Malware analysis /uploads/0e1ed8/in.vbs Malicious activity

Add for printing

download:	/uploads/0e1ed8/in.vbs
Full analysis:	https://app.any.run/tasks/7aae7b0f-f8fe-4185-b5cb-3d8e56dfdd87
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 16, 2024, 16:35:34
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	rat remcos remote stealer
Indicators:
MIME:	text/plain
File info:	Unicode text, UTF-8 text, with CRLF line terminators
MD5:	DD54225B541568A683EDEDE7CB988628
SHA1:	430C08997DE6E0843FED90AAD4DFE1257722B6B9
SHA256:	25E2FF66FBFC1D850D167CBE6EAE7E3AFCB3A576AB631026F6A5B79707478C5F
SSDEEP:	24576:+RRURRn5tlxuSylBNxaR0G3wRRqRR1RRORRVRRXRRRjjjTRRjRRmRRzRRXRRoRRz:IjjjX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Gets %appdata% folder path (SCRIPT)
  - wscript.exe (PID: 1592)
- Creates a new folder (SCRIPT)
  - wscript.exe (PID: 1592)
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 1592)
- Opens a text file (SCRIPT)
  - wscript.exe (PID: 1592)
- Opens an HTTP connection (SCRIPT)
  - wscript.exe (PID: 1592)
- Creates internet connection object (SCRIPT)
  - wscript.exe (PID: 1592)
- Deletes a file (SCRIPT)
  - wscript.exe (PID: 1592)
  - wscript.exe (PID: 3756)
- Sends HTTP request (SCRIPT)
  - wscript.exe (PID: 1592)
- Create files in the Startup directory
  - wscript.exe (PID: 1592)
- Gets a file object corresponding to the file in a specified path (SCRIPT)
  - wscript.exe (PID: 1592)
- Accesses environment variables (SCRIPT)
  - wscript.exe (PID: 1592)
- Unusual connection from system programs
  - wscript.exe (PID: 1592)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 4092)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 1264)
- REMCOS has been detected
  - RegSvcs.exe (PID: 3472)
  - RegSvcs.exe (PID: 2740)
  - RegSvcs.exe (PID: 2740)
- Drops the executable file immediately after the start
  - powershell.exe (PID: 4092)
- Actions looks like stealing of personal data
  - RegSvcs.exe (PID: 3024)
  - RegSvcs.exe (PID: 2824)
  - RegSvcs.exe (PID: 2740)
  - RegSvcs.exe (PID: 1932)
- Steals credentials from Web Browsers
  - RegSvcs.exe (PID: 1932)
- Uses NirSoft utilities to collect credentials
  - RegSvcs.exe (PID: 1932)
  - RegSvcs.exe (PID: 3024)
- REMCOS has been detected (YARA)
  - RegSvcs.exe (PID: 2740)
- Steals credentials
  - RegSvcs.exe (PID: 1932)
  - RegSvcs.exe (PID: 3024)
SUSPICIOUS
- Accesses current user name via WMI (SCRIPT)
  - wscript.exe (PID: 1592)
- Uses WMI to retrieve WMI-managed resources (SCRIPT)
  - wscript.exe (PID: 1592)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - wscript.exe (PID: 1592)
  - wscript.exe (PID: 3756)
- Executes WMI query (SCRIPT)
  - wscript.exe (PID: 1592)
- Checks whether a specific file exists (SCRIPT)
  - wscript.exe (PID: 1592)
  - wscript.exe (PID: 3756)
- Reads the Internet Settings
  - wscript.exe (PID: 1592)
  - RegSvcs.exe (PID: 2740)
- Adds/modifies Windows certificates
  - wscript.exe (PID: 1592)
- Writes binary data to a Stream object (SCRIPT)
  - wscript.exe (PID: 1592)
- Executing commands from ".cmd" file
  - wscript.exe (PID: 1592)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 1592)
- The process executes Powershell scripts
  - cmd.exe (PID: 1264)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 1264)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 4092)
- Process drops legitimate windows executable
  - powershell.exe (PID: 4092)
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 1592)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 1264)
- Converts a specified value to a byte (POWERSHELL)
  - powershell.exe (PID: 4092)
- Starts a Microsoft application from unusual location
  - RegSvcs.exe (PID: 2740)
  - RegSvcs.exe (PID: 3472)
  - RegSvcs.exe (PID: 2824)
  - RegSvcs.exe (PID: 1932)
  - RegSvcs.exe (PID: 3024)
- Reads security settings of Internet Explorer
  - RegSvcs.exe (PID: 2740)
- Application launched itself
  - RegSvcs.exe (PID: 2740)
- Connects to unusual port
  - RegSvcs.exe (PID: 2740)
- Reads browser cookies
  - RegSvcs.exe (PID: 2740)
- Loads DLL from Mozilla Firefox
  - RegSvcs.exe (PID: 2824)
- Accesses Microsoft Outlook profiles
  - RegSvcs.exe (PID: 3024)
- The process executes VB scripts
  - RegSvcs.exe (PID: 2740)
- Gets full path of the running script (SCRIPT)
  - wscript.exe (PID: 3756)
INFO
- Checks proxy server information
  - wscript.exe (PID: 1592)
  - RegSvcs.exe (PID: 2740)
- Checks supported languages
  - RegSvcs.exe (PID: 3472)
  - RegSvcs.exe (PID: 2740)
  - RegSvcs.exe (PID: 1932)
  - RegSvcs.exe (PID: 2824)
  - RegSvcs.exe (PID: 3024)
- Reads the computer name
  - RegSvcs.exe (PID: 2740)
  - RegSvcs.exe (PID: 1932)
  - RegSvcs.exe (PID: 2824)
  - RegSvcs.exe (PID: 3024)
- Reads Environment values
  - RegSvcs.exe (PID: 2740)
- Uses string replace method (POWERSHELL)
  - powershell.exe (PID: 4092)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 4092)
- Converts byte array into ASCII string (POWERSHELL)
  - powershell.exe (PID: 4092)
- The executable file from the user directory is run by the Powershell process
  - RegSvcs.exe (PID: 2740)
  - RegSvcs.exe (PID: 3472)
- Reads product name
  - RegSvcs.exe (PID: 2740)
- Creates files or folders in the user directory
  - RegSvcs.exe (PID: 2740)
- Reads the machine GUID from the registry
  - RegSvcs.exe (PID: 2740)
  - RegSvcs.exe (PID: 1932)
  - RegSvcs.exe (PID: 2824)
- Create files in a temporary directory
  - RegSvcs.exe (PID: 2824)
  - RegSvcs.exe (PID: 1932)
  - RegSvcs.exe (PID: 2740)
  - RegSvcs.exe (PID: 3024)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Remcos

