.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8018.tmp

Filesize
1KB

MD5
88a736f3b56dd12f67cf4731c306fc3c

SHA1
0ad267012ca1a3869a6b82a04ef3fc6abb83aba7

SHA256
1d6c249662fbd8cfba785a9e9df797ee105823f055c5e96e62f8fcd5987df786

SHA512
3def0683fe11564100deefcd6148721831c56107e5c247eae8effd14fbbc0273127c562e5b15787634a4545b11ab239f66e6a7ca976e0784a1faa136e29614dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YUBEERVJVIE5PLQ8Z269.temp

Filesize
7KB

MD5
f81cc8c7cef3e36ffbbe3409fd21a6a2

SHA1
615d720caf32750d5309468c107b9fdc17971cd7

SHA256
7fa3f5c4b3967d5d3e18e96290394cb9a64851e8aa8aadaceb3bbcd7ae1bcb9e

SHA512
25c60847fa87136a5e8c488252e7eb048f5c1ec676b09051d33bd7f1c00f32c5842d2c844f6110619d28b5b0156f366f3a752eef0a96a1c0d09b7cfc5e59a062

Download Submit
memory/2096-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2096-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2096-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2096-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2096-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2096-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2096-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2096-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2096-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2096-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2096-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2884-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-39-0x0000000000250000-0x000000000034E000-memory.dmp

Filesize
1016KB

Download
memory/2884-41-0x0000000000250000-0x000000000034E000-memory.dmp

Filesize
1016KB

Download
memory/2884-40-0x0000000000250000-0x000000000034E000-memory.dmp

Filesize
1016KB

Download
memory/2984-42-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-2-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-6-0x0000000005230000-0x00000000052F4000-memory.dmp

Filesize
784KB

Download
memory/2984-5-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-4-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2984-3-0x0000000000860000-0x0000000000878000-memory.dmp

Filesize
96KB

Download
memory/2984-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2984-1-0x0000000000BD0000-0x0000000000CCE000-memory.dmp

Filesize
1016KB

Download