remcos | 858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477

Analysis

max time kernel
599s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20250211-es
resource tags

arch:x64arch:x86image:win10v2004-20250211-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
17/02/2025, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe
Size

1.2MB
MD5

d367a5f6ef5348bb19df2feeef4d1d84
SHA1

d9aba2069b24b4874314b9a36fe55b8e7b62d55c
SHA256

858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477
SHA512

92ab4c5aea5c87399b21287f2d0f5580b71696a02fc3534c8fa4fd620fda08820c899507e7581edb711956c85bb4b6304bd91faa20ecd216c1fae09594db534e
SSDEEP

24576:uPAbms9IoHaDWP6sHreukWZZiLT6mEhQuEmMpYTuAD+d:dZIcVhLeWeWhemM+LW

Score

10^/10

remcos seguros bolivar discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

SEGUROS BOLIVAR

donato.con-ip.com:6014

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
datos
mouse_option
false
mutex
udjgfhjdopajdfegvx-OY1HPL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4808 created 3368	4808	Disks.com	56
PID 4808 created 3368	4808	Disks.com	56

Downloads MZ/PE file 1 IoCs

flow	pid	Process
49	3960	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation	858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraWave.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraWave.url	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
4808	Disks.com
4784	NeuraWave.com
4160	NeuraWave.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
8	tasklist.exe
5068	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\NeKiss	858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe
File opened for modification	C:\Windows\JadeLine	858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe
File opened for modification	C:\Windows\EnteringRolls	858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe
File opened for modification	C:\Windows\FloppyThreads	858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Disks.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NeuraWave.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NeuraWave.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
216	MicrosoftEdgeUpdate.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4808	Disks.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	tasklist.exe
Token: SeDebugPrivilege	5068	tasklist.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4808	Disks.com
4808	Disks.com
4808	Disks.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4808	Disks.com
4808	Disks.com
4808	Disks.com
4784	NeuraWave.com
4784	NeuraWave.com
4784	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com
4160	NeuraWave.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	Disks.com

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4976	4760	858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe	89
PID 4760 wrote to memory of 4976	4760	858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe	89
PID 4760 wrote to memory of 4976	4760	858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe	89
PID 4976 wrote to memory of 8	4976	cmd.exe	91
PID 4976 wrote to memory of 8	4976	cmd.exe	91
PID 4976 wrote to memory of 8	4976	cmd.exe	91
PID 4976 wrote to memory of 1528	4976	cmd.exe	92
PID 4976 wrote to memory of 1528	4976	cmd.exe	92
PID 4976 wrote to memory of 1528	4976	cmd.exe	92
PID 4976 wrote to memory of 5068	4976	cmd.exe	94
PID 4976 wrote to memory of 5068	4976	cmd.exe	94
PID 4976 wrote to memory of 5068	4976	cmd.exe	94
PID 4976 wrote to memory of 560	4976	cmd.exe	95
PID 4976 wrote to memory of 560	4976	cmd.exe	95
PID 4976 wrote to memory of 560	4976	cmd.exe	95
PID 4976 wrote to memory of 2780	4976	cmd.exe	96
PID 4976 wrote to memory of 2780	4976	cmd.exe	96
PID 4976 wrote to memory of 2780	4976	cmd.exe	96
PID 4976 wrote to memory of 1640	4976	cmd.exe	97
PID 4976 wrote to memory of 1640	4976	cmd.exe	97
PID 4976 wrote to memory of 1640	4976	cmd.exe	97
PID 4976 wrote to memory of 1992	4976	cmd.exe	98
PID 4976 wrote to memory of 1992	4976	cmd.exe	98
PID 4976 wrote to memory of 1992	4976	cmd.exe	98
PID 4976 wrote to memory of 3980	4976	cmd.exe	99
PID 4976 wrote to memory of 3980	4976	cmd.exe	99
PID 4976 wrote to memory of 3980	4976	cmd.exe	99
PID 4976 wrote to memory of 1220	4976	cmd.exe	100
PID 4976 wrote to memory of 1220	4976	cmd.exe	100
PID 4976 wrote to memory of 1220	4976	cmd.exe	100
PID 4976 wrote to memory of 4808	4976	cmd.exe	101
PID 4976 wrote to memory of 4808	4976	cmd.exe	101
PID 4976 wrote to memory of 4808	4976	cmd.exe	101
PID 4976 wrote to memory of 4472	4976	cmd.exe	102
PID 4976 wrote to memory of 4472	4976	cmd.exe	102
PID 4976 wrote to memory of 4472	4976	cmd.exe	102
PID 4808 wrote to memory of 3520	4808	Disks.com	103
PID 4808 wrote to memory of 3520	4808	Disks.com	103
PID 4808 wrote to memory of 3520	4808	Disks.com	103
PID 4808 wrote to memory of 2516	4808	Disks.com	105
PID 4808 wrote to memory of 2516	4808	Disks.com	105
PID 4808 wrote to memory of 2516	4808	Disks.com	105
PID 3520 wrote to memory of 4776	3520	cmd.exe	107
PID 3520 wrote to memory of 4776	3520	cmd.exe	107
PID 3520 wrote to memory of 4776	3520	cmd.exe	107
PID 4360 wrote to memory of 4784	4360	wscript.EXE	118
PID 4360 wrote to memory of 4784	4360	wscript.EXE	118
PID 4360 wrote to memory of 4784	4360	wscript.EXE	118
PID 4484 wrote to memory of 4160	4484	wscript.EXE	126
PID 4484 wrote to memory of 4160	4484	wscript.EXE	126
PID 4484 wrote to memory of 4160	4484	wscript.EXE	126