(PID) Process(2740) RegSvcs.exe

C2 (1)5.78.82.186:2405

Botnetlies

Options

Connect_interval1

Install_flagFalse

Install_HKCU\RunTrue

Install_HKLM\RunTrue

Install_HKLM\Explorer\Run1

Install_HKLM\Winlogon\Shell100000

Setup_path%LOCALAPPDATA%

Copy_fileremcos.exe

Startup_valueFalse

Hide_fileFalse

Mutex_nameRmc-JR41S9

Keylog_flag0

Keylog_path%LOCALAPPDATA%

Keylog_filelogs.dat

Keylog_cryptFalse

Hide_keylogFalse

Screenshot_flagFalse

Screenshot_time5

Take_ScreenshotFalse

Screenshot_path%APPDATA%

Screenshot_fileScreenshots

Screenshot_cryptFalse

Mouse_optionFalse

Delete_fileFalse

Audio_record_time5

Audio_path%ProgramFiles%

Audio_dirMicRecords

Connect_delay0

Copy_dirRemcos

Keylog_dirremcos

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1264

C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\WindowsServices\MUVIL.cmd" "

C:\Windows\System32\cmd.exe

—

wscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1592

"C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\in.vbs

C:\Windows\System32\wscript.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1932

C:\Users\admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\admin\AppData\Local\Temp\qjyzabbshe"

C:\Users\admin\AppData\Local\Temp\RegSvcs.exe

RegSvcs.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\users\admin\appdata\local\temp\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

2740

"C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\admin\AppData\Local\Temp\RegSvcs.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\users\admin\appdata\local\temp\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Remcos