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe
  "C:\Users\Admin\AppData\Local\Temp\858447546cf36dd527c1681dbfd411896799bb4970fe3f8db40c366599880477.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Manufacturers Manufacturers.cmd & Manufacturers.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:8
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1528
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5068
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 584780
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Mississippi
      4⤵
      System Location Discovery: System Language Discovery
      PID:1640
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "K" Experiment
      4⤵
      System Location Discovery: System Language Discovery
      PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 584780\Disks.com + Discussions + Enquiries + Deleted + Remember + Manufacturing + Intl + Overcome + Featuring + Oldest + Uniform + Usage 584780\Disks.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:3980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Provider + ..\Pocket + ..\Render + ..\Florida + ..\Linked + ..\Product + ..\Weather + ..\Wb + ..\Frontier k
      4⤵
      System Location Discovery: System Language Discovery
      PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\584780\Disks.com
      Disks.com k
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4808
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Transmitted" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraTech Dynamics\NeuraWave.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Transmitted" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraTech Dynamics\NeuraWave.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4776
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraWave.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraTech Dynamics\NeuraWave.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraWave.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2516

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Nzc2RDY0NkItNzI4Ni00RDBCLTlENDQtOTBERDIyNDJBRTBBfSIgdXNlcmlkPSJ7ODJFQjU0RDktRTVGNC00QTk3LThGNTYtMkE0MEFEMjQwQkZDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Rjg2RjNFNjAtNjA3My00NDJCLTlGMTItRDkxNUI2NTNGM0NBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NzE5NjUzNTkzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:216

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\NeuraTech Dynamics\NeuraWave.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\NeuraTech Dynamics\NeuraWave.com
  "C:\Users\Admin\AppData\Local\NeuraTech Dynamics\NeuraWave.com" "C:\Users\Admin\AppData\Local\NeuraTech Dynamics\x"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4784

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\NeuraTech Dynamics\NeuraWave.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\NeuraTech Dynamics\NeuraWave.com
  "C:\Users\Admin\AppData\Local\NeuraTech Dynamics\NeuraWave.com" "C:\Users\Admin\AppData\Local\NeuraTech Dynamics\x"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\datos\logs.dat

Filesize
184B

MD5
f93a1d0c00118e1936f6a96a582f1749

SHA1
bb6e364b4665df24096c670e7c01238a1e961917

SHA256
bf322f2a4edb0b2594170161a8ef9fe4bf863a8611ad3be70a69aed534eb6b3a

SHA512
e4e6b0390bc025b6a0ff2d4448ccc11cc83341f4f3ebc25356ad50f5b1e5da052c8fa47e1870e3f7d00d8e57c513660fe2b2caf8a56710d79c1f32e7610d62e1

Download Submit
C:\Users\Admin\AppData\Local\NeuraTech Dynamics\NeuraWave.js

Filesize
177B

MD5
aab5d9c7a2cbd984a0ef9465823f087d

SHA1
61b0db61587201a8daa527185e44903289d86466

SHA256
c6cd73a648b9d0df8f63ad1b715eb51da377e081bc19c24b5c32a38754a423e2

SHA512
e0ac095720ffdde22766dc94a7800cf3eb6f8e8958d73b67eaf8eedd5084f88c6d12b650855d9361830953110c57ce78eb97222ba36fe736984679474ba5377f