(PID) Process(2740) RegSvcs.exe

C2 (1)5.78.82.186:2405

Botnetlies

Options

Connect_interval1

Install_flagFalse

Install_HKCU\RunTrue

Install_HKLM\RunTrue

Install_HKLM\Explorer\Run1

Install_HKLM\Winlogon\Shell100000

Setup_path%LOCALAPPDATA%

Copy_fileremcos.exe

Startup_valueFalse

Hide_fileFalse

Mutex_nameRmc-JR41S9

Keylog_flag0

Keylog_path%LOCALAPPDATA%

Keylog_filelogs.dat

Keylog_cryptFalse

Hide_keylogFalse

Screenshot_flagFalse

Screenshot_time5

Take_ScreenshotFalse

Screenshot_path%APPDATA%

Screenshot_fileScreenshots

Screenshot_cryptFalse

Mouse_optionFalse

Delete_fileFalse

Audio_record_time5

Audio_path%ProgramFiles%

Audio_dirMicRecords

Connect_delay0

Copy_dirRemcos

Keylog_dirremcos

2824

C:\Users\admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\admin\AppData\Local\Temp\dgjctexnjupgsjyi"

C:\Users\admin\AppData\Local\Temp\RegSvcs.exe

RegSvcs.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\users\admin\appdata\local\temp\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

3024

C:\Users\admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\admin\AppData\Local\Temp\adertlmuvmxbi"

C:\Users\admin\AppData\Local\Temp\RegSvcs.exe

RegSvcs.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\users\admin\appdata\local\temp\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

3472

"C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\admin\AppData\Local\Temp\RegSvcs.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\users\admin\appdata\local\temp\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3756

"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\urpkqqywgkcmu.vbs"

C:\Windows\System32\wscript.exe

—

RegSvcs.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

4092

PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\admin\AppData\Roaming\WindowsServices\LIYTI.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

Add for printing

Total events

12 282

Read events

12 173

Write events

Delete events

Modification events


(PID) Process:	(1592) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1592) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1592) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1592) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1592) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(1592) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	ProxyServer
Value:
(PID) Process:	(1592) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	ProxyOverride
Value:
(PID) Process:	(1592) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	AutoConfigURL
Value:
(PID) Process:	(1592) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	AutoDetect
Value:
(PID) Process:	(1592) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1592	wscript.exe	C:\Users\admin\AppData\Roaming\WindowsServices\MUVIL.cmd		text
		MD5:—	SHA256:—
1592	wscript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FSVFX.vbs		text
		MD5:—	SHA256:—
1592	wscript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsServices-IJXRJ.lnk		lnk
		MD5:—	SHA256:—
1592	wscript.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		binary
		MD5:—	SHA256:—
1592	wscript.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751		der
		MD5:—	SHA256:—
1592	wscript.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751		binary
		MD5:—	SHA256:—
1592	wscript.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFF36071456820AC60FD568DDF18F256		der
		MD5:—	SHA256:—
1592	wscript.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFF36071456820AC60FD568DDF18F256		binary
		MD5:—	SHA256:—
1592	wscript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MGYEDF9B.txt		text
		MD5:—	SHA256:—
1592	wscript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\JFUK3VGN.txt		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1592	wscript.exe	GET	304	217.20.57.40:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f460a99db30dbd61	unknown	—	—	unknown
1592	wscript.exe	GET	200	23.192.153.142:80	http://x1.c.lencr.org/	unknown	—	—	unknown
1592	wscript.exe	GET	200	2.16.241.15:80	http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgM2Q%2FzRu0WaFnOiBBRPKmemDw%3D%3D	unknown	—	—	unknown
2740	RegSvcs.exe	GET	200	178.237.33.50:80	http://geoplugin.net/json.gp	unknown	—	—	unknown
1080	svchost.exe	GET	304	217.20.57.35:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0754c686571bd23f	unknown	—	—	unknown
1080	svchost.exe	GET	200	217.20.57.35:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3e412f7b4eff0943	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	224.0.0.252:5355	—	—	—	unknown
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1592	wscript.exe	148.72.177.212:443	textbin.net	AS-30083-GO-DADDY-COM-LLC	US	unknown
1592	wscript.exe	217.20.57.40:80	ctldl.windowsupdate.com	—	US	unknown
1592	wscript.exe	23.192.153.142:80	x1.c.lencr.org	AKAMAI-AS	GB	unknown
1592	wscript.exe	2.16.241.15:80	r3.o.lencr.org	Akamai International B.V.	DE	unknown
2740	RegSvcs.exe	5.78.82.186:2405	—	—	DE	unknown
2740	RegSvcs.exe	178.237.33.50:80	geoplugin.net	Schuberg Philis B.V.	NL	unknown