Download Submit
C:\Users\Admin\AppData\Local\Temp\584780\Disks.com

Filesize
414B

MD5
9e2d55a05952ce01af29a5cf98da9e16

SHA1
0339a0d7a446f108a26477e8459147ef26ef0d2d

SHA256
dea9d3ed5547ed7cb5a778b1f7458bf85e62548e493a30a9954fc281c48e3af8

SHA512
2362eed7eed7d8d3a88403a0f79118afa23882c0484bee39f4a0393cd43fc4b6427cf3f464f47d52a66b288bde8f8089321c88b266cff1a91480336067abe901

Download Submit
C:\Users\Admin\AppData\Local\Temp\584780\Disks.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\584780\k

Filesize
679KB

MD5
e9cc92b88b5ecba54c2927edc42745ac

SHA1
4678f46d251c2bf1e46ca897fec97d4a1d52e4e0

SHA256
baf38f16f25ec779972f5132cba564e7f48dffc16152b4c04531c6860de606c4

SHA512
61a4068162bcb9986492032af1990614a3fc69f8d8f0cd5e22359225bb5621f94ab792b4132af6cf873fa06b0ebe21b9d8bdded7cf1b3ddf8b8d68d7430f7ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deleted

Filesize
73KB

MD5
55963eed6aa89006f31bea846eb2b1c2

SHA1
f2f5c5578dffc9d34656be9107f1cddd9c4f7372

SHA256
845520e7ea3bfec84c5d07a80f7a025a64e20882280829b14231101ffc0f283e

SHA512
a6f651fa51d4509f3e2e4dcefbdab7f5bc63ea18cbeadbc4e34cd98e92ec09bee53428f63edadca3d96b551834b17535690df86c729d1935ba4d73bec7677490

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discussions

Filesize
94KB

MD5
a2808e959eb9acecbacc7468ed3a8109

SHA1
2153a1977d41347c84f58b2d3f980af720da18b4

SHA256
d952c5f31d76a9185345c673f966c7acd9d822c996cf051ab8894eaefa1f4a18

SHA512
3956aa03a788e1f1f4abb32b273c1fde24d43b640091ccc99172cb1f719d739484aa91966db2e853d453c056eb3144435898be8a675b3db95dc301a1e0835705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enquiries

Filesize
149KB

MD5
d7ac45f79a02022d8ff027bbf5552652

SHA1
389eda30122881684dcb30a5bfca962fe12a7aff

SHA256
8dfab6464d26c1b1c42d6c7105f67eb7609a6511fc22bbe89814b9bbcad3a706

SHA512
c85f5222211fee1dd38fec4e488bf82b2d52db988d49759e99807b7d9ac90dd186c1e814f712c309b5cb5c0fcccefca6717251f005e99c76985b0a2858e047b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Experiment

Filesize
415B

MD5
ba66183a18b97d0a57bab05b7694f041

SHA1
7381b69a772894cdd81af61d81d440c780e5fffc

SHA256
c1d6287a5b5b1c84696f02b7e9bad335d1ab0c3fc31cbf7efbd7d36b5e45fc82

SHA512
8cf57b3298d3f957f81ea7c565a5e49aefef047d95e63858353bc2fa0cc04e74c0ffbbcc684f00c939bf3a6258c6cba61500508d171802638fed84ec71b5a8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Featuring

Filesize
94KB

MD5
e9fb7a0fb0b1a2d574e87e20b9bbcde8

SHA1
51a6bfa970da55d9ec4f1c139cfd9d6dba0943a9

SHA256
34ba1bbc87bcaaa6e7d54565eb5444ca83ac58153923b1f3593f492772e1ba55

SHA512
da8b9b7af82fc80d9eb1a0ce117e601589e137796b2df82232443d8801be5ef543d3ea65506b452548512e78375d5cbb59ce0dfbd6460f574c61600ba32d09ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Florida

Filesize
73KB

MD5
21297c83fe4783f3efdb7fa076137a8d

SHA1
2b2b043fd6633369bf32d8e365d0b61ccaa771aa

SHA256
e5daeffac82f90a1831ff17e84fd7a64c633fef53616798246970c40dddcb6fc

SHA512
d8174a4c0d390582b88b822e3a832c713281ca3ad7a99aa08133b3fd176c9c0c852687ef90051bc535cf1ef8b8d5de396ac31208b28f7e8e01196f7d61b1deb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Frontier

Filesize
59KB

MD5
74e92c20dff35ce3ad9f3f3f9bcb0a4b

SHA1
fa4d8b5aeaa115115b1f75be0901b89dc2d57b0d

SHA256
89f2daab94ba430f5b79717b53c0b2a3029ef3723da9469b33c61c23dcb45d48

SHA512
6ed788d56a7abac4bac9ea9400c6e65ee70e363384bfbaa245910526adc656c192f9429be9825173fe1f297394073037b19fc7e99158877c9de108179c7c7ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intl

Filesize
52KB

MD5
504dd2df5abea18826a6e058aed62118

SHA1
233ab442bf5c5068e73c925b81bc9d692dd337b7

SHA256
f1b7b331b6c52a1b6fd979dfe204441becc49f2e638dde691067b3107ba08f8e

SHA512
7662f87780028d0f03f409af157c5c1e2f7f3ca865ec7d2c20d60d42ba1993ac2db3f403fe31c8300a82efceead95997fcbe14ffdc69df8dd6327fa36dfb8b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Linked

Filesize
60KB

MD5
ee3d01663f1ed17c6b3a494047664b86

SHA1
f06d865e5abe72d85929e8567e2558264cc3264b

SHA256
31366a07ae32b800b87b18176fa9ba4af067d10bece4c1bc3c2a89b669ff1cae

SHA512
b9336c92d97c89f4d27663b16ce8a1d8543d57b70c230cf89dc0f77ba30f5f0e08b0f540b964c9a7ee29dc64407ad9f463c4a3c40fa794c5b95c9ddd8846e74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Manufacturers

Filesize
19KB

MD5
aee25ef2c96f79828056d92c2fb70a4a

SHA1
bffe310671ef06976f22e4088fe50760e2284260

SHA256
15577ec892312987feb13d44627908804c02855e9b446b3f36fab4eef5205beb

SHA512
08e257b6214ae3a656308319b6f5fe6b64f64dc3b310df76417e99aa0792e9f37ca0d523e1119d366341901ca6497bcba00cbe6c04e1e18b556ae1f6c95557f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Manufacturing

Filesize
58KB

MD5
0be89e934d7feebf292af1c16597c278

SHA1
c171c4323ffceaabcd7a9fc401fae0591c631c94

SHA256
331c71920d24bc187fce51247eb6f8174f6e5faa14a854c3bef46b97f168418e

SHA512
aa175a4e6d583ee45e10352d62c7ec6fc670c50a289b42259692851163f76f68733b6266e1aa38f948cfa1d1c9e258c615dcafddafa3fe09253ad9eaeefc53b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mississippi

Filesize
477KB

MD5
c600ce9dcd74ca41c3673be66ca90771

SHA1
3ba58ae3ff782ff2c80e2ceaa57b4e9c3f3f6bc2

SHA256
ca03981daedce1422bee6155cc4ea3b51cae4381d2606f99ed1a9d4786bf16ae

SHA512
cf49055c288cb6d92d48a4b875e9baeb00dccc45d6e6f24b9d92ed8ce5992112021b5ba24bf45f1f0d387597a2d975e5cfd1237d8914e68ef1e13b35d0dbddf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oldest

Filesize
53KB

MD5
d9e179a5ce9d163854137d486a576738

SHA1
8e2c628e1f72b0eaed50bde9e0f26016be254281

SHA256
335ff084e8ba622d6634113dc0816d8cc566d72c5ef60a9d4b84784c47d58c72

SHA512
dea7df43e3c32f45ba3a9357dfe0eb2bbc49e06b27168d56dec7f0a677346d1106b2ad071dfda7af89c5d40d8aec2602268fea18973e704a75825a522c237c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Overcome

Filesize
92KB

MD5
5324daa3a0963e1935018ee4a53d51a5

SHA1
51ce30d14549826404d188b11552b5f81c19de15

SHA256
d32ae362e5a29eb81fde1d29f7774606c516e92d1cc2aa76b56cf9a9f3d46cc3

SHA512
3f61e885bff8777d7eddb1e8080e6dc56299c6c67e470d37a12d75577c06f9aa0529adb829d44f1d0743e2c4deb6b5e2e3d970d63a7bd0d2f142a90bb292a7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pocket

Filesize
69KB

MD5
5f6d17947d771bed766e2288c3256c18

SHA1
95fbebdc95eb4e5013051972876f4c065caa777e

SHA256
9422cb6d35c7381d91e18c9c74501a105679918eb986017c3637537bb5376b93

SHA512
112ba06754ebd1cee4cb2e5e0a5d4fecd6ba82b42c210faa825a838e0dc474a842e0b6fa5fa656b66f84964ae637f14ca1998a73fc2bfd391af3c0b9247300bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Product

Filesize
78KB

MD5
0da1a18dd71b1139ec621023b17a2a3f

SHA1
74a37d021fed1b2f98cb09006e80d5c428044e89

SHA256
2daef9f99032efe74a99bc57c6688764c39b18b63b310efb10a550f5e4599eb0

SHA512
6694aad598d37597d4886536cc031d1f40255f4baf1d11ebfcf7e6d2ba4cefc0f681bf202cf5787def66c08ba7bba138f3a22203a64df569f720c39e5afddb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Provider