DNS requests

Domain	IP	Reputation
dns.msftncsi.com	131.107.255.255	shared
textbin.net	148.72.177.212	whitelisted
ctldl.windowsupdate.com	217.20.57.40 217.20.57.37 217.20.57.21 217.20.57.24 217.20.57.34 217.20.57.36 217.20.57.27 217.20.57.35 217.20.57.25 217.20.57.42 217.20.57.22 217.20.57.18 217.20.57.41	whitelisted
x1.c.lencr.org	23.192.153.142	whitelisted
r3.o.lencr.org	2.16.241.15 2.16.241.8	shared
geoplugin.net	178.237.33.50	malicious

Threats

PID	Process	Class	Message
1080	svchost.exe	Misc activity	ET INFO Pastebin-style Service Domain in DNS Lookup (textbin .net)
1592	wscript.exe	Potentially Bad Traffic	ET INFO Pastebin-style Service (textbin .net in TLS SNI)
—	—	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS JA3 Hash
—	—	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection
—	—	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS JA3 Hash
—	—	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection
—	—	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS JA3 Hash
—	—	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection
—	—	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS JA3 Hash
—	—	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS JA3 Hash

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

/uploads/0e1ed8/in.vbs

DD54225B541568A683EDEDE7CB988628

430C08997DE6E0843FED90AAD4DFE1257722B6B9

25E2FF66FBFC1D850D167CBE6EAE7E3AFCB3A576AB631026F6A5B79707478C5F

24576:+RRURRn5tlxuSylBNxaR0G3wRRqRR1RRORRVRRXRRRjjjTRRjRRmRRzRRXRRoRRz:IjjjX

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Gets %appdata% folder path (SCRIPT)

Creates a new folder (SCRIPT)

Uses sleep, probably for evasion detection (SCRIPT)

Opens a text file (SCRIPT)

Opens an HTTP connection (SCRIPT)

Creates internet connection object (SCRIPT)

Deletes a file (SCRIPT)

Sends HTTP request (SCRIPT)

Create files in the Startup directory

Gets a file object corresponding to the file in a specified path (SCRIPT)

Accesses environment variables (SCRIPT)

Unusual connection from system programs

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

REMCOS has been detected

Drops the executable file immediately after the start

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Uses NirSoft utilities to collect credentials

REMCOS has been detected (YARA)

Steals credentials

SUSPICIOUS

Accesses current user name via WMI (SCRIPT)

Uses WMI to retrieve WMI-managed resources (SCRIPT)

Creates FileSystem object to access computer's file system (SCRIPT)

Executes WMI query (SCRIPT)

Checks whether a specific file exists (SCRIPT)

Reads the Internet Settings

Adds/modifies Windows certificates

Writes binary data to a Stream object (SCRIPT)

Executing commands from ".cmd" file

Runs shell command (SCRIPT)

The process executes Powershell scripts

The process bypasses the loading of PowerShell profile settings

Executable content was dropped or overwritten

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Converts a specified value to a byte (POWERSHELL)

Starts a Microsoft application from unusual location

Reads security settings of Internet Explorer

Application launched itself

Connects to unusual port

Reads browser cookies

Loads DLL from Mozilla Firefox

Accesses Microsoft Outlook profiles

The process executes VB scripts

Gets full path of the running script (SCRIPT)

INFO

Checks proxy server information

Checks supported languages

Reads the computer name

Reads Environment values

Uses string replace method (POWERSHELL)

Gets data length (POWERSHELL)

Converts byte array into ASCII string (POWERSHELL)

The executable file from the user directory is run by the Powershell process

Reads product name

Creates files or folders in the user directory

Reads the machine GUID from the registry

Create files in a temporary directory

Malware configuration

Remcos

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information