Filesize
87KB

MD5
6ca39227000b2fcb36ea7d1d9a2712d9

SHA1
edd28dc7c5ca501c49c2d0953330bfe6a9cea00a

SHA256
3fcc643732ed40f5733ad9bd5ea711153cba169dde9cff27a72684628d894c8d

SHA512
6b125d7a39a22c733c2593e2e5a0c2c4db2e4d41286b8b04a6d036daa0a1d1b36d01a6b383766f9ce06c9120e3181c2cbef5b5ab00c400775f2cf7f9fee558c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remember

Filesize
66KB

MD5
9f38ff6eeceb043ef63f5689dec5e73e

SHA1
f7f001daef2ace123844591b6a369823eed345ff

SHA256
a88dabf1d25d732e5988aaa3ededb6781503a6095324f19c088f765866ff23f1

SHA512
1aa7c1714de73fc0762da4e0a555d16ac78741e0fe37824148afaa49c1cfbb3cdcafae0c4b210832b1893c67b2a408a9589476491679235bf2e52ead98923608

Download Submit
C:\Users\Admin\AppData\Local\Temp\Render

Filesize
84KB

MD5
60507d02e5b86a895e59ae674e8e53a3

SHA1
bf9fb51e9abd0dba542feae44c87ead3e63d0dcc

SHA256
e8e4ff998d7eede430fe45abae367e7c043cd08f126f4083c585d8ec978ace18

SHA512
a86bb5a05bafca85f86de4acec4f700364836c3f6720354be9b6c74dd0c42cb31b778f042a48bc8d3ca45e0144be41b0c51d9d2a85f12a7fc9f4a238b5585cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uniform

Filesize
106KB

MD5
4e228384d36809b1dcac5862ee03eb7e

SHA1
9aca068d3bf1f264aaed80575ceecec169c29deb

SHA256
64eeabaea260469b152e1d2a9984e5a85b500cae61829a39f442f1b432f8d585

SHA512
be91ab8cedc4c4512cbc788b471c0918b9f28225df6cade5ce181f6f921e3b76f8fda4575d03f24eaffed0699581303c40cacc01286cd31e0946a06e21a11492

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usage

Filesize
87KB

MD5
ad0953013543c3bf5d45070de6ef0d0b

SHA1
db1df9093629341f44834fe617501fa176253893

SHA256
460c925e58d6c96d55d64e256def12e03b4456969d5b8a6160ce7c352756c829

SHA512
6c0c0e43fd7a2be658ebbf187f703b3ed47894cebf8fa9c3305cd7082c8ae23973bf3b4bbdfa285725a5eebb5733e52121bd15b38bea42216f9e3994be46bdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wb

Filesize
84KB

MD5
9b2cd152e5fab8097c2ff883b7850c2e

SHA1
f44f37e788f6a4d82e15c5471cb16d30fd6c2bc5

SHA256
a0015a0b9549fb95dcf7fc546d6c53187503c8a307f7d85ccf94f028a24a3951

SHA512
3f79f69b4454abbc621d3c61809ab9f3aee5fb933bea73806ef433b07303f57b14599b2d535733f11a8bebc1f291e3fa263354080a30ba0133d5b134946ca801

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weather

Filesize
85KB

MD5
394b753a29fdac29cd2828037d3c5f62

SHA1
451ba67fa76245fbaeff50dfbfc00098c63f42b3

SHA256
3469763a6beef64962760f23faf467f68592f59100105c90e364fb85dcfd743f

SHA512
34791c6a4b82e1b2cd058daea3a31a1e3e8479d1fb03db465b0854c753fed7f4fe35a79572036a918db60c8d2c7cf06db06439013efff4ef0b8dcc63ce33ea41

Download Submit
memory/4808-540-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-588-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-501-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-503-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-507-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-504-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-508-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-514-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-515-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-499-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-521-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-522-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-527-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-528-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-533-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-535-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-500-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-541-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-546-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-547-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-552-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-554-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-559-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-560-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-565-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-566-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-572-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-573-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-498-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-582-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-583-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-502-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-590-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-595-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-596-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-601-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-603-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-608-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-609-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-614-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-616-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-621-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-622-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-627-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-628-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-634-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-635-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-640-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-641-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-646-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-648-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-653-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-654-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-659-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-660-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-668-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-669-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-674-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-675-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-680-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download
memory/4808-682-0x0000000004700000-0x0000000004780000-memory.dmp

Filesize
512KB

Download